Seattle Firewall
Changes in version 3.2
3.2 includes some key changes:

- The format of the /etc/seawall/servers file has changed. A new CLIENTS
  column (column 3) has been added that allows you to restrict the set of
  clients that can connect to a given server. The first time that you start
  Seattle Firewall 3.2, your current file will be converted to the new
  format. If you did not install 3.2 using the install.sh script, your old
  servers file will be saved in /etc/seawall/servers-3.2.bkout.
- A new strong variable has been added that works as follows:
  - If strong="yes" or strong="Yes" on a standalone system, the set of TCP
    clients that can run on the firewall system is determined by the
    /etc/seawall/apps file, just as it is on a masquerading gateway.
  - If strong="No" or strong="no" on a masquerading gateway system, the set
    of TCP clients that can run on the firewall system is unrestricted.
  - If strong="", the behavior is equivalent to strong="Yes" on a
    masquerading gateway and strong="No" on a standalone system; this is
    exactly the pre-3.2 behavior.
- A new localports variable has been added. See the documentation of this
  variable for details.
- A new nonmasq variable has been added to define interfaces on a system
  that are to be enabled but that are not to be masqueraded nor forwarded
  to/from the internet.
- A new pptpclient variable has been added to specify that you are running
  the PPTP client on your firewall system.
- A new dnslocalports variable has been added for users of dnscache.
- Seattle Firewall no longer accepts TCP non-SYN packets with source port
  53 (Domain Name Service). If you find that you need to accept such
  packets, please add the following lines to your /etc/seawall/apps file if
  you use your ISP's name servers:
  PROTOCOL | PORT(s) | SERVER(s)                     | LOCAL PORT(s)
  tcp      | 53      | Your ISP's first Name Server  |
  tcp      | 53      | Your ISP's second Name Server |
- If you do not use your ISP's name servers and need to accept TCP non-SYN
  packets from port 53, add the following to /etc/seawall/apps:
  PROTOCOL | PORT(s) | SERVER(s) | LOCAL PORT(s)
  tcp      | 53      | 0.0.0.0/0 |
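As an added illustration (not part of Seattle Firewall or this changelog), the following models the 3.2 rule just described: a TCP non-SYN packet with source port 53 is dropped unless an apps entry names that protocol, that port, and a SERVER(s) network containing the sender. The column order follows the table above; the whitespace-separated on-disk syntax, the "-" placeholder for an empty LOCAL PORT(s) column, and the server addresses are assumptions made for the example.

```python
import ipaddress

# Constructed sample apps-file lines. Assumed layout: one entry per line,
# whitespace-separated columns PROTOCOL, PORT(s), SERVER(s), LOCAL PORT(s);
# "-" stands for an empty LOCAL PORT(s) column. Addresses are made up.
APPS_FILE = """\
# PROTOCOL  PORT(s)  SERVER(s)     LOCAL PORT(s)
tcp         53       192.0.2.53    -
tcp         53       192.0.2.54    -
udp         123      0.0.0.0/0     -
"""


def parse_apps(text):
    """Return a list of (proto, ports, network, localports) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments, blank lines
        if not line:
            continue
        proto, ports, servers, *rest = line.split()
        portset = {int(p) for p in ports.split(",")}
        # A bare host address becomes a /32; CIDR such as 0.0.0.0/0 is kept.
        net = ipaddress.ip_network(servers, strict=False)
        local = rest[0] if rest and rest[0] != "-" else None
        entries.append((proto.lower(), portset, net, local))
    return entries


def accepts_non_syn(entries, src_ip, src_port=53, proto="tcp"):
    """Would the apps file let a TCP non-SYN packet from src_ip:src_port in?

    Only an entry matching the protocol, the port and a SERVER(s) network
    that contains the source counts. With no match the packet falls to the
    new 3.2 default for source port 53 and is dropped."""
    ip = ipaddress.ip_address(src_ip)
    return any(p == proto and src_port in ports and ip in net
               for p, ports, net, _ in entries)


if __name__ == "__main__":
    apps = parse_apps(APPS_FILE)
    for host in ("192.0.2.53", "198.51.100.7"):
        verdict = "accepted" if accepts_non_syn(apps, host) else "dropped"
        print(f"tcp non-SYN from {host}:53 -> {verdict}")
```

The 0.0.0.0/0 entry from the second table accepts such packets from any server, which is why the changelog reserves it for users who do not rely on their ISP's name servers.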
Less visible changes carried forward from version 3.1.2 include:
- TCP servers running on a standalone system may now be defined in
  /etc/seawall/servers. Previously, such servers could only be defined if
  the firewall was on a masquerading gateway.
- The "ip" program may now be installed in either /sbin or /usr/sbin.
- It is no longer necessary for ipsec0 to be active when IPSec endpoints
  are present on the firewall system.
Also changed in this version:

- Seattle Firewall now supports P-T-P devices in the local and dmz
  specifications.
Last updated 7/4/2000 - Tom Eastep