Just some stuff that was laying around in CVS:
1. Added 'DNAT-' target.
2. Print policies in 'check' command.
3. Added CLEAR_TC option.
4. Added SHARED_DIR option.
[teastep@wookie Shorewall]$ cat releasenotes.txt
This is a minor release of Shorewall that has a couple of new features.
New features include:
1) A new 'DNAT-' action has been added for entries in the
/etc/shorewall/rules file. DNAT- is intended for advanced users who
wish to minimize the number of rules that connection requests must
traverse.
A Shorewall DNAT rule actually generates two iptables rules: a
header rewriting rule in the 'nat' table and an ACCEPT rule in the
'filter' table. A DNAT- rule only generates the first of these
rules. This is handy when you have several DNAT rules that would
generate the same ACCEPT rule.
Here are three rules from my previous rules file:
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
These three rules ended up generating _three_ copies of
ACCEPT net dmz:206.124.146.177 tcp smtp
By writing the rules this way, I end up with only one copy of the
ACCEPT rule.
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
2) The 'shorewall check' command now prints out the applicable
policy between each pair of zones.
3) A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current
traffic control rules during [re]start. This setting is intended
for use by people that prefer to configure traffic shaping when
the network interfaces come up rather than when the firewall
is started. If that is what you want to do, set TC_ENABLED=Yes and
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
way, your traffic shaping rules can still use the 'fwmark'
classifier based on packet marking defined in /etc/shorewall/tcrules.
4) A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default
/usr/lib/shorewall). Users should never have a need to change the
value of this shorewall.conf setting.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
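As an added illustration (not Shorewall's own code and not part of the original message), the following Python toy models the rule expansion described above: a DNAT line yields a nat-table rewrite plus a filter-table ACCEPT, while DNAT- yields only the rewrite. The chain names (net_dnat, net2dmz) and the one-rule-per-port expansion are assumptions, and the input mirrors the three rules above with the port list shortened.

```python
"""Toy model of how Shorewall expands /etc/shorewall/rules entries into
iptables rules.  Constructed illustration, not Shorewall's own code: the
chain names and the one-rule-per-port expansion are simplifying assumptions."""
from collections import Counter


def expand_rule(line):
    """Return the list of iptables rules one rules-file line produces."""
    fields = line.split()
    action, src_zone, dest = fields[0], fields[1], fields[2]
    proto = fields[3] if len(fields) > 3 else "all"
    dports = fields[4].split(",") if len(fields) > 4 and fields[4] != "-" else ["-"]
    orig_dest = fields[6] if len(fields) > 6 else None   # ORIGINAL DEST column
    dest_zone, _, dest_addr = dest.partition(":")
    rules = []
    for port in dports:
        match = f"-p {proto}" + (f" --dport {port}" if port != "-" else "")
        if action in ("DNAT", "DNAT-"):
            # Header-rewriting rule in the nat table (assumed chain name).
            rules.append(f"-t nat -A {src_zone}_dnat {match} -d {orig_dest} "
                         f"-j DNAT --to-destination {dest_addr}")
        if action in ("DNAT", "ACCEPT"):
            # ACCEPT rule in the filter table; DNAT- deliberately skips this.
            rules.append(f"-A {src_zone}2{dest_zone} {match} -d {dest_addr} -j ACCEPT")
    return rules


def compile_rules(text):
    rules = []
    for line in text.strip().splitlines():
        rules.extend(expand_rule(line))
    return rules


def duplicate_rules(rules):
    """Map each generated rule that appears more than once to its count."""
    return {r: n for r, n in Counter(rules).items() if n > 1}


# Constructed input mirroring the release note (port list shortened).
WITH_DNAT = """
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp
"""
WITH_DNAT_MINUS = WITH_DNAT.replace("DNAT ", "DNAT- ")

if __name__ == "__main__":
    for label, text in (("DNAT", WITH_DNAT), ("DNAT-", WITH_DNAT_MINUS)):
        rules = compile_rules(text)
        print(f"{label}: {len(rules)} rules, duplicates: {duplicate_rules(rules)}")
```

Because DNAT- emits no filter rule at all, a DNAT- line whose port is not covered by an explicit ACCEPT leaves the rewritten traffic to the zone policy, which is the trade-off behind the "advanced users" caveat.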
Tom,
Thank You for adding these features to Shorewall and all the hard work you
put into this product and support.
Mike
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, January 14, 2003 2:19 PM
To: Shorewall Users; Shorewall Announcements
Subject: [Shorewall-users] Shorewall-1.3.13
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users
--On Tuesday, January 14, 2003 03:07:19 PM -0600 "Martinez, Mike (MHS-ACS)" <Mike.Martinez@mhs-helpdesk.com> wrote:
> Thank You for adding these features to Shorewall and all the hard work you
> put into this product and support.

You're welcome, Mike!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Tom

There's no reason you should let a complete stranger question your better judgement, but weren't you supposed to be taking a break from all of this?

cheers
Julian

At 12:19 14/01/03 -0800, Tom Eastep wrote:
>Just some stuff that was laying around in CVS:
>
><snip>
--
jc@ljchurch.co.uk www.ljchurch.co.uk