I realize that this is hot on the heels of Beta 2 but it fixes a couple of annoying bugs and provides a nice new feature.

http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta3
ftp://ftp1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta3

Problems Corrected in 3.2.0 Beta 3

1) The 'try' command with an effective verbosity of zero resulted in an error message and the command failed.

2) /etc/shorewall/Makefile was incorrectly described as %config(noreplace) in the RPM .spec file. This prevented updated versions of the file from being installed properly.

3) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall start" will fail with the error 'Error: an inet prefix is expected rather than "SAME".'

Other changes in 3.2.0 Beta 2

2) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When this option is set to "Yes", it causes subzones to be treated differently with respect to policies. Subzones are defined by following their name with ":" and a list of parent zones (in /etc/shorewall/zones).

   Normally, you want to have a set of special rules for the subzone, and if a connection doesn't match any of those subzone-specific rules then you want the parent zone rules to be applied. With IMPLICIT_CONTINUE=Yes, that happens automatically. If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones are not subject to this special treatment.

   With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden by including an explicit policy (one that does not specify "all" in either the SOURCE or the DEST columns).

   Example:

   /etc/shorewall/zones:

   par        ipv4
   chld:par   ipv4

   Traffic to/from the 'chld' zone will first pass through the applicable 'chld' rules, and if none of those rules match then it will be passed through the appropriate 'par' rules. If the connection request does not match any of the 'par' rules then the relevant 'par' policy is applied.

   If you want the fw->chld policy to be ACCEPT, simply add this entry to /etc/shorewall/policy:

   $FW    chld    ACCEPT

   Traffic from all other zones to 'chld' will be subject to the implicit CONTINUE policy.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
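A fuller worked configuration for the IMPLICIT_CONTINUE behaviour described in the announcement, added here as an illustration and not part of Tom's message or the Shorewall distribution. The interface name eth1, the 192.168.1.0/24 and 192.168.1.0/25 address ranges, and the rules and policies shown are constructed assumptions; only the 'par'/'chld' zone layout and the $FW->chld ACCEPT policy come from the text above.

```text
# /etc/shorewall/shorewall.conf  (constructed example)
IMPLICIT_CONTINUE=Yes

# /etc/shorewall/zones
#ZONE      TYPE       OPTIONS
fw         firewall
par        ipv4
chld:par   ipv4                  # 'chld' is a subzone of 'par'

# /etc/shorewall/interfaces  (assumed interface name)
#ZONE      INTERFACE   BROADCAST   OPTIONS
par        eth1        detect

# /etc/shorewall/hosts  (assumed range: the lower half of eth1's subnet is 'chld')
#ZONE      HOST(S)                  OPTIONS
chld       eth1:192.168.1.0/25

# /etc/shorewall/policy
#SOURCE    DEST      POLICY    LOG LEVEL
$FW        chld      ACCEPT              # explicit policy overrides the implicit CONTINUE
par        $FW       DROP      info      # also reached by 'chld' traffic that falls through
par        all       REJECT    info
all        all       REJECT    info

# /etc/shorewall/rules
#ACTION    SOURCE    DEST      PROTO     DEST PORT(S)
ACCEPT     chld      $FW       tcp       22        # subzone-specific rule: SSH only from 'chld' hosts
ACCEPT     par       $FW       tcp       80        # parent rule: applies to 'chld' as well via CONTINUE

# How a connection from 192.168.1.10 (a 'chld' host) to the firewall is handled:
#   tcp/22 -> matches the 'chld' rule            -> ACCEPT
#   tcp/80 -> no 'chld' rule; CONTINUE to 'par'  -> matches the 'par' rule -> ACCEPT
#   tcp/25 -> no 'chld' or 'par' rule            -> 'par' -> $FW policy   -> DROP (logged)
# A connection from 192.168.1.200 (a 'par'-only host) to tcp/22 matches no rule -> DROP.
```

With IMPLICIT_CONTINUE=No and the same files, a 'chld' host connecting to tcp/80 would match no 'chld' rule and no chld->$FW policy, so it would fall to the catch-all "all all REJECT" instead of inheriting the 'par' rule; adding an explicit "chld par CONTINUE" policy line restores the fall-through in that mode.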