---------------------------
2.1 Configuration Additions
---------------------------

2.1 adds new frameworks, and with them some
new configuration files.

* conf/no_log_ports

Often some port drops show up in your logs
which you simply do not want logged.  Instead of
turning off default logging altogether, you can
add the port to conf/no_log_ports, and connections
to that port will be dropped without being logged.

* conf/blocked_outgoing

Many folks requested the ability to block
specific outgoing connections (napster, etc).
To prevent connections -TO- specific ports,
add those ports to conf/blocked_outgoing.
This drops connections to that port for BOTH
NAT'd clients -and- the firewall itself.

- gShield now pulls DNS server information from
/etc/resolv.conf if you set the DNS server variable
to "AUTO" in gShield.conf

- gShield contains a new option: NAT_LOG_INVALID
If set to yes, gShield will log additional
information related to INVALID drops, which
often show up in the log (see section 3.1 of
the netfilter FAQ).
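The following is an added example, not gShield's own code, of the kind of iptables commands conf/no_log_ports and conf/blocked_outgoing describe. It assumes (my assumptions, not the page's) one entry per line with '#' comments, that gShield's own catch-all LOG rule in INPUT comes later so a plain DROP placed ahead of it is what "not logged" means, and it also accepts the IPv4 address or a.b.c.d/prefix entries in blocked_outgoing that 2.6.7 adds. Rules are printed rather than executed, so it runs without root; the file names and sample entries are constructed for the demo.

```shell
#!/bin/sh
# Added example (not gShield's code): turn conf/no_log_ports and
# conf/blocked_outgoing style files into iptables commands.
# Assumptions: one entry per line, '#' starts a comment, and the
# firewall's catch-all LOG+DROP rules come later in INPUT.

# Strip comments, surrounding blanks and empty lines from a conf file.
conf_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Classify one entry: "port", "addr" (IPv4, optional /0-32 prefix) or "bad".
entry_kind() {
    case "$1" in
        *[!0-9./]*) echo bad; return ;;          # letters, blanks, etc.
    esac
    case "$1" in
        */*)
            ip=${1%/*}; prefix=${1#*/}
            case "$prefix" in ''|*[!0-9]*) echo bad; return ;; esac
            [ "$prefix" -le 32 ] || { echo bad; return; }
            ;;
        *.*) ip=$1 ;;
        *)  # no dot and no slash: treat as a port number
            if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then echo port; else echo bad; fi
            return ;;
    esac
    # an address must be four dotted octets, each 0-255
    octets=$(echo "$ip" | tr '.' ' ')
    set -- $octets
    [ $# -eq 4 ] || { echo bad; return; }
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo bad; return ;; esac
        [ "$o" -le 255 ] || { echo bad; return; }
    done
    echo addr
}

# no_log_ports: silently drop traffic to these ports ahead of the LOG rule.
no_log_rules() {
    conf_entries "$1" | while read -r e; do
        if [ "$(entry_kind "$e")" = port ]; then
            echo "iptables -A INPUT -p tcp --dport $e -j DROP"
            echo "iptables -A INPUT -p udp --dport $e -j DROP"
        else
            echo "no_log_ports: ignoring '$e' (not a port)" >&2
        fi
    done
}

# blocked_outgoing: drop connections from the firewall itself (OUTPUT)
# and from NAT'd clients (FORWARD) to the listed ports or addresses.
blocked_outgoing_rules() {
    conf_entries "$1" | while read -r e; do
        case "$(entry_kind "$e")" in
            port)
                for chain in OUTPUT FORWARD; do
                    echo "iptables -A $chain -p tcp --dport $e -j DROP"
                    echo "iptables -A $chain -p udp --dport $e -j DROP"
                done ;;
            addr)
                for chain in OUTPUT FORWARD; do
                    echo "iptables -A $chain -d $e -j DROP"
                done ;;
            *)  echo "blocked_outgoing: ignoring '$e'" >&2 ;;
        esac
    done
}

# Demo on constructed sample files (not real gShield configuration).
tmpdir=$(mktemp -d)
printf '113   # ident probes\n137\n138\n' > "$tmpdir/no_log_ports"
printf '6699  # napster\n10.13.0.0/16\n192.0.2.7\nnot-a-port\n' > "$tmpdir/blocked_outgoing"
no_log_rules "$tmpdir/no_log_ports"
blocked_outgoing_rules "$tmpdir/blocked_outgoing"
rm -rf "$tmpdir"
```

The output is plain text so it can be reviewed before being fed to sh as root. Ordering is the thing to watch: the no_log DROPs only keep entries out of the log if they sit ahead of the LOG rule, which is why gShield has to place them itself rather than leave it to a rule appended at the end.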

---------------------------
2.6 Additions
---------------------------

* gShield.conf Changes

The services.rules script for gShield has undergone
serious revision in v2.6: it has been converted to case
statements to make the script more readable.

What this means for users of gShield is that the main
configuration file (gShield.conf) has undergone some changes.
Don't worry, the changes are well commented in gShield.conf

The good news is that just about every service is now forwardable;
the bad news is you should change your "old" configurations to take
advantage of these changes.

I -have- built in some logic to the new services file such that if you
REALLY like putting "YES" as opposed to "OPEN" for a service, gShield
will still understand what you mean.

* User-defined files

gShield can now easily run any site-specific
commands you need it to.

gShield does this by looking for two files in FW_ROOT:

	- gshield.first
	- gshield.last

gshield.first is sourced immediately after the tables are
flushed; gshield.last is sourced at the very end of gShield.

So, for example, say I want to get mail each time gShield is run:

$ echo 'echo "gShield run on $(date)" | mail godot' > /etc/firewall/gshield.first

(The outer single quotes matter: with double quotes on the outside the
shell expands the date when the file is written, and every mail would
carry that one fixed timestamp instead of the time of the run.)

Or, for example, I want to ensure my host at 187.12.12.12 has full access
to the firewall machine, and I want this rule pushed to the top of the
firewall rules:

$ echo "iptables -I INPUT -s 187.12.12.12 -j ACCEPT" > /etc/firewall/gshield.last

(This trusts the source address alone, so a packet spoofed from that
address is accepted too; adding -i with the interface that host really
arrives on narrows the rule.)

---------------------------
2.6.1 Additions
---------------------------

Starting with 2.6.1, you can set
BLACKLISTED to "AUTO" in gShield.conf

Setting this to AUTO will cause gShield
to pull out any client addresses in
hosts.deny which are prefixed by ALL
and use those addresses to generate
its blacklisted client list.

If you do not know how to deal
with hosts.deny, see 'man hosts_access'

There -are- some limitations:

a) gShield pays attention -only-
to listings prefixed by ALL

b) gShield cannot deal with
whole domains like tcpd can --
it needs to be a numeric ip,
resolvable hostname or range
(no more using .aol.com ;p)

c) If set to AUTO, gShield WILL NOT
read black_listed_hosts
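As an added example, not gShield's code, here is a reading of hosts.deny under the limitations above: only entries whose daemon list is exactly ALL count, and each client must be a numeric address, a range (a.b.c.d/prefix or a.b.c.d/netmask) or a plain hostname. The tcpd-only patterns (leading-dot domains, trailing-dot networks, ALL/LOCAL/PARANOID/KNOWN/UNKNOWN, user@host and EXCEPT lists) are reported on stderr and skipped; leaving out IPv6 entries and passing hostnames straight to iptables are my assumptions, not statements about gShield. The hosts.deny content in the demo is constructed.

```shell
#!/bin/sh
# Added example (not gShield's code): pick blacklist entries out of a
# hosts.deny file under the rules the text gives.  Assumptions: no IPv6
# entries, hostnames are left for iptables to resolve when the rule is added.

hosts_deny_blacklist() {
    # $1 = path to a hosts.deny file; prints one client per line
    sed -e 's/#.*//' "$1" | awk -F: '
        {
            daemons = $1; gsub(/^[ \t]+|[ \t]+$/, "", daemons)
        }
        daemons == "ALL" && NF >= 2 {
            # an EXCEPT list cannot be expressed as a plain drop list, so the
            # whole entry is skipped rather than over-blocking the range
            if ($2 ~ /(^|[ \t])EXCEPT([ \t]|$)/) {
                print "hosts.deny: skipping entry with EXCEPT list: " $0 > "/dev/stderr"
                next
            }
            n = split($2, c, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (c[i] == "") continue
                if (c[i] ~ /^\./ || c[i] ~ /\.$/ || c[i] ~ /@/ ||
                    c[i] ~ /^(ALL|LOCAL|PARANOID|KNOWN|UNKNOWN)$/) {
                    print "hosts.deny: skipping tcpd-only pattern " c[i] > "/dev/stderr"
                    continue
                }
                print c[i]
            }
        }'
}

# Turn the list into INPUT rules.  iptables resolves a hostname when the
# rule is added, so a name that does not resolve makes that command fail
# loudly rather than silently leaving the host unblocked.
blacklist_rules() {
    hosts_deny_blacklist "$1" | while read -r client; do
        echo "iptables -A INPUT -s $client -j DROP"
    done
}

# Demo on a constructed hosts.deny (not a file from the page).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample
ALL: 192.0.2.5
ALL: 10.0.0.0/255.0.0.0, badhost.example.org   # tcpd comma syntax
ALL: .aol.com
sshd: 198.51.100.9
ALL : 172.16.0.0/12 : spawn /bin/echo denied
ALL: 203.0.113.0/24 EXCEPT 203.0.113.1
EOF
hosts_deny_blacklist "$tmp"
blacklist_rules "$tmp"
rm -f "$tmp"
```

Of the six sample entries only four survive: the .aol.com wildcard and the sshd-only entry are exactly the cases limitations (a) and (b) describe, and the EXCEPT entry is dropped whole because a flat blacklist has no way to carve the exception back out.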

---------------------------
2.6.7 Additions
---------------------------

* conf/blocked_outgoing

	As an extension to blocking specific ports, many folks requested
	the ability to completely block access to specific addresses
	or ranges. Add the addresses you wish NO access to, and they are
	dropped from within the firewall milieu (which includes NAT'd clients).

* GRE specific logging

	you can guess where I'm going here, but the first step is to set up
	a framework for at least adding GRE protocol logging

* Basic VNC forwarding support

	at least for -single- VNC forwards, this can be configured
	directly in services.rules
