Shorewall devel - Dec 2002 - New in CVS

If this information is useful, please help other people find it:
Share via:

Tom Eastep

2002-Dec-05 01:43 UTC

[Shorewall-devel] New in CVS

The ''firewall'' script currently in the /Shorewall CVS project:

a) Is approximately 15% faster starting/restarting on my configuration -- 
please report your experiences with it.

b) Reloads Traffic Control/Shaping as part of "shorewall refresh"

c) Turns off the shell trace after an error has occured (except when the 
command being traced is "stop" or "clear").

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net

Steven Jan Springl

2002-Dec-05 23:32 UTC

[Shorewall-devel] New in CVS

On Thursday 05 December 2002 01:43, Tom Eastep wrote:> The ''firewall'' script currently in the /Shorewall CVS
project:
>
> a) Is approximately 15% faster starting/restarting on my configuration --
> please report your experiences with it.
>
> b) Reloads Traffic Control/Shaping as part of "shorewall refresh"
>
> c) Turns off the shell trace after an error has occured (except when the
> command being traced is "stop" or "clear").
>
> -Tom
Hi Tom;
 I have compared Shorewall 1.3.11a with the new version in CVS on three of my=20
firewalls. The tests were carried out several times and the average refresh=20
time noted. The results were as follows:

1.3.11a   19.4 seconds     CVS  15.8 seconds   on a 180mhz pentium pro
1.3.11a   26.4 seconds     CVS  21.7 seconds   on a 266mhz pentium II.
1.3.11a   14.3 seconds     CVS  11.0 seconds   on a 160mhz pentium.

Regards Steven.

Tom Eastep

2002-Dec-05 23:49 UTC

[Shorewall-devel] New in CVS

--On Thursday, December 05, 2002 11:32:19 PM +0000 Steven Jan Springl 
<shorewall@springl.fsnet.co.uk> wrote:
> On Thursday 05 December 2002 01:43, Tom Eastep wrote:
>> The ''firewall'' script currently in the /Shorewall CVS
project:
>>
>> a) Is approximately 15% faster starting/restarting on my configuration
--
>> please report your experiences with it.
>>
>> b) Reloads Traffic Control/Shaping as part of "shorewall
refresh"
>>
>> c) Turns off the shell trace after an error has occured (except when
the
>> command being traced is "stop" or "clear").
>>
>> -Tom
>
> Hi Tom;
>  I have compared Shorewall 1.3.11a with the new version in CVS on three
> of my  firewalls. The tests were carried out several times and the
> average refresh  time noted. The results were as follows:
>
> 1.3.11a   19.4 seconds     CVS  15.8 seconds   on a 180mhz pentium pro
> 1.3.11a   26.4 seconds     CVS  21.7 seconds   on a 266mhz pentium II.
> 1.3.11a   14.3 seconds     CVS  11.0 seconds   on a 160mhz pentium.
>
> Regards Steven.
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@shorewall.net
> shorewall.net/mailman/listinfo/shorewall-devel

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net

Tom Eastep

2002-Dec-05 23:50 UTC

[Shorewall-devel] New in CVS

--On Thursday, December 05, 2002 11:32:19 PM +0000 Steven Jan Springl 
<shorewall@springl.fsnet.co.uk> wrote:
>  I have compared Shorewall 1.3.11a with the new version in CVS on three
> of my  firewalls. The tests were carried out several times and the
> average refresh  time noted. The results were as follows:
>
> 1.3.11a   19.4 seconds     CVS  15.8 seconds   on a 180mhz pentium pro
> 1.3.11a   26.4 seconds     CVS  21.7 seconds   on a 266mhz pentium II.
> 1.3.11a   14.3 seconds     CVS  11.0 seconds   on a 160mhz pentium.
>
Thanks, Steven!
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net

Tom Eastep

2002-Dec-30 17:13 UTC

[Shorewall-devel] New in CVS

In the ''Shorewall'' (Development CVS Tree).

1) A new ''DNAT-'' action has been added for entries in the
   /etc/shorewall/rules file. DNAT- is intended for advanced users who
   wish to minimize the number of rules that connection requests must
   traverse.

   A Shorewall DNAT rule actually generates two iptables rules: an
   header rewriting rule in the ''nat'' table and an ACCEPT rule
in the
   ''filter'' table. A DNAT- rule only generates the first of
these
   iptables rules. This is handy when you have several DNAT rules that
   would generate the same ACCEPT rule.

   Here are three rules from my previous rules file:

	DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
	DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
	ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...

   These three rules ended up generating _three_ copies of

	 ACCEPT net  dmz:206.124.146.177 tcp smtp

   By writing the rules this way, I end up with only one copy of the
   ACCEPT rule.

	DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
	DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
	ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...

2) The ''shorewall check'' command now prints out the applicable
policy
   between each pair of zones.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ shorewall.sf.net
Washington USA \ teastep@shorewall.net

Tom Eastep

2003-Jan-20 16:24 UTC

[Shorewall-devel] New in CVS

1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
   set to Yes, Shorewall ping handling is as it has always been (see
   shorewall.net/ping.html).

   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
   policies just like any other connection request. The FORWARDPING
   option in shorewall.conf is ignored and the ''noping'' and
   ''filterping'' options in /etc/shorewall/interfaces will
generate an
   error.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
AIM: teastep  \ shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep

2003-Jan-23 15:20 UTC

[Shorewall-devel] New in CVS

The current CVS version (Project = Shorewall) allows specification of the 
chain to be used for marking packets in tcrules. The MARK value may 
optionally be followed by ":P" (PREROUTING) or ":F"
(FORWARD). The default
is still determined by the setting of MARK_IN_FORWARD_CHAIN in 
shorewall.conf

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
AIM: teastep  \ shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep

2003-Jan-24 11:51 UTC

[Shorewall-devel] New in CVS

With ADD_IP_ALIASES=Yes, you may now specify an "alias name" in the
second
column of the /etc/shorewall/nat file and Shorewall will create the alias 
with that name.

Example (My configuration):

#EXTERNAL       INTERFACE               INTERNAL        ALL     LOCAL
206.124.146.178 eth0:0                  192.168.1.5     No      No
206.124.146.179 eth0:1                  192.168.1.3     No      No
192.168.1.193   eth2:0                  206.124.146.177 No      No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway root]#

This allows the aliases to be visible to ''ifconfig''.

[root@gateway root]# ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 02:00:08:E3:FA:55
          inet addr:206.124.146.179  Bcast:206.124.146.255 
Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0xb000

[root@gateway root]#

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
AIM: teastep  \ shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Seemingly Similar Threads

Search for more seemingly similar threads