If you are seeing port 80 being 'closed', that's probably
+ your ISP preventing you from running a web
+server in violation of your Service Agreement.
+
+a) Create /etc/shorewall/common if it doesn't already exist.
+
+ b) Be sure that
+ the first command in the file is ". /etc/shorewall/common.def"
+ c) Add the following
+ to /etc/shorewall/common
+
+By default, older versions of Shorewall ratelimited log messages
+ through settings
+ in /etc/shorewall/shorewall.conf -- If you want
+to log all messages, set:
+
+The 'stop' command is intended to place your firewall into
+ a safe state whereby only those hosts listed in
+ /etc/shorewall/routestopped' are activated. If
+you want to totally open up your firewall, you must use the
+'shorewall clear' command.
+
+This is usually cured by the following sequence of commands:
+
+
+I just installed Shorewall and when I issue the start command,
+ I see the following:
+
+Shorewall works with any GNU/Linux distribution that includes
+ the proper prerequisites.
+
+Is there any way it can add a rule before the rfc1918 blocking
+ that will let all traffic to and from the 192.168.100.1
+ address of the modem in/out but still block all other
+ rfc1918 addresses?
+
+
+
Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
+
+
+
Note: If you add a second IP address to your external firewall
+ interface to correspond to the modem address, you
+ must also make an entry in /etc/shorewall/rfc1918 for
+ that address. For example, if you configure the address
+ 192.168.100.2 on your firewall, then you would add two entries
+ to /etc/shorewall/rfc1918:
+
+
+
+
+
+
+ SUBNET
+ |
+ TARGET
+ |
| eth2 |
- 192.168.2.0/24 |
-
- |
-
-
-
-
-
-
-
3. I want to use Netmeeting or MSN Instant
- Messenger with Shorewall. What do I do?
-
-
Answer: There is an H.323 connection
- tracking/NAT module that may help with Netmeeting.
- Look here for
-a solution for MSN IM but be aware that there are significant security
- risks involved with this solution. Also check the Netfilter
-mailing list archives at http://www.netfilter.org.
-
-
-
4. I just used an online port scanner
- to check my firewall and it shows some ports
- as 'closed' rather than 'blocked'. Why?
-
-
Answer: The common.def included with version 1.3.x
- always rejects connection requests on TCP
-port 113 rather than dropping them. This is necessary
- to prevent outgoing connection problems to services that
- use the 'Auth' mechanism for identifying requesting users.
- Shorewall also rejects TCP ports 135, 137 and 139 as well
- as UDP ports 137-139. These are ports that are used by Windows
- (Windows can be configured to use the DCE cell locator
- on port 135). Rejecting these connection requests rather than
-dropping them cuts down slightly on the amount of Windows chatter
-on LAN segments connected to the Firewall.
-
-
If you are seeing port 80 being 'closed', that's probably
- your ISP preventing you from running a web
-server in violation of your Service Agreement.
-
-
4a. I just ran an nmap UDP scan of my
- firewall and it showed 100s of ports as open!!!!
-
-
Answer: Take a deep breath and read the nmap man page
- section about UDP scans. If nmap gets nothing
- back from your firewall then it reports the port
- as open. If you want to see which UDP ports are really open,
- temporarily change your net->all policy to REJECT,
- restart Shorewall and do the nmap UDP scan again.
-
-
-
4b. I have a port that I can't close no matter how
- I change my rules.
- I had a rule that allowed telnet from my local network to my firewall;
-I removed that rule and restarted Shorewall but my telnet session still
-works!!!
-
-
Answer: Rules only govern the establishment of new connections.
-Once a connection is established through the firewall it will be usable until
- disconnected (tcp) or until it times out (other protocols). If you stop
-telnet and try to establish a new session your firerwall will block that
-attempt.
-
-
5. I've installed Shorewall and now I
- can't ping through the firewall
-
-
Answer: If you want your firewall to be totally open
- for "ping",
-
-
a) Create /etc/shorewall/common if it doesn't already exist.
-
- b) Be sure that
-the first command in the file is ". /etc/shorewall/common.def"
- c) Add the following
- to /etc/shorewall/common
-
-
- run_iptables -A icmpdef -p ICMP --icmp-type echo-request
- -j ACCEPT
-
-
- For a complete description of Shorewall
- 'ping' management, see
this page.
-
-
6. Where are the log messages written
- and how do I change the destination?
-
-
Answer: NetFilter uses the kernel's equivalent of syslog
-(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-(see "man openlog") and you get to choose the log level (again, see "man
-syslog") in your policies and rules. The destination for messaged
-logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
- When you have changed /etc/syslog.conf, be sure
-to restart syslogd (on a RedHat system, "service syslog
-restart").
-
-
By default, older versions of Shorewall ratelimited log messages
- through settings
- in /etc/shorewall/shorewall.conf -- If you want
-to log all messages, set:
-
-
-
-
6a. Are there any log parsers that work
- with Shorewall?
-
-
Answer: Here are several links that may be helpful:
-
-
-
- http://www.shorewall.net/pub/shorewall/parsefw/
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org
- http://gege.org/iptables
-
-
- I personnaly use Logwatch. It emails
- me a report each day from my various systems with each report
- summarizing the logged activity on the corresponding system.
-
-
6b. DROP messages on port 10619
- are flooding the logs with their connect requests. Can
- i exclude these error messages for this port temporarily from logging
- in Shorewall?
- Temporarily add the following rule:
-
-
DROP net fw udp 10619
-
-
6c. All day long I get a steady flow
- of these DROP messages from port 53 to some high numbered port.
- They get dropped, but what the heck are they?
-
-
Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
-
Answer: There are two possibilities:
-
-
- - They are late-arriving replies to DNS queries.
- - They are corrupted reply packets.
-
-
- You can distinguish the difference by setting the
-
logunclean option (
/etc/shorewall/interfaces)
- on your external interface (eth0 in the above example). If they get
- logged twice, they are corrupted. I solve this problem by using an
- /etc/shorewall/common file like this:
-
-
- #
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-
- The above file is also include in all of my sample
- configurations available in the
Quick Start Guides and in
- the common.def file in Shorewall 1.4.0 and later.
-
-
6d. Why is the MAC address in
- Shorewall log messages so long? I thought MAC addresses were only
- 6 bytes in length.
- What is labeled as the MAC address in a Shorewall log message
- is actually the Ethernet frame header. IT contains:
-
-
- - the destination MAC address (6 bytes)
- - the source MAC address (6 bytes)
- - the ethernet frame type (2 bytes)
-
-
- Example:
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
-
-
- - Destination MAC address = 00:04:4c:dc:e2:28
- - Source MAC address = 00:b0:8e:cf:3c:4c
- - Ethernet Frame Type = 08:00 (IP Version 4)
-
-
-
-
7. When I stop Shorewall using 'shorewall
- stop', I can't connect to anything. Why doesn't
- that command work?
-
-
The 'stop' command is intended to place your firewall into
- a safe state whereby only those hosts listed
-in /etc/shorewall/routestopped' are activated.
-If you want to totally open up your firewall, you must use
-the 'shorewall clear' command.
-
-
8. When I try to start Shorewall on RedHat,
- I get messages about insmod failing -- what's wrong?
-
-
Answer: The output you will see looks something like
- this:
-
-
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
-
-
This is usually cured by the following sequence of commands:
-
-
-
-
service ipchains stop
chkconfig --delete ipchains
rmmod ipchains
-
-
-
-
Also, be sure to check the errata
- for problems concerning the version of iptables
- (v1.2.3) shipped with RH7.2.
-
-
-
8a. When I try to start Shorewall on RedHat
- I get a message referring me to FAQ #8
-
Answer: This is usually cured by the sequence of commands
- shown above in FAQ #8
-
-
-
9. Why can't Shorewall detect my interfaces
- properly at startup?
-
-
I just installed Shorewall and when I issue the start command,
- I see the following:
-
-
-
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...
-
-
-
-
Why can't Shorewall detect my interfaces properly?
-
-
-
-
Answer: The above output is perfectly normal. The Net
- zone is defined as all hosts that are connected through eth0 and the local
- zone is defined as all hosts connected through eth1
-
-
-
10. What Distributions does it work
- with?
-
-
Shorewall works with any GNU/Linux distribution that includes
- the proper prerequisites.
-
-
11. What Features does it have?
-
-
Answer: See the Shorewall
- Feature List.
-
-
12. Is there a GUI?
-
-
Answer: Yes. Shorewall support is included in Webmin
- 1.060 and later versions. See http://www.webmin.com
-
-
-
13. Why do you call it "Shorewall"?
-
-
Answer: Shorewall is a concatenation of "Shoreline"
- (the
- city where I live) and "Firewall". The full
- name of the product is actually "Shoreline Firewall" but "Shorewall"
- is must more commonly used.
-
-
14. I'm connected via a cable modem
- and it has an internal web server that allows
- me to configure/monitor it but as expected if I
-enable rfc1918 blocking for my eth0 interface (the internet
-one), it also blocks the cable modems web server.
-
-
Is there any way it can add a rule before the rfc1918 blocking
- that will let all traffic to and from the 192.168.100.1
- address of the modem in/out but still block all other
- rfc1918 addresses?
-
-
Answer: If you are running a version of Shorewall earlier
-than 1.3.1, create /etc/shorewall/start and in it, place the following:
-
-
-
run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
-
-
-
-
-
-
-
-
-
- | SUBNET
- |
- TARGET |
-
-
- | 192.168.100.1 |
- RETURN |
-
-
-
-
-
-
-
-
-
Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
-
-
-
Note: If you add a second IP address to your external firewall
- interface to correspond to the modem address,
-you must also make an entry in /etc/shorewall/rfc1918
-for that address. For example, if you configure the address
- 192.168.100.2 on your firewall, then you would add two entries
- to /etc/shorewall/rfc1918:
-
-
-
-
-
-
- SUBNET
- |
- TARGET
- |
-
-
- 192.168.100.1
- |
-
+ | RETURN
- |
-
-
- |
+ |
+
+ 192.168.100.2
- |
-
+ | RETURN
- |
-
-
-
+
+
+
+
-
-
-
-
-
14a. Even though it assigns public IP
- addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
-1918 filtering on my external interface, my DHCP client cannot renew its
-lease.
+
-
-
-
The solution is the same as FAQ 14 above. Simply substitute
+
+
+
14a. Even though it assigns public
+IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
+RFC 1918 filtering on my external interface, my DHCP client cannot renew
+its lease.
+
+
+
+
The solution is the same as FAQ 14 above. Simply substitute
the IP address of your ISPs DHCP server.
-
-
-
15. My local systems can't see out to
+
+
+
15. My local systems can't see out to
the net
-
-
Answer: Every time I read "systems can't see out to
- the net", I wonder where the poster bought computers
- with eyes and what those computers will "see" when
- things are working properly. That aside, the most common
+
+
Answer: Every time I read "systems can't see out to
+ the net", I wonder where the poster bought computers
+ with eyes and what those computers will "see" when
+ things are working properly. That aside, the most common
causes of this problem are:
-
+
- -
-
-
The default gateway on each local system isn't set to
+
-
+
+
The default gateway on each local system isn't set to
the IP address of the local firewall interface.
-
- -
-
-
The entry for the local network in the /etc/shorewall/masq
+
+ -
+
+
The entry for the local network in the /etc/shorewall/masq
file is wrong or missing.
-
- -
-
-
The DNS settings on the local systems are wrong or the
- user is running a DNS server on the firewall
- and hasn't enabled UDP and TCP port 53 from the
-firewall to the internet.
-
-
+
+ -
+
+
The DNS settings on the local systems are wrong or the
+ user is running a DNS server on the firewall
+ and hasn't enabled UDP and TCP port 53 from the
+ firewall to the internet.
+
+
-
-
16. Shorewall is writing log messages
+
+16. Shorewall is writing log messages
all over my console making it unusable!
-
-
Answer: "man dmesg" -- add a suitable 'dmesg' command
- to your startup scripts or place it in /etc/shorewall/start.
- Under RedHat, the max log level that is sent
-to the console is specified in /etc/sysconfig/init in
+
+
Answer: If you are running Shorewall version 1.4.4
+or 1.4.4a then check the errata. Otherwise, see
+the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
+ to your startup scripts or place it in /etc/shorewall/start.
+ Under RedHat, the max log level that is sent
+to the console is specified in /etc/sysconfig/init in
the LOGLEVEL variable.
-
-
-
17. How do I find out why this traffic is getting
+
+
+17. How do I find out why this traffic is getting
logged?
- Answer: Logging
- occurs out of a number of chains (as indicated in the
- log message) in Shorewall:
-
+ Answer: Logging
+ occurs out of a number of chains (as indicated in
+ the log message) in Shorewall:
+
- - man1918 - The
- destination address is listed in /etc/shorewall/rfc1918
+
- man1918 -
+ The destination address is listed in /etc/shorewall/rfc1918
with a logdrop target -- see /etc/shorewall/rfc1918.
- - rfc1918
-- The source address is listed in /etc/shorewall/rfc1918
- with a logdrop target -- see rfc1918
+ - The source address is listed in /etc/shorewall/rfc1918
+ with a logdrop target -- see /etc/shorewall/rfc1918.
- - all2<zone>,
- <zone>2all or all2all
- - You have a policy
-that specifies a log level and this packet is being
-logged under that policy. If you intend to ACCEPT this
-traffic then you need a rule to
-that effect.
-
- - <zone1>2<zone2>
+
- all2<zone>,
+ <zone>2all or all2all
+ - You have a policy that
+ specifies a log level and this packet is being logged
+under that policy. If you intend to ACCEPT this traffic
+then you need a rule to that effect.
+
+ - <zone1>2<zone2>
- Either you have a policy for <zone1>
- to <zone2> that specifies a log level and
- this packet is being logged under that policy or this packet
- matches a rule that
-includes a log level.
- - <interface>_mac
- - The packet is being logged under the maclist
+ href="Documentation.htm#Policy"> policy for <zone1>
+ to <zone2> that specifies a log level and
+ this packet is being logged under that policy or this packet
+ matches a rule that includes
+ a log level.
+ - <interface>_mac
+ - The packet is being logged under the maclist
interface option.
-
- - logpkt
-- The packet is being logged under the logunclean
+
+ - logpkt
+- The packet is being logged under the logunclean
interface option.
- - badpkt -
- The packet is being logged under the dropunclean
- interface option
+
- badpkt -
+ The packet is being logged under the dropunclean
+ interface option
as specified in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
- - blacklst
- - The packet is being logged because the source IP
- is blacklisted in the /etc/shorewall/blacklist
+
- blacklst
+ - The packet is being logged because the source IP
+ is blacklisted in the /etc/shorewall/blacklist
file.
- - newnotsyn -
- The packet is being logged because it is a TCP packet
- that is not part of any current connection yet it is not a
-syn packet. Options affecting the logging of such packets include
- NEWNOTSYN and LOGNEWNOTSYN in
- /etc/shorewall/shorewall.conf.
- - INPUT or
- FORWARD - The packet has a source IP address
- that isn't in any of your defined zones ("shorewall check"
- and look at the printed zone definitions) or the chain is FORWARD
- and the destination IP isn't in any of your defined zones.
- - logflags - The packet
- is being logged because it failed the checks implemented
- by the tcpflags newnotsyn
+ - The packet is being logged because it is a
+ TCP packet that is not part of any current connection yet
+ it is not a syn packet. Options affecting the logging of such
+ packets include NEWNOTSYN and LOGNEWNOTSYN
+ in /etc/shorewall/shorewall.conf.
+ - INPUT or
+ FORWARD - The packet has a source IP address
+ that isn't in any of your defined zones ("shorewall check"
+ and look at the printed zone definitions) or the chain is
+FORWARD and the destination IP isn't in any of your defined
+ zones.
+ - logflags - The packet
+ is being logged because it failed the checks implemented
+ by the tcpflags interface option.
-
-
+
+
-
-18. Is there any way to use aliased ip addresses
- with Shorewall, and maintain separate rulesets for
+
+18. Is there any way to use aliased ip addresses
+ with Shorewall, and maintain separate rulesets for
different IPs?
- Answer: Yes. See
-Shorewall and Aliased Interfaces.
-
-19. I have added entries to /etc/shorewall/tcrules
+ Answer: Yes. See
+Shorewall and Aliased Interfaces.
+
+19. I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?
- You probably haven't set TC_ENABLED=Yes
- in /etc/shorewall/shorewall.conf so the contents of
+ You probably haven't set TC_ENABLED=Yes
+ in /etc/shorewall/shorewall.conf so the contents of
the tcrules file are simply being ignored.
-
-20. I have just set up a server. Do I have
- to change Shorewall to allow access to my server from
+
+20. I have just set up a server. Do I have
+ to change Shorewall to allow access to my server from
the internet?
-
- Yes. Consult the QuickStart guide that
-you used during your initial setup for information about how to set
- up rules for your server.
-
-21. I see these strange log entries occasionally;
+
+ Yes. Consult the QuickStart guide that you
+used during your initial setup for information about how to set up
+rules for your server.
+
+21. I see these strange log entries occasionally;
what are they?
-
-
-
+
+
+
Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00
SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
-
- 192.0.2.3 is external on my firewall...
+
+ 192.0.2.3 is external on my firewall...
172.16.0.0/24 is my internal LAN
-
- Answer: While most people
- associate the Internet Control Message Protocol (ICMP)
- with 'ping', ICMP is a key piece of the internet. ICMP is
- used to report problems back to the sender of a packet; this
-is what is happening here. Unfortunately, where NAT is involved
-(including SNAT, DNAT and Masquerade), there are a lot of broken
-implementations. That is what you are seeing with these messages.
-
- Here is my interpretation of what
- is happening -- to confirm this analysis, one would have
+
+ Answer: While most people
+ associate the Internet Control Message Protocol (ICMP)
+ with 'ping', ICMP is a key piece of the internet. ICMP is
+ used to report problems back to the sender of a packet; this is
+ what is happening here. Unfortunately, where NAT is involved (including
+ SNAT, DNAT and Masquerade), there are a lot of broken implementations.
+ That is what you are seeing with these messages.
+
+ Here is my interpretation of what
+ is happening -- to confirm this analysis, one would have
to have packet sniffers placed a both ends of the connection.
-
- Host 172.16.1.10 behind NAT gateway
- 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and
-your DNS server tried to send a response (the response information
- is in the brackets -- note source port 53 which marks this as
-a DNS reply). When the response was returned to to 206.124.146.179,
- it rewrote the destination IP TO 172.16.1.10 and forwarded the
-packet to 172.16.1.10 who no longer had a connection on UDP port
-2857. This causes a port unreachable (type 3, code 3) to be generated
-back to 192.0.2.3. As this packet is sent back through 206.124.146.179,
- that box correctly changes the source address in the packet to 206.124.146.179
- but doesn't reset the DST IP in the original DNS response similarly.
- When the ICMP reaches your firewall (192.0.2.3), your firewall has
- no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
- appear to be related to anything that was sent. The final result
- is that the packet gets logged and dropped in the all2all chain. I
-have also seen cases where the source IP in the ICMP itself isn't set
-back to the external IP of the remote NAT gateway; that causes your
-firewall to log and drop the packet out of the rfc1918 chain because
-the source IP is reserved by RFC 1918.
