The Shorewall team is pleased to announce the availability of Shorewall
4.5.15.
----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) Previously, the Shorewall and Shorewall6 install.sh scripts did two
things wrong with respect to the /etc/shorewall[6]/routes file:
- The existing file was unconditionally removed.
- A skeleton file was not installed when SPARSE was not set in
the shorewallrc file.
Additionally, the installer would remove /etc/shorewall[6]/tcstart.
2) The Shorewall-init install.sh script previously refused to replace
/sbin/ifup-local and /sbin/ifdown-local when those files had been
installed by an earlier version of Shorewall-init.
3) Previously, Shorewall-init's integration with NetworkManager was
incomplete on SuSE, with the result that NetworkManager interface
change events were not processed. That has been corrected.
4) Beginning with Shorewall 4.5.8, Shorewall6 has interpreted /32
networks as hosts (/128). /32 IPv6 networks are once again handled
correctly.
5) Using service class names such as EF, BE, CS1, ... for DSCP
didn't work previously. Thibaut Chèze has provided a fix.
6) An incorrect range test prevented DSCP classes CS6 and CS7 from
being accepted. The test has been corrected and those classes are
now allowed.
----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) Prior to this release, Shorewall has only supported blackhole null
routing in the /etc/shorewall[6]/routes file and in the
NULL_ROUTE_RFC1918 option.
Beginning with this release, Shorewall also supports 'unreachable'
and 'prohibit' routes.
In /etc/shorewall/routes, the GATEWAY column may contain
'blackhole', 'unreachable' or 'prohibit'.
NULL_ROUTE_RFC1918 can also assume those values, in addition to
'Yes' and 'No' (case-insensitive). 'Yes' is equivalent to
'blackhole' for backward compatibility.
Please see http://www.shorewall.net/MultiISP.html#null_routing for
details. That section was provided by Mr Dash Four.
2) The 'ifupdown' script installed by Shorewall-init is now
distribution-specific. Previously, the script determined the
distribution at run-time.
3) The ${VARDIR}/undo_<provider>_routing scripts no longer invoke
a Shorewall internal function so that they may be processed
directly by a shell.
4) The compiler now detects multiple entries in
/etc/shorewall[6]/routes with the same PROVIDER and DEST and raises
an error. If an entry for the 'main' table in /etc/shorewall/routes
has one of the RFC1918 networks as the DEST and if
NULL_ROUTE_RFC1918=Yes, then a warning message is issued and the
entry in /etc/shorewall/routes is used.
5) Prior to now, the generated shell script has always used routing
table (provider) numbers rather than names. To make the script more
readable and to aid in debugging, a new USE_RT_NAMES option has
been added to shorewall[6].conf.
When set to 'Yes', Shorewall will use routing table (provider)
names in the generated script rather than table numbers. When set
to 'No' (the default), routing table numbers will be used.
Caution
If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must
ensure that all of your providers have entries in
/etc/iproute2/rt_tables as well as the following entries:
255 local
254 main
253 default
250 balance
0 unspec
Without these entries, the firewall will fail to start.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
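
The following pre-flight check for the Caution under new feature 5 is an added example, not part of the announcement or of Shorewall itself. It assumes the usual "<number> <name>" layout of /etc/iproute2/rt_tables with '#' comments; the function name and the provider names ISP1 and ISP2 are hypothetical.

```shell
#!/bin/sh
# Added example: verify rt_tables before setting USE_RT_NAMES=Yes together
# with KEEP_RT_TABLES=Yes. The required number/name pairs are the ones
# listed in the release notes.
REQUIRED_TABLES="255:local 254:main 253:default 250:balance 0:unspec"

# missing_rt_entries FILE [PROVIDER...]   (hypothetical helper)
# Prints one line per missing entry; returns 0 only if nothing is missing.
missing_rt_entries() {
    file=$1; shift
    missing=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for pair in $REQUIRED_TABLES; do
        num=${pair%%:*}; name=${pair#*:}
        # Strip comments, then require an exact number/name match.
        if ! awk -v n="$num" -v t="$name" '
            { sub(/#.*/, "") }
            $1 == n && $2 == t { found = 1 }
            END { exit !found }' "$file"; then
            echo "missing: $num $name"
            missing=1
        fi
    done
    for prov in "$@"; do
        # A provider only needs some table number mapped to its name.
        if ! awk -v t="$prov" '
            { sub(/#.*/, "") }
            NF >= 2 && $2 == t { found = 1 }
            END { exit !found }' "$file"; then
            echo "missing provider: $prov"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample (not a real system file): "250 balance" and ISP2 absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
255	local
254	main
253	default
0	unspec
1	ISP1   # hypothetical provider
EOF
missing_rt_entries "$sample" ISP1 ISP2 || echo "fix rt_tables before starting the firewall"
rm -f "$sample"
```

On a real system, pass /etc/iproute2/rt_tables and the provider names from your providers file.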