10/30/2003 - Shorewall 1.4.8 RC1
Given the small number of new features and the relatively few lines of
code that were changed, there will be no Beta for 1.4.8.
I am particularly interested in people testing:
   a) The interface to 'ftwall'
   b) Handling of <zone>_frwd chains (those of you who had problems with
      1.4.7b or who have reported extra rules in these chains).
http://shorewall.net/pub/shorewall/Beta
ftp://shorewall.net/pub/shorewall/Beta
Problems Corrected since version 1.4.7:
1. Tuomo Soini has supplied a correction to a problem that occurs
   using some versions of 'ash'. The symptom is that "shorewall
   start" fails with:

      local: --limit: bad variable name
      iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
      cannot open shared object file: No such file or directory
      Try `iptables -h' or 'iptables --help' for more information.
2. Andres Zhoglo has supplied a correction that avoids trying to
   use the multiport match iptables facility on ICMP rules.
   Example of a rule that previously caused "shorewall start" to
   fail:

      ACCEPT    loc    $FW    icmp    0,8,11,12
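As an added illustration of the item above (not Shorewall's own generator code), the shell function below expands a rules-file entry into the iptables commands it implies: a TCP/UDP port list can use the multiport match, but an ICMP type list has to become one rule per type. The <source>2<dest> chain names (loc2fw, loc2net) and the spelling of $FW as the zone "fw" are assumptions; nothing is applied to the kernel, the commands are only printed.

```sh
#!/bin/sh
# Added illustration, not Shorewall's own code: print the iptables
# commands for a rules-file entry "ACTION SOURCE DEST PROTO PORTS".
# The multiport match only understands TCP/UDP ports, so a list of
# ICMP types must be emitted as one --icmp-type rule per entry.
# Chain names follow an assumed <source>2<dest> convention.

emit_rule() {
    action=$1 src=$2 dst=$3 proto=$4 ports=$5
    chain="${src}2${dst}"
    # No port/type column (e.g. "QUEUE loc net tcp"): match the protocol only.
    if [ -z "$ports" ]; then
        echo "iptables -A $chain -p $proto -j $action"
        return
    fi
    case "$proto" in
        icmp|ICMP|1)
            # One rule per ICMP type; multiport cannot be used here.
            echo "$ports" | tr ',' '\n' | while read -r t; do
                echo "iptables -A $chain -p icmp --icmp-type $t -j $action"
            done
            ;;
        tcp|TCP|6|udp|UDP|17)
            case "$ports" in
                *,*) echo "iptables -A $chain -p $proto -m multiport --dports $ports -j $action" ;;
                *)   echo "iptables -A $chain -p $proto --dport $ports -j $action" ;;
            esac
            ;;
        *)
            echo "iptables -A $chain -p $proto -j $action"
            ;;
    esac
}

# Number of Netfilter rules a single entry expands to.
count_rules() {
    emit_rule "$@" | wc -l | tr -d ' '
}

# The rule from item 2 (four ICMP rules) next to a TCP list (one multiport rule):
emit_rule ACCEPT loc fw icmp 0,8,11,12
emit_rule ACCEPT loc net tcp 80,443
```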
3. Previously, if the following error message was issued, Shorewall
   was left in an inconsistent state:

      Error: Unable to determine the routes through interface xxx
4. Handling of the LOGUNCLEAN option in shorewall.conf has been
   corrected.
5. In Shorewall 1.4.2, an optimization was added. This optimization
   involved creating a chain named "<zone>_frwd" for most zones
   defined using the /etc/shorewall/hosts file. It has since been
   discovered that in many cases these new chains contain redundant
   rules and that the "optimization" turns out to be less than
   optimal. The implementation has now been corrected.
6. When the MARK value in a tcrules entry is followed by ":F" or
   ":P", the ":F" or ":P" was previously only applied to the first
   Netfilter rule generated by the entry. It is now applied to all
   entries.
7. An incorrect comment concerning Debian's use of the SUBSYSLOCK
   option has been removed from shorewall.conf.
8. Previously, neither the 'routefilter' interface option nor the
   ROUTE_FILTER parameter was working properly. This has been
   corrected (thanks to Eric Bowles for his analysis and patch).

   The definition of the ROUTE_FILTER option has changed, however.
   Previously, ROUTE_FILTER=Yes was documented as enabling route
   filtering on all interfaces (which didn't work). Beginning with
   this release, setting ROUTE_FILTER=Yes will enable route
   filtering of all interfaces brought up while Shorewall is
   started. As a consequence, ROUTE_FILTER=Yes can coexist with the
   use of the 'routefilter' option in the interfaces file.
Migration Issues:
1. The definition of the ROUTE_FILTER option in shorewall.conf has
   changed as described in item 8) above.
New Features:
1. A new QUEUE action has been introduced for rules. QUEUE allows
   you to pass connection requests to a user-space filter such as
   ftwall (http://p2pwall.sourceforge.net). The ftwall program
   allows for effective filtering of p2p applications such as
   Kazaa. For example, to use ftwall to filter P2P clients in the
   'loc' zone, you would add the following rules:

      QUEUE    loc    net    tcp
      QUEUE    loc    net    udp
      QUEUE    loc    fw     udp

   You would normally want to place those three rules BEFORE any
   ACCEPT rules for loc->net udp or tcp.

   Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
   Shorewall will only pass connection requests (SYN packets) to
   user space. This is for compatibility with ftwall.
2. A BLACKLISTNEWNONLY option has been added to shorewall.conf.
   When this option is set to "Yes", the blacklists (dynamic and
   static) are only consulted for new connection requests. When set
   to "No" (the default if the variable is not set), the blacklists
   are consulted on every packet.

   Setting this option to "No" allows blacklisting to stop existing
   connections from a newly blacklisted host but is more expensive
   in terms of packet processing time. This is especially true if
   the blacklists contain a large number of entries.
3. Chain names used in the /etc/shorewall/accounting file may now
   begin with a digit ([0-9]) and may contain embedded dashes ("-").
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net