teastep at shorewall.net
Thu Sep 16 11:40:21 PDT 2004
1) IP ranges in the routestopped and tunnels files now work.
2) Rules where an IP range appears in both the source and destination
   now work correctly.
3) With complex proxy arp configurations involving two or more
   ordered pairs of interfaces, the /proc/sys/net/ipv4/conf/*/proxy_arp
   flags were sometimes set incorrectly. This has been fixed.
   Users looking at their restore file (generated by "shorewall save")
   may see that one of these flags might be first reset then set in
   rapid succession. This is expected and is harmless since the correct
   value (1) results.
1) To improve interoperability, tunnels of type 'OpenVPN'
   no longer enforce use of the specified port as the
   source port as well as the destination port.
2) During "shorewall start", IP addresses to be added as a consequence
   of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
   when /etc/shorewall/nat and /etc/shorewall/masq are processed, then
   they are re-added later. This is done to help ensure that the
   addresses can be added with the specified labels but can have
   the undesirable side effect of causing routes to be quietly
   deleted. A new RETAIN_ALIASES option has been added to
   shorewall.conf; when this option is set to Yes, existing addresses
   will not be deleted. Regardless of the setting of RETAIN_ALIASES,
   addresses added during "shorewall start" are still deleted at a
   subsequent "shorewall stop" or "shorewall restart".
3) Users with a large black list (from /etc/shorewall/blacklist) may
   want to set the new DELAYBLACKLISTLOAD option in
   shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
   enable new connections before loading the blacklist rules. While
   this may allow connections from blacklisted hosts to slip by during
   the loading of the blacklist, it can substantially reduce the time
   that all new connections are disabled during "shorewall [re]start".
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
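An added example, not part of the original message or of Shorewall's own code: a check for the proxy_arp note above that reads a restore script and reports the value each interface's flag ends up with, so a "reset then set" pair can be confirmed to finish at 1. The matched line format (`echo N > /proc/sys/net/ipv4/conf/IFACE/proxy_arp`), the function names and the sample fragment are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of restore-script lines (assumed format, not real output).
sample_restore() {
    cat <<'EOF'
# constructed fragment of a restore script
echo 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
EOF
}

# Reads a restore script on stdin.
# Prints "IFACE FINAL_VALUE WRITE_COUNT" per interface, sorted by interface.
final_proxy_arp() {
    awk '
    /^[ \t]*#/ { next }                       # ignore comment lines
    {
        re = "echo[ \t]+[01][ \t]*>[ \t]*/proc/sys/net/ipv4/conf/[^/ \t]+/proxy_arp"
        if (match($0, re)) {
            s = substr($0, RSTART, RLENGTH)
            val = s
            sub("^echo[ \t]+", "", val)
            val = substr(val, 1, 1)           # the 0 or 1 being written
            iface = s
            sub(".*/conf/", "", iface)
            sub("/proxy_arp$", "", iface)
            last[iface] = val                 # later writes override earlier ones
            writes[iface]++
        }
    }
    END { for (i in last) printf "%s %s %d\n", i, last[i], writes[i] }
    ' | sort
}

# Heuristic (an assumption of this example): an interface written more than
# once whose last write is 0 is the inverse of the expected reset-then-set
# order and deserves a manual look.
reset_last() {
    final_proxy_arp | awk '$3 > 1 && $2 == 0 { print $1 }'
}

sample_restore | final_proxy_arp
```

To check a real file, feed it on standard input, for example `final_proxy_arp < path/to/restore-file`, then compare the result with the live values under /proc/sys/net/ipv4/conf/.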