In the Shorewall/ CVS project:
Problems Corrected:
1) There has been a low continuing level of confusion over the terms
"Source NAT" (SNAT) and "Static NAT". To avoid future
confusion, all
instances of "Static NAT" have been replaced with "One-to-one
NAT"
in the documentation and configuration files.
2) The description of NEWNOTSYN in shorewall.conf has been reworded for
clarity.
Migration Issues:
None.
New Features:
1) To cut down on the number of "Why are these ports closed rather than
stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from ''reject''
to ''DROP''.
2) For easier identification, packets logged under the
''norfc1918''
interface option are now logged out of chains named
''rfc1918''. Previously, such packets were logged under
chains named
''logdrop''.
3) Distributors and developers seem to be regularly inventing new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX
is not set in shorewall.conf, Shorewall will use the list "o gz ko
o.gz".
To see what suffix is used by your distribution:
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
IMPORTANT: Those are back single quotes (upper lefthand corner of
your keyboard).
All of the files listed should have the same suffix (extension). Set
MODULE_SUFFIX to that suffix.
Examples:
If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"
4) Support for user defined rule ACTIONS has been implemented through
two new files:
/etc/shorewall/actions - used to list the user-defined ACTIONS.
/etc/shorewall/action.template - For each user defined <action>, copy
this file to
/etc/shorewall/action.<action> and
add the appropriate rules for that
<action>.
Once an <action> has been defined, it may be used like any of the
builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
Example: You want an action that logs a packet at the
''info'' level
and accepts the connection.
In /etc/shorewall/actions, you would add:
LogAndAccept
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
rules:
LOG:info
ACCEPT
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
