Beta 3 is now available for testing.

Problems Corrected since Beta 2:

1) The compiler now handles compile for export when the directory
   layout of the remote firewall is different from that of the
   administrative system.

2) A directory name can once again be specified when the -e compile
   option is specified.

New Features:

1) Multiple UID/GIDs separated by commas may now be given in the
   USER/GROUP column of the rules files.

2) A warning message is now issued if the 'blacklist' option is
   specified for a zone (the 'blacklist' option has been deprecated
   for several releases).

3) Shorewall-init now compiles the Shorewall and Shorewall6 firewall
   scripts if they don't exist when needed.

Thank you for testing.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> New Features:
>
> 1) Multiple UID/GIDs separated by commas may now be given in the
> USER/GROUP column of the rules files.
>
> 2) A warning message is now issued if the 'blacklist' option is
> specified for a zone (the 'blacklist' option has been deprecated
> for several releases).
>
> 3) Shorewall-init now compiles the Shorewall and Shorewall6 firewall
> scripts if they don't exist when needed.

Nice, thank you! I'll give it a go to see how it works in the coming days.

------------------------------------------------------------------------------
> 1) Multiple UID/GIDs separated by commas may now be given in the
> USER/GROUP column of the rules files.

That works a treat, thank you.

> 2) A warning message is now issued if the 'blacklist' option is
> specified for a zone (the 'blacklist' option has been deprecated
> for several releases).

That doesn't seem to be working as expected - if I have "blacklist" defined in any of my zones, and even if I do not have blacklist (but do have blrules), blacklst/blackout chains are still created (and they are empty!) alongside the "new" ~blacklist0/~blacklist1, which isn't what is needed.

> 3) Shorewall-init now compiles the Shorewall and Shorewall6 firewall
> scripts if they don't exist when needed.

I'll go through this later as I need to prepare a small test case, but looking at the init script, $PRODUCT compile is executed, which is promising.

------------------------------------------------------------------------------
On 09/11/2012 05:14 PM, Mr Dash Four wrote:

>> 1) Multiple UID/GIDs separated by commas may now be given in the
>> USER/GROUP column of the rules files.
> That works a treat, thank you.
>
>> 2) A warning message is now issued if the 'blacklist' option is
>> specified for a zone (the 'blacklist' option has been deprecated
>> for several releases).
> That doesn't seem to be working as expected - if I have "blacklist"
> defined in any of my zones, and even if I do not have blacklist (but
> do have blrules), blacklst/blackout chains are still created (and
> they are empty!) alongside the "new" ~blacklist0/~blacklist1, which
> isn't what is needed.

(Surprisingly large) patch attached.

>
>> 3) Shorewall-init now compiles the Shorewall and Shorewall6
>> firewall scripts if they don't exist when needed.
> I'll go through this later as I need to prepare a small test case,
> but looking at the init script, $PRODUCT compile is executed, which
> is promising.

Thanks.

-Tom

------------------------------------------------------------------------------
>> That doesn't seem to be working as expected - if I have "blacklist"
>> defined in any of my zones, and even if I do not have blacklist (but
>> do have blrules), blacklst/blackout chains are still created (and
>> they are empty!) alongside the "new" ~blacklist0/~blacklist1, which
>> isn't what is needed.
>
> (Surprisingly large) patch attached.

OK, this now works when the blacklist file is empty, but when there is some content in it, as well as in the blrules file, both files are taken into account, creating blacklst/blackout as well as ~blacklistX chains. Is that how it is supposed to work? I thought blrules took precedence over the deprecated blacklist? Is that not the case?

------------------------------------------------------------------------------
On 09/12/2012 03:35 PM, Mr Dash Four wrote:

>>> That doesn't seem to be working as expected - if I have
>>> "blacklist" defined in any of my zones, and even if I do not have
>>> blacklist (but do have blrules), blacklst/blackout chains are
>>> still created (and they are empty!) alongside the "new"
>>> ~blacklist0/~blacklist1, which isn't what is needed.
>>
>> (Surprisingly large) patch attached.
> OK, this now works when the blacklist file is empty, but when there
> is some content in it, as well as in the blrules file, both files are
> taken into account, creating blacklst/blackout as well as ~blacklistX
> chains. Is that how it is supposed to work?

Yes.

-Tom
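
The outcome of this thread (both the deprecated blacklist file and blrules are honoured when both have content) can be checked on an existing configuration before upgrading. The script below is an added example, not part of any message above and not Shorewall code; it assumes files named `zones`, `blacklist` and `blrules` in the configuration directory, `#` comments, and zone options in columns 3 to 5 of `zones`.

```shell
#!/bin/sh
# Added example: audit a Shorewall configuration directory for the
# deprecated blacklist setup discussed in this thread.
# Assumed layout (not stated in the thread): files named zones, blacklist
# and blrules; '#' starts a comment; zone options sit in columns 3-5.

# Succeeds if the file has at least one line that is not blank or a comment.
has_entries() {
    [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# Print the names of zones whose option columns contain 'blacklist'.
zones_with_blacklist() {
    [ -f "$1" ] || return 0
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            sub(/#.*/, "")          # drop trailing comments
            for (i = 3; i <= 5 && i <= NF; i++) {
                n = split($i, opts, ",")
                for (j = 1; j <= n; j++)
                    if (opts[j] == "blacklist") { print $1; next }
            }
        }' "$1"
}

# Classify which blacklist sources have content: none, legacy, blrules, both.
blacklist_mode() {
    dir=$1; legacy=0; new=0
    has_entries "$dir/blacklist" && legacy=1
    has_entries "$dir/blrules" && new=1
    case "$legacy$new" in
        11) echo both ;;      # thread: both chain sets get created
        10) echo legacy ;;
        01) echo blrules ;;
        *)  echo none ;;
    esac
}

audit() {
    dir=${1:-/etc/shorewall}
    for z in $(zones_with_blacklist "$dir/zones"); do
        echo "WARNING: zone $z uses the deprecated 'blacklist' option"
    done
    echo "blacklist sources in use: $(blacklist_mode "$dir")"
}

if [ $# -gt 0 ]; then audit "$1"; fi
```

A result of `both` means entries are still split across the two files; moving them into blrules and emptying the blacklist file leaves only the ~blacklistX chains, as reported above.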