Problems Corrected:
1) A problem seen on RH7.3 systems where Shorewall encountered start
errors when started using the "service" mechanism has been worked
around.
2) A problem introduced in earlier snapshots has been corrected. This
problem caused incorrect netfilter rules to be created when the
destination zone in a rule was qualified by an address in CIDR
format.
Example:
ACCEPT fw net:206.124.146.0/24 tcp pop3
New Features:
1) A 'newnotsyn' interface option has been added. This option may be
specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets other than the first
one on an interface.
4) DNAT[-] rules may now be used to load balance (round-robin) over a
set of servers. Up to 256 servers may be specified in a range of
addresses given as <first address>-<last address>.
Example:
DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
Note that this capability has previously been available using a
combination of a DNAT-rule and one or more ACCEPT rules. That
technique is still preferable for load-balancing over a large number
of servers (> 16) since specifying a range in the DNAT rule causes
one filter table ACCEPT rule to be generated for each IP address in
the range.
5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The
output of the start, restart and check commands has been enhanced
to report the outcome:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Verifying Configuration...
6) Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in
netfilter's connection tracking table.
Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and
check commands.
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Verifying Configuration...
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:
a) To handle 'norfc1918' filtering, Shorewall will not create chains
in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).
b) Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table
is extended to check that the original destination address was the
same as specified (or defaulted to) in the DNAT rule.
7) The shell used to interpret the firewall script
(/usr/share/shorewall/firewall) may now be specified using the
SHOREWALL_SHELL parameter in shorewall.conf.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
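To make the cost described under item 4 concrete, here is an added example (not Shorewall's own code) that expands the announcement's DNAT range rule the way the text describes: a single nat-table DNAT rule for the whole range, plus one filter-table ACCEPT rule per address, enforcing the 256-address limit. When the Connection Tracking Match extension is reported as available, each filter rule also checks the connection's original destination, as item 6b describes. The chain names net_dnat and net2loc, the original destination 203.0.113.1, and the use of `-m conntrack --ctorigdst` for that check are assumptions made for this example; the script prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): expand a DNAT range rule such as
#   DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
# into the rules the announcement describes. Chain names (net_dnat, net2loc),
# the original destination 203.0.113.1 and "-m conntrack --ctorigdst" are
# assumptions for this example.

# ip4_to_int A.B.C.D -> 32-bit integer (fails if not four octets)
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int_to_ip4 <integer> -> A.B.C.D
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_range <first> <last>: one address per line.
# Fails (status 1) for a reversed range or for more than 256 addresses,
# the limit the announcement states for a DNAT range.
expand_range() {
    rf=$(ip4_to_int "$1") || return 1
    rl=$(ip4_to_int "$2") || return 1
    [ "$rl" -ge "$rf" ] || return 1
    [ $(( rl - rf + 1 )) -le 256 ] || return 1
    i=$rf
    while [ "$i" -le "$rl" ]; do
        int_to_ip4 "$i"
        i=$(( i + 1 ))
    done
}

# dnat_rules <first-last> <proto> <port> <original dest> <conntrack Yes|No>
# Prints the iptables commands instead of executing them.
dnat_rules() {
    range=$1 proto=$2 port=$3 origdst=$4 have_ct=$5
    first=${range%-*}
    last=${range#*-}
    expand_range "$first" "$last" >/dev/null || return 1
    # One nat-table rule covers the whole range (round-robin DNAT).
    echo "iptables -t nat -A net_dnat -p $proto -d $origdst --dport $port -j DNAT --to-destination $first-$last"
    # One filter-table ACCEPT rule per address in the range.
    expand_range "$first" "$last" | while read -r addr; do
        if [ "x$have_ct" = "xYes" ]; then
            # With the Connection Tracking Match extension the filter rule
            # also checks the connection's original destination, so only
            # traffic that actually went through this DNAT is accepted.
            echo "iptables -A net2loc -p $proto -d $addr --dport $port -m conntrack --ctorigdst $origdst -j ACCEPT"
        else
            echo "iptables -A net2loc -p $proto -d $addr --dport $port -j ACCEPT"
        fi
    done
}

# Demonstration: the announcement's example with conntrack match available.
dnat_rules 192.168.10.2-192.168.10.5 tcp 80 203.0.113.1 Yes
```

Running it prints five commands for the four-address range; a range of more than 256 addresses, or one given backwards, is rejected before any rule text is emitted.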
Simon Matter
2003-Jun-29 23:36 UTC
[Shorewall-users] Re: [Shorewall-announce] Snapshot 20030629
Tom Eastep schrieb:
> Problems Corrected:
>
> 1) A problem seen on RH7.3 systems where Shorewall encountered start
> errors when started using the "service" mechanism has been worked
> around.
>
> 2) A problem introduced in earlier snapshots has been corrected. This
> problem caused incorrect netfilter rules to be created when the
> destination zone in a rule was qualified by an address in CIDR
> format.
>
> Example:
>
> ACCEPT fw net:206.124.146.0/24 tcp pop3
>
> New Features:
>
> 1) A 'newnotsyn' interface option has been added. This option may be
> specified in /etc/shorewall/interfaces and overrides the setting
> NEWNOTSYN=No for packets arriving on the associated interface.

Tom,

Thanks for this new feature. I have a box with asymmetric routing on the
LAN/WAN interfaces and I was a bit worried that I had to set
NEWNOTSYN=Yes. Now I do it only on the internal interfaces with the new
'newnotsyn' interface option. As always, shorewall improves with every
release. Thanks for the good job!!!!

Simon

> _______________________________________________
> Shorewall-announce mailing list
> Shorewall-announce@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-announce
Simon Matter
2003-Jun-30 00:32 UTC
[Shorewall-users] Re: [Shorewall-announce] Snapshot 20030629
Simon Matter schrieb:
> Tom Eastep schrieb:
> > New Features:
> >
> > 1) A 'newnotsyn' interface option has been added. This option may be
> > specified in /etc/shorewall/interfaces and overrides the setting
> > NEWNOTSYN=No for packets arriving on the associated interface.
>
> Tom,
>
> Thanks for this new feature. I have a box with asymmetric routing on the
> LAN/WAN interfaces and I was a bit worried that I had to set
> NEWNOTSYN=Yes. Now I do it only on the internal interfaces with the new
> 'newnotsyn' interface option. As always, shorewall improves with every
> release. Thanks for the good job!!!!

Ups, I was using shorewall-1.4.5_20030623-1 which was fine. Now, with
1.4.5_20030629-1 I get the following on RH 7.3 with 'shorewall check':

Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Notice: The 'check' command is unsupported and problem reports complaining about errors that it didn't catch will not be accepted
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
/usr/share/shorewall/firewall: [: too many arguments
Connection Tracking Match: Not available
Verifying Configuration...
Loading Modules...
Determining Zones...
Zones: net loc dmz sec dev
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth5:0.0.0.0/0 Local Zone: eth1:10.0.0.0/8 DMZ Zone: eth3:0.0.0.0/0 Sec Zone: eth2:0.0.0.0/0 Dev Zone: eth4:0.0.0.0/0 I assume the following patch should do it: --- shorewall-1.4.5_20030629-1.noarch/usr/share/shorewall/firewall.orig Sun Jun 29 18:14:41 2003 +++ shorewall-1.4.5_20030629-1.noarch/usr/share/shorewall/firewall Mon Jun 30 09:29:09 2003 
@@ -3364,7 +3364,7 @@ { local setting - [ $1 = "Yes" ] && { setting="Available"; shift; } || setting="Not available" + [ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available" echo " " $@: $setting } Regards, Simon> > Simon > > > > > 2) The means for specifying a range of IP addresses in > > /etc/shorewall/masq to use for SNAT is now > > documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges. > > > > 3) Shorewall can now add IP addresses to subnets other than the first > > one on an interface. > > > > 4) DNAT[-] rules may now be used to load balance (round-robin) over a > > set of servers. Up to 256 servers may be specified in a range of > > addresses given as <first address>-<last address>. > > > > Example: > > > > DNAT net loc:192.168.10.2-192.168.10.5 tcp 80 > > > > Note that this capability has previously been available using a > > combination of a DNAT-rule and one or more ACCEPT rules. That > > technique is still preferable for load-balancing over a large number > > of servers (> 16) since specifying a range in the DNAT rule causes > > one filter table ACCEPT rule to be generated for each IP address in > > the range. > > > > 5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options > > have been removed and have been replaced by code that detects > > whether these capabilities are present in the current kernel. The > > output of the start, restart and check commands have been enhanced > > to report the outcome: > > > > Shorewall has detected the following iptables/netfilter capabilities: > > NAT: Available > > Packet Mangling: Available > > Multi-port Match: Available > > Verifying Configuration... > > > > 6) Support for the Connection Tracking Match Extension has been > > added. This extension is available in recent kernel/iptables > > releases and allows for rules which match against elements in > > netfilter''s connection tracking table. 
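Review bot: the change from `[ $1 = "Yes" ]` to `[ "x$1" = "xYes" ]` is the right fix for the `[: too many arguments` error shown in the `shorewall check` output above. With the unquoted operand, whatever `$1` expands to (nothing, or more than one word) is handed to `[` as the wrong number of operands, the test fails with a syntax error instead of a true/false result, and the `&&`/`||` chain falls through to `setting="Not available"` regardless of the input; the quoted, `x`-prefixed form always gives `[` exactly three operands. The same function still passes `$@` unquoted in `echo " " $@: $setting`; `"$@"` would be the matching change, though it only matters if a label word ever contains whitespace.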
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
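The failure Simon reports is a general shell pitfall rather than anything specific to the firewall script, so here is an added example (not Shorewall's or Simon's code) that reproduces it: a test with an unquoted operand fails with status 2 (a malformed expression, which is what `[: too many arguments` reports) when the value is empty or contains whitespace, while the quoted `x`-prefixed form always yields a clean true or false. The function names below are invented for this example, and the capability report format mirrors the one in the check output above.

```shell
#!/bin/sh
# Added example (not Shorewall's or Simon's code): why "[ $1 = "Yes" ]"
# breaks and "[ "x$1" = "xYes" ]" does not. Function names are invented.

# unquoted_test_status <value>: exit status of  [ $1 = "Yes" ]  (the old form).
# With an empty value "[" sees two words, with a multi-word value it sees
# four; either way the expression is malformed and the status is 2.
unquoted_test_status() {
    if [ $1 = "Yes" ] 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# quoted_test_status <value>: exit status of  [ "x$1" = "xYes" ]  (the
# patched form). Both sides are single words, so the result is 0 or 1.
quoted_test_status() {
    if [ "x$1" = "xYes" ] 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# report_capability <Yes|No|""> <label words...>
# Prints a line in the style of the capability report, using the robust
# test; an empty or multi-word status is reported as "Not available"
# without any shell error.
report_capability() {
    status=$1
    shift
    if [ "x$status" = "xYes" ]; then
        setting="Available"
    else
        setting="Not available"
    fi
    echo "  $*: $setting"
}

# Demonstration
report_capability Yes Multi-port Match
report_capability "" Connection Tracking Match
```

Run under any POSIX shell, the two status functions show the difference directly: `unquoted_test_status ""` prints 2, `quoted_test_status ""` prints 1.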
Tom Eastep
2003-Jun-30 07:17 UTC
[Shorewall-users] Re: [Shorewall-announce] Snapshot 20030629
On Mon, 2003-06-30 at 00:31, Simon Matter wrote:
> I assume the following patch should do it:

Yes, thanks Simon. I've applied the patch to my tree.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net