The Shorewall team is pleased to announce the availability of Shorewall 4.2.8.

Problems Corrected in Shorewall 4.2.8

1) The 'start -f' command would previously skip the compilation step
   unconditionally when the 'make' utility was not installed. Now, the
   compilation step is run unconditionally in this case.

2) When ADD_IP_ALIASES=Yes in shorewall.conf, entries in
   /etc/shorewall/nat produced this failure at compile time when using
   Shorewall-perl:

      ERROR: Internal Error in emit : /etc/shorewall/nat (line 12)

3) When LOG_MARTIANS=Yes with Shorewall-perl, setting logmartians=0 in
   an entry in /etc/shorewall/interfaces failed to suppress martian
   logging on the interface.

4) Shorewall-perl now generates rules with inversion that are compatible
   with iptables 1.4.3.

5) When a network address was specified in the SOURCE or DEST column of
   /etc/shorewall/tcfilters, Shorewall-perl was generating an incorrect
   netmask.

Known Problems Remaining:

1) When exclusion is used in an entry in /etc/shorewall/hosts,
   Shorewall-shell produces an invalid iptables rule if any of the
   following OPTIONS are also specified in the entry:

      blacklist
      maclist
      norfc1918
      tcpflags

2) Shorewall-shell generates inversion rules which produce warnings with
   iptables 1.4.3. Example:

      iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT

   With iptables 1.4.3.1, the following informational message is
   produced:

      Using intrapositioned negation (`--option ! this`) is deprecated
      in favor of extrapositioned (`! --option this`).

   We don't intend to fix this. It's time to migrate to Shorewall-perl
   anyway.

New Features in 4.2.8

1) The /usr/share/shorewall/modules and /usr/share/shorewall6/modules
   files have been updated for iptables 1.4.3/kernel 2.6.29.

Migration Issues.

1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
   mark values < 256 to be assigned in the OUTPUT chain. This has been
   changed so that only high mark values may be assigned there.
   Packet marking rules for traffic shaping of packets originating on
   the firewall must be coded in the POSTROUTING chain.

2) Previously, Shorewall did not range-check the value of the VERBOSITY
   option in shorewall.conf. Beginning with Shorewall 4.2:

   a) A VERBOSITY setting outside the range -1 through 2 is rejected.

   b) After the -v and -q options are applied, the resulting value is
      adjusted to fall within the range -1 through 2.

3) Specifying a destination zone in a NAT-only rule now generates a
   warning and the destination zone is ignored. NAT-only rules are:

      NONAT
      REDIRECT-
      DNAT-

4) The default value for LOG_MARTIANS has been changed. Previously, the
   defaults were:

      Shorewall-perl  - 'Off'
      Shorewall-shell - 'No'

   The new default values are:

      Shorewall-perl  - 'On'
      Shorewall-shell - 'Yes'

   Shorewall-perl users may:

   a) Accept the new default -- martians will be logged from all
      interfaces with route filtering except those with log_martians=0
      in /etc/shorewall/interfaces.

   b) Explicitly set LOG_MARTIANS=Off to maintain compatibility with
      prior versions of Shorewall.

   Shorewall-shell users may:

   a) Accept the new default -- martians will be logged from all
      interfaces with route filtering enabled.

   b) Explicitly set LOG_MARTIANS=No to maintain compatibility with
      prior versions of Shorewall.

5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
   been changed from Yes to No.

6) The 'norfc1918' option is deprecated. Use explicit rules instead.
   Note that there is a new 'Rfc1918' macro that acts on addresses
   reserved by RFC 1918.

7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
   ipset-based zones instead.

8) The generated firewall script produced by Shorewall-perl can now
   detect the GATEWAY of an interface configured with dhclient.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep.  Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
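Known Problems item 2 above describes the intrapositioned negation ('--option ! value') that Shorewall-shell still emits and that iptables 1.4.3 flags as deprecated. The following Python script is an added example, not part of this announcement or of Shorewall itself: it lints a list of rule lines (for instance the generated firewall script) for the deprecated form and rewrites each hit as the extrapositioned '! --option value' form. The rule list is constructed for illustration; the first entry is the rule quoted in the announcement.

```python
import re
import shlex

# An iptables option token: short form (-s, -p) or long form (--dport).
OPTION_RE = re.compile(r"^--?[A-Za-z][\w-]*$")


def uses_intrapositioned_negation(rule: str) -> bool:
    """True if the rule contains '<option> ! <value>' anywhere."""
    tokens = shlex.split(rule)
    return any(OPTION_RE.match(tokens[i]) and tokens[i + 1] == "!"
               for i in range(len(tokens) - 1))


def normalize_negation(rule: str) -> str:
    """Rewrite '<option> ! <value>' as '! <option> <value>'.

    Rules that already use the extrapositioned form are returned
    unchanged apart from whitespace normalisation. Quoted arguments
    (e.g. --log-prefix) are re-joined without their quotes."""
    tokens = shlex.split(rule)
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if (OPTION_RE.match(tok) and i + 2 < len(tokens)
                and tokens[i + 1] == "!"):
            # Move the '!' in front of the option: '-s ! X' -> '! -s X'
            out.extend(["!", tok, tokens[i + 2]])
            i += 3
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def lint_rules(rules):
    """Return (line_no, original, rewritten) for every deprecated rule."""
    return [(n, r, normalize_negation(r))
            for n, r in enumerate(rules, 1)
            if uses_intrapositioned_negation(r)]


# Constructed sample: the announcement's rule, a compliant rule, and a
# port-match inversion.
SAMPLE_RULES = [
    "iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT",
    "iptables -A net2fw ! -s 10.0.0.0/8 -j DROP",
    "iptables -A fw2net -p tcp --dport ! 22 -j ACCEPT",
]

if __name__ == "__main__":
    for n, old, new in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {old}\n  -> {new}")
```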