forked from extern/shorewall_code
06e38b587d
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@621 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
89 lines
3.4 KiB
Plaintext
Executable File
This is a snapshot release of Shorewall.

Problems Corrected:

1) A problem seen on RH7.3 systems where Shorewall encountered start
   errors when started using the "service" mechanism has been worked
   around.

2) A problem introduced in earlier snapshots has been corrected. This
   problem caused incorrect netfilter rules to be created when the
   destination zone in a rule was qualified by an address in CIDR
   format.

   Example:

      ACCEPT fw net:206.124.146.0/24 tcp pop3

New Features:

1) A 'newnotsyn' interface option has been added. This option may be
   specified in /etc/shorewall/interfaces and overrides the setting
   NEWNOTSYN=No for packets arriving on the associated interface.

2) The means for specifying a range of IP addresses in
   /etc/shorewall/masq to use for SNAT is now documented.
   ADD_SNAT_ALIASES=Yes is honored for address ranges.

3) Shorewall can now add IP addresses to subnets other than the first
   one on an interface.

4) DNAT[-] rules may now be used to load balance (round-robin) over a
   set of servers. Up to 256 servers may be specified in a range of
   addresses given as <first address>-<last address>.

   Example:

      DNAT net loc:192.168.10.2-192.168.10.5 tcp 80

   Note that this capability has previously been available using a
   combination of a DNAT- rule and one or more ACCEPT rules. That
   technique is still preferable for load-balancing over a large number
   of servers (> 16), since specifying a range in the DNAT rule causes
   one filter table ACCEPT rule to be generated for each IP address in
   the range.

5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
   have been removed and replaced by code that detects whether these
   capabilities are present in the current kernel. The output of the
   start, restart and check commands has been enhanced to report the
   outcome:

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
         Multi-port Match: Available
      Verifying Configuration...
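   The script below is an added illustration of this kind of capability
   detection; it is not Shorewall's own probing code. It asks the running
   iptables whether the nat and mangle tables can be listed and whether
   the multiport and conntrack match modules load, then prints a report
   in the same layout as the output above. The probe commands, the
   IPTABLES variable and the inclusion of the Connection Tracking Match
   (reported the same way in item 6) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall code: probe iptables/netfilter capabilities
# and report them the way the snapshot's start/restart/check output does.

# Path of the iptables binary to probe (assumed variable name).
IPTABLES=${IPTABLES:-iptables}

# cap_available NAME -> exit status 0 when the capability is usable.
# Listing a table shows the table exists (needs root); "-m NAME --help"
# only loads the match module and prints its options, so nothing is
# inserted into the live ruleset while probing.
cap_available() {
    case $1 in
        nat)       "$IPTABLES" -t nat -L -n >/dev/null 2>&1 ;;
        mangle)    "$IPTABLES" -t mangle -L -n >/dev/null 2>&1 ;;
        multiport) "$IPTABLES" -m multiport --help >/dev/null 2>&1 ;;
        conntrack) "$IPTABLES" -m conntrack --help >/dev/null 2>&1 ;;
        *)         return 2 ;;
    esac
}

# cap_status NAME -> prints "Available" or "Not available"
cap_status() {
    if cap_available "$1"; then
        echo "Available"
    else
        echo "Not available"
    fi
}

# capability_report -> the five-line report, one capability per line
capability_report() {
    echo "Shorewall has detected the following iptables/netfilter capabilities:"
    echo "   NAT: $(cap_status nat)"
    echo "   Packet Mangling: $(cap_status mangle)"
    echo "   Multi-port Match: $(cap_status multiport)"
    echo "   Connection Tracking Match: $(cap_status conntrack)"
}

capability_report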

6) Support for the Connection Tracking Match Extension has been
   added. This extension is available in recent kernel/iptables
   releases and allows for rules which match against elements in
   netfilter's connection tracking table.

   Shorewall automatically detects the availability of this extension
   and reports its availability in the output of the start, restart and
   check commands.

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
         Multi-port Match: Available
         Connection Tracking Match: Available
      Verifying Configuration...

   If this extension is available, the ruleset generated by Shorewall
   is changed in the following ways:

   a) To handle 'norfc1918' filtering, Shorewall will not create chains
      in the mangle table but will rather do all 'norfc1918' filtering in
      the filter table (rfc1918 chain).

   b) Recall that Shorewall DNAT rules generate two netfilter rules:
      one in the nat table and one in the filter table. If the Connection
      Tracking Match Extension is available, the rule in the filter table
      is extended to check that the original destination address was the
      same as specified (or defaulted to) in the DNAT rule.
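   The script below is an added illustration of items 4 and 6b together;
   it is not Shorewall's rule generator. It expands a server range given
   as <first address>-<last address> into one nat-table DNAT rule over
   the whole range (netfilter picks the target address round-robin) plus
   one filter-table ACCEPT rule per address, which is why large ranges
   produce many filter rules, and it refuses ranges of more than 256
   addresses. With CONNTRACK_MATCH=Yes each ACCEPT rule also carries the
   original-destination check of 6b via the conntrack match's --ctorigdst
   option. The CONNTRACK_MATCH variable, the plain PREROUTING/FORWARD
   chain names, the interface eth0 and the external address
   206.124.146.176 are assumptions of this example; Shorewall's real
   chains and option names differ.

```shell
#!/bin/sh
# Added example, not Shorewall code: expand a DNAT server range into the
# nat rule and the per-address filter rules the release notes describe.

# Whether the Connection Tracking Match is usable (assumed setting name).
CONNTRACK_MATCH=${CONNTRACK_MATCH:-No}

# ip_to_int A.B.C.D -> 32-bit integer, pure shell arithmetic
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_size FIRST-LAST -> number of addresses (a lone address counts 1).
# Fails for a reversed range or for more than the 256 servers allowed.
range_size() {
    first=${1%-*}; last=${1#*-}
    a=$(ip_to_int "$first"); b=$(ip_to_int "$last")
    n=$((b - a + 1))
    if [ "$n" -lt 1 ]; then
        echo "range $1: last address precedes first" >&2; return 1
    elif [ "$n" -gt 256 ]; then
        echo "range $1: $n addresses exceeds the 256-server limit" >&2; return 1
    fi
    echo "$n"
}

# expand_range FIRST-LAST -> one address per line, carrying across octets
expand_range() {
    n=$(range_size "$1") || return 1
    i=$(ip_to_int "${1%-*}")
    end=$((i + n - 1))
    while [ "$i" -le "$end" ]; do
        int_to_ip "$i"
        i=$((i + 1))
    done
}

# dnat_rules EXTIF RANGE PROTO PORT ORIG_DEST -> the iptables commands
dnat_rules() {
    extif=$1; range=$2; proto=$3; port=$4; orig=$5
    expand_range "$range" >/dev/null || return 1
    # nat table: a single DNAT rule; the kernel round-robins over the range
    echo "iptables -t nat -A PREROUTING -i $extif -d $orig -p $proto --dport $port" \
         "-j DNAT --to-destination $range"
    # filter table: one ACCEPT per server address, optionally tied to the
    # connection's original destination (item 6b)
    for addr in $(expand_range "$range"); do
        check=
        if [ "$CONNTRACK_MATCH" = Yes ]; then
            check=" -m conntrack --ctorigdst $orig"
        fi
        echo "iptables -A FORWARD -i $extif -d $addr -p $proto --dport $port$check -j ACCEPT"
    done
}

# The rule from the release notes: DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
# (eth0 and 206.124.146.176 are assumed values for the net interface and
# the firewall's external address).
dnat_rules eth0 192.168.10.2-192.168.10.5 tcp 80 206.124.146.176
```

   Running range_size on a /24-sized range such as 10.1.1.0-10.1.1.255
   shows the cost the notes warn about: 256 filter ACCEPT rules for a
   single DNAT line, which is why a DNAT- rule plus a few ACCEPT rules
   remains the better choice beyond about 16 servers.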

7) The shell used to interpret the firewall script
   (/usr/share/shorewall/firewall) may now be specified using the
   SHOREWALL_SHELL parameter in shorewall.conf.