-
-22. I have some iptables commands that
- I want to run when Shorewall starts. Which file do
+
+ Host 172.16.1.10 behind NAT gateway
+ 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and
+your DNS server tried to send a response (the response information
+ is in the brackets -- note source port 53 which marks this as a
+ DNS reply). When the response was returned to to 206.124.146.179,
+ it rewrote the destination IP TO 172.16.1.10 and forwarded the packet
+ to 172.16.1.10 who no longer had a connection on UDP port 2857.
+This causes a port unreachable (type 3, code 3) to be generated back
+to 192.0.2.3. As this packet is sent back through 206.124.146.179,
+ that box correctly changes the source address in the packet to 206.124.146.179
+ but doesn't reset the DST IP in the original DNS response similarly.
+ When the ICMP reaches your firewall (192.0.2.3), your firewall has
+ no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
+ appear to be related to anything that was sent. The final result
+ is that the packet gets logged and dropped in the all2all chain. I have
+ also seen cases where the source IP in the ICMP itself isn't set back
+ to the external IP of the remote NAT gateway; that causes your firewall
+ to log and drop the packet out of the rfc1918 chain because the source
+ IP is reserved by RFC 1918.
+
+22. I have some iptables commands that
+ I want to run when Shorewall starts. Which file do
I put them in?
- You can place these commands in
-one of the Shorewall Extension
-Scripts. Be sure that you look at the contents of the chain(s) that
-you will be modifying with your commands to be sure that the
-commands will do what they are intended. Many iptables commands
-published in HOWTOs and other instructional material use the -A command
-which adds the rules to the end of the chain. Most chains that Shorewall
-constructs end with an unconditional DROP, ACCEPT or REJECT rule and
-any rules that you add after that will be ignored. Check "man iptables"
- and look at the -I (--insert) command.
-
-23. Why do you use such ugly fonts on your
+ You can place these commands in
+ one of the Shorewall Extension
+ Scripts. Be sure that you look at the contents of the chain(s) that
+ you will be modifying with your commands to be sure that the
+ commands will do what they are intended. Many iptables commands
+ published in HOWTOs and other instructional material use the -A
+command which adds the rules to the end of the chain. Most chains
+ that Shorewall constructs end with an unconditional DROP, ACCEPT or
+REJECT rule and any rules that you add after that will be ignored.
+ Check "man iptables" and look at the -I (--insert) command.
+
+23. Why do you use such ugly fonts on your
web site?
- The Shorewall web site is almost font neutral
- (it doesn't explicitly specify fonts except on a few pages) so
- the fonts you see are largely the default fonts configured in your
- browser. If you don't like them then reconfigure your browser.
-
-24. How can I allow conections to let's say
- the ssh port only from specific IP Addresses on the
-internet?
- In the SOURCE column of the rule, follow "net"
- by a colon and a list of the host/subnet addresses as a comma-separated
+ The Shorewall web site is almost font neutral
+ (it doesn't explicitly specify fonts except on a few pages)
+so the fonts you see are largely the default fonts configured in
+your browser. If you don't like them then reconfigure your browser.
+
+24. How can I allow conections to let's say
+ the ssh port only from specific IP Addresses on the internet?
+ In the SOURCE column of the rule, follow "net"
+ by a colon and a list of the host/subnet addresses as a comma-separated
list.
-
+
net:<ip1>,<ip2>,...
- Example:
-
+ Example:
+
ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22
-
+
-
-25. How to I tell which version of Shorewall
+
+25. How to I tell which version of Shorewall
I am running?
-
- At the shell prompt, type:
-
- /sbin/shorewall version
-
- Last updated 4/14/2003 - Tom Eastep
+
+ At the shell prompt, type:
+
+ /sbin/shorewall version
+
+ Last updated 5/29/2003 - Tom Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
-
-
-
-
+
diff --git a/Shorewall-docs/IPSEC.htm b/Shorewall-docs/IPSEC.htm
index 842fe9168..7a0afd53a 100644
--- a/Shorewall-docs/IPSEC.htm
+++ b/Shorewall-docs/IPSEC.htm
@@ -1,421 +1,767 @@
-
+
Shorewall IPSec Tunneling
-
+
-
+
-
+
-
-
- |
+ |
+
+
IPSEC Tunnels
- |
-
-
-
+
+
+
+
-
+
Configuring FreeS/Wan
- There is an excellent guide to configuring IPSEC tunnels at
http://www.geocities.com/jixen66/
-. I highly recommend that you consult that site for information about confuring
-FreeS/Wan.
+ . I highly recommend that you consult that site for information about configuring
+ FreeS/Wan.
Warning: Do not use Proxy ARP and
- FreeS/Wan on the same system unless you are prepared to suffer the consequences.
- If you start or restart Shorewall with an IPSEC tunnel active, the proxied
- IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
- rather than to the interface that you specify in the INTERFACE column of
- /etc/shorewall/proxyarp. I haven't had the time to debug this problem so
-I can't say if it is a bug in the Kernel or in FreeS/Wan.
-
+ FreeS/Wan on the same system unless you are prepared to suffer the consequences.
+ If you start or restart Shorewall with an IPSEC tunnel active, the proxied
+ IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
+ rather than to the interface that you specify in the INTERFACE column
+of /etc/shorewall/proxyarp. I haven't had the time to debug this problem
+so I can't say if it is a bug in the Kernel or in FreeS/Wan.
+
You might be able to work around this problem using the following
- (I haven't tried it):
-
+ (I haven't tried it):
+
In /etc/shorewall/init, include:
-
+
qt service ipsec stop
-
+
In /etc/shorewall/start, include:
-
+
qt service ipsec start
-
+
IPSec Gateway on the Firewall System
-
+
Suppose that we have the following sutuation:
-
+
-
-
+
+
We want systems in the 192.168.1.0/24 sub-network to be able
- to communicate with systems in the 10.0.0.0/8 network.
-
+ to communicate with systems in the 10.0.0.0/8 network.
+
To make this work, we need to do two things:
-
+
a) Open the firewall so that the IPSEC tunnel can be established
- (allow the ESP and AH protocols and UDP Port 500).
-
+ (allow the ESP and AH protocols and UDP Port 500).
+
b) Allow traffic through the tunnel.
-
+
Opening the firewall for the IPSEC tunnel is accomplished
- by adding an entry to the /etc/shorewall/tunnels file.
-
+ by adding an entry to the /etc/shorewall/tunnels file.
+
In /etc/shorewall/tunnels on system A, we need the following
-
-
+
+
-
-
- | TYPE |
- ZONE |
- GATEWAY |
- GATEWAY ZONE |
-
-
- | ipsec |
- net |
- 134.28.54.2 |
- |
-
-
-
-
-
-
-In /etc/shorewall/tunnels on system B, we would have:
-
-
-
-
+
- | TYPE |
- ZONE |
- GATEWAY |
- GATEWAY ZONE |
-
-
- | ipsec |
- net |
- 206.161.148.9 |
- |
-
-
-
-
-
-
-Note: If either of the endpoints is behind a NAT gateway
- then the tunnels file entry on the other endpoint should specify
- a tunnel type of ipsecnat rather than ipsec and the GATEWAY
- address should specify the external address of the NAT gateway.
-
-
-You need to define a zone for the remote subnet or include
- it in your local zone. In this example, we'll assume that you have
-created a zone called "vpn" to represent the remote subnet.
-
-
-
-
-
- | ZONE |
- DISPLAY |
- COMMENTS |
-
-
- | vpn |
- VPN |
- Remote Subnet |
-
-
-
+ TYPE |
+ ZONE |
+ GATEWAY |
+ GATEWAY ZONE |
+
+
+ | ipsec |
+ net |
+ 134.28.54.2 |
+ |
+
+
+
-
-At both systems, ipsec0 would be included in /etc/shorewall/interfaces
- as a "vpn" interface:
-
-
+
+In /etc/shorewall/tunnels on system B, we would have:
+
+
-
+
- | ZONE |
- INTERFACE |
- BROADCAST |
- OPTIONS |
-
-
- | vpn |
- ipsec0 |
- |
- |
-
-
-
-
-
-
- You will need to allow traffic between the "vpn" zone and
- the "loc" zone -- if you simply want to admit all traffic in both
- directions, you can use the policy file:
-
-
-
-
-
- | SOURCE |
- DEST |
- POLICY |
- LOG LEVEL |
-
-
- | loc |
- vpn |
- ACCEPT |
- |
-
-
- | vpn |
- loc |
- ACCEPT |
- |
-
-
-
+ TYPE |
+ ZONE |
+ GATEWAY |
+ GATEWAY ZONE |
+
+
+ | ipsec |
+ net |
+ 206.161.148.9 |
+ |
+
+
+
-
+
+Note: If either of the endpoints is behind a NAT gateway
+ then the tunnels file entry on the other endpoint should
+specify a tunnel type of ipsecnat rather than ipsec and the
+GATEWAY address should specify the external address of the NAT gateway.
+
+
+You need to define a zone for the remote subnet or include
+ it in your local zone. In this example, we'll assume that you have
+created a zone called "vpn" to represent the remote subnet.
+
+
+
+
+
+ | ZONE |
+ DISPLAY |
+ COMMENTS |
+
+
+ | vpn |
+ VPN |
+ Remote Subnet |
+
+
+
+
+
+
+At both systems, ipsec0 would be included in /etc/shorewall/interfaces
+ as a "vpn" interface:
+
+
+
+
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ | vpn |
+ ipsec0 |
+ |
+ |
+
+
+
+
+
+
+ You will need to allow traffic between the "vpn" zone and
+ the "loc" zone -- if you simply want to admit all traffic in both
+ directions, you can use the policy file:
+
+
+
+
+
+ | SOURCE |
+ DEST |
+ POLICY |
+ LOG LEVEL |
+
+
+ | loc |
+ vpn |
+ ACCEPT |
+ |
+
+
+ | vpn |
+ loc |
+ ACCEPT |
+ |
+
+
+
+
+
+
Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in FreeS/WAN .
-
- Mobile System (Road
- Warrior)
-
+
+VPN Hub
+ Shorewall can be used in a VPN Hub environment where multiple remote networks
+are connected to a gateway running Shorewall. This environment is shown in
+this diatram.
+
+
+
+
We want systems in the 192.168.1.0/24 sub-network to be able
+ to communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16 networks
+and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to communicate.
+
+To make this work, we need to do several things:
+
+a) Open the firewall so that two IPSEC tunnels can be established
+ (allow the ESP and AH protocols and UDP Port 500).
+
+b) Allow traffic through the tunnels two/from the local zone
+(192.168.1.0/24).
+
+
+c) Deny traffic through the tunnels between the two remote
+networks.
+
+
+Opening the firewall for the IPSEC tunnels is accomplished
+ by adding two entries to the /etc/shorewall/tunnels file.
+
+In /etc/shorewall/tunnels on system A, we need the following
+
+
+
+
+
+ | TYPE |
+ ZONE |
+ GATEWAY |
+ GATEWAY ZONE |
+
+
+ ipsec
+ |
+ net |
+ 134.28.54.2 |
+ |
+
+
+ ipsec
+ |
+ net
+ |
+ 130.152.100.14
+ |
+
+ |
+
+
+
+
+
+
+In /etc/shorewall/tunnels on systems B and C, we would have:
+
+
+
+
+
+ | TYPE |
+ ZONE |
+ GATEWAY |
+ GATEWAY ZONE |
+
+
+ | ipsec |
+ net |
+ 206.161.148.9 |
+ |
+
+
+
+
+
+
+
+
+Note: If either of the endpoints is behind a NAT gateway
+ then the tunnels file entry on the other endpoint should
+specify a tunnel type of ipsecnat rather than ipsec
+ and the GATEWAY address should specify the external address of the
+NAT gateway.
+
+
+On each system, we will create a zone to represent the remote
+networks. On System A:
+
+
+
+
+
+
+ | ZONE |
+ DISPLAY |
+ COMMENTS |
+
+
+ | vpn1 |
+ VPN1 |
+ Remote Subnet on system B |
+
+
+ vpn2
+ |
+ VPN2
+ |
+ Remote Subnet on system C
+ |
+
+
+
+
+
+
+On systems B and C:
+
+
+
+
+
+
+ | ZONE |
+ DISPLAY |
+ COMMENTS |
+
+
+ | vpn |
+ VPN |
+ Remote Subnet on system A |
+
+
+
+
+
+
+At system A, ipsec0 represents two zones so we have the following
+in /etc/shorewall/interfaces:
+
+
+
+
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ -
+ |
+ ipsec0 |
+ |
+
+ |
+
+
+
+
+
+
+The /etc/shorewall/hosts file on system A defines the two
+VPN zones:
+
+
+
+
+
+
+ | ZONE |
+ HOSTS
+ |
+ OPTIONS |
+
+
+ vpn1
+ |
+ ipsec0:10.0.0.0/16 |
+
+ |
+
+
+ vpn2
+ |
+ ipsec0:10.1.0.0/16
+ |
+
+ |
+
+
+
+
+
+
+At systems B and C, ipsec0 represents a single zone so we
+have the following in /etc/shorewall/interfaces:
+
+
+
+
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ vpn
+ |
+ ipsec0 |
+ |
+
+ |
+
+
+
+
+
+
+On systems A, you will need to allow traffic between the "vpn1"
+zone and the "loc" zone as well as between "vpn2" and the "loc" zone
+-- if you simply want to admit all traffic in both directions, you
+can use the following policy file entries on all three gateways:
+
+
+
+
+
+ | SOURCE |
+ DEST |
+ POLICY |
+ LOG LEVEL |
+
+
+ | loc |
+ vpn1 |
+ ACCEPT |
+ |
+
+
+ | vpn1 |
+ loc |
+ ACCEPT |
+ |
+
+
+ loc
+ |
+ vpn2
+ |
+ ACCEPT
+ |
+
+ |
+
+
+ vpn2
+ |
+ loc
+ |
+ ACCEPT
+ |
+
+ |
+
+
+
+
+
+On systems B and C, you will need to allow traffic between
+the "vpn" zone and the "loc" zone -- if you simply want to admit all
+traffic in both directions, you can use the following policy file entries
+on all three gateways:
+
+
+
+
+
+ | SOURCE |
+ DEST |
+ POLICY |
+ LOG LEVEL |
+
+
+ | loc |
+ vpn |
+ ACCEPT |
+ |
+
+
+ | vpn |
+ loc |
+ ACCEPT |
+ |
+
+
+
+
+
+
+Once you have the Shorewall entries added, restart Shorewall
+on each gateway (type shorewall restart); you are now ready to configure
+the tunnels in FreeS/WAN
+ .
+ Note that to allow traffic between the networks attached to systems B and
+C, it is necessary to simply add two additional entries to the /etc/shorewall/policy
+file on system A.
+
+
+
+
+ | SOURCE |
+ DEST |
+ POLICY |
+ LOG LEVEL |
+
+
+ vpn1
+ |
+ vpn2 |
+ ACCEPT |
+ |
+
+
+ | vpn2 |
+ vpn1
+ |
+ ACCEPT |
+ |
+
+
+
+
+
+
+
+ Mobile System
+(Road Warrior)
+
Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your
local network.
-
+
-
-
+
+
You need to define a zone for the laptop or include it in
- your local zone. In this example, we'll assume that you have created
- a zone called "vpn" to represent the remote host.
-
-
+ your local zone. In this example, we'll assume that you have created
+ a zone called "vpn" to represent the remote host.
+
+
-
-
- | ZONE |
- DISPLAY |
- COMMENTS |
-
-
- | vpn |
- VPN |
- Remote Subnet |
-
-
-
+
+
+ | ZONE |
+ DISPLAY |
+ COMMENTS |
+
+
+ | vpn |
+ VPN |
+ Remote Subnet |
+
+
+
+
+
+
+ In this instance, the mobile system (B) has IP address 134.28.54.2
+ but that cannot be determined in advance. In the /etc/shorewall/tunnels
+file on system A, the following entry should be made:
+
+
+
+
+
+ | TYPE |
+ ZONE |
+ GATEWAY |
+ GATEWAY ZONE |
+
+
+ | ipsec |
+ net |
+ 0.0.0.0/0 |
+ vpn |
+
+
+
-
- In this instance, the mobile system (B) has IP address 134.28.54.2
- but that cannot be determined in advance. In the /etc/shorewall/tunnels
-file on system A, the following entry should be made:
-
-
-
-
-
- | TYPE |
- ZONE |
- GATEWAY |
- GATEWAY ZONE |
-
-
- | ipsec |
- net |
- 0.0.0.0/0 |
- vpn |
-
-
-
-
-
-
+
Note that the GATEWAY ZONE column contains the name of the zone corresponding
- to peer subnetworks. This indicates that the gateway system itself comprises
- the peer subnetwork; in other words, the remote gateway is a standalone
+ to peer subnetworks. This indicates that the gateway system itself comprises
+ the peer subnetwork; in other words, the remote gateway is a standalone
system.
-
+
You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.
-
-
+
+
Dynamic RoadWarrior Zones
- Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
- and add and delete remote endpoints dynamically using /sbin/shorewall. In
- /etc/shorewall/zones:
-
-
-
-
-
-
- ZONE
- |
- DISPLAY
- |
- COMMENTS
- |
-
-
- vpn1
- |
- VPN-1
- |
- First VPN Zone
- |
-
-
- vpn2
- |
- VPN-2
- |
- Second VPN Zone
- |
-
-
- vpn3
- |
- VPN-3
- |
- Third VPN Zone
- |
-
-
-
-
+ Beginning with Shorewall release 1.3.10, you can define multiple VPN
+zones and add and delete remote endpoints dynamically using /sbin/shorewall.
+In /etc/shorewall/zones:
-
- In /etc/shorewall/tunnels:
-
-
+
+
+
+
+
+ ZONE
+ |
+ DISPLAY
+ |
+ COMMENTS
+ |
+
+
+ vpn1
+ |
+ VPN-1
+ |
+ First VPN Zone
+ |
+
+
+ vpn2
+ |
+ VPN-2
+ |
+ Second VPN Zone
+ |
+
+
+ vpn3
+ |
+ VPN-3
+ |
+ Third VPN Zone
+ |
+
+
+
+
+
+
+ In /etc/shorewall/tunnels:
+
+
-
-
- TYPE
- |
- ZONE
- |
- GATEWAY
- |
- GATEWAY ZONE
- |
-
-
- ipsec
- |
- net
- |
- 0.0.0.0/0
- |
- vpn1,vpn2,vpn3
- |
-
-
+
+
+ TYPE
+ |
+ ZONE
+ |
+ GATEWAY
+ |
+ GATEWAY ZONE
+ |
+
+
+ ipsec
+ |
+ net
+ |
+ 0.0.0.0/0
+ |
+ vpn1,vpn2,vpn3
+ |
+
+
+
+
+
+
+ When Shorewall is started, the zones vpn[1-3] will all be empty and
+Shorewall will issue warnings to that effect. These warnings may be safely
+ignored. FreeS/Wan may now be configured to have three different Road Warrior
+connections with the choice of connection being based on X-509 certificates
+or some other means. Each of these connectioins will utilize a different
+updown script that adds the remote station to the appropriate zone when the
+connection comes up and that deletes the remote station when the connection
+comes down. For example, when 134.28.54.2 connects for the vpn2 zone the
+'up' part of the script will issue the command":
+
+
+/sbin/shorewall add ipsec0:134.28.54.2 vpn2
+
+ and the 'down' part will:
+
+/sbin/shorewall delete ipsec0:134.28.54.2 vpn
+
+
+
+Limitations of Dynamic Zones
+ If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
+ hosts are not excluded from the rule.
