The Shorewall team is pleased to announce the availability of Shorewall
4.4.10.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Startup Errors (those that are detected before the state of the
system has been altered), were previously not sent to the
STARTUP_LOG.
2) A regression of sorts occurred in Shorewall 4.4.9. Previously, a
Perl extension script could end with a call to add_rule(). Such a
script fails under Shorewall 4.4.9 unless the 'trace' option is
specified on the run line.
While this issue has been corrected, users are advised to always
end their Perl extension scripts with the following line to ensure
that the script returns a 'true' value:
1;
3) Under rare circumstances involving a complex configuration,
OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
input to be generated.
Sample error message:
iptables-restore v1.4.8: Couldn't load target
`sys2sys':/usr/local/libexec/xtables/libipt_sys2sys.so:
cannot open shared object file: No such file or directory
4) Previously, if the 'optional' option was given to an interface with
a wildcard physical name, specific instances of the interface were
never considered usable.
Example:
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net ppp+ - optional
/etc/shorewall/providers:
#PROVIDER NUMBER MARK DUPLICATE INTERFACE ...
XYZTEL 1 - main ppp0
The XYZTEL provider was never usable.
This configuration now works correctly.
5) The 'forget' command now correctly removes saved ipsets.
----------------------------------------------------------------------------
N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
package provides two related features:
a) It allows the firewall to be closed prior to bringing up
network devices. This ensures that unwanted connections are not
allowed between the time that the network comes up and when the
firewall is started.
b) It integrates with NetworkManager and distribution ifup/ifdown
systems to allow for 'event-driven' startup and shutdown.
The two facilities can be enabled separately.
When Shorewall-init is first installed, it does nothing until you
configure it.
The configuration file is /etc/default/shorewall-init on
Debian-based systems and /etc/sysconfig/shorewall-init otherwise.
There are two settings in the file:
PRODUCTS - lists the Shorewall packages that you want to
integrate with Shorewall-init. Example:
PRODUCTS="shorewall shorewall6"
IFUPDOWN - When set to 1, enables integration with
NetworkManager and the ifup/ifdown scripts.
To close your firewall before networking starts:
a) in the Shorewall-init configuration file, set PRODUCTS to the
firewall products installed on your system.
b) be sure that your current firewall script(s) (normally in
/var/lib/<product>/firewall) is(are) compiled with the 4.4.10
compiler.
Shorewall and Shorewall6 users can execute these commands:
shorewall compile
shorewall6 compile
Shorewall-lite and Shorewall6-lite users can execute these
commands on the administrative system.
shorewall export <firewall-name-or-ip-address>
shorewall6 export <firewall-name-or-ip-address>
That's all that is required.
To integrate with NetworkManager and ifup/ifdown, additional steps
are required. You probably don't want to enable this feature if you
run a link status monitor like swping or LSM.
a) In the Shorewall-init configuration file, set IFUPDOWN=1.
b) In your Shorewall interfaces file(s), set the 'required' option
on any interfaces that must be up in order for the firewall to
start. At least one interface must have the 'required' or
'optional' option if you perform the next optional step. If
'required' is specified on an interface with a wildcard name
(the physical name ends with '+'), then at least one interface
that matches the name must be in a usable state for the
firewall to start successfully.
c) (Optional) -- If you have specified at least one 'required'
or 'optional' interface, you can then disable automatic firewall
startup at boot time.
On Debian-based systems, set startup=0 in
/etc/default/<product>.
On other systems, use your service startup configuration tool
(chkconfig, insserv, ...) to disable startup.
The following actions occur when an interface comes up:
FIREWALL     INTERFACE     ACTION
STATE
----------------------------------
Any          Required      start
stopped      Optional      start
started      -             restart
The following actions occur when an interface goes down:
In the INTERFACE column, '-' indicates neither required nor
optional
FIREWALL     INTERFACE     ACTION
STATE
----------------------------------
Any          Required      stop
stopped      Optional      start
started      -             restart
For optional interfaces, the /var/lib/<product>/<interface>.state
files are maintained to reflect the state of the interface.
Please note that the action is carried out using the current
compiled script; the configuration is not recompiled.
A new option has been added to shorewall.conf and
shorewall6.conf. The REQUIRE_INTERFACE option determines the
outcome when an attempt to start/restart/restore/refresh the
firewall is made and none of the optional interfaces are available.
With REQUIRE_INTERFACE=No (the default), the operation is
performed. If REQUIRE_INTERFACE=Yes, then the operation fails and
the firewall is placed in the stopped state. This option is
suitable for a laptop with both ethernet and wireless
interfaces. If either come up, the firewall starts. If neither
comes up, the firewall remains in the stopped state. Similarly, if
an optional interface goes down and there are no optional
interfaces remaining in the up state, then the firewall is stopped.
Shorewall-init may be installed on Debian-based systems, SuSE-based
systems and RedHat-based systems.
On Debian-based systems, during system shutdown the firewall is
opened prior to network shutdown (/etc/init.d/shorewall stop
performs a 'clear' operation rather than a 'stop'). This is
required by Debian standards. You can change this default behavior
by setting SAFESTOP=1 in /etc/default/shorewall
(/etc/default/shorewall6, ...).
2) All of the CLIs now support the -a option of the 'version' command.
Example:
gateway:~# shorewall6 version -a
4.4.10-RC1
shorewall: 4.4.10-RC1
shorewall-lite: 4.4.10-RC1
shorewall6-lite: 4.4.10-RC1
shorewall-init: 4.4.10-RC1
gateway:~#
3) Beginning with this release, the 'restart' and 'refresh' commands
now retain the contents of the dynamic blacklist as well as the
current UPnP rules. The dynamic blacklist is also preserved over
stop/start.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit. See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
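Worked example of the Shorewall-init set-up described in the announcement, added here by the editor; it is not code from the announcement or from the Shorewall-init package. The POSIX shell script writes the laptop case (wired eth0 plus wireless wlan0, both 'optional', REQUIRE_INTERFACE=Yes, IFUPDOWN=1, boot-time startup disabled) under a prefix directory instead of /, using the Debian /etc/default layout the announcement names, and then runs a small pre-flight check for the rule stated in step b): with IFUPDOWN=1 and startup=0, at least one interface must carry 'required' or 'optional', or nothing will ever start the firewall. The interface names, the prefix layout and the pre-flight check itself are the editor's assumptions, not a Shorewall command.

```shell
#!/bin/sh
# Added example, not code from the announcement or from Shorewall-init:
# write the laptop set-up described in the announcement under a prefix
# directory (never under / here), then sanity-check it. The Debian file
# layout (/etc/default/...) is assumed; on other distributions the init
# settings live in /etc/sysconfig/shorewall-init.

# Write the configuration. $1 = prefix directory, $2 = OPTIONS value given
# to eth0 and wlan0 ("optional" for the laptop case, "-" for a broken case).
write_config() {
    prefix=$1
    opts=$2
    mkdir -p "$prefix/etc/default" "$prefix/etc/shorewall"

    # /etc/default/shorewall-init: products to close before networking comes
    # up, and IFUPDOWN=1 for event-driven start/stop from ifup/ifdown.
    printf 'PRODUCTS="shorewall"\nIFUPDOWN=1\n' > "$prefix/etc/default/shorewall-init"

    # /etc/default/shorewall: boot-time start disabled; ifup events start it.
    printf 'startup=0\n' > "$prefix/etc/default/shorewall"

    # /etc/shorewall/interfaces: whichever link comes up first starts the firewall.
    cat > "$prefix/etc/shorewall/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           $opts
net     wlan0       -           $opts
EOF

    # shorewall.conf: a start attempt with neither link up fails and leaves
    # the firewall stopped instead of running with no uplink present.
    printf 'REQUIRE_INTERFACE=Yes\n' > "$prefix/etc/shorewall/shorewall.conf"
}

# Print the value of KEY ($2) in a KEY=value file ($1), quotes stripped;
# empty if the file or key is absent.
conf_value() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tr -d '"' | head -n 1
}

# Count interfaces whose OPTIONS column (4th field) lists required or optional.
startable_interfaces() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        awk 'NF >= 4 && $4 ~ /(^|,)(required|optional)(,|$)/ { n++ } END { print n + 0 }'
}

# Pre-flight check: returns 0 if something can start the firewall, 1 if
# IFUPDOWN=1 and startup=0 leave no interface that would ever trigger a start.
preflight() {
    prefix=$1
    ifupdown=$(conf_value "$prefix/etc/default/shorewall-init" IFUPDOWN)
    startup=$(conf_value "$prefix/etc/default/shorewall" startup)
    n=$(startable_interfaces "$prefix/etc/shorewall/interfaces")
    if [ "$ifupdown" = 1 ] && [ "$startup" = 0 ] && [ "$n" -eq 0 ]; then
        echo "FAIL: IFUPDOWN=1 with startup=0 but no required/optional interface" >&2
        return 1
    fi
    echo "OK: $n interface(s) can trigger a firewall start"
}

# Stand-alone demo on a throw-away prefix: the laptop set-up, and a broken
# variant where neither interface is required or optional.
demo() {
    tmp=$(mktemp -d)
    write_config "$tmp/good" optional
    write_config "$tmp/bad" -
    preflight "$tmp/good"
    preflight "$tmp/bad" || echo "(the broken set-up is rejected, as intended)"
    rm -rf "$tmp"
}
demo
```

To check a real Debian-based host, call preflight with an empty prefix ("") so the script reads the actual /etc/default and /etc/shorewall files; on SuSE- or RedHat-based systems the startup setting is not in /etc/default/<product>, so the check needs adapting to the service tool (chkconfig, insserv) the announcement mentions.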
You mention "shorewall compile" when explaining shorewall-init. I've only ever used "start/stop/restart" on my firewall. Do these do the "compile" as part of their process or do I need to start doing an explicit "compile" once I get things how I want them to save my configuration for the next reboot?

-- Brad Clarke

On Sat, Jun 12, 2010 at 9:13 AM, Tom Eastep <teastep@shorewall.net> wrote:
> The Shorewall team is pleased to announce the availability of Shorewall
> 4.4.10.
> [...]
On 6/12/10 2:14 PM, Brad Clarke wrote:
> You mention "shorewall compile" when explaining shorewall-init. I've
> only ever used "start/stop/restart" on my firewall. Do these do the
> "compile" as part of their process

Yes (you might want to read http://www.shorewall.net/Introduction.html, particularly, the section entitled "Compile then execute").

-Tom

PS. Did you *really* need to quote the entire release announcement as part of your question?

--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sat, Jun 12, 2010 at 8:55 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 6/12/10 2:14 PM, Brad Clarke wrote:
>> You mention "shorewall compile" when explaining shorewall-init. I've
>> only ever used "start/stop/restart" on my firewall. Do these do the
>> "compile" as part of their process
>
> Yes (you might want to read http://www.shorewall.net/Introduction.html,
> particularly, the section entitled "Compile then execute").

Thanks. After reading that and poking around in /var/lib/shorewall it makes sense now.

> PS. Did you *really* need to quote the entire release announcement as
> part of your question?

Sorry, I just hit reply and started typing...gmail wraps it all up :)

Brad C