forked from extern/shorewall_code
144c9ab576
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This is a minor release of Shorewall that has a couple of new features.

New features include:

1) A new 'DNAT-' action has been added for entries in the
   /etc/shorewall/rules file. DNAT- is intended for advanced users who
   wish to minimize the number of rules that connection requests must
   traverse.

   A Shorewall DNAT rule actually generates two iptables rules: an
   address rewriting rule in the 'nat' table and an ACCEPT rule in the
   'filter' table. A DNAT- rule only generates the first of these
   rules. This is handy when you have several DNAT rules that would
   generate the same ACCEPT rule.

   Here are three rules from my previous rules file:

      DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
      DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
      ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...

   These three rules ended up generating _three_ copies of

      ACCEPT net dmz:206.124.146.177 tcp smtp

   By writing the rules this way, I end up with only one copy of the
   ACCEPT rule.

      DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
      DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
      ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
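   As an added illustration (not Shorewall's own code), the following Python
   model expands the three rules above into iptables rules the way the note
   describes, DNAT as a 'nat' plus a 'filter' rule and DNAT- as the 'nat'
   rule only, and counts the repeated ACCEPT rules. The chain names
   PREROUTING/FORWARD, the omitted interface matching and the one-rule-per-port
   expansion are assumptions of the model, not Shorewall's real layout.

```python
# Added example (not Shorewall's own code): a simplified model of how DNAT,
# DNAT- and ACCEPT entries in /etc/shorewall/rules expand into iptables rules.
from collections import Counter
from typing import Dict, List, Tuple

# The three rules quoted in the release note, before and after the change.
OLD_RULES = """
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
"""
NEW_RULES = OLD_RULES.replace("DNAT ", "DNAT- ")


def expand_rules(rules_text: str) -> Tuple[List[str], List[str]]:
    """Return (nat_rules, filter_rules) as iptables argument strings.
    Assumptions (not Shorewall's real layout): nat rules go to PREROUTING,
    filter rules to FORWARD, interface matching is omitted and a
    comma-separated port list expands to one rule per port."""
    nat: List[str] = []
    filt: List[str] = []
    for line in rules_text.strip().splitlines():
        fields = line.split()
        action, _source, dest, proto, ports = fields[:5]
        # Column 7 (ORIGINAL DEST) is only present on the DNAT-style rules.
        orig_dest = fields[6] if len(fields) > 6 else None
        _zone, _, host = dest.partition(":")  # e.g. "dmz:206.124.146.177"
        for port in ports.split(","):
            if port == "...":  # the note's own ellipsis, not a port name
                continue
            if action in ("DNAT", "DNAT-"):  # address rewriting, 'nat' table
                nat.append(f"-t nat -A PREROUTING -d {orig_dest} -p {proto} "
                           f"--dport {port} -j DNAT --to-destination {host}")
            if action in ("DNAT", "ACCEPT"):  # DNAT- emits no 'filter' rule
                filt.append(f"-A FORWARD -d {host} -p {proto} --dport {port} -j ACCEPT")
    return nat, filt


def duplicate_filter_rules(rules_text: str) -> Dict[str, int]:
    """Map each 'filter' rule generated more than once to how often it repeats."""
    _nat, filt = expand_rules(rules_text)
    return {rule: n for rule, n in Counter(filt).items() if n > 1}


if __name__ == "__main__":
    for label, text in (("DNAT", OLD_RULES), ("DNAT-", NEW_RULES)):
        nat, filt = expand_rules(text)
        print(f"{label}: {len(nat)} nat, {len(filt)} filter, "
              f"repeated: {duplicate_filter_rules(text)}")
```

   With the DNAT rules the model emits the smtp ACCEPT rule three times; with
   DNAT- it emits it once, while the two 'nat' rules are identical in both cases.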

2) The 'shorewall check' command now prints out the applicable policy
   between each pair of zones.