4.4.10 Beta 1 is now available for testing. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) Startup Errors (those that are detected before the state of the system has been altered), were previously not sent to the STARTUP_LOG. 2) A regression of sorts occurred in Shorewall 4.4.9. Previously, a Perl extension script could end with a call to add_rule(). Such a script would fail in Shorewall 4.4.9 unless the ''trace'' option was specified on the run line. While this issue has been corrected, users are advised to always end their Perl extension scripts with the following line to insure that the script returns a ''true'' value: 1; ---------------------------------------------------------------------------- N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) Shorewall 4.4.10 includes a new ''Shorewall Init'' package. This new package provides two related features: a) It allows the firewall to be closed prior to bringing up network devices. This insures that unwanted connections are not allowed between the time that the network comes up and when the firewall is started. b) It integrates with NetworkManager and distribution ifup/ifdown systems to allow for ''event-driven'' startup and shutdown. The two facilities can be enabled separately. When Shorewall-init is first installed, it does nothing until you configure it. The configuration file is /etc/default/shorewall-init on Debian-based systems and /etc/sysconfig/shorewall-init otherwise. There are two settings in the file: PRODUCTS - lists the Shorewall packages that you want to integrate with Shorewall-init. Example: PRODUCTS="shorewall shorewall6" IFUPDOWN When set to 1, enables integration with NetworkManager and the ifup/ifdown scripts. To close your firewall before networking starts: a) in the Shorewall-init configuration file, set PRODUCTS to the firewall products installed on your system. b) be sure that your current firewall script(s) (normally in /var/lib/<product>/firewall) is(are) compiled with the 4.4.10 compiler. Shorewall and Shorewall6 users can execute these commands: shorewall compile shorewall6 compile Shorewall-lite and Shorewall6-lite users can execute these commands on the administrative system. shorewall export <firewall-name-or-ip-address> shorewall6 export <firewall-name-or-ip-address> That''s all that is required. To integrate with NetworkManager and ifup/ifdown, additional steps are required. You probably don''t want to enable this feature if you run a link status monitor like swping or LSM. a) In the Shorewall-init configuration file, set IFUPDOWN=1. b) In your Shorewall interfaces file(s), set the ''required'' option on any interfaces that must be up in order for the firewall to start. At least one interface must have the ''required'' or ''optional'' option if you perform the next optional step. c) (Optional) -- If you have specified at least one ''required'' or ''optional interface, you can then disable automatic firewall startup at boot time. On Debian-based systems, set start=0 in /etc/default/<product>. On other systems, use your service startup configuration tool (chkconfig, insserv, ...) to disable startup. The following actions occur when an interface comes up: FIREWALL INTERFACE ACTION STATE ---------------------------------- Any Required start stopped Optional start started - restart The following actions occur when an interface goes down: In the INTERFACE column, ''-'' indicates neither required nor optional FIREWALL INTERFACE ACTION STATE ---------------------------------- Any Required stop stopped Optional start started - restart For optional interfaces, the /var/lib/<product>/<interface>.state files are maintained to reflect the state of the interface. Please note that the action is carried out using the current compiled script; the configuration is not recompiled. A new option has been added to shorewall.conf and shorewall6.conf. The REQUIRE_INTERFACE option determines the outcome when an attempt to start/restart/restore/refresh the firewall is made and none of the optional interfaces are available. With REQUIRE_INTERFACE=No (the default), the operation is performed. If REQUIRE_INTERFACE=Yes, then the operation fails and the firewall is placed in the stopped state. This option is suitable for a laptop with both ethernet and wireless interfaces. If either come up, the firewall starts. If neither comes up, the firewall remains in the stopped state. Similarly, if an optional interface goes down and there are no optional interfaces remaining in the up state, then the firewall is stopped. Shorewall-init may be installed on Debian-based systems, SuSE-based systems and RedHat-based systems. Thank you for testing, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------
On 5/20/10 12:53 PM, Tom Eastep wrote:> > On Debian-based systems, set start=0 in /etc/default/<product>. >That should be *startup=0* -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------
Hi Tom, IMHO 4.5.0 may be better suited to release 4.4.10 as networking is rather central to firewalling, so adding new networking features warrant more than a minor naming update. But of course, it is your call to make. Regards, Trent O''Callaghan -----Original Message----- From: Tom Eastep [mailto:teastep@shorewall.net] Sent: Friday, 21 May 2010 3:53 AM To: Shorewall Development; Shorewall Users Subject: [Shorewall-users] Shorewall 4.4.10 Beta 1 4.4.10 Beta 1 is now available for testing. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) Startup Errors (those that are detected before the state of the system has been altered), were previously not sent to the STARTUP_LOG. 2) A regression of sorts occurred in Shorewall 4.4.9. Previously, a Perl extension script could end with a call to add_rule(). Such a script would fail in Shorewall 4.4.9 unless the ''trace'' option was specified on the run line. While this issue has been corrected, users are advised to always end their Perl extension scripts with the following line to insure that the script returns a ''true'' value: 1; ---------------------------------------------------------------------------- N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) Shorewall 4.4.10 includes a new ''Shorewall Init'' package. This new package provides two related features: a) It allows the firewall to be closed prior to bringing up network devices. This insures that unwanted connections are not allowed between the time that the network comes up and when the firewall is started. b) It integrates with NetworkManager and distribution ifup/ifdown systems to