+
+ Example with dyn=dynamic zone:
+
+
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DESTINATION
+ |
+ PROTOCOL
+ |
+ PORT(S)
+ |
+ CLIENT
+ PORT(S)
+ |
+ ORIGINAL
+ DESTINATION
+ |
+
+
+ DNAT
+ |
+ z:dyn
+ |
+ loc:192.168.1.3
+ |
+ tcp
+ |
+ 80
+ |
+
+ |
+
+ |
+
+
-
-
- When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
- will issue warnings to that effect. These warnings may be safely ignored.
- FreeS/Wan may now be configured to have three different Road Warrior connections
- with the choice of connection being based on X-509 certificates or some
-other means. Each of these connectioins will utilize a different updown
-script that adds the remote station to the appropriate zone when the connection
-comes up and that deletes the remote station when the connection comes down.
-For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of
-the script will issue the command":
-
-
-/sbin/shorewall add ipsec0:134.28.54.2 vpn2
-
- and the 'down' part will:
-
-/sbin/shorewall delete ipsec0:134.28.54.2 vpn
-
-
-Limitations of Dynamic Zones
-If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
-hosts are not excluded from the rule.
-
-Example with dyn=dynamic zone:
-
-
-
-
-
- ACTION
- |
- SOURCE
- |
- DESTINATION
- |
- PROTOCOL
- |
- PORT(S)
- |
- CLIENT
-PORT(S)
- |
- ORIGINAL
-DESTINATION
- |
-
-
- DNAT
- |
- z:dyn
- |
- loc:192.168.1.3
- |
- tcp
- |
- 80
- |
-
- |
-
- |
-
-
-
-
-Dynamic changes to the zone dyn will have no effect on the above rule.
-
-Last updated 5/3//2003 -
+ Dynamic changes to the zone dyn will have no effect on the above
+rule.
+Last updated 6/10//2003 - Tom Eastep
-
+
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
-
-
+ size="2">2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/Shorewall-docs/MAC_Validation.html b/Shorewall-docs/MAC_Validation.html
index 60db899b2..7c47fade6 100644
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@@ -2,110 +2,118 @@
MAC Verification
-
+
-
+
-
+
-
-
- |
-
+ |
+
+
MAC Verification
-
-
- |
-
-
-
+
+
+
+
+
+
-
- All traffic from an interface or from a subnet on an interface
-can be verified to originate from a defined set of MAC addresses. Furthermore,
-each MAC address may be optionally associated with one or more IP addresses.
-
-
- Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
- - module name ipt_mac.o).
-
- There are four components to this facility.
-
+
+ All traffic from an interface or from a subnet on an interface
+ can be verified to originate from a defined set of MAC addresses. Furthermore,
+ each MAC address may be optionally associated with one or more IP addresses.
+
+
+ Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
+ - module name ipt_mac.o).
+
+ There are four components to this facility.
+
- - The maclist interface option in The maclist interface option in /etc/shorewall/interfaces. When
this option is specified, all traffic arriving on the interface is subjet
to MAC verification.
- - The maclist option in The maclist option in /etc/shorewall/hosts. When this option
- is specified for a subnet, all traffic from that subnet is subject to MAC
- verification.
- - The /etc/shorewall/maclist file. This file is used to associate
- MAC addresses with interfaces and to optionally associate IP addresses
-with MAC addresses.
- - The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables
- in /etc/shorewall/shorewall.conf.
- The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
+ is specified for a subnet, all traffic from that subnet is subject to
+MAC verification.
+ - The /etc/shorewall/maclist file. This file is used to associate
+ MAC addresses with interfaces and to optionally associate IP addresses
+ with MAC addresses.
+ - The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables
+ in /etc/shorewall/shorewall.conf.
+ The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
- The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
- requests that fail verification are to be logged. If set the the empty
+ The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
+ requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.
-
-
+
+
- The columns in /etc/shorewall/maclist are:
-
+ The columns in /etc/shorewall/maclist are:
+
- - INTERFACE - The name of an ethernet interface on the Shorewall
- system.
- - MAC - The MAC address of a device on the ethernet segment connected
- by INTERFACE. It is not necessary to use the Shorewall MAC format in
-this column although you may use that format if you so choose.
- - IP Address - An optional comma-separated list of IP addresses
- for the device whose MAC is listed in the MAC column.
-
+ - INTERFACE - The name of an ethernet interface on the Shorewall
+ system.
+ - MAC - The MAC address of a device on the ethernet segment
+connected by INTERFACE. It is not necessary to use the Shorewall MAC format
+in this column although you may use that format if you so choose.
+ - IP Address - An optional comma-separated list of IP addresses
+ for the device whose MAC is listed in the MAC column.
+
-
+
Example 1: Here are my files:
- /etc/shorewall/shorewall.conf:
-
+ /etc/shorewall/shorewall.conf:
+
MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info
- /etc/shorewall/interfaces:
-
- #ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 norfc1918,dhcp,blacklist
loc eth2 192.168.1.255 dhcp,maclist
dmz eth1 192.168.2.255
net eth3 206.124.146.255 blacklist
- texas 192.168.9.255
loc ppp+
- /etc/shorewall/maclist:
-
- #INTERFACE MAC IP ADDRESSES (Optional)
eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie
eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry
eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa
eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa
eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)
eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap
- As shown above, I use MAC Verification on my local zone.
-
+ /etc/shorewall/interfaces:
+
+
+ #ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp
dmz eth1 192.168.2.255
wap eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
+
+ /etc/shorewall/maclist:
+
+
+ #INTERFACE MAC IP ADDRESSES (Optional)
eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop
eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11
eth3 00:06:25:56:33:3c #WET11
eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER
+
+ As shown above, I use MAC Verification on my wireless zone.
+
+Note: The WET11 is a somewhat curious device; when forwarding DHCP
+traffic, it uses the MAC address of the host (TIPPER) but for other forwarded
+traffic it uses it's own MAC address. Consequently, I don't assign the WET11
+a fixed IP address in /etc/shorewall/maclist.
+
Example 2: Router in Local Zone
- Suppose now that I add a second ethernet segment to my local zone
-and gateway that segment via a router with MAC address 00:06:43:45:C6:15
-and IP address 192.168.1.253. Hosts in the second segment have IP addresses
- in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
- file:
-
- eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24
- This entry accomodates traffic from the router itself (192.168.1.253)
- and from the second LAN segment (192.168.2.0/24). Remember that all traffic
- being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
- by the router so that traffic's MAC address will be that of the router
-(00:06:43:45:C6:15) and not that of the host sending the traffic.
-
- Updated 2/21/2002 - Tom Eastep
-
-
-
-
+ Suppose now that I add a second wireless segment to my wireless
+zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
+ and IP address 192.168.3.253. Hosts in the second segment have IP addresses
+ in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
+ file:
+
+ eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24
+ This entry accomodates traffic from the router itself (192.168.3.253)
+ and from the second wireless segment (192.168.4.0/24). Remember that
+all traffic being sent to my firewall from the 192.168.4.0/24 segment
+will be forwarded by the router so that traffic's MAC address will be
+that of the router (00:06:43:45:C6:15) and not that of the host sending
+the traffic.
+ Updated 6/10/2002 - Tom Eastep
+
+
Copyright ©
- 2001, 2002, 2003 Thomas M. Eastep.
-
+ 2001, 2002, 2003 Thomas M. Eastep.
+
+
+
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm
index c5b0ac99b..2d1316734 100644
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
@@ -4,7 +4,7 @@
-
+
Shorewall News
@@ -14,254 +14,304 @@
-
+
-
+
-
+
-
-
- |
+
+ |
+
+
+
+
-
+
+
Shorewall News Archive
- |
-
+
+
+
+
-
+
-
+
-
-5/27/2003 - Shorewall-1.4.4a
- The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out
- that the code in 1.4.4 restricts the length of short zone names to 4 characters.
- I've produced version 1.4.4a that restores the previous 5-character limit
- by conditionally omitting the log rule number when the LOGFORMAT doesn't
-contain '%d'.
+
+6/17/2003 - Shorewall-1.4.5
+Problems Corrected:
+
+
+ - The command "shorewall debug try <directory>" now correctly traces
+the attempt.
+ - The INCLUDE directive now works properly in the zones file; previously,
+INCLUDE in that file was ignored.
+ - /etc/shorewall/routestopped records with an empty second column are
+no longer ignored.
+
+
+New Features:
+
+
+ - The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now contain
+a list of addresses. If the list begins with "!' then the rule will take
+effect only if the original destination address in the connection request
+does not match any of the addresses listed.
+
+6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8
+
+The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
+iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
+have been encountered with this set of software. The Shorewall version is
+1.4.4b plus the accumulated changes for 1.4.5.
+
+
+6/8/2003 - Updated Samples
+Thanks to Francesca Smith, the samples have been updated to Shorewall
+version 1.4.4.
+
+5/29/2003 - Shorewall-1.4.4b
+
+Groan -- This version corrects a problem whereby the --log-level was not
+ being set when logging via syslog. The most commonly reported symptom was
+ that Shorewall messages were being written to the console even though console
+ logging was correctly configured per FAQ 16.
+
+
+5/27/2003 - Shorewall-1.4.4a
+ The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
+ out that the code in 1.4.4 restricts the length of short zone names to
+4 characters. I've produced version 1.4.4a that restores the previous 5-character
+ limit by conditionally omitting the log rule number when the LOGFORMAT
+doesn't contain '%d'.
+
5/23/2003 - Shorewall-1.4.4
- I apologize for the rapid-fire releases but since there is a potential
-configuration change required to go from 1.4.3a to 1.4.4, I decided to make
-it a full release rather than just a bug-fix release.
-
- Problems corrected:
-
+ I apologize for the rapid-fire releases but since there is a potential
+ configuration change required to go from 1.4.3a to 1.4.4, I decided to
+make it a full release rather than just a bug-fix release.
+
+ Problems corrected:
+
None.
-
- New Features:
-
+
+ New Features:
+
- - A REDIRECT- rule target has been added. This target behaves for
-REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter nat
-table REDIRECT rule is added but not the companion filter table ACCEPT rule.
-
-
- - The LOGMARKER variable has been renamed LOGFORMAT and has been changed
- to a 'printf' formatting template which accepts three arguments (the chain
- name, logging rule number and the disposition). To use LOGFORMAT with fireparse
- (http://www.fireparse.com), set it
- as:
-
- LOGFORMAT="fp=%s:%d a=%s "
-
- CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT
- string (up to but not including the first '%') to find log messages in the
- 'show log', 'status' and 'hits' commands. This part should not be omitted
- (the LOGFORMAT should not begin with "%") and the leading part should be
-sufficiently unique for /sbin/shorewall to identify Shorewall messages.
-
-
- - When logging is specified on a DNAT[-] or REDIRECT[-] rule, the
-logging now takes place in the nat table rather than in the filter table.
-This way, only those connections that actually undergo DNAT or redirection
-will be logged.
-
-
+ - A REDIRECT- rule target has been added. This target behaves
+for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
+nat table REDIRECT rule is added but not the companion filter table ACCEPT
+rule.
+
+
+ - The LOGMARKER variable has been renamed LOGFORMAT and has been
+ changed to a 'printf' formatting template which accepts three arguments
+ (the chain name, logging rule number and the disposition). To use LOGFORMAT
+ with fireparse (http://www.fireparse.com),
+ set it as:
+
+ LOGFORMAT="fp=%s:%d a=%s "
+
+ CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT
+ string (up to but not including the first '%') to find log messages in
+the 'show log', 'status' and 'hits' commands. This part should not be omitted
+ (the LOGFORMAT should not begin with "%") and the leading part should be
+ sufficiently unique for /sbin/shorewall to identify Shorewall messages.
+
+
+ - When logging is specified on a DNAT[-] or REDIRECT[-] rule,
+the logging now takes place in the nat table rather than in the filter
+table. This way, only those connections that actually undergo DNAT or
+redirection will be logged.
+
+
-
+
5/20/2003 - Shorewall-1.4.3a
-
- This version primarily corrects the documentation included in the .tgz
- and in the .rpm. In addition:
-
+
+ This version primarily corrects the documentation included in the
+ .tgz and in the .rpm. In addition:
+
- - (This change is in 1.4.3 but is not documented) If you are running
- iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject replies
- as follows:
- a) tcp - RST
- b) udp - ICMP port unreachable
- c) icmp - ICMP host unreachable
- d) Otherwise - ICMP host prohibited
- If you are running earlier software, Shorewall will follow it's traditional
- convention:
- a) tcp - RST
- b) Otherwise - ICMP port unreachable
- - UDP port 135 is now silently dropped in the common.def chain.
-Remember that this chain is traversed just before a DROP or REJECT policy
-is enforced.
-
-
-
-
-5/18/2003 - Shorewall 1.4.3
-
- Problems Corrected:
-
-
- - There were several cases where Shorewall would fail to remove
-a temporary directory from /tmp. These cases have been corrected.
- - The rules for allowing all traffic via the loopback interface
-have been moved to before the rule that drops status=INVALID packets. This
-insures that all loopback traffic is allowed even if Netfilter connection
-tracking is confused.
-
-
- New Features:
-
-
- - IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels
- file.
- - You may now change the leading portion of the --log-prefix
- used by Shorewall using the LOGMARKER variable in shorewall.conf. By default,
- "Shorewall:" is used.
-
-
-
-
-5/10/2003 - Shorewall Mirror in Asia
-
-
-Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
-
-
-5/8/2003 - Shorewall Mirror in Chile
- Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago
- Chile.
-4/21/2003 - Samples updated for Shorewall version 1.4.2
+ (This change is in 1.4.3 but is not documented) If you are
+running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject
+replies as follows:
+ a) tcp - RST
+ b) udp - ICMP port unreachable
+ c) icmp - ICMP host unreachable
+ d) Otherwise - ICMP host prohibited
+ If you are running earlier software, Shorewall will follow it's
+traditional convention:
+ a) tcp - RST
+ b) Otherwise - ICMP port unreachable
+ UDP port 135 is now silently dropped in the common.def chain.
+ Remember that this chain is traversed just before a DROP or REJECT policy
+ is enforced.
+
+
+
+5/18/2003 - Shorewall 1.4.3
+
+ Problems Corrected:
+
+
+ - There were several cases where Shorewall would fail to remove
+ a temporary directory from /tmp. These cases have been corrected.
+ - The rules for allowing all traffic via the loopback interface
+ have been moved to before the rule that drops status=INVALID packets.
+This insures that all loopback traffic is allowed even if Netfilter connection
+ tracking is confused.
+
+
+ New Features:
+
+
+ - IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels
+ file.
+ - You may now change the leading portion of the --log-prefix
+ used by Shorewall using the LOGMARKER variable in shorewall.conf. By default,
+ "Shorewall:" is used.
+
+
+
+
+5/10/2003 - Shorewall Mirror in Asia
+
+
+Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
+
+
+5/8/2003 - Shorewall Mirror in Chile
+ Thanks to Darcy Ganga, there is now an HTTP mirror in
+Santiago Chile.
+4/21/2003 - Samples updated for Shorewall version 1.4.2
+
Thanks to Francesca Smith, the sample configurations are now upgraded to
Shorewall version 1.4.2.
-
+
4/9/2003 - Shorewall 1.4.2
-
-
+
+
Problems Corrected:
-
-
+
+
- - TCP connection requests rejected out of the common
- chain are now properly rejected with TCP RST; previously, some of these
- requests were rejected with an ICMP port-unreachable response.
- - 'traceroute -I' from behind the firewall previously timed
- out on the first hop (e.g., to the firewall). This has been worked around.
-
+ - TCP connection requests rejected out of the common
+ chain are now properly rejected with TCP RST; previously, some of
+these requests were rejected with an ICMP port-unreachable response.
+ - 'traceroute -I' from behind the firewall previously
+ timed out on the first hop (e.g., to the firewall). This has been
+worked around.
+
-
-
+
+
New Features:
-
+
- - Where an entry in the/etc/shorewall/hosts file specifies
-a particular host or network, Shorewall now creates an intermediate chain
- for handling input from the related zone. This can substantially reduce
- the number of rules traversed by connections requests from such zones.
-
-
- - Any file may include an INCLUDE directive. An INCLUDE directive
- consists of the word INCLUDE followed by a file name and causes the
-contents of the named file to be logically included into the file containing
-the INCLUDE. File names given in an INCLUDE directive are assumed to
-reside in /etc/shorewall or in an alternate configuration directory
-if one has been specified for the command.
-
- Examples:
- shorewall/params.mgmt:
- MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
- TIME_SERVERS=4.4.4.4
- BACKUP_SERVERS=5.5.5.5
- ----- end params.mgmt -----
-
-
- shorewall/params:
- # Shorewall 1.3 /etc/shorewall/params
- [..]
- #######################################
-
- INCLUDE params.mgmt
-
- # params unique to this host here
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- ----- end params -----
-
-
- shorewall/rules.mgmt:
- ACCEPT net:$MGMT_SERVERS $FW tcp 22
- ACCEPT $FW net:$TIME_SERVERS udp 123
- ACCEPT $FW net:$BACKUP_SERVERS tcp 22
- ----- end rules.mgmt -----
-
- shorewall/rules:
- # Shorewall version 1.3 - Rules File
- [..]
- #######################################
-
- INCLUDE rules.mgmt
-
- # rules unique to this host here
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
+ - Where an entry in the/etc/shorewall/hosts file specifies
+ a particular host or network, Shorewall now creates an intermediate
+ chain for handling input from the related zone. This can substantially
+ reduce the number of rules traversed by connections requests from such
+ zones.
+
+
+ - Any file may include an INCLUDE directive. An INCLUDE
+ directive consists of the word INCLUDE followed by a file name and
+causes the contents of the named file to be logically included into
+the file containing the INCLUDE. File names given in an INCLUDE directive
+are assumed to reside in /etc/shorewall or in an alternate configuration
+ directory if one has been specified for the command.
+
+ Examples:
+ shorewall/params.mgmt:
+ MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+ TIME_SERVERS=4.4.4.4
+ BACKUP_SERVERS=5.5.5.5
+ ----- end params.mgmt -----
+
+
+ shorewall/params:
+ # Shorewall 1.3 /etc/shorewall/params
+ [..]
+ #######################################
+
+ INCLUDE params.mgmt
+
+ # params unique to this host here
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE
- ----- end rules -----
-
- INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
- directives are ignored with a warning message.
-
-
- - Routing traffic from an interface back out that interface
- continues to be a problem. While I firmly believe that this should
-never happen, people continue to want to do it. To limit the damage
+ ----- end params -----
+
+
+ shorewall/rules.mgmt:
+ ACCEPT net:$MGMT_SERVERS $FW tcp 22
+ ACCEPT $FW net:$TIME_SERVERS udp 123
+ ACCEPT $FW net:$BACKUP_SERVERS tcp 22
+ ----- end rules.mgmt -----
+
+ shorewall/rules:
+ # Shorewall version 1.3 - Rules File
+ [..]
