shorewall_code/Shorewall2/releasenotes.txt

Shorewall 2.0.0-Beta1

----------------------------------------------------------------------
Problems Corrected since prior version.

	 None - this is the initial release.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:

1) The 'dropunclean' and 'logunclean' interface options are no longer
   supported. If either option is specified in
   /etc/shorewall/interfaces, an threatening message will be
   generated.

2) The NAT_BEFORE_RULES option has been removed from
   shorewall.conf. The behavior of Shorewall is as if
   NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
   now always take precidence over one-to-one NAT specifications.

3) The default value for the ALL INTERFACES column in
   /etc/shorewall/nat has changed. In Shorewall 1.*, if the column was
   left empty, a value of "Yes" was assumed. This has been changed so
   that a value of "No" is now assumed.

4) The following files don't exist in Shorewall 2.0:

       /etc/shorewall/common.def
       /etc/shorewall/common
       /etc/shorewall/icmpdef

   The /etc/shorewall/action file now allows an action to be
   designated as the "common" action for a particular policy type by
   following the action name with ":" and the policy (DROP, REJECT or
   ACCEPT).

   The file /etc/shorewall/actions.std has been added to define those
   actions that are released as part of Shorewall. In that file are
   two actions as follows:

       Drop:DROP
       Reject:REJECT

   The "Drop" action is the common action for DROP policies while the
   "Reject" action is the default action for "REJECT" policies. These
   actions will be performed on packets prior to applying the DROP or
   REJECT policy respectively. In the first release, the difference
   between "Reject" and "Drop" is that "Reject" REJECTs SMB traffic
   while "Drop" silently drops such traffic.

   As described above, Shorewall allows a common action for ACCEPT
   policies but does not specify such an action in the default
   configuration.

   /etc/shorewall/actions contains an INCLUDE for
   /etc/shorewall/actions.std. This causes a large number of actions to
   be defined; in the current release:

      DropBcast       #Silently Drops Broadcast Traffic
      DropSMB         #Silently Drops Microsoft SMB Traffic
      RejectSMB       #Silently Reject Microsoft SMB Traffic
      DropUPnP        #Silently Drop UPnP Probes
      DropNonSyn      #Silently Drop Non-syn TCP packets
      RejectAuth      #Silently Reject Auth
      DropPing        #Silently Drop Ping
      DropDNSrep      #Silently Drop DNS Replies

      AllowPing       #Accept Ping
      AllowFTP        #Accept FTP
      AllowDNS        #Accept DNS
      AllowSSH        #Accept SSH
      AllowWeb        #Allow Web Browsing
      AllowSMB        #Allow MS Networking
      AllowAuth       #Allow Auth (identd)
      AllowSMTP       #Allow SMTP (Email)
      AllowPOP3       #Allow reading mail via POP3
      AllowIMAP       #Allow reading mail via IMAP
      AllowTelnet     #Allow Telnet Access (not recommended for use over the
                      #Internet)
      AllowVNC        #Allow VNC, Displays 0-9
      AllowNTP        #Allow Network Time Protocol (ntpd)
      AllowRdate      #Allow remote time (rdate).
      AllowNNTP       #Allow network news (Usenet).
      AllowTrcrt      #Allows Traceroute (20 hops)
      AllowSNMP	      #Allows SNMP (including traps)

      Drop:DROP       #Common rules for DROP policy
      Reject:REJECT   #Common Action for Reject policy

   If you don't want to create all of the action chains, you can remove
   the INCLUDE and only include those actions that you need. Here's my
   /etc/shorewall/actions file:

      DropBcast       #Silently Drops Broadcast Traffic
      DropSMB         #Silently Drops Microsoft SMB Traffic
      RejectSMB       #Silently Reject Microsoft SMB Traffic
      DropUPnP        #Silently Drop UPnP Probes
      DropNonSyn      #Silently Drop Non-syn TCP packets
      RejectAuth      #Silently Reject Auth
      DropPing        #Silently Drop Ping
      DropDNSrep      #Silently Drop DNS Replies
      AllowPing       #Accept Ping

      Mirrors         #Accept traffic from Shorewall Mirrors

      MyDrop:DROP
      MyReject:REJECT

   At any rate, if you have an existing /etc/shorewall/actions file,
   then you MUST either add "INCLUDE /etc/shorewall/actions.std" to
   that file or you must include the definitions similar to mine above
   in your /etc/shorewall/actions file.

5) The /etc/shorewall directory no longer contains a 'users' file or a
   'usersets' file. Similar functionality is now available using
   user-defined actions.

   Now, action files created by copying /etc/shorewall/action.template
   may now specify a USER and or GROUP name/id in the final column just
   like in the rules file (see below). It is thus possible to create
   actions that control traffic from a list of users and/or groups.

   The last column in /etc/shorewall/rules is now labeled USER/GROUP
   and may contain:

       [!]<user number>[:]
       [!]<user name>[:]
       [!]:<group number>
       [!]:<group name>
       [!]<user number>:<group number>
       [!]<user number>:<group name>
       [!]<user name>:<group number>
       [!]<user name>:<group name>

6) It is no longer possible to specify rate limiting in the ACTION
   column of /etc/shorewall/rules -- you must use the RATE LIMIT
   column.

New Features:

1) The INCLUDE directive now allows absolute file names.

2) A 'nosmurfs' interface option has been added to
   /etc/shorewall/interfaces. When specified for an interface, this
   option causes smurfs (packets with a broadcast address as their
   source) to be dropped and optionally logged (based on the setting of
   a new SMURF_LOG_LEVEL option in shorewall.conf).

3) fw->fw traffic may now be controlled by Shorewall. There is no need
   to define the loopback interface in /etc/shorewall/interfaces; you
   simply add a fw->fw policy and fw->fw rules. If you have neither a
   fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed.

4) There is a new PERSISTENT column in the proxyarp file. A value of
   "Yes" in this column means that the route added by Shorewall for
   this host will remain after a "shorewall stop" or "shorewall clear".

5) "trace" is now a synonym for "debug" in /sbin/shorewall commands.
   So to trace the "start" command, you could enter:

      shorewall trace start 2> /tmp/trace

   The trace information would be written to the file /tmp/trace.

6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you
   follow the tunnel type ("ipsec" or "ipsecnet") with ":noah"
   (e.g., "ipsec:noah"), then Shorewall will only create rules for
   ESP (protocol 50) and will not create rules for AH (protocol 51).