From: Simon M. <sim...@ch...> - 2003-06-30 06:36:11
Tom Eastep wrote:

> Problems Corrected:
>
> 1) A problem seen on RH7.3 systems where Shorewall encountered start
>    errors when started using the "service" mechanism has been worked
>    around.
>
> 2) A problem introduced in earlier snapshots has been corrected. This
>    problem caused incorrect netfilter rules to be created when the
>    destination zone in a rule was qualified by an address in CIDR
>    format.
>
>    Example:
>
>    ACCEPT fw net:206.124.146.0/24 tcp pop3
>
> New Features:
>
> 1) A 'newnotsyn' interface option has been added. This option may be
>    specified in /etc/shorewall/interfaces and overrides the setting
>    NEWNOTSYN=No for packets arriving on the associated interface.

Tom,

Thanks for this new feature. I have a box with asymmetric routing on the LAN/WAN interfaces and I was a bit worried that I had to set NEWNOTSYN=Yes. Now I do it only on the internal interfaces with the new 'newnotsyn' interface option.

As always, shorewall improves with every release. Thanks for the good job!!!!

Simon

> 2) The means for specifying a range of IP addresses in
>    /etc/shorewall/masq to use for SNAT is now
>    documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
>
> 3) Shorewall can now add IP addresses to subnets other than the first
>    one on an interface.
>
> 4) DNAT[-] rules may now be used to load balance (round-robin) over a
>    set of servers. Up to 256 servers may be specified in a range of
>    addresses given as <first address>-<last address>.
>
>    Example:
>
>    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
>
>    Note that this capability has previously been available using a
>    combination of a DNAT- rule and one or more ACCEPT rules. That
>    technique is still preferable for load-balancing over a large number
>    of servers (> 16) since specifying a range in the DNAT rule causes
>    one filter table ACCEPT rule to be generated for each IP address in
>    the range.
>
> 5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
>    have been removed and have been replaced by code that detects
>    whether these capabilities are present in the current kernel. The
>    output of the start, restart and check commands has been enhanced
>    to report the outcome:
>
>    Shorewall has detected the following iptables/netfilter capabilities:
>       NAT: Available
>       Packet Mangling: Available
>       Multi-port Match: Available
>    Verifying Configuration...
>
> 6) Support for the Connection Tracking Match Extension has been
>    added. This extension is available in recent kernel/iptables
>    releases and allows for rules which match against elements in
>    netfilter's connection tracking table.
>
>    Shorewall automatically detects the availability of this extension
>    and reports its availability in the output of the start, restart and
>    check commands.
>
>    Shorewall has detected the following iptables/netfilter capabilities:
>       NAT: Available
>       Packet Mangling: Available
>       Multi-port Match: Available
>       Connection Tracking Match: Available
>    Verifying Configuration...
>
>    If this extension is available, the ruleset generated by Shorewall
>    is changed in the following ways:
>
>    a) To handle 'norfc1918' filtering, Shorewall will not create chains
>       in the mangle table but will rather do all 'norfc1918' filtering in
>       the filter table (rfc1918 chain).
>
>    b) Recall that Shorewall DNAT rules generate two netfilter rules;
>       one in the nat table and one in the filter table. If the Connection
>       Tracking Match Extension is available, the rule in the filter table
>       is extended to check that the original destination address was the
>       same as specified (or defaulted to) in the DNAT rule.
>
> 7) The shell used to interpret the firewall script
>    (/usr/share/shorewall/firewall) may now be specified using the
>    SHOREWALL_SHELL parameter in shorewall.conf.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ te...@sh...
>
> _______________________________________________
> Shorewall-announce mailing list
> Sho...@li...
> http://lists.shorewall.net/mailman/listinfo/shorewall-announce
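As an added illustration of items 4 and 6b in the quoted announcement (this is not part of the original message and not Shorewall's own generator), the following Python models how a ranged DNAT rule fans out into netfilter rules: one nat-table DNAT rule covering the whole range, one filter-table ACCEPT per server address, and, when the conntrack match extension is available, an original-destination check (`--ctorigdst`) on each ACCEPT so that the filter rule only admits traffic that was actually DNATed from the advertised address. The interface name `eth0`, the zone-pair chain name `net2loc`, and the firewall address `203.0.113.10` are constructed assumptions; the iptables options are real, but the exact rule layout Shorewall emits is not reproduced here.

```python
"""Constructed model of how a ranged DNAT rule expands into netfilter rules.

Not Shorewall's code: it follows the announcement's description only
(one nat DNAT rule for the range, one filter ACCEPT per address, and an
original-destination check when the conntrack match is available).
"""
import ipaddress
from typing import Dict, List, Optional

MAX_RANGE = 256        # stated limit on servers in a DNAT address range
LARGE_RANGE_HINT = 16  # above this the announcement prefers DNAT- plus ACCEPT rules


def expand_range(rng: str) -> List[str]:
    """Expand '<first>-<last>' (or a single IPv4 address) into its addresses."""
    if "-" in rng:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in rng.split("-", 1))
    else:
        first = last = ipaddress.IPv4Address(rng.strip())
    if last < first:
        raise ValueError(f"reversed range: {rng}")
    count = int(last) - int(first) + 1
    if count > MAX_RANGE:
        raise ValueError(f"{rng} spans {count} addresses; the limit is {MAX_RANGE}")
    return [str(ipaddress.IPv4Address(int(first) + i)) for i in range(count)]


def generate_dnat_rules(in_iface: str, zone_chain: str, dest_range: str,
                        proto: str, port: str, orig_dest: Optional[str] = None,
                        conntrack_match: bool = False) -> Dict[str, List[str]]:
    """Return the iptables commands a ranged DNAT rule would expand to.

    in_iface    - interface the source zone is reached through (assumed: eth0)
    zone_chain  - filter chain for the zone pair (assumed name: net2loc)
    orig_dest   - address the DNAT rule targets on the firewall, if given;
                  the 'defaulted to' case from the announcement is not modelled
    conntrack_match - whether the Connection Tracking Match Extension is present
    """
    servers = expand_range(dest_range)
    match = f"-p {proto} --dport {port}"
    to_dest = servers[0] if len(servers) == 1 else f"{servers[0]}-{servers[-1]}"
    nat = [f"iptables -t nat -A PREROUTING -i {in_iface} {match}"
           + (f" -d {orig_dest}" if orig_dest else "")
           + f" -j DNAT --to-destination {to_dest}"]
    # Without the conntrack match the filter table only sees the rewritten
    # destination, so any packet to the server port on this zone pair passes.
    # With it, --ctorigdst ties each ACCEPT to the pre-DNAT destination.
    ct = f" -m conntrack --ctorigdst {orig_dest}" if (conntrack_match and orig_dest) else ""
    filt = [f"iptables -A {zone_chain} {match} -d {srv}{ct} -j ACCEPT" for srv in servers]
    warnings = []
    if len(servers) > LARGE_RANGE_HINT:
        warnings.append(f"{len(servers)} filter ACCEPT rules generated; "
                        "a DNAT- rule plus ACCEPT rules scales better")
    return {"nat": nat, "filter": filt, "warnings": warnings}


if __name__ == "__main__":
    # Constructed input mirroring the announcement's example rule.
    out = generate_dnat_rules("eth0", "net2loc", "192.168.10.2-192.168.10.5",
                              "tcp", "80", orig_dest="203.0.113.10",
                              conntrack_match=True)
    for table in ("nat", "filter"):
        print(f"# {table} table")
        print("\n".join(out[table]))
    print("\n".join(out["warnings"]))
```

Running it shows why the announcement steers large server pools toward a DNAT- rule plus a few ACCEPT rules: the filter-table rule count grows linearly with the range, while the nat-table side stays at one rule either way.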