Here is the proposed content -- I'm looking for a Beta to start in the
next week or so with release around the middle of next month. The main
focus of 1.4 will be to provide external behavior similar to the
upcoming 2.0 release.
Function from 1.3 that has been omitted from this version includes:
1. The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
MERGE_HOSTS=Yes.
2. Interface names of the form <device>:<integer> in
/etc/shorewall/interfaces now generate an error.
3. Shorewall 1.4 implements behavior consistent with
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
at startup, as will specification of the 'noping' or 'filterping'
interface options.
4. The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.
5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.
6. The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
7. The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface
that they arrived on in two cases:
a) There is an _explicit_ policy for the source zone to or from the
destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.
b) There are one or more rules for traffic for the source zone to
or from the destination zone, including rules that use the 'all'
reserved word. Exception: If the source and the destination are
the same zone then the rule must be explicit - it must name the zone
in both the SOURCE and DESTINATION columns.
Changes for 1.4 include:
1. shorewall.conf has been completely reorganized into logical
sections.
2. LOG is now a valid action for a rule (/etc/shorewall/rules).
3. The firewall script and version file are now installed in
/usr/share/shorewall to be consistent with the Debian version.
4. Late arriving DNS replies are now silently dropped in the common
chain by default.
5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or
policy.
6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7. 802.11b devices with names of the form wlan<n> now support the
'maclist' option.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
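As an added illustration of two of the items above (this is not from Tom's message or the Shorewall distribution), here is what the "appropriate rule" for pinging from the firewall and an explicit same-zone rule look like in /etc/shorewall/rules. It assumes the conventional zone names fw, net and loc from /etc/shorewall/zones and the rules-file column layout of the 1.3/1.4 series (ACTION SOURCE DEST PROTO DEST PORT(S)); the ICMP type goes in the DEST PORT(S) column.

```text
# /etc/shorewall/rules (constructed example, not shipped with Shorewall)
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
#
# Change 5: outbound ICMP from the firewall is no longer accepted
# unconditionally, so allow only echo-request (type 8) from fw to net.
# Replies come back through connection tracking (ALLOWRELATED behavior).
ACCEPT  fw      net     icmp    8
#
# Change 7, case b): traffic that leaves on the interface it arrived on
# within the SAME zone needs a rule that names the zone in both the
# SOURCE and DESTINATION columns. A rule using 'all' would not qualify.
ACCEPT  loc     loc
```

The first line is narrower than a `fw net ACCEPT` policy line in /etc/shorewall/policy, which is the other option the message mentions: the rule permits only echo-request, whereas the policy would open every protocol from the firewall to the net zone. The second line is the explicit form required by the exception in item 7 b); for traffic between two different zones, a rule or explicit policy naming both zones is enough.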