Shorewall 4.2.5 is now available for download.

Problems corrected in 4.2.5

1) If exclusion is used to define a zone in /etc/shorewall/hosts and that zone is used as the SOURCE zone in a DNAT or REDIRECT rule, then Shorewall-perl can generate invalid iptables-restore input.

2) A bug in the Perl Cwd module (see http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the Shorewall-perl compiler to fail if it doesn't have at least read access to its current working directory. 4.2.5 contains a workaround.

3) If 'critical' was specified on an entry in /etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would generate an error.

4) In certain cases where exclusion occurred in /etc/shorewall/hosts, Shorewall-perl would generate incorrect iptables-restore input.

5) In certain cases where exclusion occurred in /etc/shorewall/hosts, Shorewall-perl would generate invalid iptables-restore input.

6) The 'shorewall6 refresh' command runs iptables_restore rather than ip6tables_restore.

7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and 'shorewall6 restore' were previously broken.

8) The Debian init script was checking $startup in /etc/default/shorewall rather than in /etc/default/shorewall6.

9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were unconverted Shorewall scripts.

10) When 'detect' is used in the GATEWAY column of /etc/shorewall/providers, Shorewall-perl now ensures that the gateway was successfully detected. If the gateway cannot be detected, action is taken depending on whether the provider is 'optional' or not. If the provider is optional, its configuration is skipped; if the provider is not optional, the current operation is aborted.

11) The command 'shorewall6 debug start' would previously fail with

    ERROR: Command "/sbin/ip6tables -t nat -F" Failed

12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear script itself at run time rather than running the copy of the file in the compiled script. This usually isn't noticeable unless you are running Shorewall Lite or Shorewall6 Lite, in which case the script doesn't get run (since it is on the administrative system and not the firewall system).

13) If your iptables/kernel included "Extended Connection Tracking Match support" (see the output of "shorewall show capabilities"), then a REDIRECT rule that specified a port list or range would cause Shorewall-perl to create invalid iptables-restore input:

    Running /usr/sbin/iptables-restore...
    iptables-restore v1.4.2-rc1: conntrack: Bad value for "--ctorigdstport" option: "1025:65535"
    Error occurred at line: 191
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

Known Problems Remaining

1) When exclusion is used in an entry in /etc/shorewall/hosts, then Shorewall-shell produces an invalid iptables rule if any of the following OPTIONS are also specified in the entry:

    blacklist
    maclist
    norfc1918
    tcpflags

New Features in Shorewall 4.2.5

1) A new 'fallback' option is added in /etc/shorewall/providers. The option works similarly to 'balance' except that the default route is added in the default routing table (253) rather than in the main table (254). The option can be used by itself or followed by =<number> (e.g., fallback=2). When the option is used by itself, a separate (not balanced) default route is added with a metric equal to the provider's NUMBER. When the option is used with a number, a balanced route is added with the weight set to the specified number. 'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and is only available with Shorewall-perl.

   'fallback' is useful in situations where:

   - You want all traffic to be sent via one primary provider unless there is a compelling reason to use a different provider.
   - If the primary provider is down, then you want to balance the outgoing traffic among a set of other providers or to an ordered list of providers.

   In this case:

   - Do not specify 'balance' on any of the providers.
   - Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
   - Specify 'fallback' on those providers that you want to use if the primary is down.
   - Only the primary provider should have a default route in the main routing table.

   See http://www.shorewall.net/MultiISP.html#Complete for an example of this option's use.

2) Shorewall-perl now transparently handles the xtables-addons version of ipp2p. Shorewall detects whether the installed ipp2p is from patch-o-matic-ng or from xtables-addons and proceeds accordingly.

   If the patch-o-matic-ng version is installed:

   a) If no DEST PORT is supplied, the default is "--ipp2p".
   b) If "ipp2p" is supplied as the DEST PORT, it will be passed to iptables-restore as "--ipp2p".

   If the xtables-addons version is installed:

   a) If no DEST PORT is supplied, the default is "--edk --gnu --dc --kazaa".
   b) If "ipp2p" is supplied as the DEST PORT, it will be passed to iptables-restore as "--edk --gnu --dc --kazaa".

   Shorewall-perl now also accepts a comma-separated list of options (e.g., "edk,gnu,dc,kazaa").

   Additionally, Shorewall now looks for modules in /lib/modules/$(uname -r)/extra and in /lib/modules/$(uname -r)/extra/ipset.

   This change introduced a new capability ("Old IPP2P Match Syntax"), so if you use a capabilities file, be sure to re-generate the file(s) after you have installed 4.2.5.

3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).

4) There is also a macro.IRC, which opens the Internet Relay Chat port (6667/tcp).
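To make the 'fallback' recipe above concrete, here is a constructed /etc/shorewall/providers file (plus the two shorewall.conf settings that matter) for a primary ISP with two standby ISPs. This is an added example, not a configuration from the announcement or from the Shorewall project's own documentation: the provider names, interface names, gateway addresses (RFC 5737 documentation ranges) and weights are made up, and it assumes that the primary's default route in the main table is installed by the normal system network configuration rather than by Shorewall.

```conf
###############################################################################
# /etc/shorewall/shorewall.conf  (only the two settings relevant to 'fallback')
#
# The announcement requires route filtering to be off for this setup, and
# 'fallback' is silently ignored when USE_DEFAULT_RT=Yes.
ROUTE_FILTER=No
USE_DEFAULT_RT=No

###############################################################################
# /etc/shorewall/providers  (constructed example for Shorewall-perl 4.2.5)
#
# - No provider carries 'balance', so Shorewall adds nothing to the default
#   route of the main table (254); the primary's default route via 192.0.2.1
#   is assumed to come from the system's own network configuration.
# - The two standby providers carry 'fallback=<weight>', so Shorewall places
#   one balanced default route in the default table (253), weighted 2:1.
#   The kernel consults table 253 only after table 254 yields no match, i.e.
#   only once the primary's default route has been withdrawn (link down).
# - Using plain 'fallback' (no weight) instead would give each standby its
#   own unbalanced default route in table 253, with metric = its NUMBER,
#   producing an ordered list rather than load sharing.
#
#NAME       NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS           COPY
PrimaryISP  1       0x1   main       eth0       192.0.2.1      track             -
BackupISP1  2       0x2   main       eth1       198.51.100.1   track,fallback=2  -
BackupISP2  3       0x3   main       eth2       203.0.113.1    track,fallback=1  -
```

After 'shorewall restart', 'ip route list table 253' should show a single multipath default route over eth1 and eth2, and 'ip route list table 254' should show only the primary's default route; if the main table also contains a balanced route, 'balance' was left on one of the providers.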
-Tom