[Shorewall-users] Re: [Shorewall-announce] Snapshot 20030629

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Tom Eastep schrieb:
> 
> Problems Corrected:
> 
> 1) A problem seen on RH7.3 systems where Shorewall encountered start
>    errors when started using the "service" mechanism has been worked
>    around.
> 
> 2) A problem introduced in earlier snapshots has been corrected. This
>    problem caused incorrect netfilter rules to be created when the
>    destination zone in a rule was qualified by an address in CIDR
>    format.
> 
>    Example:
> 
>    ACCEPT  fw   net:206.124.146.0/24   tcp   pop3
> 
> New Features:
> 
> 1) A 'newnotsyn' interface option has been added. This option may be
>    specified in /etc/shorewall/interfaces and overrides the setting
>    NEWNOTSYN=No for packets arriving on the associated interface.

Tom,

Thanks for this new feature. I have a box with assymetric routing on the
LAN/WAN interfaces and I was a bit worried that I had to set
NEWNOTSYN=Yes. Now I do it only on the internal interfaces with the new
'newnotsyn' interface option. As always, shorewall improves with every
release. Thanks for the good job!!!!

Simon

> 
> 2) The means for specifying a range of IP addresses in
>    /etc/shorewall/masq to use for SNAT is now
>    documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
> 
> 3) Shorewall can now add IP addresses to subnets other than the first
>    one on an interface.
> 
> 4) DNAT[-] rules may now be used to load balance (round-robin) over a
>    set of servers. Up to 256 servers may be specified in a range of
>    addresses given as <first address>-<last address>.
> 
>    Example:
> 
>         DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
> 
>    Note that this capability has previously been available using a
>    combination of a DNAT-rule and one or more ACCEPT rules. That
>    technique is still preferable for load-balancing over a large number
>    of servers (> 16) since specifying a range in the DNAT rule causes
>    one filter table ACCEPT rule to be generated for each IP address in
>    the range.
> 
> 5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
>    have been removed and have been replaced by code that detects
>    whether these capabilities are present in the current kernel. The
>    output of the start, restart and check commands have been enhanced
>    to report the outcome:
> 
>    Shorewall has detected the following iptables/netfilter capabilities:
>       NAT: Available
>       Packet Mangling: Available
>       Multi-port Match: Available
>    Verifying Configuration...
> 
> 6) Support for the Connection Tracking Match Extension has been
>    added. This extension is available in recent kernel/iptables
>    releases and allows for rules which match against elements in
>    netfilter's connection tracking table.
> 
>    Shorewall automatically detects the availability of this extension
>    and reports its availability in the output of the start, restart and
>    check commands.
> 
>    Shorewall has detected the following iptables/netfilter capabilities:
>       NAT: Available
>       Packet Mangling: Available
>       Multi-port Match: Available
>       Connection Tracking Match: Available
>    Verifying Configuration...
> 
>    If this extension is available, the ruleset generated by Shorewall
>    is changed in the following ways:
> 
>    a) To handle 'norfc1918' filtering, Shorewall will not create chains
>       in the mangle table but will rather do all 'norfc1918' filtering in
>       the filter table (rfc1918 chain).
> 
>    b) Recall that Shorewall DNAT rules generate two netfilter rules;
>       one in the nat table and one in the filter table. If the Connection
>       Tracking Match Extension is available, the rule in the filter table
>       is extended to check that the original destination address was the
>       same as specified (or defaulted to) in the DNAT rule.
> 
> 7) The shell used to interpret the firewall script
>    (/usr/share/shorewall/firewall) may now be specified using the
>    SHOREWALL_SHELL parameter in shorewall.conf.
> 
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ te...@sh...
> _______________________________________________
> Shorewall-announce mailing list
> Sho...@li...
> http://lists.shorewall.net/mailman/listinfo/shorewall-announce