Problems Corrected:

1) A problem seen on RH7.3 systems where Shorewall encountered start errors when started using the "service" mechanism has been worked around.

2) A problem introduced in earlier snapshots has been corrected. This problem caused incorrect netfilter rules to be created when the destination zone in a rule was qualified by an address in CIDR format. Example:

      ACCEPT fw net:206.124.146.0/24 tcp pop3

New Features:

1) A 'newnotsyn' interface option has been added. This option may be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No for packets arriving on the associated interface.

2) The means for specifying a range of IP addresses in /etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.

3) Shorewall can now add IP addresses to subnets other than the first one on an interface.

4) DNAT[-] rules may now be used to load balance (round-robin) over a set of servers. Up to 256 servers may be specified in a range of addresses given as <first address>-<last address>. Example:

      DNAT net loc:192.168.10.2-192.168.10.5 tcp 80

   Note that this capability has previously been available using a combination of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable for load-balancing over a large number of servers (> 16), since specifying a range in the DNAT rule causes one filter table ACCEPT rule to be generated for each IP address in the range.

5) The NAT_ENABLED and MANGLE_ENABLED configuration options have been removed and have been replaced by code that detects whether these capabilities are present in the current kernel. The output of the start, restart and check commands has been enhanced to report the outcome:

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
      Verifying Configuration...

6) Support for the Connection Tracking Match Extension has been added. This extension is available in recent kernel/iptables releases and allows for rules which match against elements in netfilter's connection tracking table. Shorewall automatically detects the availability of this extension and reports its availability in the output of the start, restart and check commands:

      Shorewall has detected the following iptables/netfilter capabilities:
         NAT: Available
         Packet Mangling: Available
         Connection Tracking Match: Available
      Verifying Configuration...

   If this extension is available, the ruleset generated by Shorewall is changed in the following ways:

   a) To handle 'norfc1918' filtering, Shorewall will not create chains in the mangle table but will rather do all 'norfc1918' filtering in the filter table (rfc1918 chain).

   b) Recall that Shorewall DNAT rules generate two netfilter rules: one in the nat table and one in the filter table. If the Connection Tracking Match Extension is available, the rule in the filter table is extended to check that the original destination address was the same as specified (or defaulted to) in the DNAT rule.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
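As an added illustration (not Shorewall's own code, and not its exact generated rules), the following Python models what items 4 and 6b describe: one nat-table DNAT rule per Shorewall rule, one filter-table ACCEPT rule per address in the range (so a range of 16 servers yields 16 ACCEPT rules), and the extra original-destination check when the Connection Tracking Match Extension is available. The chain names and the `<original destination>` placeholder are assumptions.

```python
import ipaddress

# Constructed sample rule, taken from the announcement's DNAT example.
RULE = "DNAT net loc:192.168.10.2-192.168.10.5 tcp 80"
MAX_RANGE = 256  # per-rule server limit stated in the announcement

def expand_range(spec):
    """Expand '<first>-<last>' into a list of addresses; a lone address yields itself."""
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(a) for a in spec.split("-", 1))
    else:
        first = last = ipaddress.IPv4Address(spec)
    count = int(last) - int(first) + 1
    if not 1 <= count <= MAX_RANGE:
        raise ValueError(f"{spec}: {count} addresses, allowed 1..{MAX_RANGE}")
    return [str(first + i) for i in range(count)]

def model_dnat(rule, conntrack_match=False):
    """Return (nat_rules, filter_rules) in iptables-like syntax for one DNAT rule.

    Chain names (<src>_dnat, <src>2<dest>) are assumed for illustration only.
    """
    action, src, dest, proto, port = rule.split()
    if action not in ("DNAT", "DNAT-"):
        raise ValueError(f"not a DNAT rule: {rule}")
    dest_zone, _, dest_addr = dest.partition(":")
    servers = expand_range(dest_addr)
    # Item 4: a single nat-table rule; a range makes netfilter round-robin across it.
    nat = [f"-t nat -A {src}_dnat -p {proto} --dport {port} "
           f"-j DNAT --to-destination {dest_addr}"]
    # DNAT- generates only the nat rule; the administrator adds ACCEPT rules by hand.
    if action == "DNAT-":
        return nat, []
    # Item 6b: with conntrack match, each filter rule also checks the original
    # destination; the placeholder stands for the DNAT rule's specified/default address.
    ctorig = " -m conntrack --ctorigdst <original destination>" if conntrack_match else ""
    filt = [f"-A {src}2{dest_zone} -p {proto} -d {ip} --dport {port}{ctorig} -j ACCEPT"
            for ip in servers]
    return nat, filt

if __name__ == "__main__":
    nat, filt = model_dnat(RULE, conntrack_match=True)
    print("\n".join(nat + filt))
    print(f"{len(filt)} filter ACCEPT rules generated for {RULE!r}")
```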