-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.9
ftp://shorewall.net/pub/shorewall/2.1/shorewall-2.1.9

Problems Corrected:

1) IP ranges in the routestopped and tunnels files now work.

2) Rules where an IP range appears in both the source and destination
   now work correctly.

3) With complex proxy arp configurations involving two or more
   ordered pairs of interfaces, the /proc/sys/net/ipv4/conf/*/proxy_arp
   flags were sometimes set incorrectly. This has been fixed.

   Users looking at their restore file (generated by "shorewall save")
   may see that one of these flags might be first reset then set in
   rapid succession. This is expected and is harmless since the correct
   value (1) results.

New Features:

1) To improve interoperability, tunnels of type "OpenVPN"
   no longer enforce use of the specified port as the
   source port as well as the destination port.

2) During "shorewall start", IP addresses to be added as a consequence
   of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
   when /etc/shorewall/nat and /etc/shorewall/masq are processed, then
   they are re-added later. This is done to help ensure that the
   addresses can be added with the specified labels, but it can have
   the undesirable side effect of causing routes to be quietly
   deleted. A new RETAIN_ALIASES option has been added to
   shorewall.conf; when this option is set to Yes, existing addresses
   will not be deleted. Regardless of the setting of RETAIN_ALIASES,
   addresses added during "shorewall start" are still deleted at a
   subsequent "shorewall stop" or "shorewall restart".

3) Users with a large black list (from /etc/shorewall/blacklist) may
   want to set the new DELAYBLACKLISTLOAD option in
   shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
   enable new connections before loading the blacklist rules. While
   this may allow connections from blacklisted hosts to slip by during
   the loading of the blacklist, it can substantially reduce the time
   that all new connections are disabled during "shorewall [re]start".

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBSd4VO/MAbZfjDLIRAhADAKDADnhuLQMk3PVidLoecKU4VVpc0gCfW49e
0GOqSntWiYETXTcEXJFACqY=
=6MlN
-----END PGP SIGNATURE-----