4.4.10 Beta 1 is now available for testing.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Startup Errors (those that are detected before the state of the
system has been altered), were previously not sent to the
STARTUP_LOG.
2) A regression of sorts occurred in Shorewall 4.4.9. Previously, a
Perl extension script could end with a call to add_rule(). Such a
script would fail in Shorewall 4.4.9 unless the 'trace' option was
specified on the run line.
While this issue has been corrected, users are advised to always
end their Perl extension scripts with the following line to ensure
that the script returns a 'true' value:
1;
----------------------------------------------------------------------------
N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
package provides two related features:
a) It allows the firewall to be closed prior to bringing up
network devices. This ensures that unwanted connections are not
allowed between the time that the network comes up and when the
firewall is started.
b) It integrates with NetworkManager and distribution ifup/ifdown
systems to allow for 'event-driven' startup and shutdown.
The two facilities can be enabled separately.
When Shorewall-init is first installed, it does nothing until you
configure it.
The configuration file is /etc/default/shorewall-init on
Debian-based systems and /etc/sysconfig/shorewall-init otherwise.
There are two settings in the file:
PRODUCTS - lists the Shorewall packages that you want to
integrate with Shorewall-init. Example:
PRODUCTS="shorewall shorewall6"
IFUPDOWN - When set to 1, enables integration with
NetworkManager and the ifup/ifdown scripts.
To close your firewall before networking starts:
a) in the Shorewall-init configuration file, set PRODUCTS to the
firewall products installed on your system.
b) be sure that your current firewall script(s) (normally in
/var/lib/<product>/firewall) is(are) compiled with the 4.4.10
compiler.
Shorewall and Shorewall6 users can execute these commands:
shorewall compile
shorewall6 compile
Shorewall-lite and Shorewall6-lite users can execute these
commands on the administrative system.
shorewall export <firewall-name-or-ip-address>
shorewall6 export <firewall-name-or-ip-address>
That's all that is required.
To integrate with NetworkManager and ifup/ifdown, additional steps
are required. You probably don't want to enable this feature if you
run a link status monitor like swping or LSM.
a) In the Shorewall-init configuration file, set IFUPDOWN=1.
b) In your Shorewall interfaces file(s), set the 'required' option
on any interfaces that must be up in order for the firewall to
start. At least one interface must have the 'required' or
'optional' option if you perform the next optional step.
c) (Optional) -- If you have specified at least one 'required'
or 'optional' interface, you can then disable automatic firewall
startup at boot time.
On Debian-based systems, set start=0 in /etc/default/<product>.
On other systems, use your service startup configuration tool
(chkconfig, insserv, ...) to disable startup.
The following actions occur when an interface comes up:
FIREWALL STATE   INTERFACE   ACTION
----------------------------------
Any              Required    start
stopped          Optional    start
started          -           restart
The following actions occur when an interface goes down:
In the INTERFACE column, '-' indicates neither required nor optional
FIREWALL STATE   INTERFACE   ACTION
----------------------------------
Any              Required    stop
stopped          Optional    start
started          -           restart
For optional interfaces, the /var/lib/<product>/<interface>.state
files are maintained to reflect the state of the interface.
Please note that the action is carried out using the current
compiled script; the configuration is not recompiled.
A new option has been added to shorewall.conf and
shorewall6.conf. The REQUIRE_INTERFACE option determines the
outcome when an attempt to start/restart/restore/refresh the
firewall is made and none of the optional interfaces are available.
With REQUIRE_INTERFACE=No (the default), the operation is
performed. If REQUIRE_INTERFACE=Yes, then the operation fails and
the firewall is placed in the stopped state. This option is
suitable for a laptop with both ethernet and wireless
interfaces. If either comes up, the firewall starts. If neither
comes up, the firewall remains in the stopped state. Similarly, if
an optional interface goes down and there are no optional
interfaces remaining in the up state, then the firewall is stopped.
Shorewall-init may be installed on Debian-based systems, SuSE-based
systems and RedHat-based systems.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
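As an added illustration (not Shorewall's own code) of the interface-event tables and the REQUIRE_INTERFACE rule described in the announcement above, the following POSIX shell models which action Shorewall-init would take for a given firewall state, interface kind and event; the function names and the assumed "up"/"down" contents of the <interface>.state files are assumptions of this example, not documented Shorewall behaviour.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: models the interface-event table and
# the REQUIRE_INTERFACE rule from the announcement. Function names, and the
# "up"/"down" contents of the <interface>.state files, are assumptions.

STATEDIR=${STATEDIR:-$(mktemp -d)}   # stands in for /var/lib/<product>

# Record an optional interface's state (one file per interface, as the
# announcement describes for /var/lib/<product>/<interface>.state).
set_iface_state() { echo "$2" > "$STATEDIR/$1.state"; }

# Count optional interfaces whose state file reads "up".
optional_up_count() {
    n=0
    for f in "$STATEDIR"/*.state; do
        if [ -f "$f" ] && [ "$(cat "$f")" = up ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# decide_action FIREWALL_STATE INTERFACE_KIND EVENT [REQUIRE_INTERFACE]
#   FIREWALL_STATE : started | stopped
#   INTERFACE_KIND : required | optional | -   ('-' = neither)
#   EVENT          : up | down
# Prints the action the event table gives: start, stop, restart or none.
decide_action() {
    state=$1 kind=$2 event=$3 require=${4:-No}
    # REQUIRE_INTERFACE=Yes: an optional interface going down with no other
    # optional interface left up stops the firewall.
    if [ "$event" = down ] && [ "$kind" = optional ] && [ "$require" = Yes ] \
       && [ "$(optional_up_count)" -eq 0 ]; then
        echo stop
        return
    fi
    case "$event:$kind:$state" in
        up:required:*)         echo start ;;    # Any      Required  start
        up:optional:stopped)   echo start ;;    # stopped  Optional  start
        up:-:started)          echo restart ;;  # started  -         restart
        down:required:*)       echo stop ;;     # Any      Required  stop
        down:optional:stopped) echo start ;;    # stopped  Optional  start
        down:-:started)        echo restart ;;  # started  -         restart
        *)                     echo none ;;     # no row in the table
    esac
}
```

Combinations that have no row in the announcement's tables deliberately print "none" rather than guessing; the real ifup/ifdown hook runs the already compiled script for the chosen action without recompiling.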
On 5/20/10 12:53 PM, Tom Eastep wrote:
> On Debian-based systems, set start=0 in /etc/default/<product>.

That should be *startup=0*

-Tom
------------------------------------------------------------------------------
Hi Tom,
IMHO 4.5.0 may be better suited to release 4.4.10 as networking is rather
central to firewalling, so adding new networking features warrants more than
a minor naming update.
But of course, it is your call to make.
Regards,
Trent O'Callaghan
------------------------------------------------------------------------------
On 5/20/10 5:54 PM, Trent O'Callaghan wrote:
> Hi Tom,
>
> IMHO 4.5.0 may be better suited to release 4.4.10 as networking is rather
> central to firewalling, so adding new networking features warrant more than
> a minor naming update.
>
> But of course, it is your call to make.

If you don't install Shorewall-init and you don't define any 'required' or 'wait' interfaces, then there is absolutely no difference between 4.4.9 and 4.4.10-Beta1. That's why Shorewall-init is a separate product which you can choose to ignore.

The 4.5 branch was terminated some time ago and it is unlikely to be resurrected. I'm in my mid 60's and I'm finding that I am more interested in travel and trying to restore my health than I am in working every free hour on Shorewall. As you reach my age, you find that the most precious things in your life are time and health, not hacking fun. And maintaining both stable and development branches adds considerable extra demand on my time.

So unless some eager young people out there are willing to take this project by the horns and move it rapidly forward on both stable and development branches, you are going to be stuck with a single "mostly stable" branch that I will develop cautiously but possibly with an occasional hiccup.

-Tom
------------------------------------------------------------------------------
Thanks for the perspective Tom. I commented without knowing the effort I was asking for. Sorry.

-Trent O'Callaghan
------------------------------------------------------------------------------