+ #######################################
+
+ INCLUDE rules.mgmt
+
+ # rules unique to this host here
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO
+NOT REMOVE
+ ----- end rules -----
+
+ INCLUDE's may be nested to a level of 3 -- further nested
+ INCLUDE directives are ignored with a warning message.
+
+
+ - Routing traffic from an interface back out that interface
+ continues to be a problem. While I firmly believe that this should
+ never happen, people continue to want to do it. To limit the damage
that such nonsense produces, I have added a new 'routeback' option in
/etc/shorewall/interfaces and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces,
the 'ZONE' column may not contain '-'; in other words, 'routeback' can't
-be used as an option for a multi-zone interface. The 'routeback' option
-CAN be specified however on individual group entries in /etc/shorewall/hosts.
-
- The 'routeback' option is similar to the old 'multi' option
-with two exceptions:
-
- a) The option pertains to a particular zone,interface,address
- tuple.
-
- b) The option only created infrastructure to pass traffic
-from (zone,interface,address) tuples back to themselves (the 'multi'
-option affected all (zone,interface,address) tuples associated with the
-given 'interface').
-
- See the 'Upgrade Issues' for
- information about how this new option may affect your configuration.
-
-
+ be used as an option for a multi-zone interface. The 'routeback' option
+ CAN be specified however on individual group entries in /etc/shorewall/hosts.
+
+ The 'routeback' option is similar to the old 'multi' option
+ with two exceptions:
+
+ a) The option pertains to a particular zone,interface,address
+ tuple.
+
+ b) The option only created infrastructure to pass traffic
+ from (zone,interface,address) tuples back to themselves (the 'multi'
+ option affected all (zone,interface,address) tuples associated with
+ the given 'interface').
+
+ See the 'Upgrade Issues'
+ for information about how this new option may affect your configuration.
+
+
-
+
3/24/2003 - Shorewall 1.4.1
-
+
@@ -280,955 +330,893 @@ given 'interface').
-
+
This release follows up on 1.4.0. It corrects a problem introduced in
1.4.0 and removes additional warts.
-
- Problems Corrected:
-
-
+
+ Problems Corrected:
+
+
- - When Shorewall 1.4.0 is run under the ash shell (such as
- on Bering/LEAF), it can attempt to add ECN disabling rules even if
-the /etc/shorewall/ecn file is empty. That problem has been corrected
-so that ECN disabling rules are only added if there are entries in /etc/shorewall/ecn.
-
+ - When Shorewall 1.4.0 is run under the ash shell (such
+ as on Bering/LEAF), it can attempt to add ECN disabling rules even
+if the /etc/shorewall/ecn file is empty. That problem has been corrected
+ so that ECN disabling rules are only added if there are entries in
+/etc/shorewall/ecn.
+
- New Features:
-
+ New Features:
+
Note: In the list that follows, the term group refers to
a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a
host address) accessed through a particular interface. Examples:
-
+
eth0:0.0.0.0/0
- eth2:192.168.1.0/24
- eth3:192.0.2.123
-
- You can use the "shorewall check" command to see the groups
-associated with each of your zones.
-
-
+ eth2:192.168.1.0/24
+ eth3:192.0.2.123
+
+ You can use the "shorewall check" command to see the groups
+ associated with each of your zones.
+
+
- - Beginning with Shorewall 1.4.1, if a zone Z comprises more
- than one group then if there is no explicit Z to Z policy and
-there are no rules governing traffic from Z to Z then Shorewall will permit
- all traffic between the groups in the zone.
- - Beginning with Shorewall 1.4.1, Shorewall will never create
- rules to handle traffic from a group to itself.
- - A NONE policy is introduced in 1.4.1. When a policy of
-NONE is specified from Z1 to Z2:
-
+ - Beginning with Shorewall 1.4.1, if a zone Z comprises
+ more than one group then if there is no explicit Z to Z policy
+ and there are no rules governing traffic from Z to Z then Shorewall will
+ permit all traffic between the groups in the zone.
+ - Beginning with Shorewall 1.4.1, Shorewall will never
+ create rules to handle traffic from a group to itself.
+ - A NONE policy is introduced in 1.4.1. When a policy
+of NONE is specified from Z1 to Z2:
+
-
+
- - There may be no rules created that govern connections from
- Z1 to Z2.
- - Shorewall will not create any infrastructure to handle
-traffic from Z1 to Z2.
-
+ - There may be no rules created that govern connections
+ from Z1 to Z2.
+ - Shorewall will not create any infrastructure to handle
+ traffic from Z1 to Z2.
+
- See the upgrade issues for
-a discussion of how these changes may affect your configuration.
-
+ See the upgrade issues
+for a discussion of how these changes may affect your configuration.
+
3/17/2003 - Shorewall 1.4.0
- Shorewall 1.4
- represents the next step in the evolution of Shorewall. The main
-thrust of the initial release is simply to remove the cruft that has
-accumulated in Shorewall over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute
- package ('ip' utility).
-
- Function from 1.3 that has been omitted from this version
- include:
-
+ Shorewall
+ 1.4 represents the next step in the evolution of Shorewall. The
+ main thrust of the initial release is simply to remove the cruft that
+ has accumulated in Shorewall over time.
+
+ IMPORTANT: Shorewall 1.4.0 requires the iproute
+ package ('ip' utility).
+
+ Function from 1.3 that has been omitted from this
+ version include:
+
- - The MERGE_HOSTS variable in shorewall.conf
-is no longer supported. Shorewall 1.4 behavior is the same as 1.3
-with MERGE_HOSTS=Yes.
-
-
- - Interface names of the form <device>:<integer>
- in /etc/shorewall/interfaces now generate an error.
-
-
- - Shorewall 1.4 implements behavior consistent with
- OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
- at startup as will specification of the 'noping' or 'filterping'
- interface options.
-
-
- - The 'routestopped' option in the /etc/shorewall/interfaces
- and /etc/shorewall/hosts files is no longer supported and will generate
- an error at startup if specified.
-
-
- - The Shorewall 1.2 syntax for DNAT and REDIRECT
-rules is no longer accepted.
-
-
- - The ALLOWRELATED variable in shorewall.conf is
-no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
- ALLOWRELATED=Yes.
-
-
- - The icmp.def file has been removed.
-
-
+ - The MERGE_HOSTS variable in shorewall.conf
+ is no longer supported. Shorewall 1.4 behavior is the same as 1.3
+ with MERGE_HOSTS=Yes.
+
+
+ - Interface names of the form <device>:<integer>
+ in /etc/shorewall/interfaces now generate an error.
+
+
+ - Shorewall 1.4 implements behavior consistent
+ with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate
+ an error at startup as will specification of the 'noping' or 'filterping'
+ interface options.
+
+
+ - The 'routestopped' option in the /etc/shorewall/interfaces
+ and /etc/shorewall/hosts files is no longer supported and will
+ generate an error at startup if specified.
+
+
+ - The Shorewall 1.2 syntax for DNAT and REDIRECT
+ rules is no longer accepted.
+
+
+ - The ALLOWRELATED variable in shorewall.conf
+ is no longer supported. Shorewall 1.4 behavior is the same as
+1.3 with ALLOWRELATED=Yes.
+
+
+ - The icmp.def file has been removed.
+
+
- Changes for 1.4 include:
-
+ Changes for 1.4 include:
+
- - The /etc/shorewall/shorewall.conf file has been
- completely reorganized into logical sections.
-
-
- - LOG is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - The firewall script and version file are now installed
- in /usr/share/shorewall.
-
-
- - Late arriving DNS replies are now silently dropped
- in the common chain by default.
-
-
- - In addition to behaving like OLD_PING_HANDLING=No,
- Shorewall 1.4 no longer unconditionally accepts outbound ICMP packets.
- So if you want to 'ping' from the firewall, you will need the appropriate
- rule or policy.
-
-
- - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - 802.11b devices with names of the form wlan<n>
-now support the 'maclist' option.
-
-
- - Explicit Congestion Notification (ECN - RFC 3168) may
- now be turned off on a host or network basis using the new /etc/shorewall/ecn
- file. To use this facility:
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-
- - The /etc/shorewall/params file is now processed first
- so that variables may be used in the /etc/shorewall/shorewall.conf
-file.
-
-
- - Shorewall now gives a more helpful diagnostic
- when the 'ipchains' compatibility kernel module is loaded and a 'shorewall
- start' command is issued.
-
-
- - The SHARED_DIR variable has been removed from shorewall.conf.
- This variable was for use by package maintainers and was not documented
- for general use.
-
-
- - Shorewall now ignores 'default' routes when detecting
-masq'd networks.
-
+ - The /etc/shorewall/shorewall.conf file has
+been completely reorganized into logical sections.
+
+
+ - LOG is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - The firewall script and version file are now
+ installed in /usr/share/shorewall.
+
+
+ - Late arriving DNS replies are now silently
+dropped in the common chain by default.
+
+
+ - In addition to behaving like OLD_PING_HANDLING=No,
+ Shorewall 1.4 no longer unconditionally accepts outbound ICMP
+packets. So if you want to 'ping' from the firewall, you will need
+the appropriate rule or policy.
+
+
+ - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - 802.11b devices with names of the form wlan<n>
+ now support the 'maclist' option.
+
+
+ - Explicit Congestion Notification (ECN - RFC 3168)
+ may now be turned off on a host or network basis using the new /etc/shorewall/ecn
+ file. To use this facility:
+
+ a) You must be running kernel 2.4.20
+ b) You must have applied the patch in
+ http://www.shorewall/net/pub/shorewall/ecn/patch.
+ c) You must have iptables 1.2.7a installed.
+
+
+ - The /etc/shorewall/params file is now processed
+first so that variables may be used in the /etc/shorewall/shorewall.conf
+ file.
+
+
+ - Shorewall now gives a more helpful diagnostic
+ when the 'ipchains' compatibility kernel module is loaded and a
+'shorewall start' command is issued.
+
+
+ - The SHARED_DIR variable has been removed from shorewall.conf.
+ This variable was for use by package maintainers and was not documented
+ for general use.
+
+
+ - Shorewall now ignores 'default' routes when detecting
+ masq'd networks.
+
-
+
3/10/2003 - Shoreall 1.3.14a
-
+
A roleup of the following bug fixes and other updates:
-
-
- - There is an updated rfc1918 file that reflects the resent
- allocation of 222.0.0.0/8 and 223.0.0.0/8.
-
-
- - The documentation for the routestopped file claimed that
- a comma-separated list could appear in the second column while the
- code only supported a single host or network address.
- - Log messages produced by 'logunclean' and 'dropunclean'
- were not rate-limited.
- - 802.11b devices with names of the form wlan<n>
- don't support the 'maclist' interface option.
- - Log messages generated by RFC 1918 filtering are not rate
- limited.
- - The firewall fails to start in the case where you have
-"eth0 eth1" in /etc/shorewall/masq and the default route is through eth1
-
+ - There is an updated rfc1918 file that reflects the
+resent allocation of 222.0.0.0/8 and 223.0.0.0/8.
+
-
+
+
+ - The documentation for the routestopped file claimed
+ that a comma-separated list could appear in the second column
+while the code only supported a single host or network address.
+ - Log messages produced by 'logunclean' and 'dropunclean'
+ were not rate-limited.
+ - 802.11b devices with names of the form wlan<n>
+ don't support the 'maclist' interface option.
+ - Log messages generated by RFC 1918 filtering are not
+ rate limited.
+ - The firewall fails to start in the case where you
+have "eth0 eth1" in /etc/shorewall/masq and the default route is through
+ eth1
+
+
+
2/8/2003 - Shoreawall 1.3.14
-
+
New features include
-
-
- - An OLD_PING_HANDLING option has been added
-to shorewall.conf. When set to Yes, Shorewall ping handling is
-as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping)
-is handled via rules and policies just like any other connection
- request. The FORWARDPING=Yes option in shorewall.conf and the
- 'noping' and 'filterping' options in /etc/shorewall/interfaces
-will all generate an error.
-
-
- - It is now possible to direct Shorewall to
-create a "label" such as "eth0:0" for IP addresses that it
-creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This
-is done by specifying the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names of the
-form $DEV.$VID (e.g., eth0.0)
-
-
- - In /etc/shorewall/tcrules, the MARK value may
- be optionally followed by ":" and either 'F' or 'P' to designate
- that the marking will occur in the FORWARD or PREROUTING chains respectively.
- If this additional specification is omitted, the chain used to mark
- packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN
- option in shorewall.conf.
-
-
- - When an interface name is entered in the SUBNET
- column of the /etc/shorewall/masq file, Shorewall previously
- masqueraded traffic from only the first subnet defined on that
- interface. It did not masquerade traffic from:
-
- a) The subnets associated with other addresses
- on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter
- an interface name in the SUBNET column, shorewall will use the
- firewall's routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
-
-
- [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you
-have multiple local subnets connected to an interface that
-is specified in the SUBNET column of an /etc/shorewall/masq entry,
-your /etc/shorewall/masq file will need changing. In most cases,
-you will simply be able to remove redundant entries. In some cases
-though, you might want to change from using the interface name to listing
-specific subnetworks if the change described above will cause masquerading
- to occur on subnetworks that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config
- is as follows:
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration
- is like this?
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the
- entry in /etc/shorewall/masq to:
-
-
-
- #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
-
-
- 2/5/2003 - Shorewall Support included in Webmin
- 1.060
-
-Webmin version 1.060 now has Shorewall support included as standard. See
- http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1
-
-Includes the Beta 2 content plus support for OpenVPN tunnels.
-
-1/28/2003 - Shorewall 1.3.14-Beta2
-Includes the Beta 1 content plus restores VLAN device names of the form
- $dev.$vid (e.g., eth0.1)
-
-1/25/2003 - Shorewall 1.3.14-Beta1
-
-
-The Beta includes the following changes:
-
-
- - An OLD_PING_HANDLING option has been
-added to shorewall.conf. When set to Yes, Shorewall ping handling
-is as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping)
-is handled via rules and policies just like any other connection
- request. The FORWARDPING=Yes option in shorewall.conf and the
- 'noping' and 'filterping' options in /etc/shorewall/interfaces
-will all generate an error.
-
-
- - It is now possible to direct Shorewall
- to create a "label" such as "eth0:0" for IP addresses that
-it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
- This is done by specifying the label instead of just the interface
+
- An OLD_PING_HANDLING option has been added
+ to shorewall.conf. When set to Yes, Shorewall ping handling
+ is as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping)
+ is handled via rules and policies just like any other connection
+ request. The FORWARDPING=Yes option in shorewall.conf and
+the 'noping' and 'filterping' options in /etc/shorewall/interfaces
+ will all generate an error.
+
+
+ - It is now possible to direct Shorewall
+to create a "label" such as "eth0:0" for IP addresses that
+it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
+This is done by specifying the label instead of just the interface
name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - When an interface name is entered in
-the SUBNET column of the /etc/shorewall/masq file, Shorewall
-previously masqueraded traffic from only the first subnet defined
-on that interface. It did not masquerade traffic from:
-
- a) The subnets associated with other addresses
- on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter
- an interface name in the SUBNET column, shorewall will use the
- firewall's routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - Support for OpenVPN Tunnels.
+
+
+ - Support for VLAN devices with names of
+the form $DEV.$VID (e.g., eth0.0)
+
+
+ - In /etc/shorewall/tcrules, the MARK value
+ may be optionally followed by ":" and either 'F' or 'P' to designate
+ that the marking will occur in the FORWARD or PREROUTING chains
+respectively. If this additional specification is omitted, the chain
+used to mark packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN
+ option in shorewall.conf.
+
+
+ - When an interface name is entered in the
+ SUBNET column of the /etc/shorewall/masq file, Shorewall previously
+ masqueraded traffic from only the first subnet defined on that
+ interface. It did not masquerade traffic from:
+
+ a) The subnets associated with other
+addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you
+enter an interface name in the SUBNET column, shorewall will
+use the firewall's routing table to construct the masquerading/SNAT
+rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
+
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you
-have multiple local subnets connected to an interface that
-is specified in the SUBNET column of an /etc/shorewall/masq entry,
-your /etc/shorewall/masq file will need changing. In most cases,
-you will simply be able to remove redundant entries. In some cases
-though, you might want to change from using the interface name to listing
-specific subnetworks if the change described above will cause masquerading
- to occur on subnetworks that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config
- is as follows:
-
+
+ When upgrading to Shorewall 1.3.14, if
+you have multiple local subnets connected to an interface
+that is specified in the SUBNET column of an /etc/shorewall/masq
+ entry, your /etc/shorewall/masq file will need changing. In
+most cases, you will simply be able to remove redundant entries.
+In some cases though, you might want to change from using the interface
+ name to listing specific subnetworks if the change described above
+will cause masquerading to occur on subnetworks that you don't wish
+to masquerade.
+
+ Example 2 -- Suppose that your current
+config is as follows:
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration
- is like this?
-
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration
+ is like this?
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the
- entry in /etc/shorewall/masq to:
+
+ In this case, you would want to change
+ the entry in /etc/shorewall/masq to:
-
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
+
+
+ 2/5/2003 - Shorewall Support included in
+Webmin 1.060
+Webmin version 1.060 now has Shorewall support included as standard. See
+ http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1
+
+Includes the Beta 2 content plus support for OpenVPN tunnels.
+
+1/28/2003 - Shorewall 1.3.14-Beta2
+
+Includes the Beta 1 content plus restores VLAN device names of the form
+ $dev.$vid (e.g., eth0.1)
+
+1/25/2003 - Shorewall 1.3.14-Beta1
+
+
+The Beta includes the following changes:
+
+
+
+ - An OLD_PING_HANDLING option has been
+ added to shorewall.conf. When set to Yes, Shorewall ping
+handling is as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping)
+ is handled via rules and policies just like any other connection
+ request. The FORWARDPING=Yes option in shorewall.conf and
+the 'noping' and 'filterping' options in /etc/shorewall/interfaces
+ will all generate an error.
+
+
+ - It is now possible to direct Shorewall
+ to create a "label" such as "eth0:0" for IP addresses that
+ it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
+ This is done by specifying the label instead of just the interface
+ name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - When an interface name is entered
+in the SUBNET column of the /etc/shorewall/masq file, Shorewall
+ previously masqueraded traffic from only the first subnet
+defined on that interface. It did not masquerade traffic from:
+
+ a) The subnets associated with other
+addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you
+enter an interface name in the SUBNET column, shorewall will
+use the firewall's routing table to construct the masquerading/SNAT
+rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
+
+
+
+ [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+
+ When upgrading to Shorewall 1.3.14, if
+you have multiple local subnets connected to an interface
+that is specified in the SUBNET column of an /etc/shorewall/masq
+ entry, your /etc/shorewall/masq file will need changing. In
+most cases, you will simply be able to remove redundant entries.
+In some cases though, you might want to change from using the interface
+ name to listing specific subnetworks if the change described above
+will cause masquerading to occur on subnetworks that you don't wish
+to masquerade.
+
+ Example 2 -- Suppose that your current
+config is as follows:
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration
+ is like this?
