[Shorewall-newbies] Shorewall 1.4.9
teastep at shorewall.net
Tue Jan 13 13:52:10 PST 2004
Shorewall 1.4.9 is now available.
Unless something urgent comes up, this will be the last release of Shorewall
Release notes are attached.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
-------------- next part --------------
This is a minor release of Shorewall.
Problems Corrected since version 1.4.8:
1) There has been a low continuing level of confusion over the terms
"Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all
instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files.
2) The description of NEWNOTSYN in shorewall.conf has been reworded for
3) Wild-card rules (those involving "all" as SOURCE or DEST) will no
longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
4) DNAT rules that also specified SNAT now work reliably. Previously,
there were cases where the SNAT specification was effectively
1) The documentation has been completely rebased to Docbook XML. The
documentation is now released as separate HTML and XML packages.
2) To cut down on the number of "Why are these ports closed rather than
stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
3) For easier identification, packets logged under the 'norfc1918'
interface option are now logged out of chains named
'rfc1918'. Previously, such packets were logged under chains named
4) Distributors and developers seem to be regularly inventing new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX
is not set in shorewall.conf, Shorewall will use the list "o gz ko
To see what suffix is used by your distribution:
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
All of the files listed should have the same suffix (extension). Set
MODULE_SUFFIX to that suffix.
If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
5) Support for user defined rule ACTIONS has been implemented through
two new files:
/etc/shorewall/actions - used to list the user-defined ACTIONS.
/etc/shorewall/action.template - For each user defined <action>, copy
this file to
add the appropriate rules for that
Once an <action> has been defined, it may be used like any of the
builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.
In /etc/shorewall/actions, you would add:
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the two
6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
(non-syn TCP packets that are not part of an existing connection are
filtered according to the rules and policies rather than being
dropped). I have made this change for two reasons:
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I
could have changed the default value of LOGNEWNOTSYN to suppress
logging, I dislike defaults that silently throw away packets.
7) The common.def file now contains an entry that silently drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
More information about the Shorewall-newbies