Shorewall devel - May 2012 - Shorewall 4.5.3 RC 1

RC 1 is now available for testing.

Problems corrected:

1)  Previously, when per-IP rate limiting was invoked, the compiler
    would use the deprecated ''--ratelimit'' option, even if the
    preferred ''--ratelimit-upto'' option was available. Now,
the
    compiler uses the preferred option if it is supported by the
    installed version of iptables.

2)  Prior to this release, using a manual chain in the ACTION column of
    a macro body generated an error:

    ERROR: Invalid Action (mychain) in macro, macro.FOO (line ...)

    This now works correctly and generates a jump to the specified
    manual chain.

New Features:

1)  The ''refresh'' command now allows additional options:

    -d - Run the rules compiler under the Perl debugger.

    -n - Don''t modify routing.

    -T - Produce a Perl Stack trace on errors and warnings.

    -D <directory> - Look in <directory> first for configuration
files.

2)  The interfaces file now supports two formats:

    FORMAT 1 - (default, deprecated)

        Includes the BROADCAST column (UNICAST in Shorewall6).

    FORMAT 2

        Does not include the BROADCAST (UNICAST) column.

    The format is specified by a line line this:

    	FORMAT {1|2}

    The Sample configurations have been updated to use FORMAT 2.

3)  A change has been made in the packaging for Slackware. On
    Slackware, there is an /etc/rc.d/firewall.rc script that looks for
    /etc/rc.d/shorewall.rc and /etc/rc.d/shorewall6.rc and runs them,
    passing it''s own arguments.

    The file installed as firewall.rc is named
    init.slackware.firewall.sh and has traditionally been included in
    the Shorewall package. Beginning with this release, it is moved to
    the Shorewall-core package. This opens the door for releasing
    Slackware versions of the -lite products in the future.

    The init scripts for Slackware are now described in slackware.rc
    as:

	AUXINITSOURCE=init.slackware.firewall.sh
    	AUXINITFILE=rc.firewall
    	INITSOURCE=init.slackware.$PRODUCT.sh
    	INITFILE=rc.$PRODUCT

4)  Previously, errors reported in macros were hard to analyze.

    Example:

       ERROR: Unknown destination zone (bar)
       	      /usr/share/shorewall/macro.SSH (line 11),

    In this case, we don''t know where the SSH macro was invoked
    incorrectly. Beginning with this release, the stack of
    includes/opens will be included in ERROR and WARNING messages.

    Example:

       ERROR: Unknown destination zone (bar)
          /usr/share/shorewall/macro.SSH (line 11)
	  from /etc/shorewall/rules (line 42)

    This shows that the SSH macro was invoked on line 42 of the rules
    file.

5)  There is now a BLACKLIST macro that works as follows:

    - If BLACKLIST_LOGLEVEL is set, then the macro invokes the
      ''blacklog'' action.
    - Otherwise, the macro invokes the BLACKLIST_DISPOSITION action.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>3)  The GATEWAY column of the tunnels file has been renamed
''GATEWAYS''
>and now accepts a list of host and network addresses as well as IP
>ranges.
Tom

When using "Alternate Specification of Column Values" in the tunnels
file,
Shorewall accepts gateway=value instead of gateways=value.

--------------------------------------------------------------------------------------------

Specifying FORMAT followed by a value other than 1 or 2 in the interfaces file 
produces the following message:

Use of uninitialized value $1 in concatenation (.) or string at 
/usr/share/shorewall/Shorewall/Zones.pm line 937, <$currentfile> line 30.

Steven.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 05/07/2012 07:16 AM, Steven Jan Springl wrote:
>> 3)  The GATEWAY column of the tunnels file has been renamed
''GATEWAYS''
>> and now accepts a list of host and network addresses as well as IP
>> ranges.
>
> Tom
>
> When using "Alternate Specification of Column Values" in the
tunnels file,
> Shorewall accepts gateway=value instead of gateways=value.
>
>
--------------------------------------------------------------------------------------------
>
> Specifying FORMAT followed by a value other than 1 or 2 in the interfaces
file
> produces the following message:
>
> Use of uninitialized value $1 in concatenation (.) or string at
> /usr/share/shorewall/Shorewall/Zones.pm line 937,<$currentfile>  line
30.
Steven,

Here are a couple of patches. The fix for tunnels also allows
''gateway''
for backward compatibility. A similar issue is corrected in the tcrules 
file where the MARK column was recently renamed ACTION.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 05/07/2012 07:45 AM, Tom Eastep wrote:
>
> Here are a couple of patches. The fix for tunnels also allows
''gateway''
> for backward compatibility. A similar issue is corrected in the tcrules
> file where the MARK column was recently renamed ACTION.
>
Here''s an additional patch that avoids the call too
''sort'' out of
Shorewall::Config::split_line1().

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On Monday 07 May 2012 16:44:21 Tom Eastep wrote:
> On 05/07/2012 07:45 AM, Tom Eastep wrote:
> > Here are a couple of patches. The fix for tunnels also allows
''gateway''
> > for backward compatibility. A similar issue is corrected in the
tcrules
> > file where the MARK column was recently renamed ACTION.
> 
> Here''s an additional patch that avoids the call too
''sort'' out of
> Shorewall::Config::split_line1().
> 
> -Tom
Tom

Confirmed, the patches fix both issues.

Thanks.

Steven.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 5/7/12 11:30 AM, Steven Jan Springl wrote:
> 
> Confirmed, the patches fix both issues.
> 
Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/