Problems Corrected in 3.0.4
1) The shorewall.conf file is once again "console friendly". Patch is
courtesy of Tuomo Soini.
2) A potential security hole has been closed. Previously, Shorewall ACCEPTed
all traffic from a bridge port that was sent back out on the same port. If
the port was described in /etc/shorewall/hosts using the wildcard
"+" (eg,
xenbr0:vif+), this could lead to traffic being passed in variance with the
supplied policies and rules.
3) Previously, an intra-zone policy of NONE would cause a startup error. That
problem has been corrected.
4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save"
did not
add the retained aliases. This means that the following sequence of
events resulted in missing aliases:
shorewall start
shorewall restart
shorewall save
reboot
shorewall -f start (which is the default during boot up)
5) When a 2.x standard action is invoked with a log level (example
"AllowPing:info"), logging does not occur.
New Features in 3.0.4
1) By popular demand, the ''Limit'' action described at
http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
action. Limit requires ''recent match'' support in your
kernel and iptables.
2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
change is reported to improve Java startup time on some distributions.
3) Shorewall now contains support for wildcard ports. In
/etc/shorewall/hosts, you may specify the port name with trailing
"+" then
use specific port names in rules.
Example:
/etc/shorewall/hosts
vpn br0:tap+
/etc/shorewall/hosts
DROP vpn:tap0 vpn:tap1 udp 9999
4) For the benefit of those who run Shorewall on distributions that
don''t
autoload kernel modules, /etc/shorewall/modules now contains load commands
for a wide range of Netfilter modules.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key