Main Menu

Search Announcements

File Releases
Mailing Lists
Git Repository


Shorewall 1.3.13 released (delayed announcement)

  • Posted by: mhnoyes on 2003-02-22 09:08+0000
  • Updated by: mhnoyes on 2003-02-22 09:08+0000

This is a minor release of Shorewall that has a couple of new features.

New features include:

  1. A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules file. DNAT- is intended for advanced users who wish to minimize the number of rules that connection requests must traverse.

    A Shorewall DNAT rule actually generates two iptables rules: a header rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- rule only generates the first of these rules. This is handy when you have several DNAT rules that would generate the same ACCEPT rule.

    Here are three rules from my previous rules file:

           DNAT   net  dmz: tcp smtp -
           DNAT   net  dmz: tcp smtp -
           ACCEPT net  dmz: tcp www,smtp,ftp,...

    These three rules ended up generating _three_ copies of

            ACCEPT net  dmz: tcp smtp

    By writing the rules this way, I end up with only one copy of the ACCEPT rule.

           DNAT-  net  dmz: tcp smtp -
           DNAT-  net  dmz: tcp smtp -
           ACCEPT net  dmz: tcp www,smtp,ftp,...
  2. The 'shorewall check' command now prints out the applicable policy between each pair of zones.
  3. A new CLEAR_TC option has been added to shorewall.conf. If this option is set to 'No' then Shorewall won't clear the current traffic control rules during [re]start. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, your traffic shaping rules can still use the 'fwmark' classifier based on packet marking defined in /etc/shorewall/tcrules.
  4. A new SHARED_DIR variable has been added that allows distribution packagers to easily move the shared directory (default /usr/lib/shorewall). Users should never have a need to change the value of this shorewall.conf setting.

What's Related

Hosted on Get LEAF Linux Embedded Appliance Framework at Fast, secure and Free Open Source software downloads, and powered by phpWebSite.