Shorewall 4.4.12 is now available for download.

----------------------------------------------------------------------------
 P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Previously, the Shorewall6-lite version of shorecap was using iptables
   rather than ip6tables, with the result that many capabilities that are
   only available in IPv4 were being reported as available.

2) In a number of cases, Shorewall6 generated incorrect rules involving the
   IPv6 multicast network. The rules specified ff00::/10 where they should
   have specified ff00::/8. Also, rules instantiated when the firewall was
   stopped used ff80::/10 rather than fe80::/10 (the IPv6 link-local
   network).

3) Previously, using a destination port range with :random produced a fatal
   compilation error in REDIRECT rules.

4) A number of problems associated with Shorewall-init and Upstart have been
   corrected. If you use Shorewall-init, then when upgrading to this
   version, be sure to recompile all firewall scripts before you take
   interfaces down or reboot.

5) Previously, the Shorewall installer (install.sh) failed to install
   /usr/share/shorewall/configfiles/Makefile and instead issued the
   following message:

       install-file: command not found

   This caused the Makefile to be omitted from RPMs as well.

6) When 'any' was used in the SOURCE column, a duplicate rule was generated
   in all "fw2*" chains ("fw-*" if ZONE2ZONE="-"). If 'any' was used in the
   DEST column, then a duplicate rule appeared in all "*2fw" ("*-fw")
   chains.

7) A port range that omitted the first port number (e.g., ":80") was
   rejected with the following error:

       ERROR: Invalid/Unknown tcp port/service (0) : ......

8) AUTOMAKE=Yes has been broken for some time. It is now working correctly.
----------------------------------------------------------------------------
 K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, Shorewall-init cannot reliably close the
   firewall before interfaces come up.

----------------------------------------------------------------------------
 N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Support has been added for ADD and DEL rules in /etc/shorewall/rules.
   ADD allows either the SOURCE or DESTINATION IP address to be added to an
   ipset; DEL deletes an address previously added.

2) Per-IP log rate limiting has been added in the form of the LOGLIMIT
   option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
   LOGBURST are ignored. LOGRATE and LOGBURST are now deprecated.

   The LOGLIMIT value format is:

       [{s|d}:]<rate>[/<unit>][:<burst>]

   If the value starts with 's:', then logging is limited per source IP.
   If the value starts with 'd:', then logging is limited per destination
   IP. Otherwise, the overall logging rate is limited.

   <unit> is one of sec, min, hour, day.

   If <burst> is not specified, then a value of 5 is assumed.

3) The sample configurations now include a 'Universal' configuration that
   will start on any system and protect that system while allowing the
   system to forward traffic. As part of this change, several additional
   features were added:

   - You may now specify "physical=+" in the interfaces file.

   - A 'COMPLETE' option is added to shorewall.conf and shorewall6.conf.
     When you set this option to Yes, you are asserting that the
     configuration is complete, so that your set of zones encompasses any
     hosts that can send or receive traffic to/from/through the firewall.
     This causes Shorewall to omit the rules that catch packets in which
     the source or destination IP address is outside of any of your zones.
     Default is No.
     It is recommended that this option only be set to Yes if:

     o You have defined an interface whose effective physical setting is
       '+'.
     o That interface is assigned to a zone.
     o You have no CONTINUE policies or rules.

4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
   compilations.

5) Shorewall now detects the presence of a recent ipset iptables module and
   uses its new syntax. This avoids a warning on iptables 1.4.9.

   This change involves a new capabilities file version, so if you use a
   capabilities file, be sure to regenerate it with 4.4.12 shorewall-lite
   or shorewall6-lite.

6) Blacklisting can now be done by destination IP address as well as by
   source address. The /etc/shorewall/blacklist and
   /etc/shorewall6/blacklist files now have an optional OPTIONS column.
   Initially, this column can contain either 'from' (the default) or 'to';
   the latter causes the address(es) in the ADDRESS/SUBNET column to be
   interpreted as a DESTINATION address rather than a source address.

   Note that static blacklisting is still restricted to traffic ARRIVING on
   an interface that has the 'blacklist' option set. So to block traffic
   from your local network to an internet host, you must specify
   'blacklist' on your internal interface.

   Similarly, dynamic blacklisting has been enhanced to recognize the
   'from' and 'to' keywords.

   Example:

       shorewall drop to 1.2.3.4

   This command will silently drop connection requests to 1.2.3.4. The
   reciprocal of that command would be:

       shorewall allow to 1.2.3.4

7) The status command now displays the directory containing the .conf file
   (shorewall.conf or shorewall6.conf) that was used when the running
   configuration was compiled. Example:

       gateway:/etc/shorewall# shorewall status
       Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 ...

       Shorewall is running
       State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/

       gateway:/etc/shorewall#

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
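The LOGLIMIT value format described under new feature 2 above, as an added example that is not Shorewall's own code: a parser that validates a setting against [{s|d}:]<rate>[/<unit>][:<burst>], applies the documented default burst of 5, and renders the iptables match it would correspond to. The default unit of sec when none is given, and the mapping of the per-IP modes to the hashlimit module and of the overall mode to the limit module, are assumptions made for this illustration.

```python
import re

UNITS = ("sec", "min", "hour", "day")   # units named in the LOGLIMIT description
DEFAULT_BURST = 5                        # the release note: burst defaults to 5
DEFAULT_UNIT = "sec"                     # assumption for this example (note gives no default)
MODES = {"s": "src", "d": "dst", None: "overall"}

# [{s|d}:]<rate>[/<unit>][:<burst>]
_LOGLIMIT_RE = re.compile(
    r"^(?:(?P<mode>[sd]):)?"     # optional per-source / per-destination prefix
    r"(?P<rate>\d+)"             # rate (integer)
    r"(?:/(?P<unit>[a-z]+))?"    # optional /unit
    r"(?::(?P<burst>\d+))?$"     # optional :burst
)


def parse_loglimit(value):
    """Return (mode, rate, unit, burst) for a LOGLIMIT setting.
    Raises ValueError on a malformed value (messages are this example's own)."""
    m = _LOGLIMIT_RE.match(value.strip())
    if not m:
        raise ValueError(f"Invalid LOGLIMIT setting ({value})")
    unit = m.group("unit") or DEFAULT_UNIT
    if unit not in UNITS:
        raise ValueError(f"Invalid LOGLIMIT unit ({unit}); expected one of {UNITS}")
    rate = int(m.group("rate"))
    if rate == 0:
        raise ValueError("LOGLIMIT rate must be greater than 0")
    burst = int(m.group("burst")) if m.group("burst") else DEFAULT_BURST
    return MODES[m.group("mode")], rate, unit, burst


def iptables_match(mode, rate, unit, burst, name="shorewall-log"):
    """Render the iptables match fragment that would enforce the limit.
    Assumption for this example: per-IP modes use the hashlimit module keyed
    on source or destination IP; the overall mode uses the limit module."""
    if mode == "overall":
        return f"-m limit --limit {rate}/{unit} --limit-burst {burst}"
    key = "srcip" if mode == "src" else "dstip"
    return (f"-m hashlimit --hashlimit-upto {rate}/{unit} "
            f"--hashlimit-burst {burst} --hashlimit-mode {key} "
            f"--hashlimit-name {name}")


if __name__ == "__main__":
    for setting in ("s:10/min:20", "d:5/hour", "3", "s:10/week"):
        try:
            print(setting, "->", iptables_match(*parse_loglimit(setting)))
        except ValueError as err:
            print(setting, "->", err)
```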