The Shorewall team is pleased to announce the availability of Shorewall
4.2.7.

Problems corrected in 4.2.7

1) Previously, the 'start' command set the permission flags on
   /var/lib/shorewall*/state so that it could be read by non-root users,
   while the 'stop' command set the permissions such that the file could
   not be read by those users. Beginning with 4.2.7, both commands will
   secure the file for root-only access. If you want the file to be
   world-readable, then add

       chmod 744 <file name>

   to your /etc/shorewall/started, /etc/shorewall/stopped and
   /etc/shorewall/restored files.

2) The 'shorewall6 dump' command now correctly displays the installed
   version of Shorewall-perl. It also displays the IPv6 neighbor table
   contents rather than the ARP table contents.

3) Under some circumstances, interface options like nosmurfs and tcpflags
   would not be applied to forwarded traffic when using Shorewall-perl.

4) The following rule was badly mis-handled:

       DNAT-    loc    net:1.2.3.4:2525    tcp    25

   The result:

       WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
       Can't call method "inet_htoa" without a package or object reference at
       /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150, <$currentfile> line 459.

5) Previously, OPTIONS were not allowed with a bridge port in
   /etc/shorewall/interfaces. That oversight has been corrected and now
   the following OPTIONS are allowed:

       blacklist
       maclist
       norfc1918
       nosmurfs
       routeback
       tcpflags

6) Tuomo Soini provided a workaround patch for a problem seen in some
   kernels (see FAQ 82) that caused 'shorewall start' to fail when
   USE_DEFAULT_RT=Yes.
Known Problems Remaining:

1) When exclusion is used in an entry in /etc/shorewall/hosts, then
   Shorewall-shell produces an invalid iptables rule if any of the
   following OPTIONS are also specified in the entry:

       blacklist
       maclist
       norfc1918
       tcpflags

New Features in Shorewall 4.2.7

1) Prior to Shorewall version 3.0.0, rules generated by
   /etc/shorewall/tunnels were traversed before those generated by
   /etc/shorewall/rules. When SECTIONs were added to the rules file in
   3.0.0, traversal of the tunnel rules was deferred until after those
   generated by the NEW section of the rules file. Beginning with
   Shorewall-perl 4.2.7, the tunnel rules are back where they started --
   right before the first rule generated by the NEW section of
   /etc/shorewall/rules.

2) To allow bypassing of connection tracking for certain traffic,
   /etc/shorewall/notrack and /etc/shorewall6/notrack files have been
   added. Columns in the file are:

       SOURCE         - <zone>[:<interface>][:<address list>]
       DEST           - [<address list>]
       PROTO          - <protocol name or number>
       DEST PORT(S)   - <port number list>
       SOURCE PORT(S) - <port number list>
       USER/GROUP     - [<user>][:<group>]
                        May only be specified if the SOURCE <zone> is $FW.

   Traffic that matches all given criteria will not be subject to
   connection tracking. For such traffic, your policies and/or rules must
   deal with ALL of the packets involved, in both the original and the
   opposite directions. All untracked traffic is passed through the
   relevant rules in the NEW section of the rules file. Untracked
   encapsulated tunnel traffic can be handled by entries in
   /etc/shorewall/tunnels just like tracked traffic is.

   Because every packet of an untracked connection must pass through the
   NEW section rules, it is suggested that rules that deal with untracked
   traffic should appear at the top of the file.
   Example:

   /etc/shorewall/tunnels:

       #TYPE    ZONE    GATEWAY
       6to4     net

   /etc/shorewall/notrack:

       #SOURCE            DEST    PROTO   DEST      SOURCE    USER/
       #                                  PORT(S)   PORT(S)   GROUP
       net:!192.88.99.1   -       41

   Given that 192.88.99.1 is an anycast address, many hosts can respond to
   outward traffic to that address. The entry in /etc/shorewall/tunnels
   allows protocol 41 net<->fw. The entry in /etc/shorewall/notrack
   prevents the inbound traffic from creating additional useless conntrack
   entries.

   As part of this change, the 'show' command is enhanced to support a
   'show raw' command that is an alias for 'show -t raw'. The raw table is
   where NOTRACK rules are created. The dump command is also enhanced to
   display the contents of the raw table.

3) Shorewall-perl supports three additional columns in the
   /etc/shorewall/routestopped file:

       PROTO          -- Protocol name or number
       DEST PORT(S)   -- comma-separated list of service names and/or
                         port numbers
       SOURCE PORT(S) -- comma-separated list of service names and/or
                         port numbers.

   These columns are only meaningful when the "-f" option to
   'shorewall stop' is used.

   As part of this change, the "-f" option to the 'stop' and 'clear'
   commands is now the default when FAST_STOP=Yes in shorewall.conf. To
   override this default, use the "-s" option:

       shorewall stop -s

   Note that if you have entries with one or more of the new columns, the
   -s option will result in warning messages.

       gateway:~ # shorewall stop -s
       Stopping Shorewall...
       WARNING: Unknown routestopped option ignored: notrack
       WARNING: Unknown routestopped option ignored: 41
       WARNING: Unknown routestopped option ignored: notrack
       WARNING: Unknown routestopped option ignored: 41
       done.
       gateway:~ #

4) Shorewall-perl now handles SOURCE PORT lists of more than 15 entries by
   breaking the containing rule into multiple rules.

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________