On Fri, 2007-11-23 at 14:22 -0800, Tom Eastep wrote:
> On Fri, 2007-11-23 at 21:43 +0000, Steven Jan Springl wrote:
> > Tom
> > 
> > When providers contains:
> > 
> > isp1  1  1  main  eth1:192.168.0.253  192.168.0.254  shared
> > isp2  2  2  main  eth1:192.168.1.253  192.168.1.254  shared
> > 
> > The following error is produced:
> > 
> > ERROR: Invalid option (shared) : /etc/shorewall/providers (line 10)
> > 
> > Revision 7711 suggests 'shared' has been removed, but the release notes
> > state that it is required.
> 
> It has been removed.

Steven,

Somehow, I managed to include the wrong release notes with the
release :-(.

I've updated the copy in the release subvolume and I have attached the
updated release notes.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Shorewall 4.1 Patch Release 0.

----------------------------------------------------------------------------
               R E L E A S E  4 . 1  H I G H L I G H T S
----------------------------------------------------------------------------
1) Support is included for multiple internet providers through the same
   ethernet interface.

2) Support for NFLOG has been added.

Problems corrected in Shorewall 4.1.1.

1)  Previously, incorrect output was generated by parameter lists to
    ULOG or NFLOG.

2)  Specifying NFQUEUE(<queue-number>) in the POLICY column of the
    policy file resulted in an error.


Other changes in Shorewall 4.1.1.

1)  You now specify an interface address in the INTERFACE column of
    /etc/shorewall/providers in place of the 'shared' provider option.
    See New Feature 1) below.

New Features in Shorewall 4.1.

1) Shorewall 4.1.0 contains experimental support for multiple Internet
   providers through a single ethernet interface. Configuring two
   providers through a single interface differs from two providers
   through two interfaces in several ways.

   a) Only ethernet (or ethernet-like) interfaces can be used. For
      inbound traffic, the MAC addresses of the gateway routers are used
      to determine which provider a packet was received through. Note
      that only routed traffic can be categorized using this technique.

   b) You must specify the address on the interface that corresponds to
      a particular provider in the INTERFACE column by following the
      interface name with a colon (":") and the address.

   c) Entries in /etc/shorewall/masq must be qualified by the provider
      name (or number).

   d) This feature requires Realm Match support in your kernel and
      iptables. If you use a capabilities file, you need to regenerate
      the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.

   e) You must add route_rules entries for networks that are accessed
      through a particular provider.

   f) If you have additional IP addresses through either provider,
      you must add route_rules to direct traffic FROM each of those
      addresses through the appropriate provider.

    Example:

    Providers Blarg (1) and Avvanta (2) are both connected to
    eth0. The firewall's IP address with Blarg is 206.124.146.176/24
    (gateway 206.124.146.254) and the IP address from Avvanta is
    130.252.144.8/24 (gateway 130.252.144.254). We have a second IP
    address (206.124.146.177) from Blarg.

    /etc/shorewall/providers:

       #PROVIDER   NUMBER  MARK    DUPLICATE INTERFACE            GATEWAY
       Blarg       1       1       main      eth0:206.124.146.176 206.124.146.254 ...
       Avvanta     2       2       main      eth0:130.252.144.8   130.252.144.254 ...

    /etc/shorewall/masq:

       #INTERFACE          SOURCE          ADDRESS
       eth0(Blarg)         130.252.144.8   206.124.146.176
       eth0(Avvanta)       206.124.146.176 130.252.144.8
       eth0(Blarg)         eth1            206.124.146.176
       eth0(Avvanta)       eth1            130.252.144.8

    /etc/shorewall/route_rules:

        #SOURCE         DEST                    PROVIDER        PRIORITY
        -               206.124.146.0/24        Blarg           1000
        -               130.252.144.0/24        Avvanta         1000
        206.124.146.177 -                       Blarg           26000
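The rules in a) through c) above are easy to get wrong when upgrading from a configuration that used the removed 'shared' option (the error Steven hit). The following script is an added example, not part of Shorewall: it lints a providers file (and optionally a masq file) for the three 4.1.1 requirements that the release notes describe. The function name check_multi_isp, the column positions (OPTIONS assumed to be the seventh column) and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added check (not Shorewall code): lint /etc/shorewall/providers and
# /etc/shorewall/masq against the 4.1.1 rules for several providers on one
# interface, as described in the release notes:
#   - the 'shared' option no longer exists (4.1.1 rejects it with
#     "ERROR: Invalid option (shared)");
#   - a provider that shares its interface must give its own address in the
#     INTERFACE column as iface:addr;
#   - masq entries for such an interface must be qualified as iface(provider).
# Usage: check_multi_isp PROVIDERS_FILE [MASQ_FILE]
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
check_multi_isp() {
    awk -v pfile="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        FNR == NR {                            # first file: providers
            iface = $5; dev = iface; sub(/:.*/, "", dev)
            count[dev]++
            if (iface !~ /:/) { na_prov[FNR] = $1; na_dev[FNR] = dev }
            if ($7 ~ /(^|,)shared(,|$)/) {     # OPTIONS is a comma list
                printf "%s:%d: option shared was removed in 4.1.1; put the address in INTERFACE (%s:addr) instead\n", FILENAME, FNR, dev
                bad = 1
            }
            next
        }
        {                                      # second file: masq
            dev = $1; sub(/[(:].*/, "", dev)
            if (count[dev] > 1 && $1 !~ /\(/) {
                printf "%s:%d: %s carries several providers; write it as %s(provider)\n", FILENAME, FNR, dev, dev
                bad = 1
            }
        }
        END {
            # only providers that really share a device need the :address
            for (n in na_dev)
                if (count[na_dev[n]] > 1) {
                    printf "%s:%d: provider %s shares %s but INTERFACE has no :address\n", pfile, n, na_prov[n], na_dev[n]
                    bad = 1
                }
            exit bad + 0
        }' "$1" ${2:+"$2"}
}

# Demonstration on a constructed copy of the providers file from the thread:
sample=$(mktemp)
cat > "$sample" <<'EOF'
isp1  1  1  main  eth1:192.168.0.253  192.168.0.254  shared
isp2  2  2  main  eth1:192.168.1.253  192.168.1.254  shared
EOF
check_multi_isp "$sample"        # flags 'shared' on both lines, returns 1
rm -f "$sample"
```

Run it as `check_multi_isp /etc/shorewall/providers /etc/shorewall/masq` before `shorewall restart`; a clean run returns 0. Interfaces used by a single provider are left alone, since the address qualifier is only mandatory when two providers share a device.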

2)  You may now include the name of a table (nat, mangle or filter) in
    a 'shorewall refresh' command by following the name with a colon
    (e.g., mangle:). This causes all non-builtin chains in the table to
    be reloaded.

    Example:

        shorewall refresh nat:

3)  When no chain name is given to the 'shorewall refresh' command, the
    mangle table is refreshed along with the blacklist chain (if
    any). This allows you to modify /etc/shorewall/tcrules and install
    the changes using 'shorewall refresh'.

4)  Support for the NFLOG log target has been added. NFLOG is a
    successor to ULOG. In addition, both ULOG and NFLOG may be followed
    by a list of up to three numbers in parentheses.

    The first number specifies the netlink group (1-32). If omitted
    (e.g., NFLOG(,0,10)) then a value of 1 is assumed.

    The second number specifies the maximum number of bytes to copy. If
    omitted, 0 (no limit) is assumed.

    The third number specifies the number of log messages that should
    be buffered in the kernel before they are sent to user space. The
    default is 1.

    Examples:

    /etc/shorewall/shorewall.conf:

        MACLIST_LOG_LEVEL=NFLOG(1,0,1)

    /etc/shorewall/rules:

        ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080
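To see what a partially specified level such as NFLOG(,0,10) actually resolves to, the following added helper (an example written for this page, not Shorewall code) expands a ULOG or NFLOG level to its full three-parameter form using the defaults stated above and rejects values outside the documented ranges. The function name nflog_normalize and its error messages are assumptions of this example.

```shell
#!/bin/sh
# Added helper (not Shorewall code): expand a ULOG/NFLOG log level of the
# form NAME, NAME(group), NAME(group,range) or NAME(group,range,threshold)
# to its fully specified form, filling the defaults from the release notes:
# group 1 (valid range 1-32), copy range 0 (no limit), threshold 1.
# Prints NAME(group,range,threshold); returns 1 with a message on stderr
# for anything it cannot accept.
nflog_normalize() {
    spec=$1
    name=${spec%%(*}                 # text before the first "("
    case $name in
        ULOG|NFLOG) ;;
        *) echo "nflog_normalize: not a ULOG/NFLOG level: $spec" >&2; return 1 ;;
    esac
    args=
    case $spec in
        "$name")       ;;            # bare NFLOG / ULOG
        "$name("*")")  args=${spec#*\(}; args=${args%\)} ;;
        *) echo "nflog_normalize: bad syntax: $spec" >&2; return 1 ;;
    esac
    # Split the comma list; empty fields keep their position, so ",0,10"
    # leaves group empty and sets range and threshold.
    IFS=, read -r group range threshold extra <<EOF
$args
EOF
    if [ -n "$extra" ]; then
        echo "nflog_normalize: more than three parameters: $spec" >&2; return 1
    fi
    : "${group:=1}" "${range:=0}" "${threshold:=1}"
    for v in "$group" "$range" "$threshold"; do
        case $v in
            *[!0-9]*) echo "nflog_normalize: parameters must be numbers: $spec" >&2; return 1 ;;
        esac
    done
    if [ "$group" -lt 1 ] || [ "$group" -gt 32 ]; then
        echo "nflog_normalize: netlink group must be 1-32: $spec" >&2; return 1
    fi
    printf '%s(%s,%s,%s)\n' "$name" "$group" "$range" "$threshold"
}

# Demonstration with the levels from the release notes plus an omitted group:
for level in 'NFLOG(1,0,1)' 'NFLOG(,0,10)' NFLOG 'ULOG(5)'; do
    nflog_normalize "$level"
done
```

The three positions correspond to the netlink group, the number of bytes copied per packet and the kernel-side buffering threshold, which for NFLOG are the iptables options --nflog-group, --nflog-range and --nflog-threshold.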

5)  Shorewall-perl 4.1.0 implements an alternative syntax for macro
    parameters and for the NFQUEUE queue number. Rather than following
    the macro name (or NFQUEUE) with a slash ("/") and the parameter,
    the parameter may be enclosed in parentheses.

    Examples -- the two forms in each pair shown below are equivalent:

    DNS/ACCEPT       DNS(ACCEPT)
    NFQUEUE/3        NFQUEUE(3)
    
    The old syntax is still accepted but will cease to be documented
    in some future Shorewall release.


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel