The Shorewall team is pleased to announce the availability of Shorewall
4.4.5.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
----------------------------------------------------------------------------
1) The change which removed the 15 port limitation on
/etc/shorewall/routestopped was incomplete. The result was that if
more than 15 ports were listed, an error was generated.
2) If any interfaces had the 'bridge' option specified, compilation
failed with the error:

    Undefined subroutine &Shorewall::Rules::match_source_interface called
    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.

3) The compiler now flags port number 0 as an error in all
contexts. Previously, port 0 was allowed with the result that
invalid iptables-restore input could be generated in some cases.
4) The 'show policies' command now works in Shorewall6 and
Shorewall6-lite.
5) Traffic shaping modules from /lib/modules/<version>/net/sched/ are
now correctly loaded. Previously, that directory was not
searched. Additionally, Shorewall6 now tries to load the cls_flow
module; previously, only Shorewall attempted to load that module.
6) The Shorewall6-lite shorecap program was previously including the
IPv4 base library rather than the IPv6 version. Also, Shorewall6
capability detection was determining the availability of the mangle
capability before it had determined if ip6tables was installed.
7) The setting of MODULE_SUFFIX was previously ignored except when
compiling for export.
8) Detection of the Enhanced Reject capability in the compiler was
broken for IPv4 compilations.
9) The 'reload -c' command would ignore the setting of DONT_LOAD in
shorewall.conf. The 'reload' command without '-c' worked as
expected.
----------------------------------------------------------------------------
K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   4 . 4 . 5
----------------------------------------------------------------------------
1) Shorewall now allows DNAT rules that change only the destination
port.

Example:

    DNAT loc net::456 udp 234

That rule will modify the destination port in UDP packets received
from the 'loc' zone from 456 to 234. Note that if the destination
is the firewall itself, then the destination port will be rewritten
but no ACCEPT rule from the loc zone to the $FW zone will have
been created to handle the request. So such rules should probably
exclude the firewall's IP addresses in the ORIGINAL DEST column.
2) Systems that do not log Netfilter messages locally can now set
LOGFILE=/dev/null in shorewall.conf.
3) The 'shorewall show connections' and 'shorewall dump' commands now
display the current number of connections and the max supported
connections.

Example:

    shorewall show connections
    Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ...

In that case, there were 62 current connections out of a maximum
number supported of 65536.

Happy Holidays and the Best of New Years,
-The Shorewall Team
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________