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, you would want to change
+ the entry in /etc/shorewall/masq to:
+
+
+
+ #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
-
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
- the PDF may be downloaded from
-
+
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
1/17/2003 - shorewall.net has MOVED
-
+
+
Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net
are now hosted on a system in Bellevue, Washington. A big thanks to Alex
for making this happen.
-
-
+
+
+
1/13/2003 - Shorewall 1.3.13
-
-
+
+
+
Just includes a few things that I had on the burner:
-
-
+
+
+
- - A new 'DNAT-' action has been added
- for entries in the /etc/shorewall/rules file. DNAT- is intended
- for advanced users who wish to minimize the number of rules
-that connection requests must traverse.
-
- A Shorewall DNAT rule actually generates
- two iptables rules: a header rewriting rule in the 'nat' table
- and an ACCEPT rule in the 'filter' table. A DNAT- rule only
-generates the first of these rules. This is handy when you have
- several DNAT rules that would generate the same ACCEPT rule.
-
- Here are three rules from my previous
- rules file:
-
- DNAT net dmz:206.124.146.177
-tcp smtp - 206.124.146.178
- DNAT net dmz:206.124.146.177
-tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177
-tcp www,smtp,ftp,...
-
- These three rules ended up generating
- _three_ copies of
-
- ACCEPT net dmz:206.124.146.177
- tcp smtp
-
- By writing the rules this way, I end
-up with only one copy of the ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177
-tcp smtp - 206.124.146.178
- DNAT- net dmz:206.124.146.177
-tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177
-tcp www,smtp,ftp,....
-
-
- - The 'shorewall check' command now
-prints out the applicable policy between each pair of zones.
-
-
- - A new CLEAR_TC option has been added
- to shorewall.conf. If this option is set to 'No' then Shorewall
- won't clear the current traffic control rules during [re]start.
- This setting is intended for use by people that prefer to configure
- traffic shaping when the network interfaces come up rather than when
- the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
- and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file.
- That way, your traffic shaping rules can still use the 'fwmark' classifier
- based on packet marking defined in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable has been
- added that allows distribution packagers to easily move the
- shared directory (default /usr/lib/shorewall). Users should
-never have a need to change the value of this shorewall.conf setting.
-
-
+ - A new 'DNAT-' action has been
+added for entries in the /etc/shorewall/rules file. DNAT-
+is intended for advanced users who wish to minimize the number
+ of rules that connection requests must traverse.
+
+ A Shorewall DNAT rule actually generates
+ two iptables rules: a header rewriting rule in the 'nat'
+table and an ACCEPT rule in the 'filter' table. A DNAT- rule
+only generates the first of these rules. This is handy when you
+have several DNAT rules that would generate the same ACCEPT rule.
+
+ Here are three rules from my previous
+ rules file:
+
+ DNAT net dmz:206.124.146.177
+ tcp smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177
+ tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177
+ tcp www,smtp,ftp,...
+
+ These three rules ended up generating
+ _three_ copies of
+
+ ACCEPT net dmz:206.124.146.177
+ tcp smtp
+
+ By writing the rules this way, I
+end up with only one copy of the ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177
+ tcp smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177
+ tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177
+ tcp www,smtp,ftp,....
+
+
+ - The 'shorewall check' command
+now prints out the applicable policy between each pair of
+zones.
+
+
+ - A new CLEAR_TC option has been
+ added to shorewall.conf. If this option is set to 'No' then
+ Shorewall won't clear the current traffic control rules during
+ [re]start. This setting is intended for use by people that prefer
+ to configure traffic shaping when the network interfaces come up
+rather than when the firewall is started. If that is what you want
+to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
+ file. That way, your traffic shaping rules can still use the 'fwmark'
+ classifier based on packet marking defined in /etc/shorewall/tcrules.
+
+
+ - A new SHARED_DIR variable has
+been added that allows distribution packagers to easily move
+the shared directory (default /usr/lib/shorewall). Users should
+ never have a need to change the value of this shorewall.conf
+ setting.
+
+
+
-
+
+
1/6/2003 - BURNOUT
-
+
+
Until further notice, I will not be involved in either Shorewall Development
- or Shorewall Support
-
+ or Shorewall Support
+
+
-Tom Eastep
-
-
+
+
+
12/30/2002 - Shorewall Documentation in PDF Format
-
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
- the PDF may be downloaded from
+ the PDF may be downloaded from
-
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
+
+
+
+12/27/2002 - Shorewall 1.3.12 Released
+
+
+ Features include:
-
-12/27/2002 - Shorewall 1.3.12 Released
-
- Features include:
-
-
+
- - "shorewall refresh" now reloads
- the traffic shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start" now
- turns off debugging after an error occurs. This places
-the point of the failure near the end of the trace rather
-than up in the middle of it.
- - "shorewall [re]start" has been
-speeded up by more than 40% with my configuration. Your milage
-may vary.
- - A "shorewall show classifiers"
-command has been added which shows the current packet classification
- filters. The output from this command is also added as
-a separate page in "shorewall monitor"
- - ULOG (must be all caps) is now
-accepted as a valid syslog level and causes the subject
-packets to be logged using the ULOG target rather than the
-LOG target. This allows you to run ulogd (available from "shorewall refresh" now reloads
+ the traffic shaping rules (tcrules and tcstart).
+ - "shorewall debug [re]start"
+ now turns off debugging after an error occurs. This
+places the point of the failure near the end of the trace
+rather than up in the middle of it.
+ - "shorewall [re]start" has
+been speeded up by more than 40% with my configuration.
+Your milage may vary.
+ - A "shorewall show classifiers"
+ command has been added which shows the current packet
+ classification filters. The output from this command is
+ also added as a separate page in "shorewall monitor"
+ - ULOG (must be all caps) is
+now accepted as a valid syslog level and causes the subject
+ packets to be logged using the ULOG target rather than the
+ LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages to a separate log file.
- - If you are running a kernel that
- has a FORWARD chain in the mangle table ("shorewall show
- mangle" will show you the chains in the mangle table), you
- can set MARK_IN_FORWARD_CHAIN=Yes in If you are running a kernel
+ that has a FORWARD chain in the mangle table ("shorewall
+ show mangle" will show you the chains in the mangle table),
+ you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for
marking input packets based on their destination even when you
are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall
- directory with empty 'init', 'start', 'stop' and 'stopped'
- files. If you already have a file with one of these names,
-don't worry -- the upgrade process won't overwrite your file.
- - I have added a new RFC1918_LOG_LEVEL
- variable to shorewall.conf.
- This variable specifies the syslog level at which packets
- are logged as a result of entries in the /etc/shorewall/rfc1918
- file. Previously, these packets were always logged at the 'info'
- level.
-
-
-
-
-12/20/2002 - Shorewall 1.3.12 Beta 3
-
- This version corrects a problem with
- Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL was
-set to anything but ULOG, the firewall would fail to start and
-"shorewall refresh" would also fail.
+ I have cluttered up the /etc/shorewall
+ directory with empty 'init', 'start', 'stop' and 'stopped'
+ files. If you already have a file with one of these names,
+ don't worry -- the upgrade process won't overwrite your file.
+ I have added a new RFC1918_LOG_LEVEL
+ variable to shorewall.conf.
+ This variable specifies the syslog level at which packets
+ are logged as a result of entries in the /etc/shorewall/rfc1918
+ file. Previously, these packets were always logged at the 'info'
+ level.
+
-
+
+
+
+
+12/20/2002 - Shorewall 1.3.12 Beta 3
+
+ This version corrects a problem
+with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
+ was set to anything but ULOG, the firewall would fail to start
+and "shorewall refresh" would also fail.
+
+
12/20/2002 - Shorewall 1.3.12 Beta 2
-
+
The first public Beta version of Shorewall 1.3.12 is now available (Beta
- 1 was made available only to a limited audience).
-
- Features include:
+ 1 was made available only to a limited audience).
+
+ Features include:
-
+
- - "shorewall refresh" now reloads
- the traffic shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start"
- now turns off debugging after an error occurs. This places
- the point of the failure near the end of the trace rather than
- up in the middle of it.
- - "shorewall [re]start" has
-been speeded up by more than 40% with my configuration. Your
-milage may vary.
- - A "shorewall show classifiers"
- command has been added which shows the current packet
-classification filters. The output from this command is also
-added as a separate page in "shorewall monitor"
- - ULOG (must be all caps) is
- now accepted as a valid syslog level and causes the subject
- packets to be logged using the ULOG target rather than the
-LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages "shorewall refresh" now
+ reloads the traffic shaping rules (tcrules and tcstart).
+ - "shorewall debug [re]start"
+ now turns off debugging after an error occurs. This
+places the point of the failure near the end of the trace rather
+ than up in the middle of it.
+ - "shorewall [re]start"
+has been speeded up by more than 40% with my configuration.
+ Your milage may vary.
+ - A "shorewall show classifiers"
+ command has been added which shows the current packet
+ classification filters. The output from this command is
+ also added as a separate page in "shorewall monitor"
+ - ULOG (must be all caps)
+ is now accepted as a valid syslog level and causes the
+ subject packets to be logged using the ULOG target rather than
+ the LOG target. This allows you to run ulogd (available from
+ http://www.gnumonks.org/projects/ulogd)
+ and log all Shorewall messages to a separate log file.
- - If you are running a kernel
- that has a FORWARD chain in the mangle table ("shorewall
- show mangle" will show you the chains in the mangle table),
- you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This
- allows for marking input packets based on their destination even
- when you are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall
- directory with empty 'init', 'start', 'stop' and 'stopped'
- files. If you already have a file with one of these names,
- don't worry -- the upgrade process won't overwrite your file.
+ - If you are running a
+kernel that has a FORWARD chain in the mangle table
+("shorewall show mangle" will show you the chains in the mangle
+table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
+ This allows for marking input packets based on their destination
+even when you are using Masquerading or SNAT.
+ - I have cluttered up the
+ /etc/shorewall directory with empty 'init', 'start',
+'stop' and 'stopped' files. If you already have a file with
+one of these names, don't worry -- the upgrade process won't overwrite
+ your file.
-
+
- You may download the Beta from:
+ You may download the Beta from:
-
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
+
-
+
12/12/2002 - Mandrake Multi Network Firewall 
-
- Shorewall is at the center of
- MandrakeSoft's recently-announced
+ Shorewall is at the center
+ of MandrakeSoft's recently-announced Multi
- Network Firewall (MNF) product. Here is the
product. Here is the press
- release.
+ release.
-
+
12/7/2002 - Shorewall Support for Mandrake 9.0
-
+
Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
- I have installed 9.0 on one of my systems and I am
-now in a position to support Shorewall users who run Mandrake
- 9.0.
+ I have installed 9.0 on one of my systems and I
+am now in a position to support Shorewall users who run
+Mandrake 9.0.
-
+
12/6/2002 - Debian 1.3.11a Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
12/3/2002 - Shorewall 1.3.11a
-
+
This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
- excluded subnets (e.g., "DNAT foo!bar ..."). Current
- 1.3.11 users who don't need rules of this type need not
- upgrade to 1.3.11.
+ excluded subnets (e.g., "DNAT foo!bar ..."). Current
+ 1.3.11 users who don't need rules of this type need
+not upgrade to 1.3.11.
-
+
11/24/2002 - Shorewall 1.3.11
-
+
In this version:
-
+
- - A 'tcpflags' option
- has been added to entries in A 'tcpflags' option
+ has been added to entries in /etc/shorewall/interfaces.
This option causes Shorewall to make a set of sanity check on TCP
packet header flags.
- - It is now allowed
-to use 'all' in the SOURCE or DEST column in a rule. When used, 'all' must
-appear by itself (in may not be qualified) and it does not enable
+
- It is now allowed
+ to use 'all' in the SOURCE or DEST column in a
+ rule. When used, 'all'
+must appear by itself (in may not be qualified) and it does not enable
intra-zone traffic. For example, the rule
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic
- from 'loc' to 'loc'.
- - Shorewall's use of
-the 'echo' command is now compatible with bash clones
-such as ash and dash.
- - fw->fw policies
-now generate a startup error. fw->fw rules generate
- a warning and are ignored
+
+ ACCEPT loc all tcp
+ 80
+
+ does not enable http
+traffic from 'loc' to 'loc'.
+ - Shorewall's use
+ of the 'echo' command is now compatible with bash
+clones such as ash and dash.
+ - fw->fw policies
+ now generate a startup error. fw->fw rules generate
+ a warning and are ignored
-
+
-
+
11/14/2002 - Shorewall Documentation in PDF Format
-
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
- the PDF may be downloaded from
+ the PDF may be downloaded from
-
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
-
+
11/09/2002 - Shorewall is Back at SourceForge
-
+
The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
+
-
+
11/09/2002 - Shorewall 1.3.10
-
+
In this version:
-
+
- - You may now define the contents of a zone dynamically
- with the "shorewall
- add" and "shorewall delete" commands. These commands
- are expected to be used primarily within
- FreeS/Wan updown
- scripts.
- - Shorewall can now
- do MAC verification on ethernet
- segments. You can specify the set of allowed MAC addresses on
-the segment and you can optionally tie each MAC address to one or more
- IP addresses.
- - PPTP Servers and
- Clients running on the firewall system may now be
- defined in the /etc/shorewall/tunnels
-file.
- - A new 'ipsecnat'
- tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
- - The PATH used by
- Shorewall may now be specified in You may now
+ define the contents of a zone
+ dynamically with the "shorewall add" and
+ "shorewall delete" commands. These commands are
+expected to be used primarily within FreeS/Wan updown
+ scripts.
+ - Shorewall can
+ now do MAC verification on
+ ethernet segments. You can specify the set of allowed MAC addresses
+ on the segment and you can optionally tie each MAC address to one
+ or more IP addresses.
+ - PPTP Servers
+ and Clients running on the firewall system may now
+ be defined in the /etc/shorewall/tunnels
+ file.
+ - A new 'ipsecnat'
+ tunnel type is supported for use when the
+ remote IPSEC endpoint is behind a NAT
+ gateway.
+ - The PATH used
+ by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
- - The main firewall
- script is now /usr/lib/shorewall/firewall. The script
- in /etc/init.d/shorewall is very small and uses /sbin/shorewall
- to do the real work. This change makes custom distributions
- such as for Debian and for Gentoo easier to manage since
- it is /etc/init.d/shorewall that tends to have distribution-dependent
- code
+ - The main firewall
+ script is now /usr/lib/shorewall/firewall. The script
+ in /etc/init.d/shorewall is very small and uses /sbin/shorewall
+ to do the real work. This change makes custom distributions
+ such as for Debian and for Gentoo easier to manage since
+ it is /etc/init.d/shorewall that tends to have distribution-dependent
+ code
-
+
-
+
10/24/2002 - Shorewall is now in Gentoo Linux
-
- Alexandru Hartmann
-reports that his Shorewall package is now a part of
-
the Gentoo Linux distribution.
- Thanks Alex!
+
+ Alexandru Hartmann
+ reports that his Shorewall package is now a part
+ of
the Gentoo Linux distribution.
+ Thanks Alex!
+
+
+
10/23/2002 - Shorewall 1.3.10 Beta 1
+ In this version:
+
+
+
+ You may download
+ the Beta from:
- - You may now define the contents of a zone dynamically
- with the "shorewall
- add" and "shorewall delete" commands. These commands
- are expected to be used primarily within
- FreeS/Wan updown
- scripts.
- - Shorewall can
-now do MAC verification on
-ethernet segments. You can specify the set of allowed
-MAC addresses on the segment and you can optionally tie
- each MAC address to one or more IP addresses.
- - PPTP Servers and
- Clients running on the firewall system may now be
- defined in the /etc/shorewall/tunnels file.
- - A new 'ipsecnat'
- tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
- - The PATH used
-by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
- - The main firewall
- script is now /usr/lib/shorewall/firewall. The script
- in /etc/init.d/shorewall is very small and uses /sbin/shorewall
- to do the real work. This change makes custom distributions
- such as for Debian and for Gentoo easier to manage since
- it is /etc/init.d/shorewall that tends to have distribution-dependent
- code.
-
-
-
- You may download the
- Beta from:
-
-
-
-
-
10/10/2002 - Debian 1.3.9b Packages Available
-
-
-
-
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-
-
10/9/2002 - Shorewall 1.3.9b
- This release rolls
-up fixes to the installer and to the firewall script.
-
-
-
10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall and
-server here at shorewall.net are now running RedHat
- release 8.0.
-
- 9/30/2002 - Shorewall
- 1.3.9a
- Roles up the fix
-for broken tunnels.
-
-
9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated
- firewall script at
ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
- -- copy that file to /usr/lib/shorewall/firewall.
+
10/10/2002 - Debian 1.3.9b Packages Available
+
-
-
9/28/2002 - Shorewall 1.3.9
-
-
-
In this version:
-
-
-
-
- - DNS Names are
-now allowed in Shorewall config files (although I recommend against
- using them).
- - The connection
- SOURCE may now be qualified by both interface and
- IP address in a Shorewall
- rule.
- - Shorewall
- startup is now disabled after initial installation
- until the file /etc/shorewall/startup_disabled is removed.
- This avoids nasty surprises during reboot for users who
- install Shorewall but don't configure it.
- - The 'functions'
- and 'version' files and the 'firewall' symbolic
- link have been moved from /var/lib/shorewall to /usr/lib/shorewall
- to appease the LFS police at Debian.
-
-
-
-
-
-
-
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
-
- A couple
-of recent configuration changes at www.shorewall.net
- broke the Search facility:
-
-
-
-
-
-
-
- - Mailing
- List Archive Search was not available.
- - The
-Site Search index was incomplete
- - Only
- one page of matches was presented.
-
-
-
-
-
-
- Hopefully
- these problems are now corrected.
-
-
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- A couple of
- recent configuration changes at www.shorewall.net
- had the negative effect of breaking the Search facility:
-
-
-
- - Mailing
- List Archive Search was not available.
- - The
-Site Search index was incomplete
- - Only
-one page of matches was presented.
-
-
-
- Hopefully
-these problems are now corrected.
-
-
-
9/18/2002 - Debian 1.3.8 Packages Available
-
-
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-
9/16/2002 - Shorewall 1.3.8
+
+
10/9/2002 - Shorewall 1.3.9b
+ This release rolls
+ up fixes to the installer and to the firewall script.
+
+
+
10/6/2002 - Shorewall.net now running on RH8.0
+
+ The firewall
+and server here at shorewall.net are now running RedHat
+ release 8.0.
+
+
+ 9/30/2002 - Shorewall
+ 1.3.9a
+ Roles up the
+fix for broken tunnels.
+
+
+
9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is an
+updated firewall script at
ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
+ -- copy that file to /usr/lib/shorewall/firewall.
+
+
+
9/28/2002 - Shorewall 1.3.9
In this version:
@@ -1236,700 +1224,808 @@ these problems are now corrected.
- - A
- NEWNOTSYN option has
-been added to shorewall.conf. This option determines whether Shorewall
- accepts TCP packets which are not part of an established
- connection and that are not 'SYN' packets (SYN flag
- on and ACK flag off).
+ - DNS Names are
+now allowed in Shorewall config files (although I recommend against
+ using them).
- The
- need for the 'multi' option to communicate between
- zones za and zb on the same interface is removed in the
- case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb'
- will exist if:
+ connection SOURCE may now be qualified by both interface
+ and IP address in a Shorewall
+ rule.
+ - Shorewall
+ startup is now disabled after initial installation
+ until the file /etc/shorewall/startup_disabled is removed.
+ This avoids nasty surprises during reboot for users
+who install Shorewall but don't configure it.
+ - The
+'functions' and 'version' files and the 'firewall'
+ symbolic link have been moved from /var/lib/shorewall
+ to /usr/lib/shorewall to appease the LFS police at
+Debian.
+
+
+
+
+
+
+
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+
+
+
+ A couple
+ of recent configuration changes at www.shorewall.net
+ broke the Search facility:
+
+
+
+
+
+
+
+ - Mailing
+ List Archive Search was not available.
+ - The
+ Site Search index was incomplete
+ - Only
+ one page of matches was presented.
+
+
+
+ Hopefully
+ these problems are now corrected.
+
+
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+ A couple
+ of recent configuration changes at www.shorewall.net
+ had the negative effect of breaking the Search facility:
+
+
+
+ - Mailing
+ List Archive Search was not available.
+ - The
+ Site Search index was incomplete
+ - Only
+ one page of matches was presented.
+
+
+
+ Hopefully
+ these problems are now corrected.
+
+
+
9/18/2002 - Debian 1.3.8 Packages Available
+
+
+
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+
+
+
9/16/2002 - Shorewall 1.3.8
+
+
+
In this version:
+
+
+
+
+ - A
+ NEWNOTSYN option has
+ been added to shorewall.conf. This option determines whether Shorewall
+ accepts TCP packets which are not part of an established
+ connection and that are not 'SYN' packets (SYN flag
+ on and ACK flag off).
+ - The
+ need for the 'multi' option to communicate between
+ zones za and zb on the same interface is removed in
+the case where the chain 'za2zb' and/or 'zb2za' exists.
+ 'za2zb' will exist if:
+
+
+
+
- -
- There is a policy for za to zb; or
- - There is at least one rule for za to zb.
+ - There is a policy for za to zb; or
+
+
+ - There is at least one rule for za to zb.
-
+
-
+
-
+
+
- - The
- /etc/shorewall/blacklist file now contains three columns.
- In addition to the SUBNET/ADDRESS column, there are
- optional PROTOCOL and PORT columns to block only certain
- applications from the blacklisted addresses.
-
+ - The
+ /etc/shorewall/blacklist file now contains three
+ columns. In addition to the SUBNET/ADDRESS column, there
+ are optional PROTOCOL and PORT columns to block only certain
+ applications from the blacklisted addresses.
+
-
+
-
+
9/11/2002 - Debian 1.3.7c Packages Available
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/2/2002 - Shorewall 1.3.7c
-
+
This is a role up of a fix for "DNAT" rules where the source zone is $FW
- (fw).
+ (fw).
-
+
8/31/2002 - I'm not available
-
+
I'm currently on vacation -- please respect my need for a couple of
weeks free of Shorewall problem reports.
-
+
-Tom
-
+
8/26/2002 - Shorewall 1.3.7b
-
+
This is a role up of the "shorewall refresh" bug fix and the change which
- reverses the order of "dhcp" and "norfc1918"
- checking.
+ reverses the order of "dhcp" and "norfc1918"
+ checking.
-
+
8/26/2002 - French FTP Mirror is Operational
-
+
ftp://france.shorewall.net/pub/mirrors/shorewall
- is now available.
+ is now available.
-
+
8/25/2002 - Shorewall Mirror in France
-
+
Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
- at http://france.shorewall.net.
-
+
8/25/2002 - Shorewall 1.3.7a Debian Packages Available
-
+
Lorenzo Martignoni reports that the packages for version 1.3.7a are available
- at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
- -- Shorewall 1.3.7a released
-
+
-
+
1.3.7a corrects problems occurring in rules file processing when starting
- Shorewall 1.3.7.
+ Shorewall 1.3.7.
-
+
8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
-
+
Features in this release include:
-
+
- - The
- 'icmp.def' file is now empty! The rules in that file
- were required in ipchains firewalls but are not
-required in Shorewall. Users who have ALLOWRELATED=No
- in shorewall.conf should
- see the Upgrade Issues.
- - A
- 'FORWARDPING' option has been added to shorewall.conf. The effect
- of setting this variable to Yes is the same as
- the effect of adding an ACCEPT rule for ICMP echo-request
- in /etc/shorewall/icmpdef.
- Users who have such a rule in icmpdef are
- encouraged to switch to FORWARDPING=Yes.
- - The
- loopback CLASS A Network (127.0.0.0/8) has been added
- to the rfc1918 file.
- - Shorewall
- now works with iptables 1.2.7
- - The
- documentation and web site no longer uses FrontPage
- themes.
-
+ - The 'icmp.def' file is now empty! The rules
+in that file were required in ipchains firewalls
+ but are not required in Shorewall. Users who have
+ ALLOWRELATED=No in shorewall.conf
+ should see the Upgrade Issues.
+
+ - A 'FORWARDPING' option has been added to
+ shorewall.conf. The
+effect of setting this variable to Yes is the same
+ as the effect of adding an ACCEPT rule for ICMP
+echo-request in /etc/shorewall/icmpdef.
+ Users who have such a rule in icmpdef are
+ encouraged to switch to FORWARDPING=Yes.
+
+ - The loopback CLASS A Network (127.0.0.0/8)
+has been added to the rfc1918 file.
+
+ - Shorewall now works with iptables 1.2.7
+
+ - The documentation and web site no longer uses
+ FrontPage themes.
+
+
-
+
I would like to thank John Distler for his valuable input regarding TCP
- SYN and ICMP treatment in Shorewall. That
- input has led to marked improvement in Shorewall
- in the last two releases.
+ SYN and ICMP treatment in Shorewall.
+That input has led to marked improvement in
+ Shorewall in the last two releases.
-
+
8/13/2002 - Documentation in the CVS Repository
-
+
The Shorewall-docs project now contains just the HTML and image files
- the Frontpage files have been removed.
-
+
8/7/2002 - STABLE branch added to CVS Repository
-
+
This branch will only be updated after I release a new version of Shorewall
- so you can always update from this branch
- to get the latest stable tree.
+ so you can always update from this branch
+ to get the latest stable tree.
-
+
8/7/2002 - Upgrade Issues section
added to the Errata Page
-
+
Now there is one place to go to look for issues involved with upgrading
- to recent versions of Shorewall.
+ to recent versions of Shorewall.
-
+
8/7/2002 - Shorewall 1.3.6
-
+
This is primarily a bug-fix rollup with a couple of new features:
-
+
-
+
7/30/2002 - Shorewall 1.3.5b Released
-
+
This interim release:
-
+
- - Causes
- the firewall script to remove the lock file if it
- is killed.
- - Once
- again allows lists in the second column of the
- /etc/shorewall/hosts
-file.
- - Includes
- the latest QuickStart
- Guides.
-
+ - Causes the firewall script to remove the lock
+ file if it is killed.
+
+ - Once again allows lists in the second column
+ of the /etc/shorewall/hosts
+ file.
+
+ - Includes the latest QuickStart Guides.
+
+
-
+
7/29/2002 - New Shorewall Setup Guide Available
-
+
The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm.
- The guide is intended for use by people
- who are setting up Shorewall to manage multiple
- public IP addresses and by people who want to learn
- more about Shorewall than is described in the single-address
- guides. Feedback on the new guide is welcome.
+ The guide is intended for use by people
+ who are setting up Shorewall to manage multiple
+ public IP addresses and by people who want to learn
+ more about Shorewall than is described in the single-address
+ guides. Feedback on the new guide is welcome.
-
+
7/28/2002 - Shorewall 1.3.5 Debian Package Available
-
+
Lorenzo Martignoni reports that the packages are version 1.3.5a and are
- available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/27/2002 - Shorewall 1.3.5a Released
-
+
This interim release restores correct handling of REDIRECT rules.
-
+
7/26/2002 - Shorewall 1.3.5 Released
-
+
This will be the last Shorewall release for a while. I'm going to be
focusing on rewriting a lot of the documentation.
-
+
In this version:
-
+
- - Empty
- and invalid source and destination qualifiers are
- now detected in the rules file. It is a good idea to
- use the 'shorewall check' command before you issue
- a 'shorewall restart' command be be sure that you don't have
- any configuration problems that will prevent a successful
- restart.
- - Added
- MERGE_HOSTS variable in shorewall.conf to provide
- saner behavior of the /etc/shorewall/hosts
- file.
- - The
- time that the counters were last reset is now displayed
- in the heading of the 'status' and 'show' commands.
- - A
- proxyarp option has been added for entries
- in /etc/shorewall/interfaces.
- This option facilitates Proxy ARP sub-netting as described
- in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
- Specifying the proxyarp option for an
- interface causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
- - The
- Samples have been updated to reflect the new capabilities
- in this release.
-
+ - Empty and invalid source and destination qualifiers
+ are now detected in the rules file. It is a good
+ idea to use the 'shorewall check' command before
+ you issue a 'shorewall restart' command be be sure that you
+don't have any configuration problems that will prevent
+ a successful restart.
+
+ - Added MERGE_HOSTS variable in shorewall.conf to provide
+ saner behavior of the /etc/shorewall/hosts
+ file.
+
+ - The time that the counters were last reset is
+ now displayed in the heading of the 'status' and
+ 'show' commands.
+
+ - A proxyarp option has been added
+ for entries in /etc/shorewall/interfaces.
+ This option facilitates Proxy ARP sub-netting as described
+ in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
+ Specifying the proxyarp option for
+an interface causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+
+ - The Samples have been updated to reflect the
+ new capabilities in this release.
+
+
-
+
7/16/2002 - New Mirror in Argentina
-
+
Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
- Argentina. Thanks Buanzo!!!
+ Argentina. Thanks Buanzo!!!
-
+
7/16/2002 - Shorewall 1.3.4 Released
-
+
In this version:
-
+
- - A
- new /etc/shorewall/routestopped
- file has been added. This file is intended
-to eventually replace the routestopped
-option in the /etc/shorewall/interface and /etc/shorewall/hosts
- files. This new file makes remote firewall administration
- easier by allowing any IP or subnet to be enabled while
- Shorewall is stopped.
- - An
- /etc/shorewall/stopped extension script has been
- added. This script is invoked after Shorewall has
- stopped.
- - A
- DETECT_DNAT_ADDRS option has been added
- to /etc/shoreall/shorewall.conf.
- When this option is selected, DNAT rules only apply
- when the destination address is the external
- interface's primary IP address.
- - The
- QuickStart Guide
- has been broken into three guides and has been
- almost entirely rewritten.
- - The
- Samples have been updated to reflect the new capabilities
- in this release.
-
+ - A new /etc/shorewall/routestopped
+ file has been added. This file is intended
+ to eventually replace the routestopped
+ option in the /etc/shorewall/interface and /etc/shorewall/hosts
+ files. This new file makes remote firewall administration
+ easier by allowing any IP or subnet to be enabled
+ while Shorewall is stopped.
+
+ - An /etc/shorewall/stopped extension script has been
+ added. This script is invoked after Shorewall
+has stopped.
+
+ - A DETECT_DNAT_ADDRS option has
+been added to /etc/shoreall/shorewall.conf.
+ When this option is selected, DNAT rules only
+apply when the destination address is the
+ external interface's primary IP address.
+
+ - The QuickStart
+ Guide has been broken into three guides
+and has been almost entirely rewritten.
+
+ - The Samples have been updated to reflect the
+ new capabilities in this release.
+
+
-
+
7/8/2002 - Shorewall 1.3.3 Debian Package Available
-
+
Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/6/2002 - Shorewall 1.3.3 Released
-
+
In this version:
-
+
- - Entries
- in /etc/shorewall/interface that use the wildcard
- character ("+") now have the "multi" option assumed.
- - The
- 'rfc1918' chain in the mangle table has been renamed
- 'man1918' to make log messages generated from that
- chain distinguishable from those generated by the
- 'rfc1918' chain in the filter table.
- - Interface
- names appearing in the hosts file are now validated
- against the interfaces file.
- - The
- TARGET column in the rfc1918 file is now checked for
- correctness.
- - The
- chain structure in the nat table has been changed
- to reduce the number of rules that a packet must traverse
- and to correct problems with NAT_BEFORE_RULES=No
- - The
- "hits" command has been enhanced.
-
+ - Entries in /etc/shorewall/interface that use
+ the wildcard character ("+") now have the "multi"
+ option assumed.
+
+ - The 'rfc1918' chain in the mangle table has
+ been renamed 'man1918' to make log messages generated
+ from that chain distinguishable from those generated
+ by the 'rfc1918' chain in the filter table.
+
+ - Interface names appearing in the hosts file
+ are now validated against the interfaces file.
+
+ - The TARGET column in the rfc1918 file is now
+ checked for correctness.
+
+ - The chain structure in the nat table has been
+ changed to reduce the number of rules that a packet
+ must traverse and to correct problems with NAT_BEFORE_RULES=No
+
+ - The "hits" command has been enhanced.
+
+
-
+
6/25/2002 - Samples Updated for 1.3.2
-
+
The comments in the sample configuration files have been updated to reflect
- new features introduced in Shorewall 1.3.2.
+ new features introduced in Shorewall
+1.3.2.
-
+
6/25/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/19/2002 - Documentation Available in PDF Format
-
+
Thanks to Mike Martinez, the Shorewall Documentation is now available
for download in Adobe PDF format.
-
+
6/16/2002 - Shorewall 1.3.2 Released
-
+
In this version:
-
+
-
+
6/6/2002 - Why CVS Web access is Password Protected
-
+
Last weekend, I installed the CVS Web package to provide brower-based
access to the Shorewall CVS repository. Since then, I have had several
instances where my server was almost unusable due to the high load generated
by website copying tools like HTTrack and WebStripper. These mindless tools:
-
+
- - Ignore
- robot.txt files.
- - Recursively
- copy everything that they find.
- - Should
- be classified as weapons rather than tools.
-
+ - Ignore robot.txt files.
+
+ - Recursively copy everything that they find.
+
+ - Should be classified as weapons rather than tools.
+
+
-
+
These tools/weapons are particularly damaging when combined with CVS Web
- because they doggedly follow every link
- in the cgi-generated HTML resulting in 1000s
- of executions of the cvsweb.cgi script. Yesterday,
-I spend several hours implementing measures to block these
- tools but unfortunately, these measures resulted in
-my server OOM-ing under even moderate load.
+ because they doggedly follow every link
+ in the cgi-generated HTML resulting in 1000s
+ of executions of the cvsweb.cgi script. Yesterday,
+ I spend several hours implementing measures to block
+these tools but unfortunately, these measures resulted
+ in my server OOM-ing under even moderate load.
-
+
Until I have the time to understand the cause of the OOM (or until I buy
- more RAM if that is what is required),
-CVS Web access will remain Password Protected.
-
+ more RAM if that is what is required),
+ CVS Web access will remain Password Protected.
+
-
+
6/5/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/2/2002 - Samples Corrected
-
+
The 1.3.0 samples configurations had several serious problems that prevented
- DNS and SSH from working properly. These
- problems have been corrected in the 1.3.1 samples.
-
+
6/1/2002 - Shorewall 1.3.1 Released
-
+
Hot on the heels of 1.3.0, this release:
-
+
-
+
5/29/2002 - Shorewall 1.3.0 Released
-
+
In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
includes:
-
+
- - A
- 'filterping' interface option that allows ICMP echo-request
- (ping) requests addressed to the firewall to
-be handled by entries in /etc/shorewall/rules and /etc/shorewall/policy.
-
+ - A 'filterping' interface option that allows
+ICMP echo-request (ping) requests addressed
+to the firewall to be handled by entries in /etc/shorewall/rules
+ and /etc/shorewall/policy.
+
+
-
+
5/23/2002 - Shorewall 1.3 RC1 Available
-
+
In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
incorporates the following:
-
+
- - Support
- for the /etc/shorewall/whitelist file has been withdrawn.
- If you need whitelisting, see these instructions.
-
+ - Support for the /etc/shorewall/whitelist file
+ has been withdrawn. If you need whitelisting, see
+ these instructions.
+
+
-
+
5/19/2002 - Shorewall 1.3 Beta 2 Available
-
+
In addition to the changes in Beta 1, this release which carries the
designation 1.2.91 adds:
-
+
- - The
- structure of the firewall is changed markedly. There
- is now an INPUT and a FORWARD chain for each interface;
- this reduces the number of rules that a packet
-must traverse, especially in complicated setups.
- - Sub-zones may now be excluded
- from DNAT and REDIRECT rules.
- - The
- names of the columns in a number of the configuration
- files have been changed to be more consistent
-and self-explanatory and the documentation has been
- updated accordingly.
- - The
- sample configurations have been updated for 1.3.
-
+ - The structure of the firewall is changed markedly.
+ There is now an INPUT and a FORWARD chain for each
+ interface; this reduces the number of rules that
+ a packet must traverse, especially in complicated setups.
+
+ - Sub-zones may now be
+ excluded from DNAT and REDIRECT rules.
+
+ - The names of the columns in a number of the
+configuration files have been changed to be more
+ consistent and self-explanatory and the documentation
+ has been updated accordingly.
+
+ - The sample configurations have been updated
+for 1.3.
+
+
-
+
5/17/2002 - Shorewall 1.3 Beta 1 Available
-
+
Beta 1 carries the version designation 1.2.90 and implements the following
- features:
+ features:
-
+
- - Simplified
- rule syntax which makes the intent of each rule
- clearer and hopefully makes Shorewall easier to learn.
- - Upward
- compatibility with 1.2 configuration files has
- been maintained so that current users can migrate
- to the new syntax at their convenience.
- - WARNING: Compatibility with the old
- parameterized sample configurations has NOT been maintained.
- Users still running those configurations should migrate
- to the new sample configurations before upgrading
- to 1.3 Beta 1.
-
+ - Simplified rule syntax which makes the intent
+ of each rule clearer and hopefully makes Shorewall
+ easier to learn.
+
+ - Upward compatibility with 1.2 configuration
+ files has been maintained so that current users can
+migrate to the new syntax at their convenience.
+
+ - WARNING: Compatibility with
+ the old parameterized sample configurations has NOT been
+ maintained. Users still running those configurations
+should migrate to the new sample configurations
+ before upgrading to 1.3 Beta 1.
+
+
-
+
5/4/2002 - Shorewall 1.2.13 is Available
-
+
In this version:
-
+
-
+
4/30/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
Debian
Testing Branch and the .
-
+
4/20/2002 - Shorewall 1.2.12 is Available
-
+
- - The
- 'try' command works again
- - There
- is now a single RPM that also works with SuSE.
-
+ - The 'try' command works again
+
+ - There is now a single RPM that also works with
+ SuSE.
+
+
-
+
4/17/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that:
-
+
-
+
Thanks, Lorenzo!
-
+
4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
-
+
Thanks to Stefan Mohr, there
- is now a Shorewall 1.2.11
- SuSE RPM available.
+ SuSE RPM available.
-
+
4/13/2002 - Shorewall 1.2.11 Available
-
+
In this version:
-
+
- - The
- 'try' command now accepts an optional timeout. If
- the timeout is given in the command, the standard
- configuration will automatically be restarted after
- the new configuration has been running for that length of
- time. This prevents a remote admin from being locked out
-of the firewall in the case where the new configuration
- starts but prevents access.
