Shorewall 4.3.11 is now available for testing.

Much of what is in this release is below the surface. Many of the modules
have been reorganized to provide for more readable code and to eliminate a
lot of parameter passing.

----------------------------------------------------------------------------
              P R O B L E M S   C O R R E C T E D   I N   4 . 3 . 11
----------------------------------------------------------------------------

1. Previously, specifying a source port for SCTP in
   /etc/shorewall/tcfilters would cause an invalid rule to be generated.

2. The list of networks returned by the "shorewall iprange" command was
   not minimal.

3. When AUTOMAKE=Yes, the "shorewall start" ("shorewall6 start") command
   used the wrong compiled script to start the firewall.

----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
                  N E W   F E A T U R E S   I N   4 . 3 . 11
----------------------------------------------------------------------------

1) Shorewall attaches an SFQ queuing discipline to each leaf HTB class.
   SFQ ensures that each "flow" gets equal access to the interface. The
   default definition of a "flow" corresponds to a TCP connection. So if
   one internal system is running BitTorrent, for example, it can have
   lots of "flows" and can thus take up a larger share of the bandwidth
   than a system having only a single active connection.

   The "flow" classifier (module cls_flow) works around this by letting
   you define what a "flow" is. The classifier must be used carefully or
   it can block off all traffic on an interface!

   To use the "flow" classifier, you specify "flow=<keys>" in the OPTIONS
   column of an HTB leaf class (one that has no sub-classes).

   I recommend that you use the following:

      Shaping internet-bound traffic               flow=nfct-src
      Shaping traffic bound for your local net     flow=dst

   These will cause a "flow" to consist of the traffic to/from each
   internal system.

2) In order to generalize support for learning the gateway for dynamic
   interfaces, a new "findgw" extension script (user exit) has been added.
   The exit will be invoked in a function that has a single argument:

      $1 = <name of an interface>

   If the function can determine the gateway for the passed interface, it
   should write the gateway to standard out.

   Here is a sample /etc/shorewall/findgw that works with dhclient (dhcp3)
   in Debian Lenny:

      if [ -f /var/lib/dhcp3/dhclient-${1}.leases ]; then
          grep "option routers" /var/lib/dhcp3/dhclient-${1}.leases |\
          tail -n 1 |\
          while read j1 j2 gateway; do
              echo ${gateway%;}   # drop the ';' dhclient writes after the address
              return 0
          done
      fi

   The same code works on Ubuntu Jaunty if you replace ".leases" with
   ".lease" (don't you just love the consistency between distributions?).

3) An IPV6 "Trcrt" macro has been added.

Happy testing,

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
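The findgw user exit described in item 2 above, worked through as an added example that is not part of Tom's message or of the Shorewall project. It does the same job as the sample /etc/shorewall/findgw, but in a shape a practitioner can test offline: the function name findgw_from_lease, the optional lease-directory argument and the constructed lease file in demo_findgw are all assumptions introduced here (the real default directory, /var/lib/dhcp3, is the one named in the message). It checks both lease-file suffixes the message mentions, strips the trailing ";" that dhclient writes after the option value, and takes only the first address when several routers are listed.

```shell
#!/bin/sh
# Added example (not Tom's sample or Shorewall code): a findgw-style
# gateway lookup over a dhclient lease file. Handles both the Debian
# Lenny suffix (".leases") and the Ubuntu Jaunty suffix (".lease"),
# drops the trailing ";" dhclient appends to option values, and keeps
# only the first router if the lease lists several.

# Print the most recent "option routers" address recorded for interface
# $1 in lease directory $2 (default /var/lib/dhcp3, as in the message).
# Returns 1 when no lease file or no routers option is found so a caller
# can fall back to another method.
findgw_from_lease() {
    iface=$1
    leasedir=${2:-/var/lib/dhcp3}
    for suffix in leases lease; do
        file="$leasedir/dhclient-$iface.$suffix"
        [ -f "$file" ] || continue
        # Last "option routers" line wins: dhclient appends renewed leases.
        gateway=$(grep 'option routers' "$file" | tail -n 1 |
            sed -e 's/^[[:space:]]*option routers[[:space:]]*//' \
                -e 's/[;,].*$//')
        if [ -n "$gateway" ]; then
            echo "$gateway"
            return 0
        fi
    done
    return 1
}

# Demonstration against a constructed lease file (not a real capture):
# two leases for eth0, the later one listing two routers. Prints the
# gateway that findgw would hand back to Shorewall.
demo_findgw() {
    tmp=$(mktemp -d)
    cat > "$tmp/dhclient-eth0.leases" <<'EOF'
lease {
  interface "eth0";
  fixed-address 192.168.1.50;
  option routers 192.168.1.1;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.50;
  option routers 192.168.1.254, 192.168.1.253;
}
EOF
    findgw_from_lease eth0 "$tmp"
    rm -rf "$tmp"
}
```

Dropped into /etc/shorewall/findgw as `findgw_from_lease "$1"`, the function behaves like Tom's sample on both distributions, and its non-zero return when nothing is found matters: a script that echoes an empty string or a value with a stray ";" would give Shorewall a bogus gateway rather than letting it report that none could be learned.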