allow for ''event-driven'' startup and shutdown. The two facilities can be enabled separately. When Shorewall-init is first installed, it does nothing until you configure it. The configuration file is /etc/default/shorewall-init on Debian-based systems and /etc/sysconfig/shorewall-init otherwise. There are two settings in the file: PRODUCTS - lists the Shorewall packages that you want to integrate with Shorewall-init. Example: PRODUCTS="shorewall shorewall6" IFUPDOWN When set to 1, enables integration with NetworkManager and the ifup/ifdown scripts. To close your firewall before networking starts: a) in the Shorewall-init configuration file, set PRODUCTS to the firewall products installed on your system. b) be sure that your current firewall script(s) (normally in /var/lib/<product>/firewall) is(are) compiled with the 4.4.10 compiler. Shorewall and Shorewall6 users can execute these commands: shorewall compile shorewall6 compile Shorewall-lite and Shorewall6-lite users can execute these commands on the administrative system. shorewall export <firewall-name-or-ip-address> shorewall6 export <firewall-name-or-ip-address> That''s all that is required. To integrate with NetworkManager and ifup/ifdown, additional steps are required. You probably don''t want to enable this feature if you run a link status monitor like swping or LSM. a) In the Shorewall-init configuration file, set IFUPDOWN=1. b) In your Shorewall interfaces file(s), set the ''required'' option on any interfaces that must be up in order for the firewall to start. At least one interface must have the ''required'' or ''optional'' option if you perform the next optional step. c) (Optional) -- If you have specified at least one ''required'' or ''optional interface, you can then disable automatic firewall startup at boot time. On Debian-based systems, set start=0 in /etc/default/<product>. On other systems, use your service startup configuration tool (chkconfig, insserv, ...) to disable startup. The following actions occur when an interface comes up: FIREWALL INTERFACE ACTION STATE ---------------------------------- Any Required start stopped Optional start started - restart The following actions occur when an interface goes down: In the INTERFACE column, ''-'' indicates neither required nor optional FIREWALL INTERFACE ACTION STATE ---------------------------------- Any Required stop stopped Optional start started - restart For optional interfaces, the /var/lib/<product>/<interface>.state files are maintained to reflect the state of the interface. Please note that the action is carried out using the current compiled script; the configuration is not recompiled. A new option has been added to shorewall.conf and shorewall6.conf. The REQUIRE_INTERFACE option determines the outcome when an attempt to start/restart/restore/refresh the firewall is made and none of the optional interfaces are available. With REQUIRE_INTERFACE=No (the default), the operation is performed. If REQUIRE_INTERFACE=Yes, then the operation fails and the firewall is placed in the stopped state. This option is suitable for a laptop with both ethernet and wireless interfaces. If either come up, the firewall starts. If neither comes up, the firewall remains in the stopped state. Similarly, if an optional interface goes down and there are no optional interfaces remaining in the up state, then the firewall is stopped. Shorewall-init may be installed on Debian-based systems, SuSE-based systems and RedHat-based systems. Thank you for testing, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------
On 5/20/10 5:54 PM, Trent O''Callaghan wrote:> Hi Tom, > > IMHO 4.5.0 may be better suited to release 4.4.10 as networking is rather > central to firewalling, so adding new networking features warrant more than > a minor naming update. > > But of course, it is your call to make.If you don''t install Shorewall-init and you don''t define any ''required'' or ''wait'' interfaces, then there is absolutely no difference between 4.4.9 and 4.4.10-Beta1. That''s why Shorewall-init is a separate product which you can choose to ignore. The 4.5 branch was terminated some time ago and it is unlikely to be resurrected. I''m in my mid 60''s and I''m finding that I am more interested in travel and trying to restore my health than I am in working every free hour on Shorewall. As you reach my age, you find that the most precious things in your life are time and health, not hacking fun. And maintaining both stable and development branches adds considerable extra demand on my time. So unless some eager young people out there are willing to take this project by the horns and move it rapidly forward on both stable and development branches, you are going to be stuck with a single "mostly stable" branch that I will develop cautiously but possibly with an occasional hiccup. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------
Thanks for the perspective Tom. I commented without knowing the effort I was asking for. Sorry. -Trent O''Callaghan -----Original Message----- From: Tom Eastep [mailto:teastep@shorewall.net] Sent: Friday, 21 May 2010 10:24 AM To: shorewall-users@lists.sourceforge.net Subject: Re: [Shorewall-users] Shorewall 4.4.10 Beta 1 On 5/20/10 5:54 PM, Trent O''Callaghan wrote:> Hi Tom, > > IMHO 4.5.0 may be better suited to release 4.4.10 as networking is > rather central to firewalling, so adding new networking features > warrant more than a minor naming update. > > But of course, it is your call to make.If you don''t install Shorewall-init and you don''t define any ''required'' or ''wait'' interfaces, then there is absolutely no difference between 4.4.9 and 4.4.10-Beta1. That''s why Shorewall-init is a separate product which you can choose to ignore. The 4.5 branch was terminated some time ago and it is unlikely to be resurrected. I''m in my mid 60''s and I''m finding that I am more interested in travel and trying to restore my health than I am in working every free hour on Shorewall. As you reach my age, you find that the most precious things in your life are time and health, not hacking fun. And maintaining both stable and development branches adds considerable extra demand on my time. So unless some eager young people out there are willing to take this project by the horns and move it rapidly forward on both stable and development branches, you are going to be stuck with a single "mostly stable" branch that I will develop cautiously but possibly with an occasional hiccup. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------