From: Tom E. <te...@sh...> - 2006-03-27 23:08:37

I realize that this is hot on the heels of Beta 2 but it fixes a couple of annoying bugs and provides a nice new feature.

http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta3
ftp://ftp1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta3

Problems Corrected in 3.2.0 Beta 3

1) The 'try' command with an effective verbosity of zero resulted in an error message and the command failed.

2) /etc/shorewall/Makefile was incorrectly described as %config(noreplace) in the RPM .spec file. This prevented updated versions of the file from being installed properly.

3) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall start" will fail with the error 'Error: an inet prefix is expected rather than "SAME".'.

Other changes in 3.2.0 Beta 2

2) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When this option is set to "Yes", it causes subzones to be treated differently with respect to policies.

   Subzones are defined by following their name with ":" and a list of parent zones (in /etc/shorewall/zones). Normally, you want to have a set of special rules for the subzone and if a connection doesn't match any of those subzone-specific rules then you want the parent zone rules to be applied. With IMPLICIT_CONTINUE=Yes, that happens automatically.

   If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones are not subject to this special treatment.

   With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden by including an explicit policy (one that does not specify "all" in either the SOURCE or the DEST columns).

   Example:

   /etc/shorewall/zones:

       par       ipv4
       chld:par  ipv4

   Traffic to/from the 'chld' zone will first pass through the applicable 'chld' rules and if none of those rules match then it will be passed through the appropriate 'par' rules. If the connection request does not match any of the 'par' rules then the relevant 'par' policy is applied.

   If you want the fw->chld policy to be ACCEPT, simply add this entry to /etc/shorewall/policy:

       $FW   chld   ACCEPT

   Traffic from all other zones to 'chld' will be subject to the implicit CONTINUE policy.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ te...@sh...
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
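The lookup order described in the announcement (subzone rules, then the parent zone's rules, then the parent's policy, with an explicit policy row overriding the implicit CONTINUE), worked through as an added, hypothetical Python model. This is not Shorewall code; the zones, policy and rules tables are constructed to mirror the 'par'/'chld' example above, and the 'net' zone and the port-based rules are assumptions.

```python
# Hypothetical model of how IMPLICIT_CONTINUE changes policy lookup for
# Shorewall 3.2 subzones (added illustration, not Shorewall's own code).
# All tables below are constructed to match the example in the announcement.

# /etc/shorewall/zones: zone -> parent zones ("chld:par" gives chld the
# parent par). 'fw' stands for the firewall zone ($FW); 'net' is assumed.
ZONES = {"fw": [], "net": [], "par": [], "chld": ["par"]}

# /etc/shorewall/policy rows: (SOURCE, DEST, POLICY). A row is "explicit"
# when neither SOURCE nor DEST is "all".
POLICY = [
    ("fw", "chld", "ACCEPT"),   # the explicit fw->chld policy from the post
    ("all", "all", "REJECT"),   # constructed catch-all row
]

# Constructed /etc/shorewall/rules entries: (SOURCE, DEST, dport) -> ACTION
RULES = {
    ("net", "chld", 80): "DROP",    # subzone-specific rule
    ("net", "par", 22): "ACCEPT",   # parent-zone rule
}

def decide(src, dst, dport, implicit_continue):
    """Return the action for a new connection src->dst on dport."""
    # 1. Rules written for this exact zone pair are consulted first.
    if (src, dst, dport) in RULES:
        return RULES[(src, dst, dport)]

    # 2. Otherwise the first matching policy row decides.
    for s, d, pol in POLICY:
        if s not in (src, "all") or d not in (dst, "all"):
            continue
        explicit = "all" not in (s, d)
        subzone_involved = bool(ZONES[src] or ZONES[dst])
        # IMPLICIT_CONTINUE=Yes turns a non-explicit policy into CONTINUE
        # whenever a subzone is the source or the destination.
        if implicit_continue and subzone_involved and not explicit:
            pol = "CONTINUE"
        if pol == "CONTINUE" and subzone_involved:
            # Re-evaluate with the subzone replaced by its parent zone, so
            # the parent's rules are tried and then the parent's policy.
            parent_src = ZONES[src][0] if ZONES[src] else src
            parent_dst = ZONES[dst][0] if ZONES[dst] else dst
            return decide(parent_src, parent_dst, dport, implicit_continue)
        return pol
    return "REJECT"  # no policy row matched (constructed default)

if __name__ == "__main__":
    for ic in (False, True):
        print(f"IMPLICIT_CONTINUE={ic}: net->chld:22 ->", decide("net", "chld", 22, ic))
```

With IMPLICIT_CONTINUE=No the net->chld:22 connection never reaches the 'par' ACCEPT rule and falls to the catch-all; with Yes it does.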