forked from extern/shorewall_code
Update Web site for 3.0.5
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3465 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a03a65e770
commit
f208ccce00
@ -25,9 +25,110 @@ Documentation License</a></span>”.<br>
|
|||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
<p></p>
|
<p></p>
|
||||||
<!-- Shorewall Release 3.0.3 -->
|
<!-- Shorewall Release 3.0.3 -->
|
||||||
|
<span style="font-weight: bold;">2006-02-10 Shorewall 3.0.5<br>
|
||||||
|
</span>
|
||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||||||
|
<meta name="Generator" content="Kate, the KDE Advanced Text Editor">
|
||||||
|
<pre>Problems corrected in Shorewall 3.0.5
|
||||||
|
|
||||||
|
1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
|
||||||
|
but not when Shorewall was restored.
|
||||||
|
|
||||||
|
2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the
|
||||||
|
policy match patch and the Netfilter/IPSEC patches, previously an
|
||||||
|
entry in /etc/shorewall/tunnels was not sufficient in cases where:
|
||||||
|
|
||||||
|
a) gw<->gw traffic was encrypted
|
||||||
|
b) The gw<->gw policy through the tunnel was not ACCEPT
|
||||||
|
|
||||||
|
Thanks to Tuomo Soini, this has been corrected. By simply including the
|
||||||
|
remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
|
||||||
|
additional rules are required.
|
||||||
|
|
||||||
|
3) Extra blank output lines are no longer produced by install.sh (patch
|
||||||
|
courtesy of Tuomo Soini).
|
||||||
|
|
||||||
|
4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
|
||||||
|
rules file previously didn't work (they had the "--syn" parameter
|
||||||
|
added to them which resulted in a rule that no traffic would match).
|
||||||
|
|
||||||
|
WARNING: If you use the QUEUE target from an action, Shorewall will
|
||||||
|
still insert --syn if the protocol is tcp. So you don't want to
|
||||||
|
invoke such an action from the ESTABLISHED section of the rules
|
||||||
|
file.
|
||||||
|
|
||||||
|
5) The description of the SOURCE column in /etc/shorewall/rules has been
|
||||||
|
improved (patch courtesy of Ed Suominen).
|
||||||
|
|
||||||
|
6) The 'allow', 'drop' and 'reject' commands no longer produce iptables
|
||||||
|
errors when executed while Shorewall is not started.
|
||||||
|
|
||||||
|
7) The spelling of "maximize-throughput" has been corrected in the code
|
||||||
|
that implements tcclasses parsing. Patch courtesy of Paul Traina.
|
||||||
|
|
||||||
|
8) Shorewall now generates the correct match for devices in
|
||||||
|
/etc/shorewall/tcdevices that are actually bridge ports.
|
||||||
|
|
||||||
|
New Features in Shorewall 3.0.5
|
||||||
|
|
||||||
|
1) The facilities available for dealing with the TOS field in
|
||||||
|
/etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
|
||||||
|
contain a comma-separates list of the following:
|
||||||
|
|
||||||
|
tos=0x<value>[/0x<mask>] (mask defaults to 0xff)
|
||||||
|
- this lets you define a classifier
|
||||||
|
for the given <value>/<mask> combination
|
||||||
|
of the IP packet's TOS/Precedence/DiffSrv
|
||||||
|
octet (aka the TOS byte). Please note,
|
||||||
|
classifiers override all mark settings,
|
||||||
|
so if you define a classifer for a class,
|
||||||
|
all traffic having that mark will go in it
|
||||||
|
regardless of any mark set on the packet
|
||||||
|
by a firewall/mangle filter.
|
||||||
|
|
||||||
|
NOTE: multiple tos= statements may be
|
||||||
|
applied per class and per interface, but
|
||||||
|
a given value/mask pair is valid for only
|
||||||
|
ONE class per interface.
|
||||||
|
|
||||||
|
tos-<tosname> - aliases for the following TOS octet
|
||||||
|
value and mask encodings. TOS encodings
|
||||||
|
of the "TOS byte" have been deprecated in
|
||||||
|
favor of diffserve classes, but programs
|
||||||
|
like ssh, rlogin, and ftp still use them.
|
||||||
|
|
||||||
|
tos-minimize-delay 0x10/0x10
|
||||||
|
tos-maximize-throughput 0x08/0x08
|
||||||
|
tos-maximize-reliability 0x04/0x04
|
||||||
|
tos-minimize-cost 0x02/0x02
|
||||||
|
tos-normal-service 0x00/0x1e
|
||||||
|
|
||||||
|
tcp-ack - defined causes an tc filter to
|
||||||
|
be created that puts all tcp ack
|
||||||
|
packets on that interface that have
|
||||||
|
an size of <=64 Bytes to go in this
|
||||||
|
class. This is useful for speeding up
|
||||||
|
downloads. Please note that the size
|
||||||
|
of the ack packets is limited to 64
|
||||||
|
bytes as some applications (p2p for
|
||||||
|
example) use to make every packet an
|
||||||
|
ack packet which would cause them
|
||||||
|
all into here. We want only packets
|
||||||
|
WITHOUT payload to match, so the size
|
||||||
|
limit.
|
||||||
|
|
||||||
|
NOTE: This option is only valid for
|
||||||
|
ONE class per interface.
|
||||||
|
|
||||||
|
Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
|
||||||
|
these were tested using a mask of 0xff (example: tos-minimize-delay was
|
||||||
|
equivalent to 0x10/0xff). Now each bit is tested individually.
|
||||||
|
|
||||||
|
This enhancement is courtesy of Paul Traina.
|
||||||
|
</pre>
|
||||||
<span style="font-weight: bold;">2006-01-05 Shorewall 3.0.4<br>
|
<span style="font-weight: bold;">2006-01-05 Shorewall 3.0.4<br>
|
||||||
</span>
|
</span>
|
||||||
<pre>Problems Corrected in 3.0.4<br><br>1) The shorewall.conf file is once again "console friendly". Patch is<br> courtesy of Tuomo Soini.<br><br>2) A potential security hole has been closed. Previously, Shorewall ACCEPTed<br> all traffic from a bridge port that was sent back out on the same port. If<br> the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,<br> xenbr0:vif+), this could lead to traffic being passed in variance with the<br> supplied policies and rules.<br><br>3) Previously, an intra-zone policy of NONE would cause a startup error. That<br> problem has been corrected.<br><br>4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not<br> add the retained aliases. This means that the following sequence of<br> events resulted in missing aliases:<br><br> shorewall start<br> shorewall restart<br> shorewall save<br> reboot<br> shorewall -f start (which is the default during boot up)<br><br>5) When a 2.x standard action is invoked with a log level (example<br> "AllowPing:info"), logging does not occur.<br><br>New Features in 3.0.4<br><br>1) By popular demand, the 'Limit' action described at<br> http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard<br> action. Limit requires 'recent match' support in your kernel and iptables.<br><br>2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This<br> change is reported to improve Java startup time on some distributions.<br><br>3) Shorewall now contains support for wildcard ports. In<br> /etc/shorewall/hosts, you may specify the port name with trailing "+" then <br> use specific port names in rules.<br><br> Example:<br><br> /etc/shorewall/hosts<br><br> vpn br0:tap+<br><br> /etc/shorewall/hosts<br><br> DROP vpn:tap0 vpn:tap1 udp 9999<br><br>4) For the benefit of those who run Shorewall on distributions that don't <br> autoload kernel modules, /etc/shorewall/modules now contains load commands <br> for a wide range of Netfilter modules.<br></pre>
|
<pre>Problems Corrected in 3.0.4<br><br>1) The shorewall.conf file is once again "console friendly". Patch is<br> courtesy of Tuomo Soini.<br><br>2) A potential security hole has been closed. Previously, Shorewall ACCEPTed<br> all traffic from a bridge port that was sent back out on the same port. If<br> the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,<br> xenbr0:vif+), this could lead to traffic being passed in variance with the<br> supplied policies and rules.<br><br>3) Previously, an intra-zone policy of NONE would cause a startup error. That<br> problem has been corrected.<br><br>4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not<br> add the retained aliases. This means that the following sequence of<br> events resulted in missing aliases:<br><br> shorewall start<br> shorewall restart<br> shorewall save<br> reboot<br> shorewall -f start (which is the default during boot up)<br><br>5) When a 2.x standard action is invoked with a log level (example<br> "AllowPing:info"), logging does not occur.<br><br>New Features in 3.0.4<br><br>1) By popular demand, the 'Limit' action described at<br> http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard<br> action. Limit requires 'recent match' support in your kernel and iptables.<br><br>2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This<br> change is reported to improve Java startup time on some distributions.<br><br>3) Shorewall now contains support for wildcard ports. In<br> /etc/shorewall/hosts, you may specify the port name with trailing "+" then <br> use specific port names in rules.<br><br> Example:<br><br> /etc/shorewall/hosts<br><br> vpn br0:tap+<br><br> /etc/shorewall/rules<br><br> DROP vpn:tap0 vpn:tap1 udp 9999<br><br>4) For the benefit of those who run Shorewall on distributions that don't <br> autoload kernel modules, /etc/shorewall/modules now contains load commands <br> for a wide range of Netfilter modules.<br></pre>
|
||||||
<span style="font-weight: bold;">2005-12-13
|
<span style="font-weight: bold;">2005-12-13
|
||||||
Shorewall 3.0.3<br>
|
Shorewall 3.0.3<br>
|
||||||
</span>
|
</span>
|
||||||
|
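Review bot: the two `<meta>` tags added between the `</span>` of the date heading and the `<pre>` block (`<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">` and `<meta name="Generator" content="Kate, the KDE Advanced Text Editor">`) are placed inside the page body, where they belong in `<head>`; they read as paste residue from the text editor and should be removed. The unchanged `<!-- Shorewall Release 3.0.3 -->` comment that now heads the 3.0.5 entry is stale and should be updated. Since the release-notes text is published verbatim, its typos should be fixed before commit: "has been expended" should read "has been expanded", "The OPTIONS field is now may contain a comma-separates list" should read "The OPTIONS field may now contain a comma-separated list", and "classifer", "an tc filter" and "an size" should be "classifier", "a tc filter" and "a size". Correcting the second `/etc/shorewall/hosts` label to `/etc/shorewall/rules` in the 3.0.4 wildcard-port example is right, since the `DROP vpn:tap0 vpn:tap1 udp 9999` line is a rules entry.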
@ -11,17 +11,17 @@
|
|||||||
<base target="main">
|
<base target="main">
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
<a style="color: rgb(255, 255, 255);" href="index.htm" target="_top"></a><span
|
||||||
|
style="color: rgb(255, 255, 255);"><a target="_top" href="index.htm">Home</a><br>
|
||||||
|
<a href="News.htm">News</a><br>
|
||||||
|
<a href="download.htm">Download</a><br>
|
||||||
|
<a href="Install.htm">Installation/Upgrade</a><br>
|
||||||
|
<a href="Documentation.html">Documentation</a><br>
|
||||||
|
<a href="support.html">Support</a><br>
|
||||||
|
<a href="shorewall_mirrors.htm">Mirrors</a><br>
|
||||||
|
</span><a style="color: rgb(255, 255, 255);" href="useful_links.html">Other
|
||||||
|
Links</a><br>
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="index.htm" target="_top">Home</a></li>
|
|
||||||
<li><a href="News.htm">News <br>
|
|
||||||
</a></li>
|
|
||||||
<li><a href="download.htm">Download</a></li>
|
|
||||||
<li><a href="Install.htm">Installation/Upgrade</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="Documentation.html">Documentation</a></li>
|
|
||||||
<li><a href="support.html">Support</a></li>
|
|
||||||
<li><a href="shorewall_mirrors.htm">Mirrors</a></li>
|
|
||||||
<li><a href="useful_links.html">Other Links</a></li>
|
|
||||||
</ul>
|
</ul>
|
||||||
<ul class="menu">
|
<ul class="menu">
|
||||||
</ul>
|
</ul>
|
||||||
|
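Review bot: the new `<ul>` carries no class while the empty `<ul class="menu">` immediately below it is kept, so whatever styling the stylesheet applies to `.menu` will not reach the populated list; either put the items into the `menu` list or give the new list that class, and drop the empty one. Two of the new items also carry stray line breaks that will render as extra spacing: `<li><a href="News.htm">News <br>` puts a `<br>` inside the link text, and `<li><a href="Install.htm">Installation/Upgrade</a><br>` adds one before `</li>`; both should be plain `<li><a ...>text</a></li>` like the other entries. Removing the empty `<a style="color: rgb(255, 255, 255);" href="index.htm" target="_top"></a>` anchor from the old markup is a welcome cleanup.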
@ -13,13 +13,13 @@
|
|||||||
<body dir="ltr" lang="en-US">
|
<body dir="ltr" lang="en-US">
|
||||||
<h1>Shoreline Firewall (Shorewall)</h1>
|
<h1>Shoreline Firewall (Shorewall)</h1>
|
||||||
<span style="color: rgb(255, 0, 0);"><span style="font-weight: bold;"><big><big></big></big></span></span>
|
<span style="color: rgb(255, 0, 0);"><span style="font-weight: bold;"><big><big></big></big></span></span>
|
||||||
<p>The current Stable Version is 3.0.4 -- Get it from the <a
|
<p>The current Stable Version is 3.0.5 -- Get it from the <a
|
||||||
href="download.htm">download sites</a>. Here are the <a
|
href="download.htm">download sites</a>. Here are the <a
|
||||||
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.4/releasenotes.txt">
|
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/releasenotes.txt">
|
||||||
release notes</a> and here are the <a
|
release notes</a> and here are the <a
|
||||||
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.4/known_problems.txt">
|
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt">
|
||||||
known problems</a> and <a
|
known problems</a> and <a
|
||||||
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.4/errata/">
|
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/errata/">
|
||||||
updates</a>.</p>
|
updates</a>.</p>
|
||||||
<p>The current Development Version is 3.1.5 -- Get it from the <a
|
<p>The current Development Version is 3.1.5 -- Get it from the <a
|
||||||
href="download.htm">download sites</a>. Here are the <a
|
href="download.htm">download sites</a>. Here are the <a
|
||||||
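Review bot: the four 3.0.4 references (the stable version text and the `releasenotes.txt`, `known_problems.txt` and `errata/` URLs) are all bumped to 3.0.5 consistently, which is the main thing to check here. The unchanged context line `<span style="color: rgb(255, 0, 0);"><span style="font-weight: bold;"><big><big></big></big></span></span>` is an empty nested span that renders nothing and could be dropped in the same edit. The Development Version paragraph still reads 3.1.5; worth confirming that is the intended value at the time of this update.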
@ -37,7 +37,7 @@ document under the terms of the GNU Free Documentation License, Version
|
|||||||
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled “<a
|
Texts. A copy of the license is included in the section entitled “<a
|
||||||
href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a>”.</p>
|
href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a>”.</p>
|
||||||
<p>2005-02-03</p>
|
<p>2005-02-10</p>
|
||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
<h3>Table of Contents</h3>
|
<h3>Table of Contents</h3>
|
||||||
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
|
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
|
||||||
|
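Review bot: the revision date changed from `<p>2005-02-03</p>` to `<p>2005-02-10</p>` appears to carry the wrong year; the news entry added in the same commit is dated "2006-02-10 Shorewall 3.0.5", so this line should presumably read `<p>2006-02-10</p>`.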