Beta2 was released last weekend.
Problems Corrected in Shorewall 4.2.0 Beta 2
1) When 'norfc1918' was specified on an interface with an RFC 1918 IP
address, the compiled script would terminate without changing the
state of the firewall. Under these circumstances, the script now
issues a warning message and continues.
Problems Corrected in Shorewall-perl 4.2.0 Beta 2
1) Except in /etc/shorewall/hosts, ipset names may now be preceded by
'!' to specify that matching IP addresses are not members of the set.
Problems Corrected in Shorewall-shell 4.2.0 Beta 2
1) When DYNAMIC_ZONES=Yes, certain configurations would produce an
invalid /var/lib/shorewall/chains file at run-time. The invalid file
contents resulted in errors during processing of the "shorewall add"
command.
Other Changes in Shorewall 4.2.0 Beta 2
1) A 'save' extension script is added. The script is run after
iptables-save has completed successfully.
The 'load' and 'reload' commands copy the save script (if any) to
/etc/shorewall-lite/ on the remote firewall system. The 'export'
command copies the file to the same directory as the 'firewall' and
'firewall.conf' scripts.
I have the following commands in my 'save' script:

    [ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup
    ipset -S > /root/ipsets.save

These commands complement my 'init' script:

    qt modprobe ifb numifbs=1
    qt ip link set dev ifb0 up
    if [ "$COMMAND" = start ]; then
        # Remove existing set bindings, then flush and destroy all sets
        ipset -U :all: :all:
        ipset -U :all: :default:
        ipset -F
        ipset -X
        # Reload the sets written by the 'save' script
        ipset -R < /root/ipsets.save
    fi

Those two scripts allow me to save and restore the contents of my
ipsets automatically under Shorewall-perl/Shorewall-lite (my
routestopped file does not use ipsets).
2) A HELPER column is included in the tcrules file. The value in this
column names one of the Netfilter protocol 'helper' module sets
(ftp, sip, amanda, etc.).
See http://www.shorewall.net/traffic_shaping.htm for an example.
3) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
4) Farkas Levante has contributed a macro.Mail macro that covers SMTP,
SMTPS and submission.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key