forked from extern/shorewall_code
07f66da156
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
490 lines
28 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorewall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
<div align="center"><a
href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!!</b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2>
<p><b>3/14/2003 - Shorewall 1.4.0</b> <img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"></p>
Shorewall 1.4 represents the next step in the evolution of Shorewall.
The main thrust of the initial release is simply to remove the cruft that
has accumulated in Shorewall over time.<br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires the iproute package
('ip' utility).</b><br>
<br>
Functions from 1.3 that have been omitted from this version include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup, as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li value="8">The 'multi' interface option is no longer supported.
Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone, including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same, then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.<br>
</li>
</ul>
</li>
</ol>
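<p>As an added example (not Shorewall's own code and not something the project ships), the following Python script scans 1.3-style configuration text for the removed items listed above and reports which ones 1.4 rejects at startup (MERGE_HOSTS, ALLOWRELATED, OLD_PING_HANDLING=Yes, the 'noping', 'filterping', 'routestopped' and 'multi' options, and &lt;device&gt;:&lt;integer&gt; interface names) and which it silently ignores, so an upgrade can be checked before the firewall is restarted. The column layouts it assumes for the interfaces and hosts files, the severity split, the sample fragments and all function names are the example's own assumptions.</p>

```python
# Added example, not Shorewall's code: a pre-upgrade lint for the 1.3 settings
# that the Shorewall 1.4.0 release notes say are rejected or ignored.
# Assumed file layouts (whitespace-separated columns, '#' starts a comment):
#   shorewall.conf -> NAME=value lines (shell syntax)
#   interfaces     -> ZONE  INTERFACE  BROADCAST  OPTIONS
#   hosts          -> ZONE  HOST(S)    OPTIONS
import re
from typing import List, Tuple

Finding = Tuple[str, str, int, str]  # (severity, file, line number, message)

# 'error'   = the release notes say 1.4 refuses to start on this setting
# 'warning' = the setting is no longer supported but has a defined fallback
REMOVED_INTERFACE_OPTIONS = {
    "noping":       ("error",   "is rejected at startup in 1.4 (OLD_PING_HANDLING=No semantics)"),
    "filterping":   ("error",   "is rejected at startup in 1.4 (OLD_PING_HANDLING=No semantics)"),
    "routestopped": ("error",   "is rejected at startup in 1.4"),
    "multi":        ("warning", "is ignored in 1.4; same-interface traffic now needs an explicit policy or rule"),
}


def _code(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def _options(field: str) -> List[str]:
    """Split a comma-separated OPTIONS column; '-' means no options."""
    return [] if field in ("", "-") else field.split(",")


def lint_conf(text: str) -> List[Finding]:
    """Flag MERGE_HOSTS, ALLOWRELATED and OLD_PING_HANDLING=Yes in shorewall.conf."""
    out: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)", _code(raw))
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip("\"'")
        if name in ("MERGE_HOSTS", "ALLOWRELATED"):
            out.append(("warning", "shorewall.conf", n,
                        f"{name} is no longer supported; 1.4 always behaves as {name}=Yes"))
        elif name == "OLD_PING_HANDLING" and value.lower() == "yes":
            out.append(("error", "shorewall.conf", n,
                        "OLD_PING_HANDLING=Yes is an error at startup in 1.4"))
    return out


def lint_interfaces(text: str) -> List[Finding]:
    """Flag <device>:<integer> interface names and removed interface options."""
    out: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        cols = _code(raw).split()
        if len(cols) < 2:
            continue
        iface = cols[1]
        if re.fullmatch(r"[^:\s]+:\d+", iface):
            out.append(("error", "interfaces", n,
                        f"interface '{iface}' uses the <device>:<integer> form, which 1.4 rejects"))
        if len(cols) >= 4:
            for opt in _options(cols[3]):
                hit = REMOVED_INTERFACE_OPTIONS.get(opt)
                if hit:
                    out.append((hit[0], "interfaces", n, f"option '{opt}' {hit[1]}"))
    return out


def lint_hosts(text: str) -> List[Finding]:
    """Flag the removed 'routestopped' option in the hosts file."""
    out: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        cols = _code(raw).split()
        if len(cols) >= 3 and "routestopped" in _options(cols[2]):
            out.append(("error", "hosts", n, "option 'routestopped' is rejected at startup in 1.4"))
    return out


def lint_all(conf: str, interfaces: str, hosts: str) -> List[Finding]:
    return lint_conf(conf) + lint_interfaces(interfaces) + lint_hosts(hosts)


def errors(findings: List[Finding]) -> List[Finding]:
    """Only the findings that would stop Shorewall 1.4 from starting."""
    return [f for f in findings if f[0] == "error"]


# Constructed 1.3-style fragments for demonstration (not from any real host).
SAMPLE_CONF = """\
# constructed shorewall.conf fragment
MERGE_HOSTS=No
OLD_PING_HANDLING=Yes
ALLOWRELATED=Yes
FW=fw
"""
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918,noping
loc     eth1            detect          routestopped,multi
dmz     eth1:1          detect
"""
SAMPLE_HOSTS = """\
#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.1.0/24     routestopped
"""

if __name__ == "__main__":
    for sev, fname, n, msg in lint_all(SAMPLE_CONF, SAMPLE_INTERFACES, SAMPLE_HOSTS):
        print(f"{sev.upper():7} {fname}:{n}: {msg}")
```

<p>On the constructed fragments the script reports eight findings, five of which are startup errors; a clean 1.4 configuration produces none. The 1.2 DNAT/REDIRECT rule syntax and the removed icmp.def file are not checked here, since the release notes give no pattern to match them against.</p>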
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
the common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:
<ol type="a">
<li>You must be running kernel 2.4.20</li>
<li>You must have applied the patch in
http://www.shorewall/net/pub/shorewall/ecn/patch.</li>
<li>You must have iptables 1.2.7a installed.</li>
</ol>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
</li>
</ol>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
&nbsp;</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</body>
</html>