shorewall-1.3.14-3.1.91mdk.noarch.rpm

This is a minor release of Shorewall that has a couple of new features.

New features include:

1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
   set to Yes, Shorewall ping handling is as it has always been (see
   http://www.shorewall.net/ping.html).

   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
   policies just like any other connection request. The FORWARDPING
   option in shorewall.conf is ignored and the 'noping' and
   'filterping' options in /etc/shorewall/interfaces will generate an
   error.

2) It is now possible to direct Shorewall to create a "label" such as
   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
   and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
   instead of just the interface name:

   a) In the INTERFACE column of /etc/shorewall/masq
   b) In the INTERFACE column of /etc/shorewall/nat

3) The ability to name your VLAN interfaces using the $dev.$vid
   convention (e.g., "eth0.0") has been restored. This capability was
   inadvertently broken in version 1.3.12.

4) Support has been added for defining OpenVPN tunnels in the
   /etc/shorewall/tunnels file.

5) When an interface name is entered in the SUBNET column of the
   /etc/shorewall/masq file, Shorewall previously masqueraded traffic
   from only the first subnet defined on that interface. It did not
   masquerade traffic from:

   a) The subnets associated with other addresses on the interface.
   b) Subnets accessed through local routers.

   Beginning with Shorewall 1.3.14, if you enter an interface name in
   the SUBNET column, shorewall will use the firewall's routing table
   to construct the masquerading/SNAT rules.

   Example 1 -- This is how it works in 1.3.14.
   
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]# shorewall start
   ...
   Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
   Processing /etc/shorewall/tos...

   When upgrading to Shorewall 1.3.14, if you have multiple local
   subnets connected to an interface that is specified in the SUBNET
   column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
   file will need changing. In most cases, you will simply be able to
   remove redundant entries. In some cases though, you might want to change
   from using the interface name to listing specific subnetworks if the
   change described above will cause masquerading to occur on
   subnetworks that you don't wish to masquerade.

   Example 2 -- Suppose that your current config is as follows:
   
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   eth0                    192.168.10.0/24         206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#

   In this case, the second entry in /etc/shorewall/masq is no longer
   required.

   Example 3 -- What if your current configuration is like this?

   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#

   In this case, if you do not want traffic from 192.168.10.0/24 to be
   masqueraded, you would want to change the entry in /etc/shorewall/masq
   to list the specific subnet:

   #INTERFACE              SUBNET                  ADDRESS
   eth0                    192.168.1.0/24          206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
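The routing-table expansion described in item 5, as an added Python model that is not Shorewall's own code (Shorewall itself is shell): it expands an interface name in the SUBNET column into every subnet routed through that interface, as Example 1 shows, and flags explicit entries that become redundant after the upgrade, as in Example 2. The masq file and the `ip route show dev eth2` output are constructed samples mirroring the examples above.

```python
import ipaddress
import re

# Constructed /etc/shorewall/masq in the shape of Example 2 above.
MASQ_FILE = """\
#INTERFACE              SUBNET                  ADDRESS
eth0                    eth2                    206.124.146.176
eth0                    192.168.10.0/24         206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""
# Constructed `ip route show dev eth2` output: a subnet reached through a
# local router (static route) and the directly connected one (kernel route).
ROUTE_OUTPUT = {"eth2": "192.168.1.0/24  scope link\n"
                        "192.168.10.0/24  proto kernel  scope link  src 192.168.10.254\n"}

def parse_masq(text):
    """(interface, subnet, address) tuples; '#' comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if f:
            entries.append((f[0], f[1], f[2] if len(f) > 2 else None))
    return entries

def routed_subnets(route_text):
    """Destination prefixes from `ip route show dev X`, in routing-table order."""
    found = (re.match(r"(\d+(?:\.\d+){3}/\d+)", ln) for ln in route_text.splitlines())
    return [ipaddress.ip_network(m.group(1)) for m in found if m]

def expand(entries, routes):
    """1.3.14 behaviour: an interface name in SUBNET stands for every subnet
    the firewall routes through that interface, not only the first one."""
    rules = []
    for iface, subnet, addr in entries:
        nets = (routed_subnets(routes[subnet]) if subnet in routes
                else [ipaddress.ip_network(subnet)])
        rules.extend((iface, net, addr) for net in nets)
    return rules

def redundant_entries(entries, routes):
    """Explicit-subnet lines already covered by an interface-name line that
    uses the same outgoing interface (the second line of Example 2)."""
    covered = {(i, n) for i, n, _ in
               expand([e for e in entries if e[1] in routes], routes)}
    return [e for e in entries if e[1] not in routes and any(
        i == e[0] and ipaddress.ip_network(e[1]).subnet_of(n) for i, n in covered)]

if __name__ == "__main__":
    for iface, net, addr in expand(parse_masq(MASQ_FILE), ROUTE_OUTPUT):
        print(f"To 0.0.0.0/0 from {net} through {iface} using {addr}")
    print("redundant in 1.3.14:", redundant_entries(parse_masq(MASQ_FILE), ROUTE_OUTPUT))
```

Running it prints the two expanded rules from Example 1 and reports the second masq line as redundant; to check for the Example 3 case, review the expanded list for subnets you do not want masqueraded and replace the interface name with the specific subnet.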