releasenotes.txt (page 1 of 5)
    table to be reloaded.

    Example:

        shorewall refresh nat

3)  When no chain name is given to the 'shorewall refresh' command, the
    mangle table is refreshed along with the blacklist chain (if
    any). This allows you to modify /etc/shorewall/tcrules and install
    the changes using 'shorewall refresh'.

4)  Support for the NFLOG log target has been added. NFLOG is a
    successor to ULOG. In addition, both ULOG and NFLOG may be followed
    by a list of up to three numbers in parentheses.

    The first number specifies the netlink group (1-32). If omitted
    (e.g., NFLOG(,0,10)) then a value of 1 is assumed.

    The second number specifies the maximum number of bytes to copy. If
    omitted, 0 (no limit) is assumed.

    The third number specifies the number of log messages that should
    be buffered in the kernel before they are sent to user space. The
    default is 1.

    Examples:

    /etc/shorewall/shorewall.conf:

        MACLIST_LOG_LEVEL=NFLOG(1,0,1)

    /etc/shorewall/rules:

        ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080

5)  Shorewall-perl 4.2 implements an alternative syntax for macro
    parameters and for the NFQUEUE queue number. Rather than following
    the macro name (or NFQUEUE) with a slash ("/") and the parameter,
    the parameter may be enclosed in parentheses.

    Examples -- the two forms in each pair shown below are equivalent:

        DNS/ACCEPT          DNS(ACCEPT)
        NFQUEUE/3           NFQUEUE(3)

    The old syntax will still be accepted but will cease to be documented
    in some future Shorewall release.

6)  Shorewall 4.2 contains enhanced operational logging capabilities
    through a set of related enhancements to Shorewall-common and
    Shorewall-perl. The enhancements are not supported by
    Shorewall-shell nor are they supported by Shorewall-lite except
    when the script is compiled using Shorewall-perl.

    a)  The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
        the name of the Shorewall operational log. The log will be
        created if it does not exist.

    b)  The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
        the verbosity at which logging will occur. It uses the same
        value range as VERBOSITY:

        -1    Do not log
        0     Almost quiet
        1     Only major steps
        2     Verbose

    c)  An absolute VERBOSITY may be specified on the command line
        using the -v option followed by -1, 0, 1 or 2.

        Example:

            shorewall -v2 check

    d)  The /etc/init.d/shorewall script supplied with the
        shorewall.net packages sets '-v0' as the default. This may be
        overridden with the OPTIONS setting in /etc/defaults/shorewall or
        /etc/sysconfig/shorewall.

    Logging occurs on both Shorewall-perl and the generated script when
    the following commands are issued:

        start
        restart
        refresh

    Messages in the log are always timestamped.

    This change implemented two new options to the Shorewall-perl
    compiler (/usr/share/shorewall-perl/compiler.pl).

        --log=<logfile>
        --log_verbosity={-1|0-2}

    The --log option is ignored when --log_verbosity is not supplied or
    is supplied with value -1.

    To avoid a proliferation of parameters to
    Shorewall::Compiler::compile(), that function has been changed to
    use named parameters. Parameter names are:

        object          Object file. If omitted or '', the
                        configuration is syntax checked.
        directory       Directory. If omitted or '', configuration
                        files are located using CONFIG_PATH. Otherwise,
                        the directory named by this parameter is
                        searched first.
        verbosity       Verbosity; range -1 to 2
        timestamp       0|1 -- timestamp messages.
        debug           0|1 -- include stack trace in warning/error
                        messages.
        export          0|1 -- compile for export.
        chains          List of chains to be reloaded by 'refresh'.
        log             File to log compiler messages to.
        log_verbosity   Log Verbosity; range -1 to 2.

    Those parameters that are supplied must have defined values.
    Defaults are:

        object         '' ('check' command)
        directory      ''
        verbosity      1
        timestamp      0
        debug          0
        export         0
        chains         ''
        log            ''
        log_verbosity  -1

    Example:

        use lib '/usr/share/shorewall-perl/';
        use Shorewall::Compiler;

        compiler( object        => '/root/firewall',
                  log           => '/root/compile.log',
                  log_verbosity => 2 );

7)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
    mark values < 256 to be assigned in the OUTPUT chain. This has been
    changed so that only high mark values may be assigned
    there. Packet marking rules for traffic shaping of packets
    originating on the firewall must be coded in the POSTROUTING chain.

8)  Previously, Shorewall did not range-check the value of the
    VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.2:

    a) A VERBOSITY setting outside the range -1 through 2 is rejected.

    b) After the -v and -q options are applied, the resulting value is
       adjusted to fall within the range -1 through 2.

9)  The tcdevices file has been extended to include an OPTIONS
    column. Currently only a single option is defined.

    classify   When specified, you must use explicit CLASSIFY tcrules
               to classify traffic by class. Shorewall will not create
               any CLASSIFY rules to classify traffic by mark value.

    See http://www.shorewall.net/traffic_shaping.htm for further
    information.

10) COMMENT lines are now supported in macro bodies by Shorewall-perl
    and are ignored by the Shorewall-shell compiler.

    COMMENT lines in macros work slightly differently from COMMENT
    lines in other files. COMMENT lines in macros are ignored if
    COMMENT support is not available or if there was a COMMENT in use
    when the top-level macro was invoked. This allows the
    following:

        /etc/shorewall/macro.SSH:

            #ACTION SOURCE  PROTO   DEST    SOURCE  RATE    USER/
            #                       PORT(S) PORT(S) LIMIT   GROUP
            COMMENT My SSH Macro
            PARAM   -       -       tcp     22

        /etc/shorewall/rules:

            COMMENT Allow SSH from home
            SSH/ALLOW     net:$MYIP        $FW
            COMMENT

        The COMMENT line in macro.SSH will not override the
        COMMENT line in the rules file and the generated rule will show

            /* Allow SSH from home */

        when displayed through the Shorewall show and dump commands.

    If a macro is invoked and there is no current comment, then the
    name of the macro automatically becomes the current comment. This
    makes macros self-commenting.

11) If the program named in SHOREWALL_SHELL doesn't exist or is not
    executable, Shorewall and Shorewall-lite now both fall back to
    /bin/sh after issuing a warning message. Previously, both
    terminated with a fatal error.

12) Shorewall-perl now generates fatal error conditions if there are
    no IPv4 zones defined or there are no interfaces defined.

13) Shorewall now unconditionally uses tc filter rules to classify
    traffic by MARK value. Previously, Shorewall used the CLASSIFY
    target in the POSTROUTING chain if it was available.

14) The Shorewall installers (install.sh) now work on Windows
    under Cygwin. By default, they install under the user id and group
    of the person doing the install. This can be overridden by
    specifying OWNER and GROUP explicitly.

    Example:

        OWNER=foo GROUP=bar ./install.sh

    To install Shorewall-perl under Cygwin:

        $ tar -zxf shorewall-perl-4.x.y.tar.bz2
        $ tar -zxf shorewall-common-4.x.y.tar.bz2
        $ cd shorewall-perl-4.x.y
        $ ./install.sh
        $ cd ../shorewall-common-4.x.y
        $ ./install.sh

    The 'shorewall' program is installed in /bin/ (a.k.a. /usr/bin/).

15) When installing on Cygwin, /etc/shorewall is no longer fully
    populated. Rather, only the shorewall.conf and params files are
    installed. As always, the full configuration file set is installed
    in /usr/share/shorewall/configfiles.

16) Specifying a destination zone in a NAT-only rule now generates a
    warning and the destination zone is ignored. NAT-only rules are:

        NONAT
        REDIRECT-
        DNAT-

17) The /etc/shorewall/masq and /etc/shorewall/nat files now accept a
    comma-separated list of interface names where before only a single
    interface name could be listed (Shorewall-perl only).

    This feature is not for beginners. It iterates over the
    list of interfaces, substituting each interface in place of the
    list and processing the resulting entry according to the semantics
    of earlier Shorewall versions. If you don't know where to use this,
    don't try.

    Example 1:

    /etc/shorewall/masq:

        #INTERFACE              SOURCE          ADDRESS
        eth0,eth1               eth2            1.2.3.4

    equivalent to:

        #INTERFACE              SOURCE          ADDRESS
        eth0                    eth2            1.2.3.4
        eth1                    eth2            1.2.3.4

    Example 2:

    /etc/shorewall/masq:

        #INTERFACE                       SOURCE      ADDRESS
        eth0,eth1::192.168.1.0/24        eth2        1.2.3.4

    equivalent to:

        #INTERFACE              SOURCE          ADDRESS
        eth0::192.168.1.0/24    eth2            1.2.3.4
        eth1::192.168.1.0/24    eth2            1.2.3.4

    Example 3:

    /etc/shorewall/nat:

        #EXTERNAL        INTERFACE       INTERNAL
        206.124.146.178  eth0,wlan0      192.168.1.3

    equivalent to:

        #EXTERNAL        INTERFACE       INTERNAL
        206.124.146.178  eth0            192.168.1.3
        206.124.146.178  wlan0           192.168.1.3

18) Previously, the INTERFACE name used in the masq, nat and netmap
    files had to exactly match the name of an interface from the
    interfaces file. Beginning with Shorewall-perl 4.1.4, the
    interface may loosely match a wildcard entry in the interfaces
    file.

    Example:

    /etc/shorewall/interfaces:

        vpn        tun+

    /etc/shorewall/masq:

        tun1        192.168.4.0/24

19) Previously, Shorewall classified non-firewall zones as either
    'simple' or 'complex'. Attributes of a zone which made it 'complex'
    included:

    - The zone was of type 'ipsec' or 'ipsec4' or it had a hosts
      entry with the 'ipsec' options.
    - The zone had OPTIONS, IN OPTIONS or OUT OPTIONS
    - The zone had more than one network on a given interface
    - The zone had a hosts file entry with an exclusion.
    - The zone had a hosts file entry specifying an ipset.

    The handling of 'simple' and 'complex' zones was different.

    -  complex zones had their own 'forward' chain (named
       '<zone>_frwd').
    -  complex zones with exclusions had their own 'input' and
       'output' chains.
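The following is an added example, not code from the Shorewall project or from these release notes. It applies the rules stated in item 4 (ULOG/NFLOG parameters and their defaults) and item 8 (VERBOSITY range checking and clamping) as a small pre-flight checker for the ACTION column of a rules file and for shorewall.conf verbosity values. The function names, the dict layout and the handling of the bare -v/-q options as +1/-1 steps are assumptions of this example; the defaults and ranges come from the notes above.

```python
import re

# Defaults given in item 4 of the release notes for ULOG/NFLOG parameters:
# netlink group 1 (valid range 1-32), copy range 0 (no limit), threshold 1.
LOG_TARGET_DEFAULTS = (1, 0, 1)
LOG_TARGET_RE = re.compile(r'^(ULOG|NFLOG)(?:\((?P<args>[^)]*)\))?$')

# VERBOSITY range from item 8 (LOG_VERBOSITY in item 6b uses the same range).
VERBOSITY_MIN, VERBOSITY_MAX = -1, 2


def parse_log_target(spec):
    """Parse 'NFLOG', 'NFLOG(1,0,1)', 'NFLOG(,0,10)' or 'ULOG(2)' into a dict
    {'target', 'group', 'range', 'threshold'}, filling omitted positions with
    the documented defaults. Raises ValueError for anything malformed."""
    m = LOG_TARGET_RE.match(spec.strip())
    if not m:
        raise ValueError("not a ULOG/NFLOG log target: %r" % spec)
    args = m.group('args')
    fields = args.split(',') if args is not None else []
    if len(fields) > len(LOG_TARGET_DEFAULTS):
        raise ValueError("at most three parameters allowed: %r" % spec)
    values = []
    for i, default in enumerate(LOG_TARGET_DEFAULTS):
        raw = fields[i].strip() if i < len(fields) else ''
        values.append(int(raw) if raw else default)   # empty slot -> default
    group, copy_range, threshold = values
    if not 1 <= group <= 32:
        raise ValueError("netlink group must be 1-32, got %d" % group)
    if copy_range < 0 or threshold < 0:
        raise ValueError("copy range and threshold must be non-negative")
    return {'target': m.group(1), 'group': group,
            'range': copy_range, 'threshold': threshold}


def is_valid_log_target(spec):
    """Boolean wrapper around parse_log_target for configuration checks."""
    try:
        parse_log_target(spec)
        return True
    except ValueError:
        return False


def split_action_column(column):
    """Split a rules-file ACTION column such as 'ACCEPT:NFLOG(1,0,1)' into
    (action, log_spec). log_spec is the parsed ULOG/NFLOG dict, a plain
    syslog level string such as 'info' for other levels, or None when the
    rule is not logged."""
    action, _, level = column.partition(':')
    if not level:
        return action, None
    if LOG_TARGET_RE.match(level):
        return action, parse_log_target(level)
    return action, level


def check_verbosity_setting(value):
    """Item 8a: a VERBOSITY setting outside -1..2 is rejected."""
    v = int(value)
    if not VERBOSITY_MIN <= v <= VERBOSITY_MAX:
        raise ValueError("VERBOSITY must be between %d and %d, got %d"
                         % (VERBOSITY_MIN, VERBOSITY_MAX, v))
    return v


def effective_verbosity(base, v_count=0, q_count=0, absolute=None):
    """Item 8b: the value that results after -v/-q are applied is clamped to
    -1..2. Item 6c makes '-vN' an absolute setting; that a bare '-v' adds
    one and a bare '-q' subtracts one is an assumption of this example."""
    value = absolute if absolute is not None else base + v_count - q_count
    return max(VERBOSITY_MIN, min(VERBOSITY_MAX, value))


if __name__ == '__main__':
    # Constructed sample input: the rules-file line from item 4.
    rule = 'ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080'
    print(split_action_column(rule.split()[0]))
    print(effective_verbosity(1, v_count=3))
```

Running the checker over the ACTION column of every rules-file line before a 'shorewall check' catches a netlink group outside 1-32 or an extra parameter, which the kernel target would otherwise reject at load time; the same clamp applied to LOG_VERBOSITY keeps the operational log setting inside the range item 6b documents.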
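A second added example, again not Shorewall's own code, for items 17 and 18: it expands a masq or nat entry whose INTERFACE column is a comma-separated list into the single-interface entries the notes show as equivalent, and then resolves each interface against the interfaces file using the loose wildcard match (a trailing '+'). Reporting an interface that matches no interfaces-file entry is the check a reviewer of such a file would want before relying on the iteration feature the notes describe as "not for beginners". The sample file contents are constructed for this example from the notes' own examples, and the function names are assumptions.

```python
import re

# Constructed sample files, modelled on Example 2 of item 17 and the
# item-18 interfaces example; they do not describe a real system.
INTERFACES_FILE = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect
loc     eth2            detect
vpn     tun+
"""

MASQ_FILE = """\
#INTERFACE                       SOURCE      ADDRESS
eth0,tun1::192.168.1.0/24        eth2        1.2.3.4
"""


def expand_interface_list(line, interface_column=0):
    """Expand a masq/nat line whose INTERFACE column is a comma-separated
    list into one line per interface (item 17). Any ':'-introduced suffix
    on the column (e.g. '::192.168.1.0/24') is copied to every expansion.
    Comment and blank lines are returned unchanged."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return [line.rstrip('\n')]
    cols = stripped.split()
    m = re.match(r'^([^:]*)(:.*)?$', cols[interface_column])
    names, suffix = m.group(1), m.group(2) or ''
    out = []
    for name in names.split(','):
        if not name:
            raise ValueError("empty interface name in %r" % line)
        new_cols = list(cols)
        new_cols[interface_column] = name + suffix
        out.append('\t'.join(new_cols))
    return out


def interface_matches(name, pattern):
    """Loose match per item 18: a trailing '+' in the interfaces-file entry
    matches any interface sharing the prefix; otherwise names must be equal."""
    if pattern.endswith('+'):
        return name.startswith(pattern[:-1])
    return name == pattern


def interfaces_entries(text):
    """Return [(zone, interface)] pairs from interfaces-file text."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        cols = s.split()
        entries.append((cols[0], cols[1]))
    return entries


def resolve_interface(name, entries):
    """Return the zone of the interfaces entry that the name matches,
    preferring an exact match over a wildcard one; None if nothing matches."""
    for zone, iface in entries:
        if iface == name:
            return zone
    for zone, iface in entries:
        if interface_matches(name, iface):
            return zone
    return None


def check_masq_file(masq_text, interfaces_text, interface_column=0):
    """Expand every masq/nat line and pair it with the zone its interface
    resolves to (None flags an interface unknown to the interfaces file)."""
    entries = interfaces_entries(interfaces_text)
    report = []
    for line in masq_text.splitlines():
        for expanded in expand_interface_list(line, interface_column):
            s = expanded.strip()
            if not s or s.startswith('#'):
                continue
            iface = re.match(r'^[^:]*', s.split()[interface_column]).group(0)
            report.append((expanded, resolve_interface(iface, entries)))
    return report


if __name__ == '__main__':
    for expanded, zone in check_masq_file(MASQ_FILE, INTERFACES_FILE):
        print('%-40s -> %s' % (expanded, zone or 'NO MATCHING INTERFACE'))
```

For the nat file the interface sits in the second column, so the same functions are called with interface_column=1; the expansion of Example 3 then yields the two single-interface lines the notes list.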
