git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2017 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
Shorewall 2.0.17

----------------------------------------------------------------------

Problems Corrected in version 2.0.4

1) A DNAT rule with 'fw' as the source that specified logging caused
   "shorewall start" to fail.

----------------------------------------------------------------------

Problems Corrected in version 2.0.5

1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during
   "shorewall stop" in the case where DISABLE_IPV6=Yes in
   shorewall.conf.

2) An anachronistic reference to the mangle option was removed from
   shorewall.conf.

----------------------------------------------------------------------

Problems Corrected in version 2.0.6

1) Some users have reported the pkttype match option in iptables/
   Netfilter failing to match certain broadcast packets. The result
   is that the firewall log shows a lot of broadcast packets.

   Other users have complained of the following message when
   starting Shorewall:

       modprobe: cant locate module ipt_pkttype

   Users experiencing either of these problems can use PKTTYPE=No in
   shorewall.conf to cause Shorewall to use IP address filtering of
   broadcasts rather than packet type.

2) The shorewall.conf and zones files are no longer given execute
   permission by the installer script.

3) ICMP packets that are in the INVALID state are now dropped by the
   Reject and Drop default actions. They do so using the new
   'dropInvalid' builtin action.

-----------------------------------------------------------------------

Problems Corrected in version 2.0.7

1) The PKTTYPE option introduced in version 2.0.6 is now used when
   generating rules to REJECT packets. Broadcast packets are silently
   dropped rather than being rejected with an ICMP error (which is a
   protocol violation), and users whose kernels have broken packet type
   match support are likely to see messages reporting this violation.
   Setting PKTTYPE=No should cause these messages to cease.

2) Multiple interfaces with the 'blacklist' option no longer result in
   an error message at startup.

3) The following has been added to /etc/shorewall/bogons:

       0.0.0.0         RETURN

   This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
   broadcasts.

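The behaviour behind items 1) and 3) above, as an added Python model (this is
not Shorewall's own code, which is shell generating iptables rules): a kernel
whose pkttype match misreports a directed broadcast as a unicast "host" packet
lets a REJECT policy answer a broadcast with an ICMP error, PKTTYPE=No avoids
that by matching the destination against 255.255.255.255 and the directed
broadcast of each interface network instead, and a RETURN entry for 0.0.0.0
has to precede any bogons entry that covers 0.0.0.0/8 or a DHCP DISCOVER
(source 0.0.0.0) gets logged and dropped. The interface network, the packets
and the bogons entries are constructed for the example.

```python
"""Constructed model of broadcast handling under PKTTYPE=Yes/No and of the
bogons chain (added example; not Shorewall's rule-generating shell code)."""
from dataclasses import dataclass
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    pkttype: str  # link-layer class the kernel's pkttype match reports: host/broadcast/multicast


def directed_broadcasts(interface_networks):
    """Directed broadcast address of each network configured on an interface."""
    return {ipaddress.ip_network(n, strict=False).broadcast_address
            for n in interface_networks}


def is_broadcast(pkt, bcasts, pkttype_match_works):
    """PKTTYPE=Yes relies on '-m pkttype --pkt-type broadcast'; PKTTYPE=No matches
    on the destination address, which a broken pkttype match cannot affect."""
    if pkttype_match_works:
        return pkt.pkttype == "broadcast"
    dst = ipaddress.ip_address(pkt.dst)
    return dst == LIMITED_BROADCAST or dst in bcasts


def policy_verdict(pkt, policy, bcasts, pkttype_match_works):
    """A REJECT policy must not answer a broadcast with an ICMP error
    (RFC 1122, 3.2.2), so recognised broadcasts are dropped silently."""
    if policy == "REJECT" and is_broadcast(pkt, bcasts, pkttype_match_works):
        return "DROP"
    return policy


# Constructed bogons entries in file order (SUBNET  TARGET); first match wins.
BOGONS = [
    ("0.0.0.0", "RETURN"),     # the 2.0.7 addition: let DHCP DISCOVER through
    ("0.0.0.0/8", "logdrop"),
    ("127.0.0.0/8", "logdrop"),
]


def bogons_verdict(pkt, bogons):
    """Walk the bogons list in order and return the first matching TARGET."""
    src = ipaddress.ip_address(pkt.src)
    for subnet, target in bogons:
        if src in ipaddress.ip_network(subnet, strict=False):
            return target
    return "RETURN"  # nothing matched: continue with the normal rules


def demo():
    bcasts = directed_broadcasts(["192.168.1.3/24"])
    # A kernel with a broken pkttype match reports this directed broadcast as 'host'.
    misreported = Packet("192.168.1.7", "192.168.1.255", "host")
    discover = Packet("0.0.0.0", "255.255.255.255", "broadcast")  # DHCP DISCOVER
    return {
        "pkttype_yes": policy_verdict(misreported, "REJECT", bcasts, True),
        "pkttype_no": policy_verdict(misreported, "REJECT", bcasts, False),
        "discover_with_return": bogons_verdict(discover, BOGONS),
        "discover_without_return": bogons_verdict(discover, BOGONS[1:]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<26} {verdict}")
```

With the broken pkttype match the first packet is REJECTed (an ICMP error sent
towards a broadcast), with PKTTYPE=No it is DROPped; the DISCOVER is only
passed when the 0.0.0.0 RETURN entry comes first.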
-----------------------------------------------------------------------

New Features in version 2.0.7

1) To improve supportability, the "shorewall status" command now
   includes IP and Route configuration information.

   Example:

   IP Configuration

   1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       inet6 ::1/128 scope host
   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
       link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
       inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
       link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
       inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
   5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
       link/sit 0.0.0.0 brd 0.0.0.0
   6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
       link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
       inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
   7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
       link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
       inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
       inet6 fe80::240:d0ff:fe07:3a1b/64 scope link

   Routing Rules

   0:      from all lookup local
   32765:  from all fwmark ca lookup www.out
   32766:  from all lookup main
   32767:  from all lookup default

   Table local:

   broadcast 192.168.1.0 dev br0 proto kernel scope link src 192.168.1.3
   broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
   local 192.168.1.3 dev br0 proto kernel scope host src 192.168.1.3
   broadcast 192.168.1.255 dev br0 proto kernel scope link src 192.168.1.3
   broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
   local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
   local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

   Table www.out:

   default via 192.168.1.3 dev br0

   Table main:

   192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
   default via 192.168.1.254 dev br0

   Table default:

-----------------------------------------------------------------------

Problems Corrected in version 2.0.8

1) User/group restricted rules now work in actions.

-----------------------------------------------------------------------

Problems Corrected in version 2.0.9

1) Previously, an empty PROTO column or a value of "all" in that column
   would cause errors when processing the /etc/shorewall/tcrules file.

-----------------------------------------------------------------------

New Features in version 2.0.9

1) The "shorewall status" command now includes the output of "brctl
   show" if the bridge tools are installed.

-----------------------------------------------------------------------

Problems corrected in version 2.0.10

1) The GATEWAY column was previously ignored in 'pptpserver' entries in
   /etc/shorewall/tunnels.

2) When log rule numbers are included in the LOGFORMAT, duplicate
   rule numbers could previously be generated.

3) The /etc/shorewall/tcrules file now includes a note to the effect
   that rule evaluation continues after a match.

4) The error message produced if Shorewall couldn't obtain the routes
   through an interface named in the SUBNET column of
   /etc/shorewall/masq was less than helpful since it didn't include
   the interface name.

-----------------------------------------------------------------------

New Features in 2.0.10

1) The "shorewall status" command has been enhanced to include the
   values of key /proc settings:

   Example from a two-interface firewall:

   /proc

   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0

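The point of printing these values is that someone reads them: the example
above shows a forwarding firewall with rp_filter = 0 on every interface, so
the kernel performs no reverse-path check on source addresses. The following
is an added Python example (not part of Shorewall) that parses the /proc block
of a "shorewall status" capture and flags that combination, plus proxy_arp
where it is on. The sample text is constructed to reproduce the values shown
above, and the rule "forwarding on with rp_filter off is reported per
interface" is this example's own policy. It applies the kernel's rule that the
effective rp_filter for an interface is the larger of conf/all and
conf/<interface>.

```python
"""Audit the /proc block of a 'shorewall status' capture (added example; the
constructed sample reproduces the two-interface values shown above)."""
import re

PROC_LINE = re.compile(r"^(/proc/sys/net/ipv4/\S+)\s*=\s*(\d+)\s*$")

# Constructed sample, copying the two-interface firewall shown above.
SAMPLE = """\
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
"""


def parse_proc(text):
    """Map each /proc path in the status output to its integer value."""
    settings = {}
    for line in text.splitlines():
        m = PROC_LINE.match(line.strip())
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def audit(settings):
    """Return findings on forwarding-related settings.  rp_filter is in effect
    on an interface when max(conf/all, conf/<if>) is non-zero."""
    findings = []
    forwarding = settings.get("/proc/sys/net/ipv4/ip_forward", 0) == 1
    all_rp = settings.get("/proc/sys/net/ipv4/conf/all/rp_filter", 0)
    ifaces = sorted({p.split("/")[6] for p in settings
                     if p.startswith("/proc/sys/net/ipv4/conf/")}
                    - {"all", "default", "lo"})
    for ifc in ifaces:
        base = f"/proc/sys/net/ipv4/conf/{ifc}"
        if forwarding and max(all_rp, settings.get(f"{base}/rp_filter", 0)) == 0:
            findings.append(f"{ifc}: forwarding on but rp_filter off (no reverse-path check)")
        if settings.get(f"{base}/proxy_arp", 0) == 1:
            findings.append(f"{ifc}: proxy_arp enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_proc(SAMPLE)) or ["no findings"]:
        print(finding)
```

Treat the rp_filter finding as a prompt, not a verdict: on a multi-homed
firewall with asymmetric routes the strict reverse-path check discards
legitimate traffic, which is presumably why it is off here.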
-----------------------------------------------------------------------

Problems corrected in 2.0.11

1) The INSTALL file now includes special instructions for Slackware
   users.

2) The bogons file has been updated.

3) Service names are replaced by port numbers in /etc/shorewall/tos.

4) A typo in the install.sh file that caused an error during a new
   install has been corrected.

-----------------------------------------------------------------------

New Features in 2.0.11

1) The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).

-----------------------------------------------------------------------

Problems corrected in 2.0.12

1) A typo in shorewall.conf (NETNOTSYN) has been corrected.

2) The "shorewall add" and "shorewall delete" commands now work in a
   bridged environment. The syntax is:

       shorewall add <interface>[:<port>]:<address> <zone>
       shorewall delete <interface>[:<port>]:<address> <zone>

   where <port> is the bridge port. Examples:

       shorewall add br0:eth2:192.168.1.3 OK
       shorewall delete br0:eth2:192.168.1.3 OK

3) Previously, "shorewall save" created an out-of-sequence restore
   script. The commands saved in the user's /etc/shorewall/start script
   were executed prior to the Netfilter configuration being
   restored. This has been corrected so that "shorewall save" now
   places those commands at the end of the script.

   To accomplish this change, the "restore base" file
   (/var/lib/shorewall/restore-base) has been split into two files:

       /var/lib/shorewall/restore-base -- commands to be executed before
       the Netfilter configuration is restored.

       /var/lib/shorewall/restore-tail -- commands to be executed after
       the Netfilter configuration is restored.

4) Previously, traffic from the firewall to a dynamic zone member host
   did not need to match the interface specified when the host was
   added to the zone. For example, if eth0:1.2.3.4 was added to dynamic
   zone Z then traffic out of any firewall interface to 1.2.3.4 would
   obey the fw->Z policies and rules. This has been corrected.

-----------------------------------------------------------------------

New Features in 2.0.12

1) Variable expansion may now be used with the INCLUDE directive.

   Example:

   /etc/shorewall/params:

       FILE=/etc/foo/bar

   Any other config file:

       INCLUDE $FILE

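A reader that resolves INCLUDE with variable expansion the way the example
above describes, as an added Python example. It is not Shorewall's own parser
(Shorewall processes these files with the shell, so any $VAR the shell knows
is expanded); this model only handles $NAME and ${NAME} from a params file,
refuses an undefined name instead of silently expanding it to nothing, and
rejects an INCLUDE cycle. Two further assumptions are labelled in the code:
relative INCLUDE paths are taken relative to the including file, and $NAME is
expanded in ordinary config lines as well. The params, rules and included
files are constructed in a temporary directory.

```python
"""Reader for INCLUDE with variable expansion (added example modelling the
2.0.12 feature; not Shorewall's own parser, which relies on the shell)."""
import os
import re
import tempfile

VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def expand(text, params):
    """Replace $NAME / ${NAME}; an undefined name is an error, not ''."""
    def sub(m):
        name = m.group(1) or m.group(2)
        if name not in params:
            raise KeyError(f"undefined variable ${name} in: {text}")
        return params[name]
    return VAR_RE.sub(sub, text)


def load_params(path):
    """Parse NAME=value lines (comments and blanks ignored); later lines may
    reference earlier variables, as in a shell-sourced params file."""
    params = {}
    with open(path) as f:
        for raw in f:
            line = raw.split("#", 1)[0].strip()
            if "=" not in line:
                continue
            name, value = line.split("=", 1)
            params[name.strip()] = expand(value.strip().strip('"'), params)
    return params


def read_config(path, params, stack=()):
    """Logical lines of a config file with INCLUDE resolved.  Assumptions:
    relative INCLUDE paths are relative to the including file, $NAME is
    expanded in every line, and an INCLUDE cycle is an error."""
    real = os.path.realpath(path)
    if real in stack:
        raise RuntimeError("INCLUDE loop: " + " -> ".join(stack + (real,)))
    lines = []
    with open(path) as f:
        for raw in f:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            words = line.split(None, 1)
            if words[0].upper() == "INCLUDE" and len(words) == 2:
                target = expand(words[1].strip(), params)
                if not os.path.isabs(target):
                    target = os.path.join(os.path.dirname(path), target)
                lines.extend(read_config(target, params, stack + (real,)))
            else:
                lines.append(expand(line, params))
    return lines


def demo():
    """Constructed params/rules/bar files mirroring the example above."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "params"), "w") as f:
        f.write(f"CONFDIR={d}\nFILE=$CONFDIR/bar   # expands inside params too\n")
    with open(os.path.join(d, "bar"), "w") as f:
        f.write("ACCEPT  net  fw  tcp  22\n")
    with open(os.path.join(d, "rules"), "w") as f:
        f.write("# main rules file\nINCLUDE $FILE\nDROP  net  fw  tcp  23\n")
    return read_config(os.path.join(d, "rules"), load_params(os.path.join(d, "params")))


def include_loop_is_rejected():
    """A file that INCLUDEs itself must raise rather than recurse forever."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "self"), "w") as f:
        f.write("INCLUDE self\n")
    try:
        read_config(os.path.join(d, "self"), {})
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the real params file is sourced by the shell at "shorewall start",
whatever can write it runs as root; keep it and anything an INCLUDE can reach
root-owned and not group- or world-writable.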
-----------------------------------------------------------------------

Problems corrected in 2.0.13

1) A typo in /usr/share/shorewall/firewall caused the following:

       /usr/share/shorewall/firewall: line 1: match_destination_hosts: command
       not found

-----------------------------------------------------------------------

New Features in 2.0.14

1) Previously, when rate-limiting was specified in
   /etc/shorewall/policy (LIMIT:BURST column), any traffic which
   exceeded the specified rate was silently dropped. Now, if a log
   level is given in the entry (LEVEL column) then drops are logged at
   that level at a rate of 5/min with a burst of 5.

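Both limits above are instances of the iptables "limit" match, a token bucket
of BURST tokens refilled at RATE where a packet matches only while a whole
token is available. The following added Python example (a model of that
semantics, not kernel or Shorewall code) runs a constructed burst of packets
through a policy whose LIMIT:BURST is 10/sec:20 and then through the 5/min:5
logging limit, and counts what is accepted, what is dropped and how many of
the drops would actually reach the log. Rates are kept as exact fractions so
that a 5/min bucket really refills to exactly five tokens after a minute.

```python
"""Token-bucket model of the iptables 'limit' match as used for LIMIT:BURST
in the policy file and for the 5/min:5 logging of the excess (added example)."""
from fractions import Fraction

UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60, "hour": 3600, "day": 86400}


class Limit:
    """'-m limit --limit RATE --limit-burst BURST': BURST tokens, refilled at
    RATE; a packet matches only when a whole token is available."""

    def __init__(self, rate, burst):
        count, unit = rate.split("/")
        self.per_sec = Fraction(int(count), UNITS[unit])
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def matches(self, now):
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_policy(arrivals, limit="10/sec", burst=20, log_limit="5/min", log_burst=5):
    """Apply a rate-limited policy to packet arrival times (seconds) and count
    accepted packets, dropped packets, and drops that were logged."""
    policy = Limit(limit, burst)
    logger = Limit(log_limit, log_burst)
    counts = {"accepted": 0, "dropped": 0, "logged": 0}
    for t in arrivals:
        if policy.matches(t):
            counts["accepted"] += 1
        else:
            counts["dropped"] += 1
            if logger.matches(t):  # the 2.0.14 behaviour: excess logged at 5/min, burst 5
                counts["logged"] += 1
    return counts


# Constructed traffic: 100 packets at t=0 (a SYN burst) and 100 more a minute later.
ARRIVALS = [0] * 100 + [60] * 100

if __name__ == "__main__":
    print(run_policy(ARRIVALS))
```

Of 200 packets, 40 pass (the 20-token burst twice), 160 are dropped and only
10 lines are logged: the logging limit is what keeps a flood from filling the
log while the policy limit does the dropping.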
-----------------------------------------------------------------------

Problems corrected in 2.0.14

1) A typo in the /etc/shorewall/interfaces file has been fixed.

2) "bad variable" error messages occurring during "shorewall stop" and
   "shorewall clear" have been eliminated.

3) A misleading typo in /etc/shorewall/tunnels has been corrected.

-----------------------------------------------------------------------

Problems corrected in 2.0.15

1) The range of ports opened by the AllowTrcrt action has been
   expanded to 33434:33524.

2) Code mis-ported from 2.2.0 caused the following error during
   "shorewall start" where SYN rate-limiting is present in
   /etc/shorewall/policy:

       Bad argument `DROP'
       Try `iptables -h' or 'iptables --help' for more information.

-----------------------------------------------------------------------

New Features in 2.0.16

1) Recent 2.6 kernels include code that evaluates TCP packets based on
   TCP Window analysis. This can cause packets that were previously
   classified as NEW or ESTABLISHED to be classified as INVALID.

   The new kernel code can be disabled by including this command in
   your /etc/shorewall/init file:

       echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

   Note that this gives up the window check: out-of-window segments,
   including injected ones, are then tracked as part of an existing
   connection instead of being marked INVALID.

   Additional kernel logging about INVALID TCP packets may be
   obtained by adding this command to /etc/shorewall/init:

       echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

   The value written is the protocol number whose invalid packets are
   logged (1 = ICMP, 6 = TCP, 255 = every protocol), so to log the
   INVALID TCP packets discussed here the value should be 6.

   Traditionally, Shorewall has dropped INVALID TCP packets early. The
   new DROPINVALID option allows INVALID packets to be passed through
   the normal rules chains by setting DROPINVALID=No.

   If not specified or if specified as empty (e.g., DROPINVALID="")
   then DROPINVALID=Yes is assumed.

-------------------------------------------------------------------------------

Problems corrected in 2.0.17

1) Invoking the 'rejNotSyn' action results in an error at startup.

2) The UDP and TCP port numbers in /usr/share/shorewall/action.AllowPCA
   were reversed.

3) If a zone is defined in /etc/shorewall/hosts using
   <interface>:!<network> in the HOSTS column then startup errors occur
   on "shorewall [re]start".