forked from extern/shorewall_code
2d1f10908e
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1380 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
87 lines
3.0 KiB
Plaintext
Executable File
Shorewall 2.0.3 Beta 1

----------------------------------------------------------------------
Problems Corrected since 2.0.2

1) The 'firewall' script is not purging temporary restore files in
   /var/lib/shorewall. These files have names of the form
   "restore-nnnnn".

2) The /var/lib/shorewall/restore script did not load the kernel
   modules specified in /etc/shorewall/modules.

3) Specifying a null common action in /etc/shorewall/actions (e.g.,
   :REJECT) results in a startup error.

4) If /var/lib/shorewall does not exist, shorewall start fails.

5) DNAT rules with a dynamic source zone don't work properly. When
   used, these rules cause the rule to be checked against ALL input,
   not just input from the designated zone.

6) The install.sh script reported installing some files in
   /etc/shorewall when the files were actually installed in
   /usr/share/shorewall.

7) Shorewall checks netfilter capabilities before loading kernel
   modules. Hence if kernel module autoloading isn't enabled, the
   capabilities will be misdetected.

8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.

-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:

1) The 'dropNonSyn' standard builtin action has been replaced with the
   'dropNotSyn' standard builtin action. The old name can still be used
   but will generate a warning.

-----------------------------------------------------------------------
New Features:

1) "!" is now allowed in accounting rules.

2) Interface names appearing within the configuration are now
   verified. Interface names must match the name of an entry in
   /etc/shorewall/interfaces (or if bridging is enabled, they must
   match the name of an entry in /etc/shorewall/interfaces or the name
   of a bridge port appearing in /etc/shorewall/hosts).
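
   The check below is an added illustration of the verification rule in
   item 2 and is not Shorewall's own code. It parses the column layout of
   /etc/shorewall/interfaces and /etc/shorewall/hosts from sample text
   constructed here and lists every referenced interface name that is not
   defined. The "bridge:port" form of a hosts entry is taken from the note
   above; telling a bridge port ("br0:eth1") apart from an address entry
   ("eth3:192.168.2.0/24") by the first character after the colon is an
   assumption of this example.

```python
# Added example (not Shorewall's own code): interface-name verification in
# the spirit of Shorewall 2.0.3 item 2, run over constructed sample files.
from typing import List, Set

# Constructed sample of /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS)
INTERFACES_SAMPLE = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,norfc1918
loc     br0             detect
-       eth3            detect
"""

# Constructed sample of /etc/shorewall/hosts (ZONE HOST(S) OPTIONS) with
# BRIDGING=Yes style 'bridge:port' entries plus one ordinary 'iface:address'.
HOSTS_SAMPLE = """\
#ZONE   HOST(S)                 OPTIONS
loc     br0:eth1
dmz     br0:eth2
loc     eth3:192.168.2.0/24
"""

def _rows(text: str) -> List[List[str]]:
    """Split a Shorewall-style config into whitespace-separated columns,
    ignoring blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def defined_interfaces(interfaces_text: str) -> Set[str]:
    """Names from the INTERFACE column of the interfaces file."""
    return {row[1] for row in _rows(interfaces_text) if len(row) >= 2}

def bridge_ports(hosts_text: str) -> Set[str]:
    """Bridge port names: the 'port' of a 'bridge:port' HOST(S) entry."""
    ports = set()
    for row in _rows(hosts_text):
        if len(row) < 2 or ":" not in row[1]:
            continue
        _bridge, rest = row[1].split(":", 1)
        # Assumption of this example: a part that starts with a digit is an
        # address ('eth3:192.168.2.0/24'), anything else names a bridge port.
        if rest and not rest[0].isdigit():
            ports.add(rest)
    return ports

def check_interface_names(names, interfaces_text: str, hosts_text: str,
                          bridging: bool = False) -> List[str]:
    """Return, sorted, the names that would fail verification."""
    allowed = defined_interfaces(interfaces_text)
    if bridging:
        allowed |= bridge_ports(hosts_text)
    return sorted(n for n in names if n not in allowed)

if __name__ == "__main__":
    used = ["eth0", "eth1", "eth9"]
    print("without bridging:", check_interface_names(used, INTERFACES_SAMPLE, HOSTS_SAMPLE))
    print("with bridging:   ", check_interface_names(used, INTERFACES_SAMPLE, HOSTS_SAMPLE, True))
```

   With bridging off, eth1 is rejected because it only appears as a bridge
   port in the hosts file; with bridging on, only the undefined eth9 fails.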

3) A new 'rejNonSyn' built-in standard action has been added. This
   action responds to "New not SYN" packets with an RST.

   The 'dropNonSyn' action has been superseded by the new 'dropNotSyn'
   action. The old name will be accepted until the next major release
   of Shorewall but will generate a warning.

   Several new logging actions involving "New not SYN" packets have
   been added:

      logNewNotSyn  -- logs the packet with disposition = LOG
      dLogNewNotSyn -- logs the packet with disposition = DROP
      rLogNewNotSyn -- logs the packet with disposition = REJECT

   The packets are logged at the log level specified in the
   LOGNEWNOTSYN option in shorewall.conf. If that option is empty or
   not specified, then 'info' is assumed.

   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):

   A: To simulate the behavior of NEWNOTSYN=No:

      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
      b) Create /etc/shorewall/action.NoNewNotSyn containing:

            dLogNotSyn
            dropNotSyn

      c) Early in your rules file, place:

            NoNewNotSyn  all  all  tcp

   B: Drop 'New not SYN' packets from the net only. Don't log them.

      a) Early in your rules file, place:

            dropNotSyn   net  all  tcp
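
   The model below is an added example, not Shorewall's own code. It shows
   what a "New not SYN" packet is (a TCP packet that opens no tracked
   connection yet carries no SYN flag) using a minimal stand-in for
   conntrack, and then runs constructed traffic through the two
   configurations of item 3: the NoNewNotSyn action file (log, then drop,
   from every zone) and the single 'dropNotSyn net all tcp' rule. Zone
   names, addresses, the log line format and the action-file contents are
   constructed for this example; the logging step uses the dLogNewNotSyn
   name from the list of logging actions above, and logging actions are
   modelled as writing a log entry only, with dropNotSyn/rejNonSyn
   terminating the packet, which is the ordering example A relies on.

```python
# Added example (not Shorewall's own code): a model of "New not SYN"
# classification and of the dropNotSyn / logging actions over constructed
# traffic, following examples A and B of the Shorewall 2.0.3 release note.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SYN, ACK = 0x02, 0x10          # TCP flag bits as found in header byte 13

@dataclass
class Packet:
    zone: str                  # zone the packet arrived from (constructed names)
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

@dataclass
class Tracker:
    """Minimal stand-in for conntrack: a flow is known once a packet for its
    5-tuple has been accepted in either direction."""
    known: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def is_new(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd not in self.known and rev not in self.known

    def note(self, p: Packet) -> None:
        self.known.add((p.src, p.sport, p.dst, p.dport))

def is_new_not_syn(p: Packet, ct: Tracker) -> bool:
    """State NEW without the SYN flag: the packets these actions target."""
    return ct.is_new(p) and not (p.flags & SYN)

# Built-in actions from the release note. Assumption of this model: logging
# actions only write a log entry with the named disposition, while the
# drop/reject actions terminate the packet.
LOG_ACTIONS = {"logNewNotSyn": "LOG", "dLogNewNotSyn": "DROP", "rLogNewNotSyn": "REJECT"}
FINAL_ACTIONS = {"dropNotSyn": "DROP", "rejNonSyn": "REJECT"}

def evaluate(p: Packet, ct: Tracker, rules: List[Tuple[str, str, str]],
             action_files: Dict[str, List[str]], log_level: str = "info"):
    """Apply the New-not-SYN rules to one packet.
    Returns (disposition, log lines); "CONTINUE" means these rules did not
    decide the packet and later rules would be consulted."""
    if not is_new_not_syn(p, ct):
        return "CONTINUE", []
    logs: List[str] = []
    for action, src_zone, _dst_zone in rules:     # both examples use dest 'all'
        if src_zone not in ("all", p.zone):
            continue
        for step in action_files.get(action, [action]):   # expand a user action file
            if step in LOG_ACTIONS:
                logs.append(f"{log_level} Shorewall:{action}:{LOG_ACTIONS[step]}: "
                            f"SRC={p.src} DST={p.dst} SPT={p.sport} DPT={p.dport}")
            elif step in FINAL_ACTIONS:
                return FINAL_ACTIONS[step], logs
            else:
                raise ValueError(f"unknown action {step!r}")
    return "CONTINUE", logs

# Example A: rule 'NoNewNotSyn all all tcp' with action.NoNewNotSyn = log + drop.
EXAMPLE_A = {"rules": [("NoNewNotSyn", "all", "all")],
             "actions": {"NoNewNotSyn": ["dLogNewNotSyn", "dropNotSyn"]}}
# Example B: rule 'dropNotSyn net all tcp', no logging.
EXAMPLE_B = {"rules": [("dropNotSyn", "net", "all")], "actions": {}}

def run_scenario(config: dict) -> Dict[str, Tuple[str, List[str]]]:
    """Constructed traffic: a proper SYN, an ACK on that (now known) flow,
    and stray ACKs with no flow behind them from 'net' and from 'loc'."""
    ct = Tracker()
    syn = Packet("net", "203.0.113.5", "192.0.2.10", 40000, 80, SYN)
    reply = Packet("loc", "192.0.2.10", "203.0.113.5", 80, 40000, ACK)
    stray_net = Packet("net", "203.0.113.9", "192.0.2.10", 40001, 80, ACK)
    stray_loc = Packet("loc", "192.168.1.7", "192.0.2.10", 40002, 80, ACK)
    out = {"syn": evaluate(syn, ct, config["rules"], config["actions"])}
    ct.note(syn)                       # the SYN opened a tracked flow
    out["reply"] = evaluate(reply, ct, config["rules"], config["actions"])
    out["stray_net"] = evaluate(stray_net, ct, config["rules"], config["actions"])
    out["stray_loc"] = evaluate(stray_loc, ct, config["rules"], config["actions"])
    return out

if __name__ == "__main__":
    for name, cfg in (("A", EXAMPLE_A), ("B", EXAMPLE_B)):
        for pkt, (disp, logs) in run_scenario(cfg).items():
            print(f"example {name}: {pkt:10s} -> {disp} {logs}")
```

   The SYN and the ACK on the tracked flow are untouched in both examples;
   under A every stray ACK is logged with disposition DROP and dropped,
   under B only the stray ACK from 'net' is dropped and nothing is logged.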