forked from extern/shorewall_code
Update Web site for 3.0.5
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3465 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent a03a65e770
commit f208ccce00
@ -25,9 +25,110 @@ Documentation License</a></span>”.<br>
<hr style="width: 100%; height: 2px;">
<p></p>
<!-- Shorewall Release 3.0.3 -->
<span style="font-weight: bold;">2006-02-10 Shorewall 3.0.5<br>
</span>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Kate, the KDE Advanced Text Editor">
<pre>Problems corrected in Shorewall 3.0.5
1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
but not when Shorewall was restored.
2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the
policy match patch and the Netfilter/IPSEC patches, previously an
entry in /etc/shorewall/tunnels was not sufficient in cases where:
a) gw<->gw traffic was encrypted
b) The gw<->gw policy through the tunnel was not ACCEPT
Thanks to Tuomo Soini, this has been corrected. By simply including the
remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
additional rules are required.
3) Extra blank output lines are no longer produced by install.sh (patch
courtesy of Tuomo Soini).
4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
rules file previously didn't work (they had the "--syn" parameter
added to them which resulted in a rule that no traffic would match).
WARNING: If you use the QUEUE target from an action, Shorewall will
still insert --syn if the protocol is tcp. So you don't want to
invoke such an action from the ESTABLISHED section of the rules
file.
5) The description of the SOURCE column in /etc/shorewall/rules has been
improved (patch courtesy of Ed Suominen).
6) The 'allow', 'drop' and 'reject' commands no longer produce iptables
errors when executed while Shorewall is not started.
7) The spelling of "maximize-throughput" has been corrected in the code
that implements tcclasses parsing. Patch courtesy of Paul Traina.
8) Shorewall now generates the correct match for devices in
/etc/shorewall/tcdevices that are actually bridge ports.
New Features in Shorewall 3.0.5
1) The facilities available for dealing with the TOS field in
/etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
contain a comma-separates list of the following:
tos=0x<value>[/0x<mask>] (mask defaults to 0xff)
- this lets you define a classifier
for the given <value>/<mask> combination
of the IP packet's TOS/Precedence/DiffSrv
octet (aka the TOS byte). Please note,
classifiers override all mark settings,
so if you define a classifer for a class,
all traffic having that mark will go in it
regardless of any mark set on the packet
by a firewall/mangle filter.
NOTE: multiple tos= statements may be
applied per class and per interface, but
a given value/mask pair is valid for only
ONE class per interface.
tos-<tosname> - aliases for the following TOS octet
value and mask encodings. TOS encodings
of the "TOS byte" have been deprecated in
favor of diffserve classes, but programs
like ssh, rlogin, and ftp still use them.
tos-minimize-delay 0x10/0x10
tos-maximize-throughput 0x08/0x08
tos-maximize-reliability 0x04/0x04
tos-minimize-cost 0x02/0x02
tos-normal-service 0x00/0x1e
tcp-ack - defined causes an tc filter to
be created that puts all tcp ack
packets on that interface that have
an size of <=64 Bytes to go in this
class. This is useful for speeding up
downloads. Please note that the size
of the ack packets is limited to 64
bytes as some applications (p2p for
example) use to make every packet an
ack packet which would cause them
all into here. We want only packets
WITHOUT payload to match, so the size
limit.
NOTE: This option is only valid for
ONE class per interface.
Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
these were tested using a mask of 0xff (example: tos-minimize-delay was
equivalent to 0x10/0xff). Now each bit is tested individually.
This enhancement is courtesy of Paul Traina.
</pre>
<span style="font-weight: bold;">2006-01-05 Shorewall 3.0.4<br>
</span>
<pre>Problems Corrected in 3.0.4<br><br>1) The shorewall.conf file is once again "console friendly". Patch is<br> courtesy of Tuomo Soini.<br><br>2) A potential security hole has been closed. Previously, Shorewall ACCEPTed<br> all traffic from a bridge port that was sent back out on the same port. If<br> the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,<br> xenbr0:vif+), this could lead to traffic being passed in variance with the<br> supplied policies and rules.<br><br>3) Previously, an intra-zone policy of NONE would cause a startup error. That<br> problem has been corrected.<br><br>4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not<br> add the retained aliases. This means that the following sequence of<br> events resulted in missing aliases:<br><br> shorewall start<br> shorewall restart<br> shorewall save<br> reboot<br> shorewall -f start (which is the default during boot up)<br><br>5) When a 2.x standard action is invoked with a log level (example<br> "AllowPing:info"), logging does not occur.<br><br>New Features in 3.0.4<br><br>1) By popular demand, the 'Limit' action described at<br> http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard<br> action. Limit requires 'recent match' support in your kernel and iptables.<br><br>2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This<br> change is reported to improve Java startup time on some distributions.<br><br>3) Shorewall now contains support for wildcard ports. In<br> /etc/shorewall/hosts, you may specify the port name with trailing "+" then <br> use specific port names in rules.<br><br> Example:<br><br> /etc/shorewall/hosts<br><br> vpn br0:tap+<br><br> /etc/shorewall/hosts<br><br> DROP vpn:tap0 vpn:tap1 udp 9999<br><br>4) For the benefit of those who run Shorewall on distributions that don't <br> autoload kernel modules, /etc/shorewall/modules now contains load commands <br> for a wide range of Netfilter modules.<br></pre>
<pre>Problems Corrected in 3.0.4<br><br>1) The shorewall.conf file is once again "console friendly". Patch is<br> courtesy of Tuomo Soini.<br><br>2) A potential security hole has been closed. Previously, Shorewall ACCEPTed<br> all traffic from a bridge port that was sent back out on the same port. If<br> the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,<br> xenbr0:vif+), this could lead to traffic being passed in variance with the<br> supplied policies and rules.<br><br>3) Previously, an intra-zone policy of NONE would cause a startup error. That<br> problem has been corrected.<br><br>4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not<br> add the retained aliases. This means that the following sequence of<br> events resulted in missing aliases:<br><br> shorewall start<br> shorewall restart<br> shorewall save<br> reboot<br> shorewall -f start (which is the default during boot up)<br><br>5) When a 2.x standard action is invoked with a log level (example<br> "AllowPing:info"), logging does not occur.<br><br>New Features in 3.0.4<br><br>1) By popular demand, the 'Limit' action described at<br> http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard<br> action. Limit requires 'recent match' support in your kernel and iptables.<br><br>2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This<br> change is reported to improve Java startup time on some distributions.<br><br>3) Shorewall now contains support for wildcard ports. In<br> /etc/shorewall/hosts, you may specify the port name with trailing "+" then <br> use specific port names in rules.<br><br> Example:<br><br> /etc/shorewall/hosts<br><br> vpn br0:tap+<br><br> /etc/shorewall/rules<br><br> DROP vpn:tap0 vpn:tap1 udp 9999<br><br>4) For the benefit of those who run Shorewall on distributions that don't <br> autoload kernel modules, /etc/shorewall/modules now contains load commands <br> for a wide range of Netfilter modules.<br></pre>
<span style="font-weight: bold;">2005-12-13
Shorewall 3.0.3<br>
</span>
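Review bot: the new 3.0.5 entry is introduced by the stale comment `<!-- Shorewall Release 3.0.3 -->`, and two `<meta>` tags (the Content-Type line and the Kate Generator line) have been pasted into the body together with the release-notes text; update the comment to 3.0.5 and drop both `<meta>` lines, which belong in `<head>` if anywhere. The pasted text carries several typos worth fixing before it goes live: "has been expended" (expanded), "is now may contain" (may now contain), "comma-separates" (comma-separated), "classifer", "defined causes an tc filter", "an size of <=64 Bytes", "diffserve"; and in the tos= note, "all traffic having that mark will go in it" reads as if the classifier keyed on the packet mark, while the previous sentence says it matches the TOS value/mask, so "all traffic having that TOS value" would be clearer. The 3.0.4 `<pre>` block appears twice because the old copy is removed and re-added with the second "/etc/shorewall/hosts" in the wildcard-port example corrected to "/etc/shorewall/rules"; that is the right fix, but because the whole block is one `<br>`-joined line the one-word change is nearly invisible in the diff, so consider reformatting it with real newlines the way the 3.0.5 block is written.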
@ -11,17 +11,17 @@
<base target="main">
</head>
<body>
<a style="color: rgb(255, 255, 255);" href="index.htm" target="_top"></a><span
style="color: rgb(255, 255, 255);"><a target="_top" href="index.htm">Home</a><br>
<a href="News.htm">News</a><br>
<a href="download.htm">Download</a><br>
<a href="Install.htm">Installation/Upgrade</a><br>
<a href="Documentation.html">Documentation</a><br>
<a href="support.html">Support</a><br>
<a href="shorewall_mirrors.htm">Mirrors</a><br>
</span><a style="color: rgb(255, 255, 255);" href="useful_links.html">Other
Links</a><br>
<ul>
<li><a href="index.htm" target="_top">Home</a></li>
<li><a href="News.htm">News <br>
</a></li>
<li><a href="download.htm">Download</a></li>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><a href="Documentation.html">Documentation</a></li>
<li><a href="support.html">Support</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a></li>
<li><a href="useful_links.html">Other Links</a></li>
</ul>
<ul class="menu">
</ul>
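Review bot: the new `<ul>` navigation keeps two stray `<br>` tags inside list items (`<a href="News.htm">News <br>` before its `</a></li>`, and `Installation/Upgrade</a><br>` before its `</li>`), which will give those two items extra vertical space compared with the rest; remove them so every `<li>` has the same shape. The `<ul class="menu">` that follows is empty and can go, and since the old block carried the link colour inline (`style="color: rgb(255, 255, 255);"` on the span and on the "Other Links" anchor) while the new `<li>` links carry no style at all, confirm that the stylesheet sets the sidebar link colour before this is published.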
@ -13,13 +13,13 @@
<body dir="ltr" lang="en-US">
<h1>Shoreline Firewall (Shorewall)</h1>
<span style="color: rgb(255, 0, 0);"><span style="font-weight: bold;"><big><big></big></big></span></span>
<p>The current Stable Version is 3.0.4 -- Get it from the <a
<p>The current Stable Version is 3.0.5 -- Get it from the <a
href="download.htm">download sites</a>. Here are the <a
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.4/releasenotes.txt">
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/releasenotes.txt">
release notes</a> and here are the <a
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.4/known_problems.txt">
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt">
known problems</a> and <a
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.4/errata/">
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/errata/">
updates</a>.</p>
<p>The current Development Version is 3.1.5 -- Get it from the <a
href="download.htm">download sites</a>. Here are the <a
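Review bot: the version bump touches four literals (the "current Stable Version is 3.0.5" text and the releasenotes.txt, known_problems.txt and errata/ URLs under shorewall-3.0.5/) and all four are updated consistently, with the Development Version line correctly left at 3.1.5. Two small points: the empty `<span style="color: rgb(255, 0, 0);"><span style="font-weight: bold;"><big><big></big></big></span></span>` above the paragraph is dead markup that can be dropped, and because the same version string is repeated in four places every release, it is worth checking that the three pub/shorewall/3.0/shorewall-3.0.5/ targets actually exist on the download site before the page is published.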
@ -37,7 +37,7 @@ document under the terms of the GNU Free Documentation License, Version
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled “<a
href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a>”.</p>
<p>2005-02-03</p>
<p>2005-02-10</p>
<hr style="width: 100%; height: 2px;">
<h3>Table of Contents</h3>
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
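Review bot: the date line goes from `<p>2005-02-03</p>` to `<p>2005-02-10</p>`, but the 3.0.5 entry added in the same commit is dated 2006-02-10 (and the 3.0.4 entry it follows is dated 2006-01-05), so the year here is wrong and the line should read `<p>2006-02-10</p>`; the old value was already stale, so this is a good moment to fix it rather than carry the wrong year forward.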