forked from extern/shorewall_code
50b692b6be
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@431 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
771 lines
47 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base
target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorewall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
<div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the
hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You should have received a copy of
the GNU General Public License along with
this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on a floppy, CD
or compact flash) distribution called <i>Bering</i>
that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2>
<p><b>2/4/2003 - Shorewall 1.3.14-RC1</b> <b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Includes the Beta 2 content plus support for OpenVPN tunnels.</p>
<p> The release candidate may be downloaded from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Includes the Beta 1 content and restores support for VLAN device names of the
form $dev.$vid (e.g., eth0.1).</p>
<p> The beta may be downloaded from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b> <b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p>The Beta includes the following changes:<br>
</p>
<ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
policies just like any other connection request. The FORWARDPING=Yes option
in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create a "label"
such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
just the interface name:<br>
<br>
&nbsp;&nbsp; a) In the INTERFACE column of /etc/shorewall/masq<br>
&nbsp;&nbsp; b) In the INTERFACE column of /etc/shorewall/nat<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET column of
the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
from only the first subnet defined on that interface. It did not masquerade
traffic from:<br>
<br>
&nbsp;&nbsp; a) The subnets associated with other addresses on the interface.<br>
&nbsp;&nbsp; b) Subnets accessed through local routers.<br>
<br>
Beginning with Shorewall 1.3.14, if you enter an interface name in
the SUBNET column, Shorewall will use the firewall's routing table to
construct the masquerading/SNAT rules.<br>
<br>
Example 1 -- This is how it works in 1.3.14.<br>
<pre>
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE              SUBNET                  ADDRESS
eth0                    eth2                    206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</pre>
<pre>
[root@gateway test]# ip route show dev eth2
192.168.1.0/24  scope link
192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
</pre>
<pre>
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
</pre>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets
connected to an interface that is specified in the SUBNET column of an
/etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing.
In most cases, you will simply be able to remove redundant entries. In some
cases though, you might want to change from using the interface name to
listing specific subnetworks if the change described above will cause masquerading
to occur on subnetworks that you don't wish to masquerade.<br>
<br>
Example 2 -- Suppose that your current config is as follows:<br>
<pre>
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE              SUBNET                  ADDRESS
eth0                    eth2                    206.124.146.176
eth0                    192.168.10.0/24         206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</pre>
<pre>
[root@gateway test]# ip route show dev eth2
192.168.1.0/24  scope link
192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
[root@gateway test]#
</pre>
In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
<br>
Example 3 -- What if your current configuration is like this, and you do
not want traffic from 192.168.10.0/24 to be masqueraded?<br>
<pre>
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE              SUBNET                  ADDRESS
eth0                    eth2                    206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</pre>
<pre>
[root@gateway test]# ip route show dev eth2
192.168.1.0/24  scope link
192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
[root@gateway test]#
</pre>
In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
<pre>
#INTERFACE              SUBNET                  ADDRESS
eth0                    192.168.1.0/24          206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</pre>
</li>
</ol>
The beta may be downloaded from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
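<p>The routing-table expansion described in item 3 above, as an added example that is not Shorewall's own code: a small POSIX shell script that takes a constructed copy of the <code>ip route show dev eth2</code> output from Example 1 and prints the SNAT commands that an interface name in the SUBNET column now implies, next to the explicit-subnet form that Example 3 falls back to. The sample routes (including an added default route, which must never become a masquerade source), the function names and the exact iptables command form are assumptions for the illustration; nothing is applied to a live firewall, the commands are only printed.</p>

```shell
#!/bin/sh
# Added illustration (not Shorewall code): expand an /etc/shorewall/masq entry
# whose SUBNET column names an interface from the kernel routing table, the
# behaviour Shorewall 1.3.14 is described as introducing.  Runs offline.

# Constructed sample of "ip route show dev eth2", matching Example 1 on the
# page plus a default route to show that it is filtered out.
SAMPLE_ROUTES='192.168.1.0/24  scope link
192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
default via 192.168.1.1'

# subnets_from_routes ROUTES: print each destination prefix, one per line.
# Bare host addresses get /32; the default route and blank lines are skipped.
subnets_from_routes() {
    printf '%s\n' "$1" | while read -r dest rest; do
        case "$dest" in
            ''|default) continue ;;
            */*) printf '%s\n' "$dest" ;;
            *)   printf '%s/32\n' "$dest" ;;
        esac
    done
}

# masq_rules OUT_IF SUBNET ADDRESS ROUTES: emit one SNAT command per source
# network.  SUBNET is either a literal network (the form to keep when you do
# not want every routed subnet masqueraded, as in Example 3) or an interface
# name, in which case the routing table passed in ROUTES decides.
masq_rules() {
    out_if=$1 spec=$2 addr=$3 routes=$4
    case "$spec" in
        */*|[0-9]*) subnets=$spec ;;                          # literal network
        *)          subnets=$(subnets_from_routes "$routes") ;;  # interface name
    esac
    for net in $subnets; do
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
            "$net" "$out_if" "$addr"
    done
}

# Example 1: interface name -> every routed subnet on eth2 is masqueraded.
masq_rules eth0 eth2 206.124.146.176 "$SAMPLE_ROUTES"
# Example 3: explicit subnet -> only 192.168.1.0/24 is masqueraded.
masq_rules eth0 192.168.1.0/24 206.124.146.176 "$SAMPLE_ROUTES"
```

<p>The two calls at the bottom print two SNAT rules for the interface form and one for the explicit form, which is exactly the difference the upgrade note above asks you to check for in your own masq file.</p>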
<p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
documentation. The PDF may be downloaded from</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a></p>
<p><b>1/17/2003 - shorewall.net has MOVED</b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and
ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
big thanks to Alex for making this happen.<br>
</p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><br>
</p>
<p>Just includes a few things that I had on the burner:<br>
</p>
<ol>
<li>A new 'DNAT-' action has been added for entries in the
/etc/shorewall/rules file. DNAT- is intended for advanced users who wish
to minimize the number of rules that connection requests must traverse.<br>
<br>
A Shorewall DNAT rule actually generates two iptables rules: a
header rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter'
table. A DNAT- rule only generates the first of these rules. This is handy
when you have several DNAT rules that would generate the same ACCEPT rule.<br>
<br>
Here are three rules from my previous rules file:
<pre>
DNAT    net   dmz:206.124.146.177   tcp   smtp             -   206.124.146.178
DNAT    net   dmz:206.124.146.177   tcp   smtp             -   206.124.146.179
ACCEPT  net   dmz:206.124.146.177   tcp   www,smtp,ftp,...
</pre>
These three rules ended up generating <i>three</i> copies of
<pre>
ACCEPT  net   dmz:206.124.146.177   tcp   smtp
</pre>
By writing the rules this way, I end up with only one copy of
the ACCEPT rule.
<pre>
DNAT-   net   dmz:206.124.146.177   tcp   smtp             -   206.124.146.178
DNAT-   net   dmz:206.124.146.177   tcp   smtp             -   206.124.146.179
ACCEPT  net   dmz:206.124.146.177   tcp   www,smtp,ftp,...
</pre>
</li>
<li>The 'shorewall check' command now prints out the applicable
policy between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf.
If this option is set to 'No' then Shorewall won't clear the current
traffic control rules during [re]start. This setting is intended for
use by people that prefer to configure traffic shaping when the network
interfaces come up rather than when the firewall is started. If that
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not
supply an /etc/shorewall/tcstart file. That way, your traffic shaping
rules can still use the 'fwmark' classifier based on packet marking defined
in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows
distribution packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.<br>
</li>
</ol>
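<p>DNAT versus DNAT- from item 1 above, as an added example that is not Shorewall's rule compiler: a POSIX shell script that expands a constructed copy of the two rule sets into the iptables commands they imply and counts the duplicated filter rules. The chain names (<code>net_dnat</code> in the nat table, <code>net2dmz</code> in the filter table), the one-rule-per-port expansion of a port list, and the function names are assumptions made for the illustration; the commands are printed, never executed.</p>

```shell
#!/bin/sh
# Added illustration (not Shorewall's own code): expand Shorewall 1.3 style
# rules into iptables commands to show what the DNAT- action saves.
# Chain names and the per-port expansion are assumptions for the example.

# Constructed rules; columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
RULES_DNAT='DNAT   net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT   net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp'

RULES_DNAT_MINUS='DNAT-  net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT-  net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp'

# expand_rules RULES: one iptables command per output line.
#   DNAT and DNAT- both produce the nat-table header rewrite;
#   DNAT and ACCEPT both produce filter-table ACCEPTs (one per listed port).
expand_rules() {
    printf '%s\n' "$1" | while read -r action src dst proto ports sport origdest; do
        [ -n "$action" ] || continue
        szone=${src%%:*} dzone=${dst%%:*} dhost=${dst#*:}
        [ "$dhost" = "$dst" ] && dhost=0.0.0.0/0        # no host part given
        case "$action" in
            DNAT|DNAT-)
                printf 'iptables -t nat -A %s_dnat -p %s -d %s --dport %s -j DNAT --to-destination %s\n' \
                    "$szone" "$proto" "$origdest" "$ports" "$dhost" ;;
        esac
        case "$action" in
            DNAT|ACCEPT)
                for port in $(printf '%s' "$ports" | tr ',' ' '); do
                    printf 'iptables -A %s2%s -p %s -d %s --dport %s -j ACCEPT\n' \
                        "$szone" "$dzone" "$proto" "$dhost" "$port"
                done ;;
        esac
    done
}

# duplicate_count RULES: number of distinct commands that appear more than once.
duplicate_count() {
    expand_rules "$1" | sort | uniq -d | wc -l | tr -d ' '
}

echo "== DNAT: $(duplicate_count "$RULES_DNAT") duplicated filter rule(s)"
expand_rules "$RULES_DNAT"
echo "== DNAT-: $(duplicate_count "$RULES_DNAT_MINUS") duplicated filter rule(s)"
expand_rules "$RULES_DNAT_MINUS"
```

<p>With plain DNAT the smtp ACCEPT is emitted three times (once per DNAT rule and once from the port list); with DNAT- the nat rules are unchanged and the ACCEPT for smtp appears once. Every packet on the net-to-dmz path walks the shorter chain.</p>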
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b></p>
<p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documentation. The PDF may be downloaded from</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b></p>
<p> Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic
shaping rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near
the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been sped up by
more than 40% with my configuration. Your mileage may vary.</li>
<li>A "shorewall show classifiers" command has been
added which shows the current packet classification filters. The
output from this command is also added as a separate page in "shorewall
monitor".</li>
<li>ULOG (must be all caps) is now accepted as a
valid syslog level and causes the subject packets to be logged using
the ULOG target rather than the LOG target. This allows you to run
ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="shorewall_logging.html">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD
chain in the mangle table ("shorewall show mangle" will show you
the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for
marking input packets based on their destination even when you are
using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process
won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable
to <a href="Documentation.htm#Conf">shorewall.conf</a>. This
variable specifies the syslog level at which packets are logged as
a result of entries in the /etc/shorewall/rfc1918 file. Previously,
these packets were always logged at the 'info' level.<br>
</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging.
In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the
firewall would fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b></p>
The first public Beta version of Shorewall 1.3.12 is
now available (Beta 1 was made available to a limited audience).
<br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic
shaping rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off
debugging after an error occurs. This places the point of the failure
near the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been sped
up by more than 40% with my configuration. Your mileage may vary.</li>
<li>A "shorewall show classifiers" command
has been added which shows the current packet classification filters.
The output from this command is also added as a separate page in
"shorewall monitor".</li>
<li>ULOG (must be all caps) is now accepted
as a valid syslog level and causes the subject packets to be logged
using the ULOG target rather than the LOG target. This allows you to
run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="shorewall_logging.html">to a separate log file</a>.</li>
<li>If you are running a kernel that has a
FORWARD chain in the mangle table ("shorewall show mangle" will
show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This allows for marking input packets based on
their destination even when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall
directory with empty 'init', 'start', 'stop' and 'stopped' files.
If you already have a file with one of these names, don't worry
-- the upgrade process won't overwrite your file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am
now in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
users who don't need rules of this type need not upgrade to 1.3.11a.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documentation. The PDF may be downloaded from</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been
added to entries in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity checks on TCP
packet header flags.</li>
<li>It is now allowed to use 'all'
in the SOURCE or DEST column in a <a
href="Documentation.htm#Rules">rule</a>. When used, 'all' must appear
by itself (it may not be qualified) and it does not enable intra-zone
traffic. For example, the rule <br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc'
to 'loc'.</li>
<li>Shorewall's use of the 'echo'
command is now compatible with bash clones such as ash and dash.</li>
<li>fw->fw policies now generate
a startup error. fw->fw rules generate a warning and are
ignored.</li>
</ul>
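<p>The kind of TCP header-flag sanity checks the 'tcpflags' option refers to, as an added example that is not Shorewall's own tcpflags chain: a POSIX shell script that holds a table of flag combinations no conforming TCP stack sends, emits the matching iptables commands for an interface, and evaluates the same table offline against a given flag set so the checks can be tested without a kernel. The chain name, the log prefix, the specific combinations and the function names are assumptions for the illustration; nothing is loaded into a live firewall.</p>

```shell
#!/bin/sh
# Added illustration (not Shorewall's tcpflags chain): TCP flag sanity checks
# expressed both as iptables --tcp-flags rules and as an offline matcher.
# Each line is "MASK COMP": a packet is dropped when (flags & MASK) == COMP,
# which is exactly the semantics of "--tcp-flags MASK COMP".  The chosen set
# is an assumption for the example.
TCPFLAGS_RULES='ALL NONE
ALL ALL
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG'

# flag_bits LIST: turn a comma-separated flag list (or ALL/NONE) into a bitmask.
flag_bits() {
    case "$1" in ALL) echo 63; return ;; NONE) echo 0; return ;; esac
    n=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case "$f" in
            FIN) n=$((n|1)) ;; SYN) n=$((n|2)) ;;  RST) n=$((n|4)) ;;
            PSH) n=$((n|8)) ;; ACK) n=$((n|16)) ;; URG) n=$((n|32)) ;;
            *) echo "unknown flag $f" >&2; return 1 ;;
        esac
    done
    echo "$n"
}

# tcpflags_verdict FLAGS: DROP if any rule in the table matches, else ACCEPT.
tcpflags_verdict() {
    pkt=$(flag_bits "$1") || return 1
    verdict=$(printf '%s\n' "$TCPFLAGS_RULES" | while read -r mask comp; do
        [ -n "$mask" ] || continue
        m=$(flag_bits "$mask"); c=$(flag_bits "$comp")
        if [ $((pkt & m)) -eq "$c" ]; then echo DROP; break; fi
    done)
    echo "${verdict:-ACCEPT}"
}

# tcpflags_iptables IFACE: print the commands that build the chain and hook it
# into INPUT and FORWARD for packets arriving on IFACE (log, then drop).
tcpflags_iptables() {
    echo "iptables -N tcpflags"
    printf '%s\n' "$TCPFLAGS_RULES" | while read -r mask comp; do
        [ -n "$mask" ] || continue
        echo "iptables -A tcpflags -p tcp --tcp-flags $mask $comp -j LOG --log-prefix 'tcpflags:DROP:'"
        echo "iptables -A tcpflags -p tcp --tcp-flags $mask $comp -j DROP"
    done
    echo "iptables -I INPUT -i $1 -p tcp -j tcpflags"
    echo "iptables -I FORWARD -i $1 -p tcp -j tcpflags"
}

tcpflags_iptables eth0
for flags in SYN SYN,ACK ACK,PSH FIN,ACK NONE ALL SYN,FIN FIN,PSH,URG; do
    echo "$flags -> $(tcpflags_verdict "$flags")"
done
```

<p>The matcher and the rule generator read the same table, so the offline verdicts (a plain SYN, SYN/ACK, ACK/PSH and FIN/ACK pass; null, all-flags, SYN/FIN and FIN/PSH/URG scans drop) are the verdicts the generated chain gives.</p>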
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>