forked from extern/shorewall_code
1f72beecc8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@684 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This is a minor release of Shorewall.

Problems Corrected:

1) A problem seen on RH7.3 systems where Shorewall encountered start
   errors when started using the "service" mechanism has been worked
   around.

2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
   rule, Shorewall incorrectly created multiple DNAT rules in the nat
   table (one for each element in the list). Shorewall now correctly
   creates a single DNAT rule with multiple "--to-destination" clauses.

3) Corrected a problem in Beta 1 where DNS names containing a "-" were
   mis-handled when they appeared in the DEST column of a rule.

4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
   rules has been corrected.

5) The message "Adding rules for DHCP" is now suppressed if there are
   no DHCP rules to add.

6) Corrected a problem in 1.4.6 where the MANGLE_ENABLED variable was
   being tested before it was set.

7) Corrected handling of MAC addresses in the SOURCE column of the
   tcrules file. Previously, these addresses resulted in an invalid
   iptables command.

8) The "shorewall stop" command is now disabled when
   /etc/shorewall/startup_disabled exists. This prevents people from
   shooting themselves in the foot prior to having configured
   Shorewall.

9) A change introduced in version 1.4.6 caused error messages during
   "shorewall [re]start" when ADD_IP_ALIASES=Yes and IP addresses were
   being added to a PPP interface; the addresses were successfully
   added in spite of the messages.

   The firewall script has been modified to eliminate the error
   messages.

Migration Issues:

1) In earlier versions, an undocumented feature allowed entries in
   the hosts file as follows:

      z    eth1:192.168.1.0/24,eth2:192.168.2.0/24

   This capability was never documented and has been removed in 1.4.6
   to allow entries of the following format:

      z    eth1:192.168.1.0/24,192.168.2.0/24

2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
   removed from /etc/shorewall/shorewall.conf. These capabilities are
   now automatically detected by Shorewall (see below).

New Features:

1) A 'newnotsyn' interface option has been added. This option may be
   specified in /etc/shorewall/interfaces and overrides the setting
   NEWNOTSYN=No for packets arriving on the associated interface.

2) The means for specifying a range of IP addresses in
   /etc/shorewall/masq to use for SNAT is now
   documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.

3) Shorewall can now add IP addresses to subnets other than the first
   one on an interface.

4) DNAT[-] rules may now be used to load balance (round-robin) over a
   set of servers. Any number of servers may be specified in a range of
   addresses given as <first address>-<last address> and multiple
   ranges or individual servers may be specified in a comma-separated
   list.

   Example:

      DNAT   net   loc:192.168.10.2-192.168.10.5,192.168.10.44   tcp   80

5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
   have been removed and have been replaced by code that detects
   whether these capabilities are present in the current kernel. The
   output of the start, restart and check commands has been enhanced
   to report the outcome:

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
         Multi-port Match: Available
      Verifying Configuration...

6) Support for the Connection Tracking Match Extension has been
   added. This extension is available in recent kernel/iptables
   releases and allows for rules which match against elements in
   netfilter's connection tracking table.

   Shorewall automatically detects the availability of this extension
   and reports its availability in the output of the start, restart and
   check commands.

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
         Multi-port Match: Available
         Connection Tracking Match: Available
      Verifying Configuration...

   If this extension is available, the ruleset generated by Shorewall
   is changed in the following ways:

   a) To handle 'norfc1918' filtering, Shorewall will not create chains
      in the mangle table but will rather do all 'norfc1918' filtering in
      the filter table (rfc1918 chain).

   b) Recall that Shorewall DNAT rules generate two netfilter rules;
      one in the nat table and one in the filter table. If the Connection
      Tracking Match Extension is available, the rule in the filter table
      is extended to check that the original destination address was the
      same as specified (or defaulted to) in the DNAT rule.
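   As an added example (this is not code from the Shorewall release; the
   chain names net_dnat and net2loc, the external address 203.0.113.10 and
   the use of "-m iprange --dst-range" for range entries are assumptions
   made here), the following sh functions show what the DNAT handling
   described in New Feature 4 and in 6b above comes to in iptables terms
   for the load-balancing DEST list 192.168.10.2-192.168.10.5,192.168.10.44:
   one nat-table rule carrying every DEST element as its own
   "--to-destination" clause (the correction in Problems Corrected 2), and
   one filter-table ACCEPT per element restricted with
   "-m conntrack --ctorigdst" to connections whose original destination was
   the address the DNAT rule was written for.

```shell
# Added example, not Shorewall's own code.  Assumed for illustration:
# the chain names net_dnat / net2loc, the external address EXT_ADDR
# (documentation range), and "-m iprange --dst-range" for range entries.
EXT_ADDR=203.0.113.10

# dest_match <element> -> the iptables destination match for one DEST entry
dest_match() {
    case $1 in
        *-*) echo "-m iprange --dst-range $1" ;;   # <first>-<last> range
        *)   echo "-d $1" ;;                          # single host or net
    esac
}

# dnat_rules <DEST list> <proto> <port>
# Prints the nat-table rule (one --to-destination clause per list element,
# as corrected in this release) followed by one filter-table ACCEPT per
# element that, with the Connection Tracking Match available, only matches
# connections whose original destination was EXT_ADDR.
dnat_rules() {
    local list proto port d nat IFS
    list=$1; proto=$2; port=$3; nat=''
    IFS=,
    for d in $list; do
        nat="$nat --to-destination $d"
    done
    printf 'iptables -t nat -A net_dnat -p %s --dport %s -d %s -j DNAT%s\n' \
        "$proto" "$port" "$EXT_ADDR" "$nat"
    for d in $list; do
        printf 'iptables -A net2loc -p %s --dport %s %s -m conntrack --ctorigdst %s -j ACCEPT\n' \
            "$proto" "$port" "$(dest_match "$d")" "$EXT_ADDR"
    done
}

# The DEST list from the load-balancing example in this release
dnat_rules 192.168.10.2-192.168.10.5,192.168.10.44 tcp 80
```

   The functions only print the commands, so the result can be inspected
   before anything is loaded. The --ctorigdst check is what keeps the
   filter rule tied to the DNAT: without it, a net host that could route
   to 192.168.10.44 directly would also match the ACCEPT. Note that
   iptables accepts several --to-destination clauses on one DNAT rule only
   on kernels up to 2.6.10; on later kernels the same list has to be spread
   over separate rules, so the single-rule form described in this release
   is specific to the kernels of its time.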

7) The shell used to interpret the firewall script
   (/usr/share/shorewall/firewall) may now be specified using the
   SHOREWALL_SHELL parameter in shorewall.conf.

8) An 'ipcalc' command has been added to /sbin/shorewall.

      ipcalc [ <address> <netmask> | <address>/<vlsm> ]

   Examples:

      [root@wookie root]# shorewall ipcalc 192.168.1.0/24
      CIDR=192.168.1.0/24
      NETMASK=255.255.255.0
      NETWORK=192.168.1.0
      BROADCAST=192.168.1.255
      [root@wookie root]#

      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
      CIDR=192.168.1.0/24
      NETMASK=255.255.255.0
      NETWORK=192.168.1.0
      BROADCAST=192.168.1.255
      [root@wookie root]#

   Warning:

      If your shell only supports 32-bit signed arithmetic (ash or
      dash), then the ipcalc command produces incorrect information for
      IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
      correct information for all valid IP addresses.

9) An 'iprange' command has been added to /sbin/shorewall.

      iprange <address>-<address>

   This command decomposes a range of IP addresses into a list of
   network and host addresses. The command can be useful if you need to
   construct an efficient set of rules that accept connections from a
   range of network addresses.

   Note: If your shell only supports 32-bit signed arithmetic (ash or
   dash) then the range may not span 128.0.0.0.

   Example:

      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
      192.168.1.4/30
      192.168.1.8/29
      192.168.1.16/28
      192.168.1.32/27
      192.168.1.64/26
      192.168.1.128/25
      192.168.2.0/23
      192.168.4.0/22
      192.168.8.0/22
      192.168.12.0/29
      192.168.12.8/31
      [root@gateway root]#
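   As an added example that is not Shorewall's own code, the following
   POSIX sh functions reimplement the ipcalc and iprange commands of items
   8 and 9. ipcalc works one octet at a time and never forms a full 32-bit
   value, which is how the 128.0.0.0-1 and /1 cases in the warning above
   come out right even in a shell limited to 32-bit signed arithmetic;
   iprange does use 32-bit values, so in such a shell the range still must
   not span 128.0.0.0. The function names and the input validation
   (rejecting leading zeros, octets above 255 and non-contiguous netmasks)
   are this example's own choices, not Shorewall's.

```shell
# Added example, not Shorewall's own code: sh versions of the ipcalc and
# iprange commands described above.  ipcalc works one octet at a time and
# never forms a 32-bit value, so it is right for 128.0.0.0-1 and /1 networks
# even in a shell with 32-bit signed arithmetic; iprange does use 32-bit
# values, so in such a shell a range still must not span 128.0.0.0.

# ip_octets A.B.C.D -> "A B C D"; fails on anything that is not a dotted quad
ip_octets() {
    local o IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$1 $2 $3 $4"
}

# vlsm_to_mask 24 -> "255 255 255 0", each octet computed from its own bit count
vlsm_to_mask() {
    local i=0 bits out=''
    case $1 in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
    while [ $i -lt 4 ]; do
        bits=$(( $1 - 8 * i ))
        [ $bits -gt 0 ] || bits=0
        [ $bits -lt 8 ] || bits=8
        out="$out $(( (255 << (8 - bits)) & 255 ))"
        i=$(( i + 1 ))
    done
    echo "${out# }"
}

# mask_to_vlsm 255.255.255.0 -> 24; rejects non-contiguous masks like 255.0.255.0
mask_to_vlsm() {
    local octs o b vlsm=0 zero=0
    octs=$(ip_octets "$1") || return 1
    for o in $octs; do
        b=7
        while [ $b -ge 0 ]; do
            if [ $(( (o >> b) & 1 )) -eq 1 ]; then
                [ $zero -eq 0 ] || return 1   # a 1 bit after a 0 bit
                vlsm=$(( vlsm + 1 ))
            else
                zero=1
            fi
            b=$(( b - 1 ))
        done
    done
    echo $vlsm
}

# ipcalc <address>/<vlsm>  or  ipcalc <address> <netmask>
# Output mirrors "shorewall ipcalc"; CIDR is reported on the network address.
ipcalc() {
    local addr vlsm a m net bcast
    case $# in
        1) addr=${1%/*}; vlsm=${1#*/}; [ "$addr" != "$1" ] || return 1 ;;
        2) addr=$1; vlsm=$(mask_to_vlsm "$2") || return 1 ;;
        *) return 1 ;;
    esac
    a=$(ip_octets "$addr") || return 1
    m=$(vlsm_to_mask "$vlsm") || return 1
    set -- $a $m                      # $1..$4 address, $5..$8 mask
    net="$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
    bcast="$(( $1 | (255 - $5) )).$(( $2 | (255 - $6) )).$(( $3 | (255 - $7) )).$(( $4 | (255 - $8) ))"
    printf 'CIDR=%s/%s\nNETMASK=%s.%s.%s.%s\nNETWORK=%s\nBROADCAST=%s\n' \
        "$net" "$vlsm" "$5" "$6" "$7" "$8" "$net" "$bcast"
}

# iprange <first>-<last> -> the shortest list of CIDR blocks covering the range
iprange() {
    local first last start end bits
    first=$(ip_octets "${1%-*}") || return 1
    last=$(ip_octets "${1#*-}") || return 1
    set -- $first $last
    start=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    end=$(( ($5 << 24) | ($6 << 16) | ($7 << 8) | $8 ))
    [ $start -le $end ] || return 1
    while [ $start -le $end ]; do
        # widen the block while start stays aligned to it and its last address stays in range
        bits=0
        while [ $bits -lt 32 ] && [ $(( (start >> bits) & 1 )) -eq 0 ] &&
              [ $(( start + (1 << (bits + 1)) - 1 )) -le $end ]; do
            bits=$(( bits + 1 ))
        done
        printf '%d.%d.%d.%d/%d\n' $(( (start >> 24) & 255 )) $(( (start >> 16) & 255 )) \
            $(( (start >> 8) & 255 )) $(( start & 255 )) $(( 32 - bits ))
        start=$(( start + (1 << bits) ))
    done
}

ipcalc 192.168.1.0/24
iprange 192.168.1.4-192.168.12.9
```

   iprange's loop is the standard range-to-CIDR decomposition: at each
   step it takes the largest block that starts at the current address and
   does not run past the end of the range, which is why 192.168.8.0 yields
   /22 rather than /21 in the example above. A non-contiguous netmask is
   rejected rather than silently turned into a prefix length, because
   iptables applies such a mask literally and the rule would then match a
   different set of addresses than the prefix suggests.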

10) A list of host/net addresses is now allowed in an entry in
    /etc/shorewall/hosts.

    Example:

       foo    eth1:192.168.1.0/24,192.168.2.0/24

11) The "shorewall check" command now includes the chain name when
    printing the applicable policy for each pair of zones.

    Example:

       Policy for dmz to net is REJECT using chain all2all

    This means that the policy for connections from the dmz to the
    internet is REJECT and the applicable entry in
    /etc/shorewall/policy was the all->all policy.

12) Support for the 2.6 Kernel series has been added.