Shorewall 2.0.1 ---------------------------------------------------------------------- Problems Corrected since 2.0.0 1) Using actions in the manner recommended in the documentation results in a Warning that the rule is a policy. 2) When a zone on a single interface is defined using /etc/shorewall/hosts, superfluous rules are generated in the _frwd chain. 3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and IPSEC has been corrected. Thanks Sean!!! 4) The "shorewall show log" and "shorewall logwatch" commands incorrectly displayed type 3 ICMP packets. ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: 1) The function of 'norfc1918' is now split between that option and a new 'nobogons' option. The rfc1918 file released with Shorewall now contains entries for only those three address ranges reserved by RFC 1918. A 'nobogons' interface option has been added which handles bogon source addresses (those which are reserved by the IANA, those reserved for DHCP auto-configuration and the class C test-net reserved for testing and documentation examples). This will allow users to perform RFC 1918 filtering without having to deal with out of date data from IANA. Those who are willing to update their /usr/share/shorewall/bogons file regularly can specify the 'nobogons' option in addition to 'norfc1918'. The level at which bogon packets are logged is specified in the new BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are logged at the 'info' level. New Features: 1) Support for Bridging Firewalls has been added. For details, see http://shorewall.net/bridge.html 2) Support for NETMAP has been added. NETMAP allows NAT to be defined between two network: a.b.c.1 -> x.y.z.1 a.b.c.2 -> x.y.z.2 a.b.c.3 -> x.y.z.3 ... http://shorewall.net/netmap.html 3) The /sbin/shorewall program now accepts a "-x" option to cause iptables to print out the actual packet and byte counts rather than abbreviated counts such as "13MB". Commands affected by this are: shorewall -x show [ [ ...] ] shorewall -x show tos|mangle shorewall -x show nat shorewall -x status shorewall -x monitor [ ] 4) Shorewall now traps two common zone definition errors: - Including the firewall zone in a /etc/shorewall/hosts record. - Defining an interface for a zone in both /etc/shorewall/interfaces and /etc/shorewall/hosts. In the second case, the following will appear during "shorewall [re]start" or "shorewall check": Determining Hosts in Zones... ... Error: Invalid zone definition for zone Terminated 5) To support bridging, the following options have been added to entries in /etc/shorewall/hosts: norfc1918 nobogons blacklist tcpflags nosmurfs newnotsyn With the exception of 'newnotsyn', these options are only useful when the entry refers to a bridge port. Example: #ZONE HOST(S) OPTIONS net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs