similar to: Shorewall 1.2.6

This is becoming a FAQ and should probably be added to the docs. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message ---------- Date: Sun, 28 Apr 2002 16:09:01 -0700 (Pacific Daylight Time) From: Tom Eastep <teastep@shorewall.net> To: Carl Spelkens

---------- Forwarded Message ---------- Subject: Re: [Shorewall-users] strange UDP scan results on a Shorewall=20 firewall Date: Sun, 3 Mar 2002 08:33:20 -0800 From: Tom Eastep <teastep@shorewall.net> To: "Scott Duncan" <sduncan@cytechconsult.com> On Saturday 02 March 2002 04:30 am, Scott Duncan wrote: > Yes, the net->all policy is the same on all three (REJECT log

Shorewall 1.3.9 is available. In this release: 1. DNS Names are now allowed in Shorewall config files (I still recommend against using them however). 2. The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule. 3. Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. 4. The

Rafa³ Dutko has just discovered a potentially serious bug in version 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears. A corrected firewall script for 1.3.1 is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall and

Let me know if there are any problems. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.3.4 is available: 1. A new /etc/shorewall/routestopped file has been added. This file is intended to eventually replace the routestopped option in the /etc/shorewall/interface and /etc/ shorewall/hosts files. This new file makes remote firewall administration easier by allowing any IP or subnet to be enabled while Shorewall is stopped. 2. An /etc/shorewall/stopped

Shorewall 1.2.4 will have the following changes: a) ''#'' comments now allowed at end-of-line in all config files. b) Firewall zone may be renamed c) Protection against concurrent state-changing operations (start, stop, restart, refresh, clear) d) ''shorewall start'' no longer fails if ''detect'' is specified for an interface with netmask

The maintenance (adding RAM) took a little longer than I planned: 1) Shutdown - 1 minute 2) Open Case - 30 seconds At this point, I emember that I can''t add RAM to this box without removing the Mother Board (hinge-mounted in case) - slap forehead. 3) Remove cables, PCI NIC & MB - 2 minutes 4) Add RAM - 1 Minute 5) Get the %$#@ MB back in the case and aligned -- 15 Minutes 6)

In this release: 1. The ''try'' command now accepts an optional timeout. If the timeout is given in the command, the standard configuration will automatically be restarted after the new configuration has been running for that length of time. This prevents a remote admin from being locked out of the firewall in the case where the new configuration starts but prevents

Lorenzo Marignoni reports that: o Shorewall 1.2.10 is in the Debian Testing Branch o Shorewall 1.2.11 is in the Debian Unstable Branch Thanks, Lorenzo! -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

This is a minor release of Shorewall. In this release: 1. A "shorewall try" command has been added. This command attempts to restart Shorewall using an alternate configuration and if that attempt fails, Shorewall is automatically started with the default configuration. This is useful for remote administration where a failed restart of Shorewall can leave you isolated from

Apt-get sources are listed at: http://wecurity.dsi.unimi.it/~lorenzo/debian.html -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

This is a minor release of Shorewall which rolls up a number of bug fixes. New features include: 1. A NEWNOTSYN option has been added to shorewall.conf. This option determines whether Shorewall accepts TCP packets which are not part of an established connection and that are not ''SYN'' packets (SYN flag on and ACK flag off). 2. The need for the

"shorewall refresh" is not handling FORWARDPING=Yes properly in 1.3.7a. After a refresh, the configuration is the same as it would be with FORWARDPING=No. There''s a corrected firewall script available from http://www.shorewall.net/errata.htm. Sorry for the inconvenience... -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ:

This version of Shorewall includes the ability to filter by MAC address.=20 The following problems have been corrected: 1. Change LOCKFILE to SUBSYSLOCK in /etc/shorewall/shorewall.conf. 2. The firewall will no longer start if no interfaces are defined. 3. Replaced ''let'' builtin with ''expr'' so that Shorewall will work with ash. -Tom --=20 Tom Eastep \

John, I''m taking the liberty of copying the Shorwall Development list since I believe that these issues will be of interest. On Tue, 6 Aug 2002, Links at Momsview wrote: > Tom, > I''m not sure if you ever saw this document but it describes some of the > reasons you are seeing strange packets > after setting up NEW not SYN >

I''ve established a web site (http://wookie.shorewall.net) where you can see the changes that I''m making to the documentation for the upcoming release (currently 1.3.4). Since Ron has been tied up with other projects, I''ve taken a hack at rewriting the Quick Start Guide. It''s been broken into three separate guides as several people suggested and the two- and

This is a minor release of Shorewall. In this release: 1. RFC1918 checking in the mangle table has been streamlined to no longer require packet marking. 2. A ''check'' command has been added that does a cursory validation of the zones, interfaces, hosts, rules and policy files. 3. UPnP probes (UDP port 1900) are now silently dropped unless explictly ACCEPTed. 4. The

In this version: 1) You may now define the contents of a zone dynamically with the "shorewall add" and "shorewall delete" commands. These commands are expected to be used primarily within FreeS/Wan updown scripts. 2) Shorewall can now do MAC verification on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can optionally

In this version: 1) You may now define the contents of a zone dynamically with the "shorewall add" and "shorewall delete" commands. These commands are expected to be used primarily within FreeS/Wan updown scripts. 2) Shorewall can now do MAC verification on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can optionally