- - Kernel
- route filtering may now be enabled globally using
- the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
- - Individual
- IP source addresses and/or subnets may now be
-excluded from masquerading/SNAT.
- - Simple
- "Yes/No" and "On/Off" values are now case-insensitive
- in /etc/shorewall/shorewall.conf.
-
+ - The 'try' command now accepts an optional timeout.
+ If the timeout is given in the command, the standard
+ configuration will automatically be restarted after
+ the new configuration has been running for that length
+of time. This prevents a remote admin from being locked
+out of the firewall in the case where the new configuration
+ starts but prevents access.
+
+ - Kernel route filtering may now be enabled globally
+ using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
+
+ - Individual IP source addresses and/or subnets
+ may now be excluded from masquerading/SNAT.
+
+ - Simple "Yes/No" and "On/Off" values are now
+case-insensitive in /etc/shorewall/shorewall.conf.
+
+
-
+
4/13/2002 - Hamburg Mirror now has FTP
-
+
Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
- Thanks Stefan!
+ Thanks Stefan!
-
+
4/12/2002 - New Mirror in Hamburg
-
+
Thanks to Stefan Mohr, there
- is now a mirror of the Shorewall website
- at http://germany.shorewall.net.
-
+ is now a mirror of the Shorewall website
+ at
http://germany.shorewall.net.
+
-
+
4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
-
+
Version 1.1 of the QuickStart
- Guide is now available. Thanks to
-those who have read version 1.0 and offered their
- suggestions. Corrections have also been made to the
- sample scripts.
+ Guide is now available. Thanks to
+ those who have read version 1.0 and offered their
+ suggestions. Corrections have also been made to the
+ sample scripts.
-
+
4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
-
+
Version 1.0 of the QuickStart
- Guide is now available. This Guide
-and its accompanying sample configurations are
- expected to provide a replacement for the recently
- withdrawn parameterized samples.
+ Guide is now available. This Guide
+ and its accompanying sample configurations
+are expected to provide a replacement for the recently
+ withdrawn parameterized samples.
-
+
4/8/2002 - Parameterized Samples Withdrawn
-
+
Although the parameterized
- samples have allowed people to get
-a firewall up and running quickly, they have
-unfortunately set the wrong level of expectation among
-those who have used them. I am therefore withdrawing support
- for the samples and I am recommending that they not be
-used in new Shorewall installations.
+ samples have allowed people to get
+ a firewall up and running quickly, they have
+ unfortunately set the wrong level of expectation among
+ those who have used them. I am therefore withdrawing
+support for the samples and I am recommending that
+they not be used in new Shorewall installations.
-
+
4/2/2002 - Updated Log Parser
-
+
John Lodge has provided an updated
- version of his CGI-based log parser
with corrected date handling.
-
+
3/30/2002 - Shorewall Website Search Improvements
-
+
The quick search on the home page now excludes the mailing list archives.
- The Extended
- Search allows excluding the archives or
- restricting the search to just the archives. An archive
- search form is also available on the Extended
+ Search allows excluding the archives
+or restricting the search to just the archives. An archive
+ search form is also available on the mailing list information
- page.
+ page.
-
+
3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
-
+
-
+
3/25/2002 - Log Parser Available
-
+
John Lodge has provided a CGI-based log parser for Shorewall. Thanks
- John.
+ John.
-
+
3/20/2002 - Shorewall 1.2.10 Released
-
+
In this version:
-
+
- - A
- "shorewall try" command has been added (syntax: shorewall
- try <configuration directory>).
- This command attempts "shorewall -c <configuration
- directory> start" and if that results in the
-firewall being stopped due to an error, a "shorewall start"
- command is executed. The 'try' command allows you to
+
+
- A "shorewall try" command has been added (syntax:
+ shorewall try <configuration directory>).
+ This command attempts "shorewall -c <configuration
+ directory> start" and if that results in the
+ firewall being stopped due to an error, a "shorewall start"
+ command is executed. The 'try' command allows you to
create a new configuration
and attempt to start it; if there is an error that leaves
- your firewall in the stopped state, it will automatically
- be restarted using the default configuration (in /etc/shorewall).
- - A
- new variable ADD_SNAT_ALIASES has been added to
- /etc/shorewall/shorewall.conf.
- If this variable is set to "Yes", Shorewall will
- automatically add IP addresses listed in the third
- column of the /etc/shorewall/masq
- file.
- - Copyright
- notices have been added to the documenation.
+ your firewall in the stopped state, it will automatically
+ be restarted using the default configuration (in /etc/shorewall).
-
+ - A new variable ADD_SNAT_ALIASES has been added
+ to /etc/shorewall/shorewall.conf.
+ If this variable is set to "Yes", Shorewall will
+ automatically add IP addresses listed in the
+third column of the /etc/shorewall/masq
+ file.
+
+ - Copyright notices have been added to the documenation.
+
+
-
+
3/11/2002 - Shorewall 1.2.9 Released
-
+
In this version:
-
+
-
+
3/1/2002 - 1.2.8 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/25/2002 - New Two-interface Sample
-
+
I've enhanced the two interface sample to allow access from the firewall
- to servers in the local zone -
- http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
-
+
2/23/2002 - Shorewall 1.2.8 Released
-
+
Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
problems associated with the lock file used to prevent multiple state-changing
- operations from occuring simultaneously.
- My apologies for any inconvenience my carelessness
- may have caused.
+ operations from occuring simultaneously.
+ My apologies for any inconvenience my carelessness
+ may have caused.
-
+
2/22/2002 - Shorewall 1.2.7 Released
-
+
In this version:
-
+
- - UPnP
- probes (UDP destination port 1900) are now silently
- dropped in the common chain
- - RFC
- 1918 checking in the mangle table has been streamlined
- to no longer require packet marking. RFC 1918 checking
- in the filter table has been changed to require half
- as many rules as previously.
- - A
- 'shorewall check' command has been added that does
- a cursory validation of the zones, interfaces, hosts,
- rules and policy files.
-
+ - UPnP probes (UDP destination port 1900) are
+now silently dropped in the common chain
+
+ - RFC 1918 checking in the mangle table has been
+ streamlined to no longer require packet marking.
+ RFC 1918 checking in the filter table has been changed
+to require half as many rules as previously.
+
+ - A 'shorewall check' command has been added that
+ does a cursory validation of the zones, interfaces,
+ hosts, rules and policy files.
+
+
-
+
2/18/2002 - 1.2.6 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/8/2002 - Shorewall 1.2.6 Released
-
+
In this version:
-
+
- - $-variables
- may now be used anywhere in the configuration files
- except /etc/shorewall/zones.
- - The
- interfaces and hosts files now have their contents
- validated before any changes are made to the existing
- Netfilter configuration. The appearance of a zone
- name that isn't defined in /etc/shorewall/zones causes "shorewall
- start" and "shorewall restart" to abort without changing
- the Shorewall state. Unknown options in either file
-cause a warning to be issued.
- - A
- problem occurring when BLACKLIST_LOGLEVEL was not
- set has been corrected.
-
+ - $-variables may now be used anywhere in the
+configuration files except /etc/shorewall/zones.
+
+ - The interfaces and hosts files now have their
+ contents validated before any changes are made to
+the existing Netfilter configuration. The appearance
+ of a zone name that isn't defined in /etc/shorewall/zones
+ causes "shorewall start" and "shorewall restart"
+ to abort without changing the Shorewall state. Unknown
+options in either file cause a warning to be issued.
+
+ - A problem occurring when BLACKLIST_LOGLEVEL
+ was not set has been corrected.
+
+
-
+
2/4/2002 - Shorewall 1.2.5 Debian Package Available
-
+
see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/1/2002 - Shorewall 1.2.5 Released
-
+
Due to installation problems with Shorewall 1.2.4, I have released Shorewall
- 1.2.5. Sorry for the rapid-fire development.
+ 1.2.5. Sorry for the rapid-fire development.
-
+
In version 1.2.5:
-
+
- - The
- installation problems have been corrected.
- - SNAT is now supported.
- - A
- "shorewall version" command has been added
- - The
- default value of the STATEDIR variable in /etc/shorewall/shorewall.conf
- has been changed to /var/lib/shorewall in
- order to conform to the GNU/Linux File Hierarchy Standard,
- Version 2.2.
-
+ - The installation problems have been corrected.
+
+ - SNAT is now supported.
+
+ - A "shorewall version" command has been added
+
+ - The default value of the STATEDIR variable in
+ /etc/shorewall/shorewall.conf has been changed
+ to /var/lib/shorewall in order to conform to the
+GNU/Linux File Hierarchy Standard, Version 2.2.
+
+
-
+
1/28/2002 - Shorewall 1.2.4 Released
-
+
- - The
- "fw" zone may now be given
- a different name.
- - You
- may now place end-of-line comments (preceded by
-'#') in any of the configuration files
- - There
- is now protection against against two state changing
- operations occuring concurrently. This is implemented
- using the 'lockfile' utility if it is available
- (lockfile is part of procmail); otherwise, a less robust
- technique is used. The lockfile is created in the STATEDIR
- defined in /etc/shorewall/shorewall.conf and has the
- name "lock".
- - "shorewall
- start" no longer fails if "detect" is specified
- in /etc/shorewall/interfaces
- for an interface with subnet mask 255.255.255.255.
-
+ - The "fw" zone may now
+ be given a different name.
+
+ - You may now place end-of-line comments (preceded
+ by '#') in any of the configuration files
+
+ - There is now protection against against two
+state changing operations occuring concurrently.
+ This is implemented using the 'lockfile' utility
+ if it is available (lockfile is part of procmail);
+ otherwise, a less robust technique is used. The lockfile
+ is created in the STATEDIR defined in /etc/shorewall/shorewall.conf
+ and has the name "lock".
+
+ - "shorewall start" no longer fails if "detect"
+ is specified in /etc/shorewall/interfaces
+ for an interface with subnet mask 255.255.255.255.
+
+
-
+
1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
1/20/2002 - Corrected firewall script available
-
+
Corrects a problem with BLACKLIST_LOGLEVEL. See the
- errata for details.
+ errata for details.
-
+
1/19/2002 - Shorewall 1.2.3 Released
-
+
This is a minor feature and bugfix release. The single new feature is:
-
+
- - Support
- for TCP MSS Clamp to PMTU -- This support is usually
- required when the internet connection is via
-PPPoE or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
-
+ - Support for TCP MSS Clamp to PMTU -- This support
+ is usually required when the internet connection
+ is via PPPoE or PPTP and may be enabled using the
+ CLAMPMSS option in
+ /etc/shorewall/shorewall.conf.
+
+
-
+
The following problems were corrected:
-
+
- - The
- "shorewall status" command no longer hangs.
- - The
- "shorewall monitor" command now displays the icmpdef
- chain
- - The
- CLIENT PORT(S) column in tcrules is no longer ignored
-
+ - The "shorewall status" command no longer hangs.
+
+ - The "shorewall monitor" command now displays
+ the icmpdef chain
+
+ - The CLIENT PORT(S) column in tcrules is no longer
+ ignored
+
+
-
+
1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
-
+
Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
- that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
- for details.
+ for details.
-
+
1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
- Shorewall Debian package is now available.
- There is a link to Lorenzo's site from the Shorewall download page.
-
+
1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
- the "shorewall status" command to health.
+ the "shorewall status" command to health.
-
+
1/8/2002 - Shorewall 1.2.2 Released
-
+
In version 1.2.2
-
+
- - Support
- for IP blacklisting has been added
+
+
- Support for IP blacklisting has been added
-
+
- - You
- specify whether you want packets from blacklisted
- hosts dropped or rejected using the BLACKLIST_DISPOSITION
- setting in /etc/shorewall/shorewall.conf
- - You
- specify whether you want packets from blacklisted
- hosts logged and at what syslog level using the
- BLACKLIST_LOGLEVEL
- setting in /etc/shorewall/shorewall.conf
- - You
- list the IP addresses/subnets that you wish to blacklist
- in /etc/shorewall/blacklist
- - You
- specify the interfaces you want checked against
- the blacklist using the new "You specify whether you want packets from
+ blacklisted hosts dropped or rejected using the
+ BLACKLIST_DISPOSITION
+ setting in /etc/shorewall/shorewall.conf
+
+ - You specify whether you want packets from
+ blacklisted hosts logged and at what syslog level
+ using the BLACKLIST_LOGLEVEL
+ setting in /etc/shorewall/shorewall.conf
+
+ - You list the IP addresses/subnets that you
+ wish to blacklist in /etc/shorewall/blacklist
+
+ - You specify the interfaces you want checked
+ against the blacklist using the new "blacklist" option
- in /etc/shorewall/interfaces.
- - The
- black list is refreshed from /etc/shorewall/blacklist
- by the "shorewall refresh" command.
+ in /etc/shorewall/interfaces.
+
+ - The black list is refreshed from /etc/shorewall/blacklist
+ by the "shorewall refresh" command.
-
+
-
-
Use
- of TCP RST replies has been expanded
+
+
+
+
Use of TCP RST replies has been expanded
-
+
- - TCP
- connection requests rejected because of a REJECT
- policy are now replied with a TCP RST packet.
- - TCP
- connection requests rejected because of a protocol=all
- rule in /etc/shorewall/rules are now replied
- with a TCP RST packet.
+
+ - TCP connection requests rejected because
+ of a REJECT policy are now replied with a TCP
+ RST packet.
+
+ - TCP connection requests rejected because
+ of a protocol=all rule in /etc/shorewall/rules
+ are now replied with a TCP RST packet.
-
+
-
-
A
- LOGFILE specification
- has been added to /etc/shorewall/shorewall.conf. LOGFILE
- is used to tell the /sbin/shorewall program where to look
- for Shorewall messages.
-
+
+
+
A LOGFILE specification
+ has been added to /etc/shorewall/shorewall.conf. LOGFILE
+ is used to tell the /sbin/shorewall program where to look
+ for Shorewall messages.
+
+
-
+
1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates
- to the previously-released samples. There
- are two new rules added:
+ to the previously-released samples. There
+ are two new rules added:
-
+
- - Unless
- you have explicitly enabled Auth connections (tcp
- port 113) to your firewall, these connections will be
-REJECTED rather than DROPPED. This speeds up connection
- establishment to some servers.
- - Orphan
- DNS replies are now silently dropped.
-
+ - Unless you have explicitly enabled Auth connections
+ (tcp port 113) to your firewall, these connections
+ will be REJECTED rather than DROPPED. This speeds
+up connection establishment to some servers.
+
+ - Orphan DNS replies are now silently dropped.
+
+
-
+
See the README file for upgrade instructions.
-
+
1/1/2002 - Shorewall Mailing List Moving
-
+
The Shorewall mailing list hosted at
- Sourceforge is moving to Shorewall.net.
- If you are a current subscriber to the list at
-Sourceforge, please is moving to Shorewall.net.
+ If you are a current subscriber to the list
+at Sourceforge, please see these instructions.
- If you would like to subscribe to the new
-list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
-
+
12/31/2001 - Shorewall 1.2.1 Released
-
+
In version 1.2.1:
-
+
-
+
12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist
releasing 1.2 on 12/21/2001
-
+
Version 1.2 contains the following new features:
-
+
-
+
For the next month or so, I will continue to provide corrections to version
- 1.1.18 as necessary so that current version
- 1.1.x users will not be forced into a quick upgrade
- to 1.2.0 just to have access to bug fixes.
+ 1.1.18 as necessary so that current version
+ 1.1.x users will not be forced into a quick upgrade
+ to 1.2.0 just to have access to bug fixes.
-
+
For those of you who have installed one of the Beta RPMS, you will need
- to use the "--oldpackage" option when upgrading
- to 1.2.0:
+ to use the "--oldpackage" option when
+upgrading to 1.2.0:
-
+
-
+
+
rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
+
-
+
12/19/2001 - Thanks to Steve
- Cowles, there is now a Shorewall mirror
- in Texas. This web site is mirrored at , there is now a Shorewall mirror
+ in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall
- and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
-
+
11/30/2001 - A new set of the parameterized Sample
Configurations has been released. In this version:
-
+
- - Ping
- is now allowed between the zones.
- - In
- the three-interface configuration, it is now possible
- to configure the internet services that are to be
-available to servers in the DMZ.
-
+ - Ping is now allowed between the zones.
+
+ - In the three-interface configuration, it is now
+ possible to configure the internet services that
+ are to be available to servers in the DMZ.
+
+
-
+
+
11/20/2001 - The current version of Shorewall is 1.1.18.
-
+
In this version:
-
+
- - The
- spelling of ADD_IP_ALIASES has been corrected in
-the shorewall.conf file
- - The
- logic for deleting user-defined chains has been simplified
- so that it avoids a bug in the LRP version of the
-'cut' utility.
- - The
- /var/lib/lrpkg/shorwall.conf file has been corrected
- to properly display the NAT entry in that file.
-
+ - The spelling of ADD_IP_ALIASES has been corrected
+ in the shorewall.conf file
+
+ - The logic for deleting user-defined chains has
+ been simplified so that it avoids a bug in the LRP
+version of the 'cut' utility.
+
+ - The /var/lib/lrpkg/shorwall.conf file has been
+ corrected to properly display the NAT entry
+in that file.
+
+
-
+
11/19/2001 - Thanks to Juraj
- Ontkanin, there is now a Shorewall
- mirror in the Slovak Republic. The website
-is now mirrored at , there is now a Shorewall
+ mirror in the Slovak Republic. The website
+ is now mirrored at http://www.nrg.sk/mirror/shorewall
and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
-
+
11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
- There are three sample configurations:
-
-
-
-
- - One
- Interface -- for a standalone system.
- - Two
- Interfaces -- A masquerading firewall.
- - Three
- Interfaces -- A masquerading firewall with DMZ.
-
-
-
+ There are three sample configurations:
+
+
+ - One Interface -- for a standalone system.
+
+ - Two Interfaces -- A masquerading firewall.
+
+ - Three Interfaces -- A masquerading firewall with
+ DMZ.
+
+
+
+
+
+
Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
- . See the README file for instructions.
+ . See the README file for instructions.
-
+
11/1/2001 - The current version of Shorewall is 1.1.17. I intend
- this to be the last of the 1.1 Shorewall
- releases.
+ this to be the last of the 1.1
+Shorewall releases.
-
+
In this version:
-
+
-
+
+
10/22/2001 - The current version of Shorewall is 1.1.16. In this
- version:
+ version:
-
+
- - A
- new "shorewall show connections" command has been
- added.
- - In
- the "shorewall monitor" output, the currently tracked
- connections are now shown on a separate page.
- - Prior
- to this release, Shorewall unconditionally added
- the external IP adddress(es) specified in /etc/shorewall/nat.
- Beginning with version 1.1.16, a new parameter
- (ADD_IP_ALIASES) may
- be set to "no" (or "No") to inhibit this behavior.
- This allows IP aliases created using your distribution's
- network configuration tools to be used in static
- NAT.
-
+ - A new "shorewall show connections" command has
+ been added.
+
+ - In the "shorewall monitor" output, the currently
+ tracked connections are now shown on a separate
+ page.
