http://www1.shorewall.net/pub/shorewall/2.4/shorewall-2.4.2
ftp://www1.shorewall.net/pub/shorewall/2.4/shorewall-2.4.2

Problems Corrected in 2.4.2.

1) The /etc/shorewall/hosts file now includes information about defining a zone using one or more ipsets.

2) A vulnerability involving MACLIST_TTL > 0 or MACLIST_DISPOSITION=ACCEPT has been corrected.

3) It is now possible to specify !<address> in the SUBNET column of /etc/shorewall/masq. Previously, it was necessary to write 0.0.0.0/0!<address>.

4) When <network1>!<network2> was specified in the SUBNET column of /etc/shorewall/masq, IPSEC policies were not correctly applied to the resulting rules. This usually resulted in IPSEC not working through the interface specified in the INTERFACES column.

New Features in version 2.4.2

1) A 'loose' provider option has been added. If you wish to be able to use marking to specify the gateway used by connections originating on the firewall itself, then specify 'loose' for each provider. It has been reported that 'loose' may break the effect of 'track', so beware if you need 'track' functionality (you shouldn't be originating many connections from your firewall to the net anyway).

To use 'loose', you also need to add two entries in /etc/shorewall/masq:

#INTERFACE SUBNET ADDRESS
$IF_ISP1 $IP_ISP2 $IP_ISP1
$IF_ISP2 $IP_ISP1 $IP_ISP2

where:

$IF_ISP1 is the interface to ISP 1.
$IF_ISP2 is the interface to ISP 2.
$IP_ISP1 is the IP address of $IF_ISP1.
$IP_ISP2 is the IP address of $IF_ISP2.

2) /sbin/shorewall now issues a warning each time that it finds that startup is disabled.

3) A new COPY column has been added to the /etc/shorewall/providers file. Normally, when a table name/number is given in the DUPLICATE column, the entire table (less default routes) is copied. The COPY column allows you to limit the routes copied to those that go through an interface listed in COPY.

For example, if you enter eth0 in INTERFACE, "eth1,eth2" in COPY and 'main' in DUPLICATE, then the new table created will contain those routes through the interfaces eth0, eth1 and eth2.

-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
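An added example (not part of the announcement or of the Shorewall project) that lays out the providers and masq fragments the 'loose' and COPY features touch, in a scratch directory, and checks that every 'loose' provider has the masq entry the announcement calls for. The providers column order, the interface names and all gateway/IP addresses are assumptions or constructed sample values.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Builds 2.4.2-style providers and
# masq fragments in a scratch directory (never /etc/shorewall) and checks that
# every provider carrying the 'loose' option has the masq entry the release
# note requires. The providers column order is assumed; IPs are constructed.
CONF=$(mktemp -d)
trap 'rm -rf "$CONF"' EXIT
IF_ISP1=eth1; IF_ISP2=eth2                      # interface names: assumed
IP_ISP1=192.0.2.10; IP_ISP2=198.51.100.10       # constructed sample addresses

# providers: DUPLICATE=main, COPY restricts the copied routes to those via
# eth0 (plus each provider's own INTERFACE); 'loose' lets marked connections
# that originate on the firewall choose their gateway.
cat > "$CONF/providers" <<EOF
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main $IF_ISP1 192.0.2.1 track,balance,loose eth0
ISP2 2 2 main $IF_ISP2 198.51.100.1 track,balance,loose eth0
EOF

# masq: the two entries 'loose' needs, laid out as in the announcement
cat > "$CONF/masq" <<EOF
#INTERFACE SUBNET ADDRESS
$IF_ISP1 $IP_ISP2 $IP_ISP1
$IF_ISP2 $IP_ISP1 $IP_ISP2
EOF

# For each provider whose OPTIONS contain 'loose', require a masq line whose
# INTERFACE is that provider's interface. Reports gaps on stderr; returns 1.
loose_masq_check() {
    dir=$1; rc=0
    for ifc in $(awk '!/^#/ && ("," $7 ",") ~ /,loose,/ { print $5 }' "$dir/providers"); do
        if ! awk -v i="$ifc" '!/^#/ && $1 == i { found = 1 } END { exit !found }' "$dir/masq"; then
            echo "provider on $ifc is 'loose' but masq has no entry for it" >&2
            rc=1
        fi
    done
    return $rc
}

loose_masq_check "$CONF" && echo "loose/masq entries consistent"
```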