forked from extern/shorewall_code
3e90e68a7a
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1494 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
81 lines
2.7 KiB
Plaintext
Executable File
81 lines
2.7 KiB
Plaintext
Executable File
Shorewall 2.1.0
|
|
|
|
----------------------------------------------------------------------
|
|
Problems Corrected since 2.0.3
|
|
|
|
1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
|
|
error and Shorewall fails to start.
|
|
|
|
2) A potential security vulnerablilty in the way that Shorewall
|
|
handles temporary files and directories has been corrected.
|
|
|
|
3) Two problems with logging NAT rules (DNAT and REDIRECT) could cause
|
|
startup failures.
|
|
|
|
4) Some users have reported the pkttype match option in iptables/
|
|
Netfilter failing to match certain broadcast packets. The result
|
|
is that the firewall log shows a lot of broadcast packets.
|
|
|
|
Users experiencing this problem can use PKTTYPE=No in
|
|
shorewall.conf to cause Shorewall to use IP address filtering of
|
|
broadcasts rather than packet type.
|
|
|
|
Problems Corrected since 2.1.0
|
|
|
|
1) The "check" command fails with the following message:
|
|
|
|
iptables: No chain/target/match by that name
|
|
|
|
-----------------------------------------------------------------------
|
|
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
|
|
|
1) Shorewall configuration files except shorewall.conf are now empty
|
|
(they contain only comments). If you wish to retain the defaults
|
|
in any of the following files, you should copy these files before
|
|
upgrading them then restore them after the upgrade:
|
|
|
|
/etc/shorewall/zones
|
|
/etc/shorewall/policy
|
|
/etc/shorewall/tos
|
|
|
|
-----------------------------------------------------------------------
|
|
New Features:
|
|
|
|
1) ICMP packets that are in the INVALID state are now dropped by the
|
|
Reject and Drop default actions. They do so using the new
|
|
'dropInvalid' builtin action.
|
|
|
|
2) The /etc/shorewall/masq file INTERFACE column now allows additional
|
|
options.
|
|
|
|
Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT
|
|
rules defined in the /etc/shorewall/nat file. If you preceed the
|
|
interface name with a plus sign ("+") then the rule will be
|
|
evaluated before one-to-one NAT.
|
|
|
|
Examples:
|
|
|
|
+eth0
|
|
+eth1:192.0.2.32/27
|
|
|
|
Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an
|
|
entry by following the interface name by ":" but no digit.
|
|
|
|
Examples:
|
|
|
|
eth0:
|
|
eth1::192.0.2.32/27
|
|
+eth3:
|
|
|
|
3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
|
|
you to override the setting of ADD_IP_ALIASES=Yes by following the
|
|
interface name with ":" but no digit.
|
|
|
|
4) All configuration files in the Shorewall distribution are now
|
|
empty. In particular, the /etc/shorewall/zones,
|
|
/etc/shorewall/policy and /etc/shorewall/tos files now have no
|
|
active entries. Hopefully this will stop the questions on the
|
|
support and development lists regarding why the default entries
|
|
are the way they are.
|
|
|