forked from extern/shorewall_code
48390fd671
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4478 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
116 lines
4.3 KiB
Plaintext
116 lines
4.3 KiB
Plaintext
Shorewall 3.3.1
|
|
|
|
Note to users upgrading from Shorewall 3.0 or 3.2
|
|
|
|
Most problems associated with upgrades come from two causes:
|
|
|
|
- The user didn't read and follow the migration considerations in these
|
|
release notes.
|
|
|
|
- The user mis-handled the /etc/shorewall/shorewall.conf file during
|
|
upgrade. Shorewall is designed to allow the default behavior of
|
|
the product to evolve over time. To make this possible, the design
|
|
assumes that you will not replace your current shorewall.conf file
|
|
during upgrades. If you feel absolutely compelled to have the latest
|
|
comments and options in your shorewall.conf then you must proceed
|
|
carefully.
|
|
|
|
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
|
|
please check that file. If it has addresses listed that are NOT in one of
|
|
these three ranges, then please rename the file to
|
|
/etc/shorewall/rfc1918.old.
|
|
|
|
10.0.0.0 - 10.255.255.255
|
|
172.16.0.0 - 172.31.255.255
|
|
192.168.0.0 - 192.168.255.255
|
|
|
|
If you have a file named /etc/shorewall/modules, please remove
|
|
it. The default modules file is now located in /usr/share/shorewall/
|
|
(see the "Migration Considerations" below).
|
|
|
|
Please see the "Migration Considerations" below for additional upgrade
|
|
information.
|
|
|
|
Problems Corrected in 3.3.1
|
|
|
|
1) The 'proxyarp' option in /etc/shorewall/interfaces was not
|
|
triggering the loading of lib.proxyarp with the result that the
|
|
option was ignored unless there were also entries in
|
|
/etc/shorewall/proxyarp.
|
|
|
|
Other changes in 3.3.1
|
|
|
|
None.
|
|
|
|
Migration Considerations:
|
|
|
|
New Features:
|
|
|
|
1) In order to accomodate small embedded applications, Shorewall 3.3
|
|
is now modularized. In addition to the base files, there are
|
|
loadable "libraries" that may be included or omitted from an
|
|
embedded system as required.
|
|
|
|
Loadable Shorewall libraries reside in /usr/share/shorewall/ and
|
|
have names that begin with "lib.". The following libraries are
|
|
included in Shorewall 3.3:
|
|
|
|
- lib.accounting. Must be available if you include entries in
|
|
/etc/shorewall/accounting.
|
|
|
|
- lib.actions. Must be available if you do not specify
|
|
USE_ACTIONS=No in /etc/shorewall/shorewall.conf.
|
|
|
|
- lib.dynamiczones. Must be available if you specify
|
|
DYNAMIC_ZONES=Yes in shorewall.conf.
|
|
|
|
- lib.maclist. Must be available if you specify the 'maclist'
|
|
option in /etc/shorewall/interfaces or /etc/shorewall/hosts.
|
|
|
|
- lib.nat. Must be available if you have entries in
|
|
/etc/shorewall/masq, /etc/shorewall/nat or /etc/shorewall/netmap.
|
|
|
|
- lib.providers. Must be available if you have entries in
|
|
/etc/shorewall/providers.
|
|
|
|
- lib.proxyarp. Must be available if you have entries in
|
|
/etc/shorewall/proxyarp or if you specify the 'proxyarp' option
|
|
in /etc/shorewall/interfaces.
|
|
|
|
- lib.tc. Must be available if you have entries in
|
|
/etc/shorewall/tcdevices and /etc/shorewall/tcclasses.
|
|
|
|
- lib.tcrules. Must be available if you have entries in
|
|
/etc/shorewall/tcrules.
|
|
|
|
- lib.tunnels. Must be available if you have entries in
|
|
/etc/shorewall/tunnels.
|
|
|
|
Embedded applications can further decrease the size of the Shorewall
|
|
footprint by:
|
|
|
|
- Omitting the macro files.
|
|
- Only including the 'modules' file appropriate for the kernel in
|
|
use.
|
|
- Omitting all unused extension scripts.
|
|
- Stripping the comments (except for copyright) from the various
|
|
files.
|
|
|
|
2) As hinted in the previous bullet, there is a new USE_ACTIONS option
|
|
in /etc/shorewall/shorewall.conf. Shorewall actions can be very
|
|
powerful but they also require a lot of code to implement. Embedded
|
|
applications can omit that code by setting
|
|
USE_ACTIONS=No. Shorewall will ignore all action-related files
|
|
including /usr/share/shorewall/actions.std and
|
|
/etc/shorewall/actions. Builtin actions will still be available for
|
|
use in rules and macros.
|
|
|
|
Note that with USE_ACTIONS=No, there will be no default actions so
|
|
you must include explicit rules to handle those rules that are normally
|
|
supplied by the default actions.
|
|
|
|
The macros macro.Drop and macro.Reject are supplied to help you do
|
|
that.
|
|
|
|
|