Shorewall 3.4.4 is now available. This release contains a substantial number of bug fixes plus some minor new features.

For those of you on the development mailing list who downloaded a preview copy for testing, you are urged to download and install the final version as it contains significant fixes beyond the preview version.

MD5 Sums of the final version are as follows:

3850e1342e4b9e3902a52ec081e2c413  shorewall-3.4.4-1.noarch.rpm
fce50deca157aeb671ff8f801a477e37  shorewall-3.4.4.tar.bz2
9ee5795d9ed6529e601549ceab4a197b  shorewall-3.4.4.tgz
2edc49bfdb2ed8ecbe553dca3c4d3867  shorewall-docs-html-3.4.4.tar.bz2
0a2b12728b926c3c4a006efb5bb8daa2  shorewall-docs-html-3.4.4.tgz
31b5051244bde64becb45abea1ffbe70  shorewall-docs-xml-3.4.4.tar.bz2
3a874adf75212c5010091a56e47f2c66  shorewall-docs-xml-3.4.4.tgz
e4d1b7f99a7d42693102f8f7ac332d68  shorewall-lite-3.4.4-1.noarch.rpm
19f9c535e7382515df47a49e5baf60de  shorewall-lite-3.4.4.tar.bz2
04090893d1d6a71d17c1e03666e10c92  shorewall-lite-3.4.4.tgz

Problems corrected in 3.4.4:

1) The commands "shorewall add <interface> <zone>" and "shorewall delete <interface> <zone>" no longer produce spurious error messages.

2) The command "shorewall delete <interface> <zone>" now actually deletes entries when it successfully completes. Previously, it would appear to remove an entry even when removing that entry should fail. See "Other Changes" item 2) for additional information.

3) Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.

4) When run as root, the 'shorewall load' and 'shorewall reload' commands would fail if the LOGFILE setting in /etc/shorewall/shorewall.conf specified a non-existent file.

5) Entries in /etc/shorewall/tcrules that specify both a source and a destination port failed with the following diagnostic:

   iptables v1.3.3: multiport can only have one option

6) Previously, Shorewall-lite did not allow DHCP traffic through an interface when the interface was a bridge with 'dhcp' specified unless there was a bridge on the administrative system with the same name.

7) SOURCE and DEST are now flagged as invalid zone names to avoid problems with macros that use those names as keywords.

8) Previously, Shorewall could *increase* the MSS under some circumstances. This possibility is now eliminated, provided that the system has TCPMSS match support (be sure to update your capabilities files!).

9) Firewall zone names other than 'fw' no longer cause an error when IPSECFILE is not set or is set to 'ipsec'.

10) The 'proxyarp' option on an interface was previously ignored when the /etc/shorewall/proxyarp file was empty.

11) Previously, if action 'a' was defined then the following rule generated an error:

    a: z1 z2 ...

    The trailing ":" is now ignored.

12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the generated error messages referred to the rule as a DROP rule.

13) The 'nolock' keyword was previously ignored on several /sbin/shorewall[-lite] commands.

Other changes in 3.4.4:

1) The accounting, masq, rules and tos files now have a 'MARK' column similar to the column of the same name in the tcrules file. This column allows filtering by MARK value.

2) The "shorewall show zones" command now flags zone members that have been added using "shorewall add" by preceding them with a plus sign ("+").

   Example:

   Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007

   fw (firewall)
   net (ipv4)
      eth0:0.0.0.0/0
   loc (ipv4)
      br0:0.0.0.0/0
      eth4:0.0.0.0/0
      eth5:0.0.0.0/0
      +eth1:0.0.0.0/0
   dmz (ipv4)
      eth3:0.0.0.0/0
   vpn (ipv4)
      tun+:0.0.0.0/0

   In the above output, "eth1:0.0.0.0/0" was dynamically added to the 'loc' zone.

   As part of this change, "shorewall delete" will only delete entries that have been added dynamically. In earlier versions, any entry could be deleted, although the ruleset was only changed by deleting entries that had been added dynamically.

3) Earlier generations of Shorewall Lite required that remote root login via ssh be enabled in order to use the 'load' and 'reload' commands.

   Beginning with this release, you may define an alternative means for accessing the remote firewall system.

   Two new options have been added to shorewall.conf:

   RSH_COMMAND
   RCP_COMMAND

   The default values for these are as follows:

   RSH_COMMAND: ssh ${root}@${system} ${command}
   RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

   Shell variables that will be set when the commands are invoked are as follows:

   root        - root user. Normally 'root' but may be overridden using the '-r' option.
   system      - The name/IP address of the remote firewall system.
   command     - For RSH_COMMAND, the command to be executed on the firewall system.
   files       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
   destination - The directory on the remote system that the files are to be copied into.

4) You may now select the compiler to use on the command line using the '-C' option. This option is available on the following commands:

   check
   compile
   export
   load
   reload
   restart
   start
   try
   safe-start
   save-restart

   Example:

   shorewall try -C perl .

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
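The sums in the announcement let you confirm that a download is intact. The script below is an added example, not part of the announcement and not Shorewall code: it checks whichever of the ten listed files are present in a directory against the posted sums with GNU md5sum, skips files you did not download, and fails on any mismatch. Be clear about what this proves. Sums published in the same unsigned mail catch a corrupted or swapped mirror file, but anyone who can alter the mail can alter the sums with it, so authenticity rests on checking the announcement against Tom's published PGP key (linked in his signature), which is a separate step from this script.

```shell
#!/bin/sh
# Added example, not part of the announcement or of Shorewall.
# Verifies downloaded 3.4.4 files against the MD5 sums Tom posted.

# The sums from the announcement, in the "SUM  FILENAME" form md5sum -c reads.
SHOREWALL_344_MD5SUMS='
3850e1342e4b9e3902a52ec081e2c413  shorewall-3.4.4-1.noarch.rpm
fce50deca157aeb671ff8f801a477e37  shorewall-3.4.4.tar.bz2
9ee5795d9ed6529e601549ceab4a197b  shorewall-3.4.4.tgz
2edc49bfdb2ed8ecbe553dca3c4d3867  shorewall-docs-html-3.4.4.tar.bz2
0a2b12728b926c3c4a006efb5bb8daa2  shorewall-docs-html-3.4.4.tgz
31b5051244bde64becb45abea1ffbe70  shorewall-docs-xml-3.4.4.tar.bz2
3a874adf75212c5010091a56e47f2c66  shorewall-docs-xml-3.4.4.tgz
e4d1b7f99a7d42693102f8f7ac332d68  shorewall-lite-3.4.4-1.noarch.rpm
19f9c535e7382515df47a49e5baf60de  shorewall-lite-3.4.4.tar.bz2
04090893d1d6a71d17c1e03666e10c92  shorewall-lite-3.4.4.tgz
'

# verify_against SUMLIST DIR
#   SUMLIST: lines of "SUM  FILENAME"; DIR: where the downloads live.
#   Returns 0 if every listed file that exists in DIR matches its sum,
#   1 if any present file mismatches, 2 if none of the listed files is there.
verify_against() {
    sums=$1 dir=$2
    list=$(mktemp) || return 2
    # Keep only entries for files that were actually downloaded: an absent
    # file is not an error, a present file with the wrong sum is.
    printf '%s\n' "$sums" | while read -r sum name; do
        [ -n "$name" ] && [ -f "$dir/$name" ] && printf '%s  %s\n' "$sum" "$name"
    done > "$list"
    if [ ! -s "$list" ]; then
        echo "verify: none of the listed files found in $dir" >&2
        rm -f "$list"
        return 2
    fi
    # md5sum -c prints one OK/FAILED line per file and exits non-zero on any FAILED.
    if (cd "$dir" && md5sum -c "$list"); then rc=0; else rc=1; fi
    rm -f "$list"
    return $rc
}

# verify_release DIR: the check for this announcement's files.
verify_release() {
    verify_against "$SHOREWALL_344_MD5SUMS" "$1"
}
```

Typical use is `verify_release ~/downloads && tar xjf ~/downloads/shorewall-3.4.4.tar.bz2`, so that an altered archive is never unpacked. A return of 2 means nothing was checked, which should be treated as a failure rather than silently passed.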
On Sun, Jun 17, 2007 at 08:38:24AM -0700, Tom Eastep wrote:
> 8) Previously, Shorewall could *increase* the MSS under some
>    circumstances. This possibility is now eliminated, provided that
>    the system has TCPMSS match support (be sure to update your
>    capabilities files!).

Perhaps it would be worthwhile to include a version number in a variable in the capabilities file, and have the compiler reject outdated ones?
Andrew Suffield wrote:
> On Sun, Jun 17, 2007 at 08:38:24AM -0700, Tom Eastep wrote:
>> 8) Previously, Shorewall could *increase* the MSS under some
>>    circumstances. This possibility is now eliminated, provided that
>>    the system has TCPMSS match support (be sure to update your
>>    capabilities files!).
>
> Perhaps it would be worthwhile to include a version number in a
> variable in the capabilities file, and have the compiler reject
> outdated ones?

Good idea.

-Tom
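Andrew's suggestion, a version variable in the capabilities file that the compiler refuses when stale, sketched as an added shell example. This is not Shorewall code: the CAPVERSION variable, its 30404 encoding for 3.4.4, and the sample capability names other than TCPMSS_MATCH (assumed here to be the flag for the support item 8 depends on) are this example's assumptions, as is the "shorewall-lite show -f capabilities" command named in the messages. The file is read as data rather than sourced, which is the safer choice for something copied over from a remote firewall.

```shell
#!/bin/sh
# Added example, not Shorewall code. Rejects a capabilities file that is
# missing a (hypothetical) CAPVERSION or carries one older than required,
# and warns when TCPMSS match support is not recorded in it.
# Assumes the file is a list of NAME=value lines.

# cap_get FILE NAME: print NAME's value (first match), empty if absent.
# Uses sed rather than ". FILE" so the file cannot execute anything.
cap_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_capabilities FILE MIN_VERSION
#   0: CAPVERSION present, >= MIN_VERSION, and TCPMSS_MATCH=Yes
#   1: CAPVERSION missing, non-numeric or older than MIN_VERSION
#   2: version fine but TCPMSS_MATCH is not Yes (the compiler would then
#      build MSS handling without the match that item 8 relies on)
check_capabilities() {
    file=$1 min=$2
    ver=$(cap_get "$file" CAPVERSION)
    case $ver in
        ''|*[!0-9]*)
            echo "$file: no usable CAPVERSION, regenerate it with 'shorewall-lite show -f capabilities'" >&2
            return 1 ;;
    esac
    if [ "$ver" -lt "$min" ]; then
        echo "$file: CAPVERSION $ver is older than required $min, regenerate it" >&2
        return 1
    fi
    if [ "$(cap_get "$file" TCPMSS_MATCH)" != Yes ]; then
        echo "$file: TCPMSS_MATCH is not Yes, the 3.4.4 MSS fix cannot be compiled in" >&2
        return 2
    fi
    return 0
}

# write_sample_capabilities FILE VERSION TCPMSS
#   Writes a constructed capabilities file for demonstration. VERSION may be
#   empty to simulate a file produced by a release that predates CAPVERSION.
write_sample_capabilities() {
    {
        echo "NAT_ENABLED=Yes"
        echo "MANGLE_ENABLED=Yes"
        echo "MULTIPORT=Yes"
        echo "TCPMSS_MATCH=$3"
        if [ -n "$2" ]; then echo "CAPVERSION=$2"; fi
    } > "$1"
}
```

A compiler hooked up this way would run check_capabilities on the administrative system before compiling for a given firewall, and refuse with return code 1 rather than silently generating a ruleset from stale data; return code 2 is the exact situation item 8 warns about and deserves at least a loud warning.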
On Sunday 17 June 2007 08:38:24 Tom Eastep wrote:
> Shorewall 3.4.4 is now available. This release contains a substantial
> number of bug fixes plus some minor new features.

Thanks for this great work.

Best regards

--
Jorge Armando Medina
Calcom de México S.A de C.V.
Telephone: 01 (664) 6238311
Email: jmedina@calcom.com.mx
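Item 3 under "Other changes" in Tom's announcement gives the RSH_COMMAND and RCP_COMMAND templates and their five placeholders, but not what they expand to. The following is an added shell example, not Shorewall code and not from the announcement, that renders both the announced defaults and a variant in which the administrator logs in as an unprivileged account and escalates with sudo on the firewall, and that rejects a template using a misspelt placeholder (which would otherwise expand to nothing at load time). The account name fwadmin, the host name gateway, the remote command 'shorewall-lite restart', the destination /var/lib/shorewall-lite and the sudo arrangement are all assumptions of this example; the page only says that the root user can be overridden with -r and that the placeholders are shell variables.

```shell
#!/bin/sh
# Added example, not Shorewall code. Shows what RSH_COMMAND / RCP_COMMAND
# templates turn into and checks them for unknown placeholders.

# Defaults as announced. The single quotes matter: shorewall.conf is read by
# the shell, and the ${...} placeholders must survive until load/reload time.
RSH_DEFAULT='ssh ${root}@${system} ${command}'
RCP_DEFAULT='scp ${files} ${root}@${system}:${destination}'

# Alternative (assumed setup): log in as an ordinary account and let sudo
# run the command. On the firewall this needs a sudoers entry for that
# account, ideally limited to the shorewall-lite binary and NOPASSWD so
# load/reload stay non-interactive, and ${destination} must be writable by
# the account because the copy still runs as that user.
RSH_SUDO='ssh ${root}@${system} sudo ${command}'
RCP_SUDO="$RCP_DEFAULT"

# render TEMPLATE ROOT SYSTEM COMMAND FILES DESTINATION
#   Expands the placeholders with sed instead of eval, so the result can be
#   inspected or compared against a sudoers rule without running anything.
render() {
    printf '%s\n' "$1" | sed \
        -e 's|\${root}|'"$2"'|g' \
        -e 's|\${system}|'"$3"'|g' \
        -e 's|\${command}|'"$4"'|g' \
        -e 's|\${files}|'"$5"'|g' \
        -e 's|\${destination}|'"$6"'|g'
}

# check_template TEMPLATE
#   Returns 1 if the template uses a placeholder other than the documented
#   five. A typo such as ${sytem} would otherwise expand to an empty string
#   at load time and yield "ssh root@ command", which fails confusingly.
check_template() {
    for ph in $(printf '%s\n' "$1" | grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' | sort -u); do
        name=$(printf '%s' "$ph" | tr -d '${}')
        case " root system command files destination " in
            *" $name "*) ;;
            *) echo "unknown placeholder $ph in: $1" >&2; return 1 ;;
        esac
    done
    return 0
}

# demo: print what each setup would send to the firewall "gateway".
demo() {
    check_template "$RSH_DEFAULT" && render "$RSH_DEFAULT" root gateway 'shorewall-lite restart' '' ''
    check_template "$RSH_SUDO" && render "$RSH_SUDO" fwadmin gateway 'shorewall-lite restart' '' ''
    check_template "$RCP_SUDO" && render "$RCP_SUDO" fwadmin gateway '' 'firewall capabilities' /var/lib/shorewall-lite
}
```

With the sudo variant you would set RSH_COMMAND to the RSH_SUDO value in shorewall.conf and pass the account with the -r option at load time (assuming -r takes the user name). The rendered lines are what to match against the sudoers rule and the ssh authorized_keys entry on the firewall; a forced-command key that only permits the rendered command is a further tightening the templates allow.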
Jorge Armando Medina wrote:
> On Sunday 17 June 2007 08:38:24 Tom Eastep wrote:
>> Shorewall 3.4.4 is now available. This release contains a substantial
>> number of bug fixes plus some minor new features.
>
> Thanks for this great work.

You're most welcome.

-Tom
I would like to thank you all for great, quality software. My hearty congratulations to all the geeks involved in the activity. Hope to see many more releases.

==========================
Miles to Go before I sleep
==========================
Manjunath