Just uploaded to:

  http://www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5
  ftp://ftp1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5

3.0.5 will be at a mirror near you shortly.

Problems corrected in Shorewall 3.0.5

1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall
   started but not when Shorewall was restored.

2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the
   policy match patch and the Netfilter/IPSEC patches, an entry in
   /etc/shorewall/tunnels was previously not sufficient in cases where:

   a) gw<->gw traffic was encrypted
   b) the gw<->gw policy through the tunnel was not ACCEPT

   Thanks to Tuomo Soini, this has been corrected. By simply including the
   remote VPN zone in the GATEWAY ZONE column of the tunnel's entry, no
   additional rules are required.

3) Extra blank output lines are no longer produced by install.sh (patch
   courtesy of Tuomo Soini).

4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
   rules file previously didn't work (they had the "--syn" parameter added
   to them, which resulted in a rule that no traffic would match).

   WARNING: If you use the QUEUE target from an action, Shorewall will still
   insert --syn if the protocol is tcp, so you don't want to invoke such an
   action from the ESTABLISHED section of the rules file.

5) The description of the SOURCE column in /etc/shorewall/rules has been
   improved (patch courtesy of Ed Suominen).

6) The 'allow', 'drop' and 'reject' commands no longer produce iptables
   errors when executed while Shorewall is not started.

7) The spelling of "maximize-throughput" has been corrected in the code that
   implements tcclasses parsing. Patch courtesy of Paul Traina.

8) Shorewall now generates the correct match for devices in
   /etc/shorewall/tcdevices that are actually bridge ports.

New Features in Shorewall 3.0.5

1) The facilities available for dealing with the TOS field in
   /etc/shorewall/tcclasses have been expanded. The OPTIONS field may now
   contain a comma-separated list of the following:

   tos=0x<value>[/0x<mask>] (mask defaults to 0xff)

      This lets you define a classifier for the given <value>/<mask>
      combination of the IP packet's TOS/Precedence/DiffServ octet (aka the
      TOS byte). Please note that classifiers override all mark settings:
      if you define a classifier for a class, all traffic that it matches
      will go into that class regardless of any mark set on the packet by a
      firewall/mangle filter.

      NOTE: multiple tos= statements may be applied per class and per
      interface, but a given value/mask pair is valid for only ONE class
      per interface.

   tos-<tosname>

      Aliases for the following TOS octet value and mask encodings. TOS
      encodings of the "TOS byte" have been deprecated in favor of DiffServ
      classes, but programs like ssh, rlogin and ftp still use them.

         tos-minimize-delay        0x10/0x10
         tos-maximize-throughput   0x08/0x08
         tos-maximize-reliability  0x04/0x04
         tos-minimize-cost         0x02/0x02
         tos-normal-service        0x00/0x1e

   tcp-ack

      If defined, causes a tc filter to be created that puts all TCP ACK
      packets on that interface with a size of <=64 bytes into this class.
      This is useful for speeding up downloads. Please note that the size
      of the ACK packets is limited to 64 bytes because some applications
      (p2p, for example) tend to make every packet an ACK packet, which
      would cause them all to land here. We want only packets WITHOUT
      payload to match, hence the size limit.

      NOTE: This option is only valid for ONE class per interface.

   Note that the semantics of 'tos-<tosname>' have changed slightly.
   Previously, these were tested using a mask of 0xff (example:
   tos-minimize-delay was equivalent to 0x10/0xff). Now each bit is tested
   individually.

   This enhancement is courtesy of Paul Traina.
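The following is an added example, not part of this announcement and not Shorewall's own code: a small userspace model of how the new tcclasses OPTIONS keywords (tos=, the tos-<tosname> aliases and tcp-ack) select a class, written from the description above. Shorewall itself emits "tc filter" u32 matches rather than evaluating packets in a script; the class-table layout (interface, mark, options), the packet dictionary fields and the sample packets are constructed for illustration. The legacy flag reproduces the pre-3.0.5 alias semantics (mask 0xff), so you can see which packets the new per-bit masks pick up that the old exact-octet comparison missed, and the validate() helper enforces the two "only ONE class per interface" rules.

```python
# Added example (not Shorewall code): a model of the 3.0.5 tcclasses OPTIONS
# semantics, built from the release notes. Class-table layout and packet
# fields are assumptions for illustration only.

# Alias table from the announcement: name -> (value, mask) on the TOS octet.
TOS_ALIASES = {
    "tos-minimize-delay":       (0x10, 0x10),
    "tos-maximize-throughput":  (0x08, 0x08),
    "tos-maximize-reliability": (0x04, 0x04),
    "tos-minimize-cost":        (0x02, 0x02),
    "tos-normal-service":       (0x00, 0x1e),
}

TCP_ACK_MAX_LEN = 64  # bytes; ACKs carrying payload (p2p style) must not match


def parse_options(options, legacy=False):
    """Turn one OPTIONS cell into filter tuples: ("tos", value, mask) or ("tcp-ack",).

    legacy=True reproduces the pre-3.0.5 behaviour, where every tos-<name>
    alias was tested with a 0xff mask (an exact comparison of the octet).
    """
    filters = []
    for opt in (o.strip() for o in options.split(",")):
        if not opt:
            continue
        if opt.startswith("tos="):
            value, _, mask = opt[4:].partition("/")
            filters.append(("tos", int(value, 16), int(mask, 16) if mask else 0xFF))
        elif opt in TOS_ALIASES:
            value, mask = TOS_ALIASES[opt]
            filters.append(("tos", value, 0xFF if legacy else mask))
        elif opt == "tcp-ack":
            filters.append(("tcp-ack",))
        else:
            raise ValueError(f"unsupported tcclasses option: {opt!r}")
    return filters


def packet_matches(filt, pkt):
    """Evaluate one filter against a packet dict {iface, proto, ack, length, tos}."""
    if filt[0] == "tcp-ack":
        return pkt["proto"] == "tcp" and pkt["ack"] and pkt["length"] <= TCP_ACK_MAX_LEN
    _, value, mask = filt
    return (pkt["tos"] & mask) == value  # the test a tc u32 "match ip tos" performs


def validate(classes, legacy=False):
    """Enforce the per-interface rules from the notes: a given value/mask pair,
    and tcp-ack, may each be used by only ONE class per interface."""
    seen = {}
    for iface, mark, options in classes:
        for filt in parse_options(options, legacy):
            key = (iface,) + filt
            if key in seen:
                raise ValueError(f"{key[1:]} already used by class {seen[key]} on {iface}")
            seen[key] = mark
    return True


def matching_classes(classes, pkt, legacy=False):
    """MARK values of every class on pkt['iface'] whose filters hit, in table order.
    Any firewall/mangle mark on the packet is deliberately ignored: a classifier
    overrides mark-based class selection."""
    hits = []
    for iface, mark, options in classes:
        if iface != pkt["iface"]:
            continue
        if any(packet_matches(f, pkt) for f in parse_options(options, legacy)):
            hits.append(mark)
    return hits


# Constructed class table in the spirit of /etc/shorewall/tcclasses
# (only the INTERFACE, MARK and OPTIONS columns are modelled).
CLASSES = [
    ("eth0", 1, "tcp-ack,tos-minimize-delay"),
    ("eth0", 2, "tos-maximize-throughput"),
    ("eth0", 3, "tos=0x28"),  # mask defaults to 0xff: exact octet match
]

# Constructed packets: a payload-free ACK, an ACK with payload, a packet with
# both minimize-delay and maximize-throughput bits set (0x18), and one with
# TOS octet 0x28.
BARE_ACK   = {"iface": "eth0", "proto": "tcp", "ack": True,  "length": 52,   "tos": 0x00}
FULL_ACK   = {"iface": "eth0", "proto": "tcp", "ack": True,  "length": 1500, "tos": 0x00}
DELAY_TPUT = {"iface": "eth0", "proto": "tcp", "ack": False, "length": 120,  "tos": 0x18}
TOS_28     = {"iface": "eth0", "proto": "udp", "ack": False, "length": 200,  "tos": 0x28}

if __name__ == "__main__":
    validate(CLASSES)
    for name, pkt in [("bare ACK", BARE_ACK), ("ACK+payload", FULL_ACK),
                      ("tos 0x18", DELAY_TPUT), ("tos 0x28", TOS_28)]:
        print(f"{name:12} new: {matching_classes(CLASSES, pkt)!s:8} "
              f"legacy: {matching_classes(CLASSES, pkt, legacy=True)}")
```

Running the block shows the point of the semantics change: a packet with TOS 0x18 (minimize-delay plus maximize-throughput, as ssh may set) now hits both classes 1 and 2, whereas the old 0xff mask matched neither. It also shows why the 64-byte limit on tcp-ack matters: a 1500-byte segment with the ACK flag set does not land in the ACK class.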
-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key