The Shorewall team is pleased to announce the availability of Shorewall 4.4.7 RC1.

The release is available at:

http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.7-RC1
ftp://ftp.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.7-RC1

This release features a number of enhancements:

1) The OPTIMIZE option value is now a bit-map with each bit controlling a separate set of optimizations.

   - The low-order bit (value 1) controls optimizations available in earlier releases. We refer to this optimization as "optimization 1".

   - The next bit (value 2) suppresses superfluous ACCEPT rules in a policy chain that implements an ACCEPT policy. Any ACCEPT rules that immediately precede the final blanket ACCEPT rule in the chain are now omitted. We refer to this optimization as "optimization 2".

   - The next bit (value 4 or "optimization 4") enables the following additional optimizations:

     a) Empty chains are optimized away.
     b) Chains with one rule are optimized away.
     c) If a built-in chain has a single rule that branches to a second chain, then the rules from the second chain are moved to the built-in chain and the target chain is omitted.
     d) Chains with no references are deleted.
     e) Accounting chains are subject to optimization if the new OPTIMIZE_ACCOUNTING option is set to 'Yes' (default is 'No').
     f) If a chain ends with an unconditional branch to a second chain (other than to 'reject'), then the branch is deleted from the first chain and the rules from the second chain are appended to it.

   The following chains are exempted from optimization 4:

     action chains (user-created)
     accounting chains (unless OPTIMIZE_ACCOUNTING=Yes)
     dynamic
     forwardUPnP
     logdrop
     logreject
     rules chains (those of the form zonea2zoneb or zonea-zoneb)
     UPnP (nat table)

   To enable all possible optimizations, set OPTIMIZE to 7 (1 + 2 + 4).

2) Shorewall now combines identical logging chains. Previously, a separate chain was created for each logging rule.
3) Beginning with Shorewall 4.4.7, accounting can be disabled by setting ACCOUNTING=No in shorewall.conf. This allows you to keep a set of accounting rules configured in /etc/shorewall/accounting and to then enable and disable them by simply toggling the setting of ACCOUNTING.

   Similarly, dynamic blacklisting can be disabled by setting DYNAMIC_BLACKLIST=No. This saves a jump rule in the INPUT and FORWARD filter chains.

4) Shorewall can now automatically assign mark values to providers in cases where 'track' is specified (or TRACK_PROVIDERS=Yes) but packet marking is otherwise not used for directing connections to a particular provider. Simply specify '-' in the MARK column and Shorewall will automatically assign a mark value.

5) Support for TPROXY has been added. See http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY.

6) Traditionally, Shorewall has loaded all modules that could possibly be needed twice; once in the compiler, and once when the generated script is initialized. The latter can be a time-consuming process on slow hardware.

   Beginning with 4.4.7, there is a LOAD_HELPERS_ONLY option in shorewall.conf. For existing users, LOAD_HELPERS_ONLY=No is the default. For new users that employ the sample configurations, LOAD_HELPERS_ONLY=Yes will be the default. That setting causes only a small subset of modules to be loaded; it is assumed that the remaining modules will be autoloaded. Additionally, capability detection in the compiler is deferred until each capability is actually used. As a consequence, no modules are autoloaded unnecessarily.

   Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol helpers. These cannot be autoloaded. In addition, the nf_conntrack_sip module is loaded with sip_direct_media=0. This setting is slightly less secure than sip_direct_media=1, but it solves many VOIP problems that users routinely encounter.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
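The new 4.4.7 settings listed above (the OPTIMIZE bit-map, OPTIMIZE_ACCOUNTING, ACCOUNTING, DYNAMIC_BLACKLIST and LOAD_HELPERS_ONLY) can be audited from a shorewall.conf before a reload; the POSIX shell script below is an added example, not part of the announcement or of Shorewall itself, and the shorewall.conf excerpt it reads is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Shorewall code): summarise which 4.4.7 behaviours a
# shorewall.conf enables. The excerpt below is constructed for the demo.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed shorewall.conf excerpt
OPTIMIZE=6
OPTIMIZE_ACCOUNTING=No
ACCOUNTING=Yes
DYNAMIC_BLACKLIST=No
LOAD_HELPERS_ONLY=Yes
EOF

# conf_get FILE KEY -> last value assigned to KEY (quotes stripped, empty if unset)
conf_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# optimize_bits VALUE -> the optimization numbers (1, 2, 4) whose bits are set
optimize_bits() {
    v=${1:-0}
    case $v in *[!0-9]*) v=0 ;; esac   # non-numeric values count as 0
    out=""
    [ $((v & 1)) -ne 0 ] && out="$out 1"
    [ $((v & 2)) -ne 0 ] && out="$out 2"
    [ $((v & 4)) -ne 0 ] && out="$out 4"
    printf '%s\n' "${out# }"
}

# audit FILE -> one line per finding, derived from the rules in the announcement
audit() {
    opt=$(conf_get "$1" OPTIMIZE)
    case $opt in ''|*[!0-9]*) opt=0 ;; esac
    printf 'OPTIMIZE=%s enables optimizations: %s\n' "$opt" "$(optimize_bits "$opt")"
    # optimization 4 leaves accounting chains alone unless OPTIMIZE_ACCOUNTING=Yes
    if [ $((opt & 4)) -ne 0 ] && [ "$(conf_get "$1" OPTIMIZE_ACCOUNTING)" != "Yes" ]; then
        printf 'accounting chains exempt from optimization 4 (OPTIMIZE_ACCOUNTING is not Yes)\n'
    fi
    [ "$(conf_get "$1" ACCOUNTING)" = "No" ] && printf 'accounting rules disabled (ACCOUNTING=No)\n'
    [ "$(conf_get "$1" DYNAMIC_BLACKLIST)" = "No" ] && printf 'dynamic blacklisting disabled (no INPUT/FORWARD jump)\n'
    [ "$(conf_get "$1" LOAD_HELPERS_ONLY)" = "Yes" ] && printf 'only protocol helpers loaded; nf_conntrack_sip gets sip_direct_media=0\n'
    return 0
}

audit "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```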