The first Beta Version is available at:
http://www.shorewall.net/pub/shorewall/Beta
ftp://ftp.shorewall.net/pub/shorewall/Beta
New features include:
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).
2) "shorewall debug [re]start" now turns off debugging after an error
occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.
3) "shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your mileage may vary.
4) A "shorewall show classifiers" command has been added which shows
the current packet classification filters. The output from this
command is also added as a separate page in "shorewall monitor".
5) ULOG (must be all caps) is now accepted as a valid syslog level and
causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
a separate log file.
6) If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD=Yes in
shorewall.conf. This allows for marking incoming packets based on their
destination even when you are using Masquerading or SNAT.
7) Since adding commands to files that don't already exist seems to be
a challenging notion for some users, I have cluttered up the
/etc/shorewall directory with empty 'init', 'start', 'stop' and
'stopped' files. If you already have a file with one of these names,
don't worry -- the upgrade process won't overwrite your file.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:> The first Beta Version is available at: > > http://www.shorewall.net/pub/shorewall/Beta > ftp://ftp.shorewall.net/pub/shorewall/Beta >Here is a little patch to make NEWNOTSYN=No work. --- firewall~ 2002-12-19 21:49:32.000000000 +0200 +++ firewall 2002-12-19 22:06:04.000000000 +0200 @@ -234,7 +234,7 @@ [ -n "$ALLOWRELATED" ] && state="$state,RELATED" run_iptables -A $1 -m state --state $state -j ACCEPT [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn + run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi eval ${1}_exists=Yes -- Tuomo Soini <tis@foobar.fi> http://tis.foobar.fi/
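Review bot: on the changed `run_iptables ... -p tcp ! --syn -j newnotsyn` line, the patch description should say why the space matters: `!--syn` reaches iptables as a single word rather than as a negation followed by the `--syn` option, and `! --syn` passes the `!` as its own argument. The guard just above is `[ -z "$NEWNOTSYN" ]`, so this rule is only added when the variable is empty; since the subject is NEWNOTSYN=No, the description should also confirm that `No` has been mapped to an empty value before this point, which the hunk does not show. `$1` is unquoted in `-A $1` on both rule lines and in the `eval`; quoting it in the `run_iptables` calls would be safer, and the rest of the firewall script is worth checking for the same `!--` spelling, since this hunk covers only one rule.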
Thanks, Tuomo! -Tom --On Thursday, December 19, 2002 10:09:42 PM +0200 Tuomo Soini <tis@foobar.fi> wrote:> Tom Eastep wrote: >> The first Beta Version is available at: >> >> http://www.shorewall.net/pub/shorewall/Beta >> ftp://ftp.shorewall.net/pub/shorewall/Beta >> > > Here is a little patch to make NEWNOTSYN=No work. > > --- firewall~ 2002-12-19 21:49:32.000000000 +0200 > +++ firewall 2002-12-19 22:06:04.000000000 +0200 > @@ -234,7 +234,7 @@ > [ -n "$ALLOWRELATED" ] && state="$state,RELATED" > run_iptables -A $1 -m state --state $state -j ACCEPT > [ -z "$NEWNOTSYN" ] && \ > - run_iptables -A $1 -m state --state NEW -p tcp !--syn -j > newnotsyn + run_iptables -A $1 -m state --state NEW -p tcp ! > --syn -j newnotsyn fi > > eval ${1}_exists=Yes > > -- > Tuomo Soini <tis@foobar.fi> > http://tis.foobar.fi/ > > _______________________________________________ > Shorewall-devel mailing list > Shorewall-devel@shorewall.net > http://www.shorewall.net/mailman/listinfo/shorewall-devel-- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://shorewall.sf.net Washington USA \ teastep@shorewall.net
New beta is a lot faster. On my firewall:

1.3.11
real 0m8.389s
user 0m2.461s
sys 0m5.072s

1.3.12beta1+fix
real 0m4.155s
user 0m1.697s
sys 0m2.348s

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
--On Thursday, December 19, 2002 10:35:11 PM +0200 Tuomo Soini <tis@foobar.fi> wrote:

> New beta is a lot faster. On my firewall:
>
> 1.3.11
> real 0m8.389s
> user 0m2.461s
> sys 0m5.072s
>
> 1.3.12beta1+fix
> real 0m4.155s
> user 0m1.697s
> sys 0m2.348s
>

Thanks,
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net