The first Beta Version is available at:

http://www.shorewall.net/pub/shorewall/Beta
ftp://ftp.shorewall.net/pub/shorewall/Beta

New features include:

1) "shorewall refresh" now reloads the traffic shaping rules (tcrules and tcstart).

2) "shorewall debug [re]start" now turns off debugging after an error occurs. This places the point of the failure near the end of the trace rather than up in the middle of it.

3) "shorewall [re]start" has been speeded up by more than 40% with my configuration. Your mileage may vary.

4) A "shorewall show classifiers" command has been added which shows the current packet classification filters. The output from this command is also added as a separate page in "shorewall monitor".

5) ULOG (must be all caps) is now accepted as a valid syslog level and causes the subject packets to be logged using the ULOG target rather than the LOG target. This allows you to run ulogd (available from www.gnumonks.org/projects/ulogd) and log all Shorewall messages to a separate log file.

6) If you are running a kernel that has a FORWARD chain in the mangle table ("shorewall show mangle" will show you the chains in the mangle table), you can set MARK_IN_FORWARD=Yes in shorewall.conf. This allows for marking incoming packets based on their destination even when you are using Masquerading or SNAT.

7) Since adding commands to files that don't already exist seems to be a challenging notion for some users, I have cluttered up the /etc/shorewall directory with empty 'init', 'start', 'stop' and 'stopped' files. If you already have a file with one of these names, don't worry -- the upgrade process won't overwrite your file.

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://shorewall.sf.net
Washington USA      \ teastep@shorewall.net
Tom Eastep wrote:
> The first Beta Version is available at:
>
> http://www.shorewall.net/pub/shorewall/Beta
> ftp://ftp.shorewall.net/pub/shorewall/Beta
>

Here is a little patch to make NEWNOTSYN=No work.

--- firewall~	2002-12-19 21:49:32.000000000 +0200
+++ firewall	2002-12-19 22:06:04.000000000 +0200
@@ -234,7 +234,7 @@
 [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
 run_iptables -A $1 -m state --state $state -j ACCEPT
 [ -z "$NEWNOTSYN" ] && \
-run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
+run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
 fi
 
 eval ${1}_exists=Yes

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
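Review bot: the one-token change in the hunk is the right fix, because iptables expects the inversion flag as a separate argument; `-p tcp !--syn` hands the command a single unknown option, so the rule is rejected and the newnotsyn jump is never installed, which is exactly the branch taken when NEWNOTSYN is not set. Two points worth checking around it: the guard `[ -z "$NEWNOTSYN" ] && \` fires on an empty variable, so NEWNOTSYN=No working depends on the config reader turning "No" into an empty value before this line, which the hunk does not show; and because run_iptables sits on the right side of `&&`, if it only reports an error rather than aborting, the function still reaches `eval ${1}_exists=Yes` and records the chain as complete with the non-SYN NEW check missing. A quick way to confirm the rule is actually present after start is `shorewall debug start`, which stops tracing at the first failing command.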
Thanks, Tuomo!

-Tom

--On Thursday, December 19, 2002 10:09:42 PM +0200 Tuomo Soini <tis@foobar.fi> wrote:

> Tom Eastep wrote:
>> The first Beta Version is available at:
>>
>> http://www.shorewall.net/pub/shorewall/Beta
>> ftp://ftp.shorewall.net/pub/shorewall/Beta
>>
>
> Here is a little patch to make NEWNOTSYN=No work.
>
> --- firewall~	2002-12-19 21:49:32.000000000 +0200
> +++ firewall	2002-12-19 22:06:04.000000000 +0200
> @@ -234,7 +234,7 @@
> [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
> run_iptables -A $1 -m state --state $state -j ACCEPT
> [ -z "$NEWNOTSYN" ] && \
> - run_iptables -A $1 -m state --state NEW -p tcp !--syn -j
> newnotsyn + run_iptables -A $1 -m state --state NEW -p tcp !
> --syn -j newnotsyn fi
>
> eval ${1}_exists=Yes
>
> --
> Tuomo Soini <tis@foobar.fi>
> http://tis.foobar.fi/
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-devel

--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://shorewall.sf.net
Washington USA      \ teastep@shorewall.net
New beta is a lot faster. On my firewall:

1.3.11
real    0m8.389s
user    0m2.461s
sys     0m5.072s

1.3.12beta1+fix
real    0m4.155s
user    0m1.697s
sys     0m2.348s

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
--On Thursday, December 19, 2002 10:35:11 PM +0200 Tuomo Soini <tis@foobar.fi> wrote:

> New beta is a lot faster. On my firewall:
>
> 1.3.11
> real    0m8.389s
> user    0m2.461s
> sys     0m5.072s
>
> 1.3.12beta1+fix
> real    0m4.155s
> user    0m1.697s
> sys     0m2.348s
>

Thanks,

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://shorewall.sf.net
Washington USA      \ teastep@shorewall.net