Beta 3 is now available for testing.

Problems Corrected:

1) The value '0' is once again accepted in the IN_BANDWIDTH columns of
   tcinterfaces and tcrules, and causes no ingress policing to be
   configured.

2) MARK_IN_FORWARD_CHAIN=Yes no longer generates an error when
   $FW:<address> is entered in the SOURCE column of the tcrules file.

New Features:

1) The route_rules file has been renamed to 'rtrules'. The Shorewall and
   Shorewall6 installers will perform the rename on an existing file. If
   both files exist, route_rules will be processed and rtrules will be
   ignored.

2) Run-time address variables (e.g., &eth0) may now be used in the SOURCE
   column of the rtrules file.

3) A 'PROBABILITY' column has been added to the tcrules files. It causes
   the rule to match randomly with the probability specified in the
   column. See shorewall-tcrules(5) and shorewall6-tcrules(5) for
   details. This column provides an alternative to the balance=<weight>
   option in the providers file.

   Example:

   /etc/shorewall/shorewall.conf

     MARK_IN_FORWARD_CHAIN=No
     ...
     USE_DEFAULT_RT=Yes
     ...
     TC_BITS=0
     PROVIDER_BITS=2
     PROVIDER_OFFSET=16
     MASK_BITS=8
     ZONE_BITS=4

   Note: PROVIDER_OFFSET=16 and ZONE_BITS=4 means that the provider mask
   will be 0xf0000.

   /etc/shorewall/providers:

     #NAME     NUMBER  MARK  DUP  INTERFACE  GATEWAY        OPTIONS
     ComcastB  1       -     -    eth1       70.90.191.126  loose,balance
     ComcastC  2       -     -    eth0       detect         loose,balance

   Note: The 'loose' option is specified so that the compiler will not
   generate any rules based on interface IP addresses. That way we have
   complete control over the priority of such rules through entries in
   the rtrules file.

   /etc/shorewall/rtrules

     #SOURCE            DEST  PROVIDER  PRIORITY
     70.90.191.120/29   -     ComcastB  1000
     &eth0              -     ComcastC  1000

   Note: eth0 has a dynamic address, so &eth0 is used in the SOURCE
   column.

   Note: Priority = 1000 means that these rules will come before rules
   that select a provider based on marks.
   /etc/shorewall/tcrules

     #MARK             SOURCE               DEST               PROTO  DEST
     #                                                                PORT(S)
     CONTINUE          -                    70.90.191.120/29
     CONTINUE          -                    10.0.10.0/24
     # 70.90.191.120/29 is the local public subnet. 10.0.10.0/24 is a
     # local network on eth1.
     0x10000/0xf0000   eth2                 -                  ; probability=0.66666667
     0x20000/0xf0000   eth2                 -                  ; test=0/0x30000
     # The above two split traffic entering the firewall through eth2
     # (local LAN) between the two providers with 2/3 of the traffic
     # going to eth1 and 1/3 going to eth0.
     CONTINUE          fw:70.90.191.120/29
     CONTINUE          fw                   172.20.1.0/22
     CONTINUE          fw                   70.90.191.120/29
     CONTINUE          fw                   10.0.10.0/24
     # Similar to rules above
     0x10000/0xf0000   fw                   -                  ; probability=0.66666667
     0x20000/0xf0000   fw                   -                  ; test=0/0x30000
     # Again, split traffic from the firewall 2:1 in favor of eth1.

Thank you for testing,

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
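An added illustration of the probability-chain logic used in the tcrules example above (this is example code written for this page, not code from the post or from Shorewall). The two rules work because the first claims 2/3 of the packets at random and the second, guarded by test=0/0x30000, takes only whatever the first left unmarked, so the net split is 2:1. The script generalises that to n providers: rule i must fire with probability w_i divided by the weight not yet claimed, and the last rule always fires with probability 1. The constants mirror the post's shorewall.conf (PROVIDER_OFFSET=16, the 0xf0000 mask, the 0x30000 test); the rule dictionaries, the hypothetical build_chain helper and the packet simulation (which mimics the per-packet independent match of iptables -m statistic --mode random) are assumptions of this example, not Shorewall syntax.

```python
# Example code for this page, not Shorewall's own: derive per-rule
# probabilities for a chain of sequential PROBABILITY rules and simulate
# the resulting provider split.  Constants mirror the post's configuration.
import random
from fractions import Fraction

PROVIDER_OFFSET = 16          # PROVIDER_OFFSET=16 in the post's shorewall.conf
PROVIDER_MASK = 0xf0000       # the /0xf0000 mask used in the post's tcrules
PROVIDER_TEST_MASK = 0x30000  # the test=0/0x30000 condition in the post


def rule_probabilities(weights):
    """Match probability for each rule of a sequential chain.

    Rule i only sees packets that rules 1..i-1 left unmarked, so to end up
    with share w_i it must claim w_i / (w_i + ... + w_n) of what remains.
    The final rule always gets probability 1 (it takes the remainder).
    """
    probs = []
    remaining = sum(weights)
    for w in weights:
        probs.append(Fraction(w, remaining))
        remaining -= w
    return probs


def build_chain(providers):
    """Turn (provider_number, weight) pairs into an ordered rule list.

    Each rule sets mark (number << PROVIDER_OFFSET) under PROVIDER_MASK,
    only if the provider bits are still zero, with the derived probability.
    Hypothetical representation of the post's two tcrules entries,
    generalised to n providers; not Shorewall syntax.
    """
    probs = rule_probabilities([w for _, w in providers])
    return [
        {"mark": number << PROVIDER_OFFSET,
         "mask": PROVIDER_MASK,
         "test": (0, PROVIDER_TEST_MASK),   # require provider bits == 0
         "probability": float(p)}
        for (number, _), p in zip(providers, probs)
    ]


def classify(packet_mark, chain, rng):
    """Run one packet through the chain; return its final mark."""
    mark = packet_mark
    for rule in chain:
        value, mask = rule["test"]
        if (mark & mask) != value:
            continue                     # an earlier rule already chose
        if rng.random() < rule["probability"]:
            mark = (mark & ~rule["mask"]) | rule["mark"]
    return mark


def simulate(providers, n_packets, seed=1):
    """Count how many of n_packets each provider receives (constructed
    traffic: every packet starts with mark 0)."""
    chain = build_chain(providers)
    rng = random.Random(seed)
    counts = {number: 0 for number, _ in providers}
    unmarked = 0
    for _ in range(n_packets):
        mark = classify(0, chain, rng)
        number = (mark & PROVIDER_MASK) >> PROVIDER_OFFSET
        if number in counts:
            counts[number] += 1
        else:
            unmarked += 1
    return counts, unmarked


if __name__ == "__main__":
    # The post's setup: ComcastB (provider 1) weight 2, ComcastC (provider 2) weight 1
    print(rule_probabilities([2, 1]))        # [Fraction(2, 3), Fraction(1, 1)]
    print(simulate([(1, 2), (2, 1)], 30000))
```

The point to take from the simulation is that the probabilities are not the final shares: a 1:1:1 split over three providers needs probabilities 1/3, 1/2 and 1, not 1/3 each, and every rule after the first must carry the test that the provider bits are still zero, otherwise a later rule can overwrite a choice already made.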