http://www1.shorewall.net/pub/shorewall/2.4/shorewall-2.4.2
ftp://www1.shorewall.net/pub/shorewall/2.4/shorewall-2.4.2
Problems Corrected in 2.4.2.
1) The /etc/shorewall/hosts file now includes information about
defining a zone using one or more ipsets.
2) A vulnerability involving MACLIST_TTL > 0 or
MACLIST_DISPOSITION=ACCEPT has been corrected.
3) It is now possible to specify !<address> in the SUBNET column of
/etc/shorewall/masq. Previously, it was necessary to write
0.0.0.0/0!<address>.
4) When <network1>!<network2> was specified in the SUBNET column of
/etc/shorewall/masq, IPSEC policies were not correctly applied to
the resulting rules. This usually resulted in IPSEC not working
through the interface specified in the INTERFACES column.
New Features in version 2.4.2
1) A 'loose' provider option has been added. If you wish to be able to
use marking to specify the gateway used by connections originating
on the firewall itself, then specify 'loose' for each provider. It
has been reported that 'loose' may break the effect of 'track', so
beware if you need 'track' functionality (you shouldn't be
originating many connections from your firewall to the net anyway).
To use 'loose', you also need to add two entries in
/etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS
$IF_ISP1 $IP_ISP2 $IP_ISP1
$IF_ISP2 $IP_ISP1 $IP_ISP2
where:
$IF_ISP1 is the interface to ISP 1.
$IF_ISP2 is the interface to ISP 2.
$IP_ISP1 is the IP address of $IF_ISP1
$IP_ISP2 is the IP address of $IF_ISP2
2) /sbin/shorewall now issues a warning each time that it finds that
startup is disabled.
3) A new COPY column has been added to the /etc/shorewall/providers
file. Normally, when a table name/number is given in the DUPLICATE
column, the entire table (less default routes) is copied. The COPY
column allows you to limit the routes copied to those that go
through an interface listed in COPY. For example, if you enter
eth0 in INTERFACE, "eth1,eth2" in COPY and 'main' in DUPLICATE then
the new table created will contain those routes through the
interfaces eth0, eth1 and eth2.
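To preview which routes a COPY entry would select before relying on it, here is an added shell example (not Shorewall's own code) that applies the rule described above, drop default routes and keep routes through INTERFACE or any interface in COPY, to constructed "ip route show table main" lines; the sample routes and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of Shorewall. Constructed sample output in the
# format of "ip route show table main" (documentation address ranges).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.10
203.0.113.0/24 dev eth2 proto kernel scope link src 203.0.113.10
10.0.0.0/8 via 198.51.100.1 dev eth1
172.16.0.0/12 dev eth3 proto kernel scope link src 172.16.0.10
default via 198.51.100.1 dev eth1 metric 100'

# copy_routes INTERFACE COPY [routes]
# Prints the routes that go through INTERFACE or any interface in the
# comma-separated COPY list, dropping default routes, which is what the
# release notes say the DUPLICATE copy contains. Assumed helper name.
copy_routes() {
    iface=$1
    copy=$2
    routes=${3:-$SAMPLE_ROUTES}
    printf '%s\n' "$routes" | awk -v want="$iface,$copy" '
        BEGIN { n = split(want, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "default" { next }   # default routes are never copied
        {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && ok[$(i + 1)]) { print; next }
        }
    '
}

# Number of routes that would land in the new table, for quick checks.
copy_route_count() {
    copy_routes "$1" "$2" "$3" | wc -l | tr -d ' '
}

# The example from the release notes: eth0 in INTERFACE, "eth1,eth2" in
# COPY, 'main' in DUPLICATE. Routes via eth3 and both defaults are left out.
copy_routes eth0 "eth1,eth2"
```

On a live system, replace the constructed sample by passing "$(ip route show table main)" as the third argument.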
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key