Tom Eastep wrote:
> This is a minor release of Shorewall.
>
> Problems Corrected:
>
> 1) TCP connection requests rejected out of the common chain are now
> properly rejected with TCP RST; previously, some of these requests
> were rejected with an ICMP port-unreachable response.
>
> 2) 'traceroute -I' from behind the firewall previously timed out on the
> first hop (e.g., to the firewall). This has been worked around.
>
> New Features:
>
> 1) Where an entry in the /etc/shorewall/hosts file specifies a
> particular host or network, Shorewall now creates an intermediate
> chain for handling input from the related zone. This can
> substantially reduce the number of rules traversed by connection
> requests from such zones.
>
> 2) Any file may include an INCLUDE directive. An INCLUDE directive
> consists of the word INCLUDE followed by a file name and causes the
> contents of the named file to be logically included into the file
> containing the INCLUDE. File names given in an INCLUDE directive
> are assumed to reside in /etc/shorewall or in an alternate
> configuration directory if one has been specified for the command.
>
> Examples:
> shorewall/params.mgmt:
> MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
> TIME_SERVERS=4.4.4.4
> BACKUP_SERVERS=5.5.5.5
> ----- end params.mgmt -----
>
> shorewall/params:
> # Shorewall 1.3 /etc/shorewall/params
> [..]
> #######################################
>
> INCLUDE params.mgmt
>
> # params unique to this host here
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
> ----- end params -----
>
> shorewall/rules.mgmt:
> ACCEPT net:$MGMT_SERVERS $FW tcp 22
> ACCEPT $FW net:$TIME_SERVERS udp 123
> ACCEPT $FW net:$BACKUP_SERVERS tcp 22
> ----- end rules.mgmt -----
>
> shorewall/rules:
> # Shorewall version 1.3 - Rules File
> [..]
> #######################################
>
> INCLUDE rules.mgmt
>
> # rules unique to this host here
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> ----- end rules -----
>
> INCLUDEs may be nested to a level of 3 -- further nested INCLUDE
> directives are ignored.
>
> 3) Routing traffic from an interface back out that interface continues
> to be a problem. While I firmly believe that this should never
> happen, people continue to want to do it. To limit the damage that
> such nonsense produces, I have added a new 'routeback' option in
> /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
> /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
> other words, 'routeback' can't be used as an option for a multi-zone
> interface. The 'routeback' option CAN be specified, however, on
> individual group entries in /etc/shorewall/hosts.
>
> The 'routeback' option is similar to the old 'multi' option with two
> exceptions:
>
> a) The option pertains to a particular zone,interface,address tuple.
>
> b) The option only creates infrastructure to pass traffic from
> (zone,interface,address) tuples back to themselves (the 'multi'
> option affected all (zone,interface,address) tuples associated with
> the given 'interface').
>
> See the 'Upgrade Issues' for information about how this new option
> may affect your configuration.
Tom,

Thank you for another release of Shorewall. It has made firewalling on
Linux a dream!

BTW, the 'Upgrade Issues' link is broken in
http://www.shorewall.net/seattlefirewall_index.htm

Regards,
Simon
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
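The INCLUDE directive announced above (new feature 2) has one rule that is easy to get wrong when building layered configurations: includes nest only to a level of 3, and INCLUDE lines found deeper than that are silently ignored. The script below is an added example, not Shorewall's own code and not part of the original announcement; it expands INCLUDE directives the way the announcement describes them so the effect of the depth limit can be seen on a constructed set of params files. It assumes the top-level file counts as level 0 (so a file reached through three INCLUDEs has its own INCLUDE lines dropped), takes the configuration directory as an argument in place of /etc/shorewall, and uses function and fixture names of its own.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: expand INCLUDE directives in a
# Shorewall-style config file following the announced rule that INCLUDEs
# nest to a level of 3 and deeper INCLUDE directives are ignored.
# Assumptions: the top-level file is level 0; included file names are
# looked up in the directory passed as the second argument (standing in
# for /etc/shorewall or an alternate configuration directory).

set -f   # no globbing when a config line is word-split below

# expand_includes FILE DIR [LEVEL]
# Write FILE (found in DIR) to stdout with each "INCLUDE name" line replaced
# by the expanded contents of DIR/name. LEVEL is the current nesting depth.
expand_includes() {
    file=$1
    dir=$2
    level=${3:-0}
    [ -f "$dir/$file" ] || { echo "expand_includes: $dir/$file: no such file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line          # $1 = first token, $2 = second token (if any)
        if [ "${1:-}" = INCLUDE ] && [ -n "${2:-}" ]; then
            if [ "$level" -ge 3 ]; then
                :             # depth limit reached: the directive is ignored
            else
                # Recurse in a subshell so the nested call cannot clobber
                # this invocation's file/dir/level variables.
                ( expand_includes "$2" "$dir" $((level + 1)) ) || return 1
            fi
        else
            printf '%s\n' "$line"   # comments, blank lines and entries pass through
        fi
    done < "$dir/$file"
}

# Constructed fixture (hypothetical file contents): four levels of INCLUDE,
# the last of which sits at level 3 and must therefore be dropped.
# Prints the expanded params file and returns the expander's status.
demo_expand() {
    d=$(mktemp -d) || return 1
    printf '# top-level params\nINCLUDE params.mgmt\nLOCAL=10.0.0.1\n' > "$d/params"
    printf 'MGMT_SERVERS=1.1.1.1,2.2.2.2\nINCLUDE params.time\n'      > "$d/params.mgmt"
    printf 'TIME_SERVERS=4.4.4.4\nINCLUDE params.backup\n'           > "$d/params.time"
    printf 'BACKUP_SERVERS=5.5.5.5\nINCLUDE params.deep\n'           > "$d/params.backup"
    printf 'SHOULD_NOT_APPEAR=1\n'                                   > "$d/params.deep"
    expand_includes params "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_expand
```

Running it prints the three server definitions from params.mgmt, params.time and params.backup followed by LOCAL=10.0.0.1, while SHOULD_NOT_APPEAR from params.deep never shows up: that is exactly the silent truncation to watch for when a shared fragment is itself assembled from fragments. A missing include file is treated as an error rather than skipped, which is the safer failure mode for a firewall ruleset.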