+
+ - Prior to this release, Shorewall unconditionally
+ added the external IP adddress(es) specified in
+/etc/shorewall/nat. Beginning with version 1.1.16,
+ a new parameter (ADD_IP_ALIASES)
+ may be set to "no" (or "No") to inhibit
+this behavior. This allows IP aliases created using
+your distribution's network configuration tools
+ to be used in static NAT.
+
+
-
+
+
10/15/2001 - The current version of Shorewall is 1.1.15. In this
- version:
+ version:
-
+
- - Support
- for nested zones has been improved. See the documentation for details
- - Shorewall
- now correctly checks the alternate configuration
- directory for the 'zones' file.
-
+ - Support for nested zones has been improved.
+See the documentation
+ for details
+
+ - Shorewall now correctly checks the alternate
+ configuration directory for the 'zones' file.
+
+
-
+
10/4/2001 - The current version of Shorewall is 1.1.14. In this
- version
+ version
-
+
- - Shorewall
- now supports alternate configuration directories.
- When an alternate directory is specified when starting
- or restarting Shorewall (e.g., "shorewall -c /etc/testconf
- restart"), Shorewall will first look for configuration
- files in the alternate directory then in /etc/shorewall.
- To create an alternate configuration simply:
- 1.
-Create a New Directory
- 2.
-Copy to that directory any of your configuration files
- that you want to change.
- 3.
-Modify the copied files as needed.
- 4.
-Restart Shorewall specifying the new directory.
- - The
- rules for allowing/disallowing icmp echo-requests
- (pings) are now moved after rules created when
+
+
- Shorewall now supports alternate configuration
+ directories. When an alternate directory is specified
+when starting or restarting Shorewall (e.g.,
+ "shorewall -c /etc/testconf restart"), Shorewall will
+first look for configuration files in the alternate directory
+ then in /etc/shorewall. To create an alternate configuration
+ simply:
+
+ 1. Create a New Directory
+
+ 2. Copy to that directory any of your configuration
+ files that you want to change.
+
+ 3. Modify the copied files as needed.
+
+ 4. Restart Shorewall specifying the new directory.
+
+ - The rules for allowing/disallowing icmp echo-requests
+ (pings) are now moved after rules created when
processing the rules file. This allows you to add
rules that selectively allow/deny ping based on source or
destination address.
- - Rules
- that specify multiple client ip addresses or subnets
- no longer cause startup failures.
- - Zone
- names in the policy file are now validated against
- the zones file.
- - If
- you have packet mangling
- support enabled, the "Rules that specify multiple client ip addresses
+ or subnets no longer cause startup failures.
+
+ - Zone names in the policy file are now validated
+ against the zones file.
+
+ - If you have packet
+ mangling support enabled, the "norfc1918"
interface option now logs and drops any incoming packets on
the interface that have an RFC 1918 destination address.
-
+
-
+
9/12/2001 - The current version of Shorewall is 1.1.13. In this
- version
+ version
-
+
- - Shell
- variables can now be used to parameterize Shorewall
- rules.
- - The
- second column in the hosts file may now contain a
- comma-separated list.
-
- Example:
-
- sea eth0:130.252.100.0/24,206.191.149.0/24
- - Handling
- of multi-zone interfaces has been improved. See
-the documentation for
-the /etc/shorewall/interfaces file.
-
+ - Shell variables can now be used to parameterize
+ Shorewall rules.
+
+ - The second column in the hosts file may now contain
+ a comma-separated list.
+
+
+
+ Example:
+
+ sea eth0:130.252.100.0/24,206.191.149.0/24
+
+ - Handling of multi-zone interfaces has been improved.
+ See the documentation
+ for the /etc/shorewall/interfaces file.
+
+
-
+
8/28/2001 - The current version of Shorewall is 1.1.12. In this
- version
+ version
-
+
- - Several
- columns in the rules file may now contain comma-separated
- lists.
- - Shorewall
- is now more rigorous in parsing the options in
- /etc/shorewall/interfaces.
- - Complementation
- using "!" is now supported in rules.
-
+ - Several columns in the rules file may now contain
+ comma-separated lists.
+
+ - Shorewall is now more rigorous in parsing the
+ options in /etc/shorewall/interfaces.
+
+ - Complementation using "!" is now supported in
+ rules.
+
+
-
+
7/28/2001 - The current version of Shorewall is 1.1.11. In this
- version
+ version
-
+
- - A
- "shorewall refresh" command has been added to allow
- for refreshing the rules associated with the broadcast
- address on a dynamic interface. This command should
- be used in place of "shorewall restart" when the internet
- interface's IP address changes.
- - The
- /etc/shorewall/start file (if any) is now processed
- after all temporary rules have been deleted.
- This change prevents the accidental removal of
- rules added during the processing of that file.
- - The
- "dhcp" interface option is now applicable to firewall
- interfaces used by a DHCP server running on the firewall.
- - The
- RPM can now be built from the .tgz file using "rpm
- -tb"
-
+ - A "shorewall refresh" command has been added
+ to allow for refreshing the rules associated with
+the broadcast address on a dynamic interface. This
+ command should be used in place of "shorewall restart"
+ when the internet interface's IP address changes.
+
+ - The /etc/shorewall/start file (if any) is now
+ processed after all temporary rules have been
+ deleted. This change prevents the accidental
+ removal of rules added during the processing of that file.
+
+ - The "dhcp" interface option is now applicable
+ to firewall interfaces used by a DHCP server running
+ on the firewall.
+
+ - The RPM can now be built from the .tgz file using
+ "rpm -tb"
+
+
-
+
7/6/2001 - The current version of Shorewall is 1.1.10. In this
version
-
+
- - Shorewall
- now enables Ipv4 Packet Forwarding by default.
-Packet forwarding may be disabled by specifying IP_FORWARD=Off
- in /etc/shorewall/shorewall.conf. If you don't
- want Shorewall to enable or disable packet forwarding,
- add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
- file.
- - The
- "shorewall hits" command no longer lists extraneous
- service names in its last report.
- - Erroneous
- instructions in the comments at the head of the
- firewall script have been corrected.
-
+ - Shorewall now enables Ipv4 Packet Forwarding
+ by default. Packet forwarding may be disabled by
+specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf.
+ If you don't want Shorewall to enable or disable
+ packet forwarding, add IP_FORWARDING=Keep to your
+ /etc/shorewall/shorewall.conf file.
+
+ - The "shorewall hits" command no longer lists
+ extraneous service names in its last report.
+
+ - Erroneous instructions in the comments at the
+ head of the firewall script have been corrected.
+
+
-
+
6/23/2001 - The current version of Shorewall is 1.1.9. In this
version
-
+
- - The
- "tunnels" file really is in the RPM now.
- - SNAT
- can now be applied to port-forwarded connections.
- - A
- bug which would cause firewall start failures in
-some dhcp configurations has been fixed.
- - The
- firewall script now issues a message if you have
-the name of an interface in the second column in an
- entry in /etc/shorewall/masq and that interface
-is not up.
- - You
- can now configure Shorewall so that it doesn't require the NAT and/or
- mangle netfilter modules.
- - Thanks
- to Alex Polishchuk, the "hits" command from seawall
- is now in shorewall.
- - Support
- for IPIP tunnels has been added.
-
+ - The "tunnels" file really is in the
+ RPM now.
+
+ - SNAT can now be applied to port-forwarded connections.
+
+ - A bug which would cause firewall start failures
+ in some dhcp configurations has been fixed.
+
+ - The firewall script now issues a message if you
+ have the name of an interface in the second column
+ in an entry in /etc/shorewall/masq and that interface
+ is not up.
+
+ - You can now configure Shorewall so that it doesn't require the NAT and/or
+ mangle netfilter modules.
+
+ - Thanks to Alex Polishchuk, the "hits" command
+ from seawall is now in shorewall.
+
+ - Support for IPIP tunnels
+ has been added.
+
+
-
+
6/18/2001 - The current version of Shorewall is 1.1.8. In this
version
-
+
-
+
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
-
+
- - The
- TOS rules are now deleted when the firewall is stopped.
- - The
- .rpm will now install regardless of which version
- of iptables is installed.
- - The
- .rpm will now install without iproute2 being installed.
- - The
- documentation has been cleaned up.
- - The
- sample configuration files included in Shorewall
- have been formatted to 80 columns for ease of editing
-on a VGA console.
-
+ - The TOS rules are now deleted when the firewall
+ is stopped.
+
+ - The .rpm will now install regardless of which
+ version of iptables is installed.
+
+ - The .rpm will now install without iproute2 being
+ installed.
+
+ - The documentation has been cleaned up.
+
+ - The sample configuration files included in Shorewall
+ have been formatted to 80 columns for ease of
+editing on a VGA console.
+
+
-
+
5/25/2001 - The current version of Shorewall is 1.1.6. In this
version
-
+
- - You may now rate-limit the
-packet log.
- -
- Previous versions of Shorewall have an implementation
- of Static NAT which violates the principle
- of least surprise. NAT only occurs for packets arriving
+
+
- You may now rate-limit
+ the packet log.
+
+ - Previous versions of Shorewall have an implementation
+ of Static NAT which violates the principle
+ of least surprise. NAT only occurs for packets arriving
at (DNAT) or send from (SNAT) the interface named in the
- INTERFACE column of /etc/shorewall/nat. Beginning with version
- 1.1.6, NAT effective regardless of which interface
- packets come from or are destined to. To get compatibility
+ INTERFACE column of /etc/shorewall/nat. Beginning with
+version 1.1.6, NAT effective regardless of which interface
+ packets come from or are destined to. To get compatibility
with prior versions, I have added a new "ALL "ALL INTERFACES" column to /etc/shorewall/nat.
- By placing "no" or "No" in the new column, the NAT
-behavior of prior versions may be retained.
- - The
- treatment of IPSEC Tunnels
- where the remote gateway is a standalone system has been
- improved. Previously, it was necessary to include an additional
- rule allowing UDP port 500 traffic to pass through the tunnel.
- Shorewall will now create this rule automatically when you
-place the name of the remote peer's zone in a new GATEWAY ZONE
-column in /etc/shorewall/tunnels.
+ By placing "no" or "No" in the new column, the NAT
+ behavior of prior versions may be retained.
-
+ - The treatment of IPSEC
+ Tunnels where the remote gateway is a standalone system
+has been improved. Previously, it was necessary to include
+an additional rule allowing UDP port 500 traffic to pass
+through the tunnel. Shorewall will now create this rule automatically
+ when you place the name of the remote peer's zone in a new GATEWAY
+ZONE column in /etc/shorewall/tunnels.
+
+
-
+
5/20/2001 - The current version of Shorewall is 1.1.5. In this
version
-
+
-
+
5/10/2001 - The current version of Shorewall is 1.1.4. In this
version
-
+
- -
- Accepting RELATED connections
- is now optional.
- - Corrected
- problem where if "shorewall start" aborted early
- (due to kernel configuration errors for example), superfluous
- 'sed' error messages were reported.
- - Corrected
- rules generated for port redirection.
- - The
- order in which iptables kernel modules are loaded
- has been corrected (Thanks to Mark Pavlidis).
-
+ - Accepting RELATED
+connections is now optional.
+
+ - Corrected problem where if "shorewall start"
+ aborted early (due to kernel configuration errors
+ for example), superfluous 'sed' error messages
+ were reported.
+
+ - Corrected rules generated for port redirection.
+
+ - The order in which iptables kernel modules are
+ loaded has been corrected (Thanks to Mark Pavlidis).
+
+
-
+
4/28/2001 - The current version of Shorewall is 1.1.3. In this
version
-
+
- - Correct
- message issued when Proxy ARP address added (Thanks
- to Jason Kirtland).
- - /tmp/shorewallpolicy-$$
- is now removed if there is an error while
- starting the firewall.
- - /etc/shorewall/icmp.def
- and /etc/shorewall/common.def are now used
- to define the icmpdef and common chains unless overridden
- by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
- - In
- the .lrp, the file /var/lib/lrpkg/shorwall.conf has
- been corrected. An extra space after "/etc/shorwall/policy"
- has been removed and "/etc/shorwall/rules" has been
- added.
- - When
- a sub-shell encounters a fatal error and has stopped
- the firewall, it now kills the main shell so that
- the main shell will not continue.
- - A
- problem has been corrected where a sub-shell stopped
- the firewall and main shell continued resulting in
- a perplexing error message referring to "common.so"
- resulted.
- - Previously,
- placing "-" in the PORT(S) column in /etc/shorewall/rules
- resulted in an error message during start. This
- has been corrected.
- - The
- first line of "install.sh" has been corrected --
-I had inadvertently deleted the initial "#".
-
+ - Correct message issued when Proxy ARP address
+ added (Thanks to Jason Kirtland).
+
+ - /tmp/shorewallpolicy-$$ is now removed if there
+ is an error while starting the firewall.
+
+ - /etc/shorewall/icmp.def and /etc/shorewall/common.def
+ are now used to define the icmpdef and common
+chains unless overridden by the presence of /etc/shorewall/icmpdef
+or /etc/shorewall/common.
+
+ - In the .lrp, the file /var/lib/lrpkg/shorwall.conf
+ has been corrected. An extra space after "/etc/shorwall/policy"
+ has been removed and "/etc/shorwall/rules" has
+been added.
+
+ - When a sub-shell encounters a fatal error and
+ has stopped the firewall, it now kills the main
+ shell so that the main shell will not continue.
+
+ - A problem has been corrected where a sub-shell
+ stopped the firewall and main shell continued
+ resulting in a perplexing error message referring
+ to "common.so" resulted.
+
+ - Previously, placing "-" in the PORT(S) column
+ in /etc/shorewall/rules resulted in an error message
+ during start. This has been corrected.
+
+ - The first line of "install.sh" has been corrected
+ -- I had inadvertently deleted the initial "#".
+
+
-
+
4/12/2001 - The current version of Shorewall is 1.1.2. In this
version
-
+
- - Port
- redirection now works again.
- - The
- icmpdef and common chains may now be user-defined.
- - The
- firewall no longer fails to start if "routefilter"
- is specified for an interface that isn't started.
- A warning message is now issued in this case.
- - The
- LRP Version is renamed "shorwall" for 8,3 MSDOS
-file system compatibility.
- - A
- couple of LRP-specific problems were corrected.
-
+ - Port redirection now works again.
+
+ - The icmpdef and common chains may now be user-defined.
+
+ - The firewall no longer fails to start if "routefilter"
+ is specified for an interface that isn't started.
+ A warning message is now issued in this case.
+
+ - The LRP Version is renamed "shorwall" for 8,3
+ MSDOS file system compatibility.
+
+ - A couple of LRP-specific problems were corrected.
+
+
-
+
4/8/2001 - Shorewall is now affiliated with the Leaf Project 
-
+
-
+
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
-
+
- - The
- common chain is traversed from INPUT, OUTPUT and
-FORWARD before logging occurs
- - The
- source has been cleaned up dramatically
- - DHCP
- DISCOVER packets with RFC1918 source addresses no
- longer generate log messages. Linux DHCP clients generate
- such packets and it's annoying to see them logged.
-
+ - The common chain is traversed from INPUT, OUTPUT
+ and FORWARD before logging occurs
+
+ - The source has been cleaned up dramatically
+
+ - DHCP DISCOVER packets with RFC1918 source addresses
+ no longer generate log messages. Linux DHCP clients
+ generate such packets and it's annoying to see
+them logged.
+
+
-
+
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
-
+
- - Log
- messages now indicate the packet disposition.
- - Error
- messages have been improved.
- - The
- ability to define zones consisting of an enumerated
- set of hosts and/or subnetworks has been added.
- - The
- zone-to-zone chain matrix is now sparse so that only
- those chains that contain meaningful rules are
- defined.
- - 240.0.0.0/4
- and 169.254.0.0/16 have been added to the source
- subnetworks whose packets are dropped under the
- norfc1918 interface option.
- - Exits
- are now provided for executing an user-defined script
- when a chain is defined, when the firewall is initialized,
- when the firewall is started, when the firewall
- is stopped and when the firewall is cleared.
- - The
- Linux kernel's route filtering facility can now
-be specified selectively on network interfaces.
-
+ - Log messages now indicate the packet disposition.
+
+ - Error messages have been improved.
+
+ - The ability to define zones consisting of an
+enumerated set of hosts and/or subnetworks has been
+ added.
+
+ - The zone-to-zone chain matrix is now sparse so
+ that only those chains that contain meaningful
+ rules are defined.
+
+ - 240.0.0.0/4 and 169.254.0.0/16 have been added
+ to the source subnetworks whose packets are dropped
+ under the norfc1918 interface option.
+
+ - Exits are now provided for executing an user-defined
+ script when a chain is defined, when the firewall
+ is initialized, when the firewall is started,
+ when the firewall is stopped and when the firewall is
+ cleared.
+
+ - The Linux kernel's route filtering facility
+can now be specified selectively on network interfaces.
+
+
-
+
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
-
+
- - Allows
- user-defined zones. Shorewall now has only one pre-defined
- zone (fw) with the remaining zones being defined
- in the new configuration file /etc/shorewall/zones.
- The /etc/shorewall/zones file released in this version
- provides behavior that is compatible with Shorewall 1.0.3.
- - Adds
- the ability to specify logging in entries in the
- /etc/shorewall/rules file.
- - Correct
- handling of the icmp-def chain so that only ICMP
- packets are sent through the chain.
- - Compresses
- the output of "shorewall monitor" if awk is
-installed. Allows the command to work if awk isn't installed
- (although it's not pretty).
-
+ - Allows user-defined zones. Shorewall now has
+ only one pre-defined zone (fw) with the remaining
+ zones being defined in the new configuration
+ file /etc/shorewall/zones. The /etc/shorewall/zones file
+released in this version provides behavior that
+is compatible with Shorewall 1.0.3.
+
+ - Adds the ability to specify logging in entries
+ in the /etc/shorewall/rules file.
+
+ - Correct handling of the icmp-def chain so that
+ only ICMP packets are sent through the chain.
+
+ - Compresses the output of "shorewall monitor"
+if awk is installed. Allows the command to work if
+awk isn't installed (although it's not pretty).
+
+
-
+
3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
- release with no new features.
+ release with no new features.
-
+
- - The
- PATH variable in the firewall script now includes
- /usr/local/bin and /usr/local/sbin.
- - DMZ-related
- chains are now correctly deleted if the DMZ is
- deleted.
- - The
- interface OPTIONS for "gw" interfaces are no longer
- ignored.
-
+ - The PATH variable in the firewall script now
+includes /usr/local/bin and /usr/local/sbin.
+
+ - DMZ-related chains are now correctly deleted
+ if the DMZ is deleted.
+
+ - The interface OPTIONS for "gw" interfaces are
+ no longer ignored.
+
+
-
+
3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
- additional "gw" (gateway) zone for tunnels
- and it supports IPSEC tunnels with end-points on
- the firewall. There is also a .lrp available now.
+ additional "gw" (gateway) zone for tunnels
+ and it supports IPSEC tunnels with end-points
+ on the firewall. There is also a .lrp available now.
-
-
Updated 5/27/2003 - Tom Eastep
-
+
+
Updated 6/17/2003 - Tom Eastep
+
-
+
Copyright © 2001, 2002 Thomas M. Eastep.
-
-
-
+
- .