I usually don't have a Beta for a minor release but for 4.4.4, I'm
making an exception. Two of the changes in 4.4.4 are rather pervasive so
I would like to give them additional testing prior to final release.

The Beta is available at:

http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.4-Beta1/
ftp://ftp.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.4-Beta1/
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4
----------------------------------------------------------------------------
1) In some simple one-interface configurations, the following Perl
   run-time error messages were issued:

     Generating Rule Matrix...
     Use of uninitialized value in concatenation (.) or string at
     /usr/share/shorewall/Shorewall/Chains.pm line 649.
     Use of uninitialized value in concatenation (.) or string at
     /usr/share/shorewall/Shorewall/Chains.pm line 649.
     Creating iptables-restore input...
2) The Shorewall operations log (specified by STARTUP_LOG) is now
   secured with mode 0600.
----------------------------------------------------------------------------
K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   4 . 4 . 4
----------------------------------------------------------------------------
1) The Shorewall packages now include a logrotate script. Note that
   while the RPMs do not depend on the logrotate package, RPM
   installation will produce an error message if that package is not
   installed.

2) The limit of 15 entries in a port list has been relaxed in
   /etc/shorewall/routestopped.
3) The following seemingly valid configuration produces a fatal
   error reporting "Duplicate interface name (p+)":

   /etc/shorewall/zones:

     #ZONE      TYPE
     fw         firewall
     world      ipv4
     z1:world   bport4
     z2:world   bport4

   /etc/shorewall/interfaces:

     #ZONE      INTERFACE   BROADCAST   OPTIONS
     world      br0         -           bridge
     world      br1         -           bridge
     z1         br0:p+
     z2         br1:p+

   That is because the Shorewall implementation requires each bridge
   port to have a unique name.

   To work around this problem, a new 'physical' interface option has
   been created. The above configuration may be defined using the
   following in /etc/shorewall/interfaces:

     #ZONE      INTERFACE   BROADCAST   OPTIONS
     world      br0         -           bridge
     world      br1         -           bridge
     z1         br0:x+      -           physical=p+
     z2         br1:y+      -           physical=p+

   In this configuration, 'x+' is the logical name for ports p+ on
   bridge br0 while 'y+' is the logical name for ports p+ on bridge
   br1.

   If you need to refer to a particular port on br1 (for example
   p1023), you write it as y1023; Shorewall will translate that name
   to p1023 when needed.

   It is allowed to have a physical name ending in '+' with a logical
   name that does not end with '+'. The reverse is not allowed; that
   is, if the logical name ends in '+' then the physical name must
   also end in '+'.

   This feature is not restricted to bridge ports. Beginning with this
   release, the interface name in the INTERFACE column can be
   considered a logical name for the interface where the actual
   interface name is specified using the 'physical' option. If no
   'physical' option is present, then the physical name is assumed to
   be the same as the logical name. As before, the logical interface
   name is used throughout the rest of the configuration to refer to
   the interface.
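The following is an added illustration of the logical/physical name mapping described in item 3; it is example code written for this note, not Shorewall's own implementation (which is Perl). It parses a constructed /etc/shorewall/interfaces-style table, reports duplicate logical names (the condition behind the "Duplicate interface name" error), enforces the rule that a logical name ending in '+' needs a physical name ending in '+', and translates a logical port name such as y1023 to its physical name p1023. The sample tables, the Interface class and the function names are assumptions of this example.

```python
# Added example (not Shorewall's code): toy resolver for the 'physical'
# interface option. Parses an interfaces-style table, checks logical-name
# uniqueness and the '+' rule, and maps logical names to physical names.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input mirroring the working configuration in the note.
INTERFACES_OK = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
world   br0         -           bridge
world   br1         -           bridge
z1      br0:x+      -           physical=p+
z2      br1:y+      -           physical=p+
"""

# Constructed sample mirroring the configuration the note says is rejected.
INTERFACES_DUP = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
world   br0         -           bridge
world   br1         -           bridge
z1      br0:p+
z2      br1:p+
"""


@dataclass
class Interface:
    zone: str
    bridge: Optional[str]   # set for bridge-port entries such as br0:x+
    logical: str            # name used throughout the rest of the config
    physical: str           # name handed to iptables; defaults to logical


def parse_interfaces(text: str) -> List[Interface]:
    """Parse ZONE INTERFACE BROADCAST OPTIONS rows; '#' starts a comment."""
    entries: List[Interface] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        zone, iface = fields[0], fields[1]
        options = fields[3].split(",") if len(fields) > 3 and fields[3] != "-" else []
        # 'br0:x+' -> bridge 'br0', port 'x+'; a plain 'br0' has no bridge part
        bridge, _, logical = iface.rpartition(":")
        physical = logical
        for opt in options:
            if opt.startswith("physical="):
                physical = opt[len("physical="):]
        # Rule from the note: a wildcard logical name needs a wildcard physical name.
        if logical.endswith("+") and not physical.endswith("+"):
            raise ValueError(
                f"logical name {logical!r} ends in '+' but physical {physical!r} does not")
        entries.append(Interface(zone, bridge or None, logical, physical))
    return entries


def duplicate_logical_names(entries: List[Interface]) -> List[str]:
    """Logical names must be unique; physical names may repeat across bridges."""
    seen, dups = set(), []
    for e in entries:
        if e.logical in seen and e.logical not in dups:
            dups.append(e.logical)
        seen.add(e.logical)
    return dups


def to_physical(entries: List[Interface], name: str) -> str:
    """Translate a logical interface or port name to its physical name."""
    for e in entries:
        if e.logical == name:          # exact match, e.g. 'br0' -> 'br0'
            return e.physical
    best: Optional[Interface] = None   # longest matching wildcard prefix wins
    for e in entries:
        if e.logical.endswith("+") and name.startswith(e.logical[:-1]):
            if best is None or len(e.logical) > len(best.logical):
                best = e
    if best is None:
        raise KeyError(f"no interface matches logical name {name!r}")
    # 'y1023' with logical 'y+' and physical 'p+' -> 'p' + '1023'
    return best.physical[:-1] + name[len(best.logical) - 1:]


if __name__ == "__main__":
    ok = parse_interfaces(INTERFACES_OK)
    print(duplicate_logical_names(ok))                               # []
    print(to_physical(ok, "y1023"))                                  # p1023
    print(duplicate_logical_names(parse_interfaces(INTERFACES_DUP)))  # ['p+']
```

Running the block prints no duplicates for the working table, the translation of y1023 to p1023, and the duplicated logical name p+ for the rejected table.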
4) Previously, Shorewall has used the character '2' to form the name
   of chains involving zones and/or the word 'all' (e.g., fw2net,
   all2all). When zone names are given numeric suffixes, these
   generated names are hard to read (e.g., foo1232bar). To make these
   names clearer, a ZONE2ZONE option has been added.

   ZONE2ZONE has a default value of "2" but can also be given the
   value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
   the two parts of the name with a hyphen (e.g., foo123-bar).
5) Only one instance of this warning is now generated; previously, one
   instance of a similar warning was generated for each COMMENT
   encountered:

     COMMENTs ignored -- require comment support in iptables/Netfilter
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________