http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1
ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1

Problems Corrected:

1. The syntax of the add and delete command has been clarified in
   the help summary produced by /sbin/shorewall.

New Features:

1. TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
   type. OpenVPN entries in /etc/shorewall/tunnels have this format:

       openvpn[:{tcp|udp}][:<port>] <zone> <gateway>

   Examples:

       openvpn:tcp        net   1.2.3.4   # TCP tunnel on port 5000
       openvpn:3344       net   1.2.3.4   # UDP on port 3344
       openvpn:tcp:4455   net   1.2.3.4   # TCP on port 4455

2. A new 'ipsecvpn' script is included in the tarball and in the RPM.
   The RPM installs the file in the Documentation directory
   (/usr/share/doc/packages/shorewall-2.2.0-0RC1). This script is
   intended for use on Roadwarrior laptops for establishing an IPSEC
   SA to/from remote networks. The script has some limitations:

   - Only one instance of the script may be used at a time.

   - Only the first SPD accessed will be instantiated at the remote
     gateway. So while the script creates SPDs to/from the remote
     gateway and each network listed in the NETWORKS setting at the
     front of the script, only one of these may be used at a time.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1
> ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC1
>
> Problems Corrected:
> 1. The syntax of the add and delete command has been clarified in
>    the help summary produced by /sbin/shorewall.
>
> New Features:
> 1. TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
>    type. OpenVPN entries in /etc/shorewall/tunnels have this
>    format:
>
>    openvpn[:{tcp|udp}][:<port>] <zone> <gateway>
>
>    Examples:
>
>    openvpn:tcp net 1.2.3.4 # TCP tunnel on port 5000

openvpn has its own IANA-registered port since November, and now it's
the default, 1194. It'd be a better default.

yours.
-- 
Levente                               "Si vis pacem para bellum!"
On Sun, 2004-12-19 at 18:35 +0100, Farkas Levente wrote:

> openvpn has its own IANA-registered port since November, and now it's
> the default, 1194. It'd be a better default.
> yours.

I thought about that but what about the people who have working OpenVPN
tunnels that upgrade? Is it okay for their tunnels to stop working until
they change their configuration?

How is OpenVPN itself handling this issue?

-Tom
On Sun, 2004-12-19 at 09:44 -0800, Tom Eastep wrote:
> On Sun, 2004-12-19 at 18:35 +0100, Farkas Levente wrote:
>
> > openvpn has its own IANA-registered port since November, and now it's
> > the default, 1194. It'd be a better default.
> > yours.
>
> I thought about that but what about the people who have working OpenVPN
> tunnels that upgrade? Is it okay for their tunnels to stop working until
> they change their configuration?
>
> How is OpenVPN itself handling this issue?

I'm proposing this change for RC2 -- comments?

39) The IANA has recently registered port 1194 for use by OpenVPN. In
    previous versions of Shorewall (and OpenVPN), the default port was
    5000. To deal with this change of default, the OPENVPNPORT option
    has been added to shorewall.conf. If this option is not set then
    the OpenVPN port will continue to default to 5000. Otherwise, it
    will default to the value of this option (which is set to 1194 in
    the released shorewall.conf file).

-Tom
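The tunnel-type syntax from the RC1 announcement and the OPENVPNPORT default rule proposed above, worked through in POSIX shell. This is an added example, not Shorewall's own code and not part of the thread: the function names, the port validation, the handling of malformed entries and the sample tunnels file are all assumptions made here for illustration. It shows which protocol and port each tunnels entry actually resolves to, first with the proposed RC2 shorewall.conf (OPENVPNPORT=1194) and then with OPENVPNPORT unset, which is exactly the difference an upgrading user who relies on the default would see.

```shell
#!/bin/sh
# Added example (not Shorewall's code): resolve an 'openvpn[:{tcp|udp}][:<port>]'
# tunnel type from /etc/shorewall/tunnels to the protocol and port that will be
# opened, using the default-port rule proposed for RC2:
#   OPENVPNPORT unset  -> 5000 (the old default)
#   OPENVPNPORT set    -> its value (1194 in the shipped shorewall.conf)
# An explicit port in the entry always wins over either default.

# resolve_openvpn TYPE
#   prints "<proto> <port>" and returns 0, or prints an error on stderr and
#   returns 1 for anything that is not a well-formed openvpn tunnel type.
resolve_openvpn() {
    spec=$1
    proto=udp                      # OpenVPN's default transport
    port=${OPENVPNPORT:-5000}      # proposed shorewall.conf default rule

    case $spec in
        openvpn|openvpn:*) ;;
        *) echo "resolve_openvpn: not an openvpn tunnel type: '$spec'" >&2; return 1 ;;
    esac

    rest=${spec#openvpn}           # "", ":tcp", ":3344", ":tcp:4455", ...
    rest=${rest#:}
    case $rest in
        '')          ;;                                    # openvpn
        tcp|udp)     proto=$rest ;;                        # openvpn:tcp
        tcp:*|udp:*) proto=${rest%%:*}; port=${rest#*:} ;; # openvpn:tcp:4455
        *)           port=$rest ;;                         # openvpn:3344
    esac

    # Reject empty or non-numeric ports and values outside 1-65535, so a typo
    # like 'openvpn:tcp:' or 'openvpn:tpc' fails loudly instead of silently
    # falling back to the default port.
    case $port in
        ''|*[!0-9]*) echo "resolve_openvpn: bad port '$port' in '$spec'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "resolve_openvpn: port out of range in '$spec'" >&2; return 1
    fi

    echo "$proto $port"
}

# resolve_tunnels < tunnels-file
#   reads "TYPE ZONE GATEWAY [...]" lines, skips comments and blank lines and
#   prints "<zone> <gateway> <proto> <port>" for every openvpn entry. Other
#   tunnel types are passed over; a malformed openvpn entry is reported and
#   the function returns 1 once the whole file has been read.
resolve_tunnels() {
    status=0
    while read -r type zone gateway _rest; do
        case $type in ''|\#*) continue ;; esac
        case $type in openvpn|openvpn:*) ;; *) continue ;; esac
        if [ -z "$zone" ] || [ -z "$gateway" ]; then
            echo "resolve_tunnels: missing ZONE or GATEWAY for '$type'" >&2
            status=1; continue
        fi
        if pp=$(resolve_openvpn "$type"); then
            echo "$zone $gateway $pp"
        else
            status=1
        fi
    done
    return $status
}

# Constructed sample of /etc/shorewall/tunnels (assumed, not from a real host).
sample_tunnels='
# TYPE             ZONE   GATEWAY
openvpn            net    1.2.3.4     # relies on the default port
openvpn:tcp        net    1.2.3.5     # TCP on the default port
openvpn:3344       net    1.2.3.6     # UDP on 3344
openvpn:tcp:4455   net    1.2.3.7     # TCP on 4455
ipsec              net    1.2.3.8     # not openvpn, ignored here
'

echo "== OPENVPNPORT=1194 (proposed RC2 shorewall.conf) =="
printf '%s\n' "$sample_tunnels" | (OPENVPNPORT=1194; resolve_tunnels)
echo "== OPENVPNPORT unset (pre-RC2 behaviour) =="
printf '%s\n' "$sample_tunnels" | resolve_tunnels
```

The two runs differ only in the entries that omit a port: with OPENVPNPORT=1194 they resolve to 1194, without it to 5000. Entries that name a port explicitly resolve the same way in both runs, which is the case Micha describes later in the thread where the upgrade is harmless.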
Tom Eastep wrote:
> > How is OpenVPN itself handling this issue?
>
> I'm proposing this change for RC2 -- comments?
>
> 39) The IANA has recently registered port 1194 for use by OpenVPN. In
>     previous versions of Shorewall (and OpenVPN), the default port was
>     5000. To deal with this change of default, the OPENVPNPORT option
>     has been added to shorewall.conf. If this option is not set then
>     the OpenVPN port will continue to default to 5000. Otherwise, it
>     will default to the value of this option (which is set to 1194 in
>     the released shorewall.conf file).

I think for the long term it is more logistic that port 1194 is the
default. When it is documented, people should be able to see it for
themselves.

-- 
Groeten,
Peter
On Sun, 2004-12-19 at 20:30 +0100, Peter Lindeman wrote:
>
> I think for the long term it is more logistic that port 1194 is the
> default. When it is documented, people should be able to see it for
> themselves.

One thing that I've learned from Shorewall -- NOT ALL PEOPLE READ
DOCUMENTATION. In particular, they don't read release notes and upgrade
issues. And when they don't, then it takes my time to straighten them
out.

And "in the long term", 1194 will be the default since that is the
setting in shorewall.conf.

-Tom
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
> Sent: Sunday, December 19, 2004 7:45 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] Shorewall 2.2.0 RC1
>
> On Sun, 2004-12-19 at 18:35 +0100, Farkas Levente wrote:
>
> > openvpn has its own IANA-registered port since November, and now it's
> > the default, 1194. It'd be a better default.
> > yours.
>
> I thought about that but what about the people who have working OpenVPN
> tunnels that upgrade? Is it okay for their tunnels to stop working until
> they change their configuration?
>
> How is OpenVPN itself handling this issue?

Tom:

I was also going to suggest to switch the default openvpn port in your
newer releases to match the IANA-assigned port. The last few minor
version updates of OpenVPN come with the default set as 1194. At
startup, openvpn prints a warning notice to the console indicating the
new default port. If an openvpn user updates the version on only one
side of a tunnel, and he's relying on the default port (no port
specified in the openvpn conf file), the connection will break.

My guess is that most people explicitly state the vpn port in their
openvpn configurations, then duplicate that in their firewall rules. For
these users there would be no problem, since upgrading either shorewall
or openvpn does not overwrite any config files.

-- 
Micha
On Sun, 2004-12-19 at 22:31 +0200, Micha Silver wrote:
>
> My guess is that most people explicitly state the vpn port in their
> openvpn configurations, then duplicate that in their firewall rules. For
> these users there would be no problem, since upgrading either shorewall
> or openvpn does not overwrite any config files.

Okay -- I'll change the default to 1194 in RC2 and I will add an item to
the Upgrade Issues.

-Tom
Tom Eastep wrote:
> On Sun, 2004-12-19 at 18:35 +0100, Farkas Levente wrote:
>
>> openvpn has its own IANA-registered port since November, and now it's
>> the default, 1194. It'd be a better default.
>> yours.
>
> I thought about that but what about the people who have working OpenVPN
> tunnels that upgrade? Is it okay for their tunnels to stop working until
> they change their configuration?
>
> How is OpenVPN itself handling this issue?

Since it's a new feature in openvpn, there are not too many people who
use this. Those who use the old default will recognize it immediately;
those who start using this would probably like the official default.
imho...