Shorewall 4.2.1 is available from all Shorewall Mirrors
Problems corrected in Shorewall 4.2.1
1) A description of the CONNBYTES column has been added to
shorewall-tcrules(5).
2) Previously, Shorewall-perl would accept zero as the <max> value in
the CONNBYTES column of tcrules even when the <min> field was
non-zero. A value of zero for <max> was equivalent to omitting
<max>.
3) iptables 1.4.1 discontinued support for some of the command syntax
generated by Shorewall. Shorewall now detects when the new syntax
is required and uses it instead.
4) The Shorewall-perl implementation of the LENGTH column in
/etc/shorewall/tcrules was incomplete with the result that
all LENGTH rules matched. Thanks to Lennart Sorensen for the patch.
5) The 'export' command no longer fails with the error:
/sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting
"fi")
Other changes in Shorewall 4.2.1
1) With the recent renewed interest in DoS attacks, it seems
appropriate to have connection limiting support in Shorewall. To
that end, a CONNLIMIT column has been added to both the policy and
rules files.
The content of these columns is of the format
[!] <limit>[:<mask>]
where
<limit> is the limit on simultaneous TCP connections.
<mask> specifies the size of the network to which
the limit applies and is specified as a
CIDR mask length. The default value for
<mask> is 32 which means that each remote
IP address can have <limit> TCP connections
active at once.
! Not allowed in the policy file. In the rules file, it
causes connections to match when the number of
current connections exceeds <limit>.
When specified in the policy file, the limit is enforced on all
connections that are subject to the given policy (just like
LIMIT:BURST). The limit is checked on new connections before the
connection is passed through the rules in the NEW section of the
rules file.
It is important to note that while the limit is only checked for
those destinations specified in the DEST column, the number of
current connections is calculated over all destinations and not
just the destination specified in the DEST column.
Use of this feature requires the connlimit match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.
2) Shorewall now supports time/date restrictions on entries in the
rules file via a new TIME column.
The content of this column is a series of one or more "time
elements" separated by ampersands ("&"). Possible time
elements are:
utc Times are expressed in Greenwich Mean Time.
localtz Times are expressed in local civil time (default)
timestart=hh:mm[:ss]
timestop=hh:mm[:ss] Start and stop time of day for rule
weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or
Sun
monthdays=dd[,dd]... where dd is an ordinal day of the month.
datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
where yyyy = Year
first mm = Month
dd = Day
hh = Hour
2nd mm = Minute
ss = Second
Examples:
1) utc&timestart=10:00&timestop=12:00
Between 10am and 12 noon each day, GMT
2) datestart=2008-11-01T12:00
Beginning November 1, 2008 at noon LCT.
Use of this feature requires the time match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.
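As an added illustration of the two new columns (the CONNLIMIT column in item 1 and the TIME column in item 2), the following Python script is not Shorewall's own code and does not come from this announcement; it parses the two column syntaxes exactly as described above and emits the iptables `-m connlimit` / `-m time` arguments they correspond to. The mapping to iptables options is my reading of the semantics described here and is an assumption: in particular, a non-negated CONNLIMIT is rendered as `! --connlimit-above <limit>` (match while the count is at or below the limit) and a `!`-prefixed one as `--connlimit-above <limit>` (match once the limit is exceeded). The sample column values in the `__main__` block are constructed for the example.

```python
# Added example: an illustrative parser for the CONNLIMIT and TIME columns
# announced above.  This is not Shorewall-perl's code; the mapping from
# column syntax to iptables '-m connlimit' / '-m time' options is an
# assumption drawn from the announcement's description of the semantics.
import re

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
_HHMM_RE = re.compile(r"^\d{2}:\d{2}(?::\d{2})?$")
_DATE_RE = re.compile(r"^\d{4}(?:-\d{2}(?:-\d{2}(?:T\d{2}(?::\d{2}(?::\d{2})?)?)?)?)?$")


def parse_connlimit(column, in_policy=False):
    """Parse '[!] <limit>[:<mask>]' into iptables connlimit arguments.

    Without '!' the rule is meant to apply only while the per-network count
    is at or below <limit>, so the match is inverted ('! --connlimit-above');
    with '!' (rules file only) it matches once the count exceeds <limit>.
    <mask> defaults to 32, i.e. one counter per remote IP address.
    """
    value = column.strip()
    negated = value.startswith("!")
    if negated:
        if in_policy:
            raise ValueError("'!' is not allowed in the policy file CONNLIMIT column")
        value = value[1:].lstrip()
    m = re.fullmatch(r"(\d+)(?::(\d+))?", value)
    if not m:
        raise ValueError(f"bad CONNLIMIT value: {column!r}")
    limit = int(m.group(1))
    mask = int(m.group(2)) if m.group(2) is not None else 32
    if limit < 1 or not 0 <= mask <= 32:        # a zero limit or a mask > 32 makes no sense
        raise ValueError(f"bad CONNLIMIT value: {column!r}")
    args = ["-m", "connlimit"]
    if not negated:
        args.append("!")
    args += ["--connlimit-above", str(limit), "--connlimit-mask", str(mask)]
    return args


def parse_time(column):
    """Parse '<element>[&<element>...]' into iptables time-match arguments.

    Accepted elements are exactly those listed in the announcement: utc,
    localtz, timestart=, timestop=, weekdays=, monthdays=, datestart=,
    datestop=.  Each element may appear once; utc and localtz are exclusive.
    """
    args = ["-m", "time"]
    seen = set()
    for element in column.strip().split("&"):
        key, has_value, val = element.strip().partition("=")
        if not key or key in seen:
            raise ValueError(f"empty or duplicate time element in {column!r}")
        seen.add(key)
        if key in ("utc", "localtz"):
            if has_value:
                raise ValueError(f"{key} takes no value")
            args.append("--" + key)
        elif key in ("timestart", "timestop"):
            if not _HHMM_RE.match(val):
                raise ValueError(f"bad {key}: {val!r}")
            args += ["--" + key, val]
        elif key == "weekdays":
            if not all(d in WEEKDAYS for d in val.split(",")):
                raise ValueError(f"bad weekdays: {val!r}")
            args += ["--weekdays", val]
        elif key == "monthdays":
            if not all(d.isdigit() and 1 <= int(d) <= 31 for d in val.split(",")):
                raise ValueError(f"bad monthdays: {val!r}")
            args += ["--monthdays", val]
        elif key in ("datestart", "datestop"):
            if not _DATE_RE.match(val):
                raise ValueError(f"bad {key}: {val!r}")
            args += ["--" + key, val]
        else:
            raise ValueError(f"unknown time element: {key!r}")
    if {"utc", "localtz"} <= seen:
        raise ValueError("utc and localtz are mutually exclusive")
    return args


def rule_matches(connlimit="", time=""):
    """Combine both columns (either may be empty, as on a rules-file line)
    into the match portion of an iptables rule, as a single string."""
    args = []
    if connlimit:
        args += parse_connlimit(connlimit)
    if time:
        args += parse_time(time)
    return " ".join(args)


def rejects(fn, value, **kw):
    """True if fn(value) raises ValueError (shows the sanity checks at work)."""
    try:
        fn(value, **kw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: at most 3 connections per /24, weekdays 08:00-18:00;
    # then a '!' form that matches (e.g. for DROP) once a host exceeds 20.
    print(rule_matches("3:24", "weekdays=Mon,Tue,Wed,Thu,Fri&timestart=08:00&timestop=18:00"))
    print(rule_matches("! 20"))
    print(rule_matches(time="utc&timestart=10:00&timestop=12:00"))
```

Note that, as the announcement says, the connlimit counter is kept per source network regardless of the DEST column, so a `3:24` limit on one rule counts connections from that /24 to all destinations; the script reproduces only the syntax and option mapping, not the kernel's counting.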
-Tom
--
Tom Eastep \ The ultimate result of shielding men from the
Shoreline, \ effects of folly is to fill the world with fools.
Washington, USA \ -Herbert Spencer
http://shorewall.net \________________________________________________