7/28/2001 - The current version of Shorewall is 1.1.11. In this version
- A "shorewall refresh" command has been added to allow for
refreshing the rules associated with the broadcast address on a dynamic
interface. This command should be used in place of "shorewall
restart" when the internet interface's IP address changes.
- The /etc/shorewall/start file (if any) is now processed after all
temporary rules have been deleted. This change prevents the accidental
removal of rules added during the processing of that file.
- The "dhcp" interface option is now applicable to firewall
interfaces used by a DHCP server running on the firewall.
- The RPM can now be built from the .tgz file using "rpm -tb".
7/6/2001 - The current version of Shorewall is 1.1.10. In this version
- Shorewall now enables IPv4 Packet Forwarding by default. Packet forwarding
may be disabled by specifying IP_FORWARD=Off in
/etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or
disable packet forwarding, add IP_FORWARDING=Keep to your
/etc/shorewall/shorewall.conf file.
- The "shorewall hits" command no longer lists extraneous service
names in its last report.
- Erroneous instructions in the comments at the head of the firewall script
have been corrected.
6/23/2001 - The current version of Shorewall is 1.1.9. In this version
- The "tunnels" file really is in the RPM now.
- SNAT can now be applied to port-forwarded connections.
- A bug which would cause firewall start failures in some dhcp configurations
has been fixed.
- The firewall script now issues a message if you have the name of an
interface in the second column in an entry in /etc/shorewall/masq and that
interface is not up.
- You can now configure Shorewall so that it doesn't require the NAT and/or
mangle netfilter modules.
- Thanks to Alex Polishchuk, the "hits" command from Seawall is now in
Shorewall.
- Support for IPIP tunnels has been added.
6/18/2001 - The current version of Shorewall is 1.1.8. In this version
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
- The TOS rules are now deleted when the firewall is stopped.
- The .rpm will now install regardless of which version of iptables is
installed.
- The .rpm will now install without iproute2 being installed.
- The documentation has been cleaned up.
- The sample configuration files included in Shorewall have been formatted
to 80 columns for ease of editing on a VGA console.
5/25/2001 - The current version of Shorewall is 1.1.6. In this version
- You may now rate-limit the packet log.
- Previous versions of Shorewall have an implementation of Static NAT which
violates the principle of least surprise: NAT only occurs for packets
arriving at (DNAT) or sent from (SNAT) the interface named in the INTERFACE
column of /etc/shorewall/nat. Beginning with version 1.1.6, NAT is effective
regardless of which interface packets come from or are destined to. To get
compatibility with prior versions, I have added a new "ALL INTERFACES"
column to /etc/shorewall/nat. By placing "no" or "No" in the new column, the
NAT behavior of prior versions may be retained.
- The treatment of IPSEC Tunnels where the remote
gateway is a standalone system has been improved. Previously, it was
necessary to include an additional rule allowing UDP port 500 traffic to
pass through the tunnel. Shorewall will now create this rule automatically
when you place the name of the remote peer's zone in a new GATEWAY ZONE
column in /etc/shorewall/tunnels.
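The effect of the ALL INTERFACES column on a static NAT entry can be shown with the iptables commands each setting implies. This is an added illustration, not Shorewall's own code; the `nat_rules` helper, the column order passed to it and the sample addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration (not taken from the Shorewall firewall script): print the
# iptables commands that one static NAT entry implies for each setting of the
# ALL INTERFACES column. Nothing is executed against the kernel.
# Assumed argument order: EXTERNAL INTERFACE INTERNAL [ALL-INTERFACES]

nat_rules() {
    external=$1
    interface=$2
    internal=$3
    all=${4:-yes}

    case "$all" in
        no|No)
            # Behavior of versions before 1.1.6: translate only packets that
            # arrive at (DNAT) or leave through (SNAT) the named interface.
            in_match="-i $interface "
            out_match="-o $interface "
            ;;
        *)
            # 1.1.6 behavior: translate regardless of the interface used.
            in_match=""
            out_match=""
            ;;
    esac

    echo "iptables -t nat -A PREROUTING ${in_match}-d $external -j DNAT --to-destination $internal"
    echo "iptables -t nat -A POSTROUTING ${out_match}-s $internal -j SNAT --to-source $external"
}

# Constructed sample entries using documentation and private address ranges.
echo "# ALL INTERFACES = no"
nat_rules 192.0.2.10 eth0 10.1.1.10 no
echo "# ALL INTERFACES left at its default"
nat_rules 192.0.2.11 eth0 10.1.1.11
```

With "no", a host on another internal segment that connects to the external address is not translated, which is the surprise the 1.1.6 change removes.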
5/20/2001 - The current version of Shorewall is 1.1.5. In this version
5/10/2001 - The current version of Shorewall is 1.1.4. In this version
- Accepting RELATED connections is now optional.
- Corrected problem where if "shorewall start" aborted early
(due to kernel configuration errors for example), superfluous 'sed' error
messages were reported.
- Corrected rules generated for port redirection.
- The order in which iptables kernel modules are loaded has been
corrected (Thanks to Mark Pavlidis).
4/28/2001 - The current version of Shorewall is 1.1.3. In this version
- Correct message issued when Proxy ARP address added (Thanks to Jason Kirtland).
- /tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.
- /etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
- In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.
- When a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.
- A problem has been corrected where a sub-shell stopped the firewall and the main shell continued, resulting in a perplexing error message referring to "common.so".
- Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.
- The first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".
4/12/2001 - The current version of Shorewall is 1.1.2. In this version
- Port redirection now works again.
- The icmpdef and common chains may now be user-defined.
- The firewall no longer fails to start if "routefilter" is
specified for an interface that isn't started. A warning message is now
issued in this case.
- The LRP Version is renamed "shorwall" for 8.3 MSDOS file
system compatibility.
- A couple of LRP-specific problems were corrected.
4/8/2001 - Shorewall is now affiliated with the Leaf Project.
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
- The common chain is traversed from INPUT, OUTPUT and FORWARD before
logging occurs.
- The source has been cleaned up dramatically.
- DHCP DISCOVER packets with RFC1918 source addresses no longer
generate log messages. Linux DHCP clients generate such packets and it's
annoying to see them logged.
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
- Log messages now indicate the packet disposition.
- Error messages have been improved.
- The ability to define zones consisting of an enumerated set of hosts
and/or subnetworks has been added.
- The zone-to-zone chain matrix is now sparse so that only those chains
that contain meaningful rules are defined.
- 240.0.0.0/4 and 169.254.0.0/16 have been added to the source
subnetworks whose packets are dropped under the norfc1918 interface
option.
- Exits are now provided for executing a user-defined script when a
chain is defined, when the firewall is initialized, when the firewall is
started, when the firewall is stopped and when the firewall is cleared.
- The Linux kernel's route filtering facility can now be specified
selectively on network interfaces.
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
- Allows user-defined zones. Shorewall now has only one pre-defined
zone (fw) with the remaining zones being defined in the new configuration
file /etc/shorewall/zones. The /etc/shorewall/zones file released in this
version provides behavior that is compatible with Shorewall 1.0.3.
- Adds the ability to specify logging in entries in the
/etc/shorewall/rules file.
- Corrects handling of the icmp-def chain so that only ICMP packets are
sent through the chain.
- Compresses the output of "shorewall monitor" if awk is
installed. Allows the command to work if awk isn't installed (although
it's not pretty).
3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
release with no new features.
- The PATH variable in the firewall script now includes /usr/local/bin
and /usr/local/sbin.
- DMZ-related chains are now correctly deleted if the DMZ is deleted.
- The interface OPTIONS for "gw" interfaces are no longer
ignored.
3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
additional "gw" (gateway) zone for tunnels and it supports IPSEC
tunnels with end-points on the firewall. There is also a .lrp available now.