The ''firewall'' script currently in the /Shorewall CVS project:

a) Is approximately 15% faster starting/restarting on my configuration -- please report your experiences with it.

b) Reloads Traffic Control/Shaping as part of "shorewall refresh".

c) Turns off the shell trace after an error has occurred (except when the command being traced is "stop" or "clear").

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://shorewall.sf.net
ICQ: #60745924   \ teastep@shorewall.net
On Thursday 05 December 2002 01:43, Tom Eastep wrote:
> The ''firewall'' script currently in the /Shorewall CVS project:
>
> a) Is approximately 15% faster starting/restarting on my configuration --
> please report your experiences with it.
>
> b) Reloads Traffic Control/Shaping as part of "shorewall refresh"
>
> c) Turns off the shell trace after an error has occured (except when the
> command being traced is "stop" or "clear").
>
> -Tom

Hi Tom;

I have compared Shorewall 1.3.11a with the new version in CVS on three of my firewalls. The tests were carried out several times and the average refresh time noted. The results were as follows:

    1.3.11a 19.4 seconds   CVS 15.8 seconds   on a 180 MHz Pentium Pro
    1.3.11a 26.4 seconds   CVS 21.7 seconds   on a 266 MHz Pentium II
    1.3.11a 14.3 seconds   CVS 11.0 seconds   on a 160 MHz Pentium

Regards
Steven.
--On Thursday, December 05, 2002 11:32:19 PM +0000 Steven Jan Springl <shorewall@springl.fsnet.co.uk> wrote:
> On Thursday 05 December 2002 01:43, Tom Eastep wrote:
>> The ''firewall'' script currently in the /Shorewall CVS project:
>>
>> a) Is approximately 15% faster starting/restarting on my configuration --
>> please report your experiences with it.
>>
>> b) Reloads Traffic Control/Shaping as part of "shorewall refresh"
>>
>> c) Turns off the shell trace after an error has occured (except when the
>> command being traced is "stop" or "clear").
>>
>> -Tom
>
> Hi Tom;
> I have compared Shorewall 1.3.11a with the new version in CVS on three
> of my firewalls. The tests were carried out several times and the
> average refresh time noted. The results were as follows:
>
> 1.3.11a 19.4 seconds   CVS 15.8 seconds   on a 180 MHz Pentium Pro
> 1.3.11a 26.4 seconds   CVS 21.7 seconds   on a 266 MHz Pentium II
> 1.3.11a 14.3 seconds   CVS 11.0 seconds   on a 160 MHz Pentium
>
> Regards Steven.
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-devel

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://shorewall.sf.net
ICQ: #60745924   \ teastep@shorewall.net
--On Thursday, December 05, 2002 11:32:19 PM +0000 Steven Jan Springl <shorewall@springl.fsnet.co.uk> wrote:
> I have compared Shorewall 1.3.11a with the new version in CVS on three
> of my firewalls. The tests were carried out several times and the
> average refresh time noted. The results were as follows:
>
> 1.3.11a 19.4 seconds   CVS 15.8 seconds   on a 180 MHz Pentium Pro
> 1.3.11a 26.4 seconds   CVS 21.7 seconds   on a 266 MHz Pentium II
> 1.3.11a 14.3 seconds   CVS 11.0 seconds   on a 160 MHz Pentium
>

Thanks, Steven!

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://shorewall.sf.net
ICQ: #60745924   \ teastep@shorewall.net
In the ''Shorewall'' (Development CVS Tree):

1) A new ''DNAT-'' action has been added for entries in the /etc/shorewall/rules file. DNAT- is intended for advanced users who wish to minimize the number of rules that connection requests must traverse.

A Shorewall DNAT rule actually generates two iptables rules: a header-rewriting rule in the ''nat'' table and an ACCEPT rule in the ''filter'' table. A DNAT- rule only generates the first of these iptables rules. This is handy when you have several DNAT rules that would generate the same ACCEPT rule.

Here are three rules from my previous rules file:

    DNAT    net    dmz:206.124.146.177    tcp    smtp    -    206.124.146.178
    DNAT    net    dmz:206.124.146.177    tcp    smtp    -    206.124.146.179
    ACCEPT  net    dmz:206.124.146.177    tcp    www,smtp,ftp,...

These three rules ended up generating _three_ copies of

    ACCEPT  net    dmz:206.124.146.177    tcp    smtp

By writing the rules this way, I end up with only one copy of the ACCEPT rule:

    DNAT-   net    dmz:206.124.146.177    tcp    smtp    -    206.124.146.178
    DNAT-   net    dmz:206.124.146.177    tcp    smtp    -    206.124.146.179
    ACCEPT  net    dmz:206.124.146.177    tcp    www,smtp,ftp,...

2) The ''shorewall check'' command now prints out the applicable policy between each pair of zones.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA   \ teastep@shorewall.net
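To make the duplication Tom describes visible, here is an added shell illustration (not Shorewall's own code) that prints the iptables commands a small rule set corresponds to, expanding comma-separated port lists one port per rule as Shorewall 1.3 did. The chain names (PREROUTING in the nat table, a per-zone-pair filter chain named net2dmz), the mapping of the ''net'' zone to eth0, and the sample rule lines are assumptions made for the example; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not Shorewall's generator. Prints the iptables commands that
# DNAT / DNAT- / ACCEPT rule lines correspond to, so the repeated filter-table
# ACCEPT rules produced by plain DNAT (and avoided by DNAT-) can be counted.
# Assumed (not from the original post): 'net' zone on eth0, filter chain for
# net->dmz traffic is net2dmz, port lists expanded one port per rule.

NET_IF=eth0   # assumed interface of the 'net' zone

# gen_rules: read "ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST" lines on
# stdin and print one iptables command per kernel rule they would produce.
gen_rules() {
    while read -r action src dest proto dport sport origdest _; do
        case "$action" in ''|'#'*) continue ;; esac
        dzone=${dest%%:*}          # "dmz:206.124.146.177" -> "dmz"
        dhost=${dest#*:}           # "dmz:206.124.146.177" -> "206.124.146.177"
        for port in $(echo "$dport" | tr ',' ' '); do
            case "$action" in
            DNAT|DNAT-)
                # nat table: rewrite the destination before routing
                echo "iptables -t nat -A PREROUTING -i $NET_IF -d $origdest -p $proto --dport $port -j DNAT --to-destination $dhost"
                ;;
            esac
            case "$action" in
            DNAT|ACCEPT)
                # filter table: allow the post-NAT connection. DNAT- skips this,
                # which is exactly where the duplicate ACCEPT rules come from.
                echo "iptables -A ${src}2${dzone} -d $dhost -p $proto --dport $port -j ACCEPT"
                ;;
            esac
        done
    done
}

# count_accept_smtp: number of identical "--dport smtp -j ACCEPT" rules that
# the rule set on stdin would install.
count_accept_smtp() {
    gen_rules | grep -c -- '--dport smtp -j ACCEPT' || true
}

# Constructed sample rule sets mirroring the shape of the post's example.
BEFORE='DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp'

AFTER='DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp'

# Stand-alone demo: seven commands (three identical ACCEPT smtp rules) for
# BEFORE, five commands (one ACCEPT smtp rule) for AFTER.
printf '%s\n' "$BEFORE" | gen_rules
echo '---'
printf '%s\n' "$AFTER" | gen_rules
```

Run it with `sh` and compare the two listings: the ACCEPT rule that the two DNAT lines and the smtp entry of the ACCEPT line each emit is the same rule three times, and every packet to that host traverses all three copies; with DNAT- only the copy from the ACCEPT line remains.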
1) An OLD_PING_HANDLING option has been added to shorewall.conf. When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html). When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies just like any other connection request. The FORWARDPING option in shorewall.conf is ignored and the ''noping'' and ''filterping'' options in /etc/shorewall/interfaces will generate an error.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep     \ http://www.shorewall.net
ICQ: #60745924   \ teastep@shorewall.net
The current CVS version (Project = Shorewall) allows specification of the chain to be used for marking packets in tcrules. The MARK value may optionally be followed by ":P" (PREROUTING) or ":F" (FORWARD). The default is still determined by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep     \ http://www.shorewall.net
ICQ: #60745924   \ teastep@shorewall.net
With ADD_IP_ALIASES=Yes, you may now specify an "alias name" in the second column of the /etc/shorewall/nat file and Shorewall will create the alias with that name.

Example (My configuration):

    #EXTERNAL         INTERFACE   INTERNAL          ALL   LOCAL
    206.124.146.178   eth0:0      192.168.1.5       No    No
    206.124.146.179   eth0:1      192.168.1.3       No    No
    192.168.1.193     eth2:0      206.124.146.177   No    No
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    [root@gateway root]#

This allows the aliases to be visible to ''ifconfig''.

    [root@gateway root]# ifconfig eth0:1
    eth0:1    Link encap:Ethernet  HWaddr 02:00:08:E3:FA:55
              inet addr:206.124.146.179  Bcast:206.124.146.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xb000
    [root@gateway root]#

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep     \ http://www.shorewall.net
ICQ: #60745924   \ teastep@shorewall.net