RC 1 is now available for testing.
Problems Corrected.

1) Previously, if

   a) syn flood protection was enabled in a policy that
      specified "all" for the SOURCE or DEST, and
   b) there was only one pair of zones matching that policy, and
   c) PROPAGATE_POLICIES=Yes in shorewall.conf, and
   d) logging was specified on the policy

   then the chain implementing the chain had "all" in its name while
   the logging rule did not.

   Example

   On a simple standalone configuration, /etc/shorewall/policy
   has:

       #SOURCE    DEST    POLICY    LOGGING
       net        all     DROP      info

   then the chain implementing syn flood protection would be named
   @net2all while the logging rule would indicate net2fw.

   Now, the chain will be named @net2fw.

New Features:

1) A Munin macro has been contributed by Tuomo Soini.

2) The Shorewall6 accounting, tcrules and rules files now include a
   HEADERS column which allows matching based on the IPv6 extension
   and protocol headers included in a packet.

   The contents of the column are:

       [any:|exactly:]<header list>

   where <header list> is a comma-separated list of headers from the
   following:

       Long Name     Short Name    Number
       --------------------------------------
       auth          ah            50
       esp           esp           51
       hop-by-hop    hop           0
       route         ipv6-route    41
       frag          ipv6-frag     44
       none          ipv6-nonxt    59
       protocol      proto         255

   If "any:" is specified, the rule will match if any of the listed
   headers are present. If "exactly:" is specified, the rule will match
   packets that exactly include all specified headers. If neither is
   given, "any:" is assumed.

   This change adds a new capability (Header Match) so if you use a
   capabilities file, you will need to regenerate using this release.

Thank you for testing.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
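
The HEADERS column syntax described in the announcement above, as an added example that is not part of the original message or of Shorewall's own code: a small Python parser and matcher. It accepts only the long and short names (numeric forms are left out), treating "exactly:" as set equality between listed and present headers is an assumption, and `parse_headers` and `rule_matches` are hypothetical names.

```python
# Added example: parser and matcher for the HEADERS column syntax
# [any:|exactly:]<header list>. Names come from the announcement's table;
# the set-equality reading of "exactly:" is an assumption of this sketch.

# long name -> short name, as listed in the announcement
HEADER_NAMES = {"auth": "ah", "esp": "esp", "hop-by-hop": "hop",
                "route": "ipv6-route", "frag": "ipv6-frag",
                "none": "ipv6-nonxt", "protocol": "proto"}
# accept either spelling, canonicalise to the long name
CANONICAL = {long: long for long in HEADER_NAMES}
CANONICAL.update({short: long for long, short in HEADER_NAMES.items()})


def parse_headers(column):
    """Return (mode, frozenset of canonical long names) for a HEADERS value."""
    mode, sep, rest = column.partition(":")
    if not sep:
        mode, rest = "any", column  # no prefix: "any:" is assumed
    elif mode not in ("any", "exactly"):
        raise ValueError(f"unknown HEADERS prefix {mode!r}")
    names = set()
    for token in rest.split(","):
        token = token.strip().lower()
        if token not in CANONICAL:
            raise ValueError(f"unknown IPv6 header {token!r}")
        names.add(CANONICAL[token])
    return mode, frozenset(names)


def rule_matches(column, packet_headers):
    """Evaluate a HEADERS value against the headers present in one packet."""
    mode, wanted = parse_headers(column)
    present = {CANONICAL[h] for h in packet_headers}
    if mode == "any":
        return bool(wanted & present)  # at least one listed header present
    return wanted == present           # "exactly:" read as set equality


if __name__ == "__main__":
    # Constructed packet: carries a fragment header and an ESP header.
    packet = ["frag", "esp"]
    for spec in ("ah,esp", "any:hop,route", "exactly:esp",
                 "exactly:ipv6-frag,esp"):
        print(f"{spec:24} -> {rule_matches(spec, packet)}")
```
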

On 11/26/10 8:22 AM, Tom Eastep wrote:

>     Long Name     Short Name    Number
>     --------------------------------------
>     auth          ah            50
>     esp           esp           51

The protocol numbers above are reversed. I've corrected the online copies and these corrections will be included in 4.4.15 Final.

-Tom

Tom

Having recreated the capabilities file, "shorewall start" produces the
following message:

    WARNING: Unknown capability (HEADER_MATCH) ignored : /etc/shorewall2/capabilities (line 54)

Note, this also happens with shorewall6.

-------------------------------------------------------------------------------------------------------------

The following entry in the routes file:

    0 10.1.1.0/24 - -

produces the following message:

    Use of uninitialized value $physical in concatenation (.) or string at /usr/share/shorewall/Shorewall/Providers.pm line 690, <$currentfile> line 9.

Steven.

On 11/26/10 4:18 PM, Steven Jan Springl wrote:

> Tom
>
> Having recreated the capabilities file, "shorewall start" produces the
> following message:
>
> WARNING: Unknown capability (HEADER_MATCH)
> ignored : /etc/shorewall2/capabilities (line 54)
>
> Note, this also happens with shorewall6.
>
> -------------------------------------------------------------------------------------------------------------
>
> The following entry in the routes file:
>
> 0 10.1.1.0/24 - -
>
> produces the following message:
>
> Use of uninitialized value $physical in concatenation (.) or string
> at /usr/share/shorewall/Shorewall/Providers.pm line 690, <$currentfile> line
> 9.

The attached patches should correct these problems. Thanks for testing, Steven.

-Tom

Tom

The patches have corrected the problems.

Thanks.

Steven.