The Shorewall team is pleased to announce the availability of Shorewall 4.4.27.

----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------

1) Shorewall 4.4.27 includes all defect corrections provided by Shorewall
   4.4.26.1.

2) When TC_ENABLED=Shared, CLASSIFY rules could not previously be used in
   the tcrules file. Thanks to a patch from Chris Boot, this now works as
   expected.

3) When providers were used in an IPv6 configuration, each time that
   Shorewall6 was started or restarted, entries as follows would be added
   to the IPv4 (!) routing rules:

      32767: from all lookup default

   One such entry would be added for each provider. Now, one such entry is
   added to the IPv6 routing rules, and only if that entry does not already
   exist.

4) The formatting of the manpage info in the annotated configuration files
   has been improved dramatically.

5) A blrules file generated by 'update -b' would fail the compilation step
   with

      ERROR: Unknown ACTION (A_blacklog)

   if all of the following were true:

   a) BLACKLIST_DISPOSITION did not specify an audited disposition.
   b) BLACKLIST_LOGLEVEL was specified.
   c) The 'audit' option appeared in one or more blacklist entries.

----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------

1) Up to this point, Shorewall has had a lot of very similar files in
   multiple products. Beginning with this release, the following files are
   identical:
   - /sbin/shorewall
   - /sbin/shorewall6
   - /sbin/shorewall-lite
   - /sbin/shorewall6-lite

   The program uses its own file name to determine which role it is to
   assume. It does that by initializing variables that are later used
   within the various libraries.

   Shorewall and Shorewall6 share use of /usr/share/shorewall/lib.base,
   /usr/share/shorewall/lib.cli, and /usr/share/shorewall/lib.common.
   /usr/share/shorewall6/lib.base is a small file that sets variables and
   then sources /usr/share/shorewall/lib.base.

   As before, shorewall and shorewall-lite share the same libraries, as do
   shorewall6 and shorewall6-lite.

   Shorewall includes a new library: /usr/share/shorewall/lib.cli-std.
   /usr/share/shorewall[6]/lib.cli contains everything needed by the Lite
   products.

2) Shorewall now supports the CT target in the Netfilter 'raw' table. See
   'man shorewall-notrack' for details.

   The main use of this target is described in this paper:

   http://home.regit.org/wp-content/uploads/2011/11/helper-recommandation.pdf

   The paper is a product of the vulnerability described in the 4.4.20
   release note, which introduced the 'sfilter' facility.

   In the paper, rules such as the following are recommended:

      iptables -A PREROUTING -t raw -p tcp --dport 2121 \
               -d 1.2.3.4 -j CT --helper ftp

   The equivalent entry in /etc/shorewall/notrack would be:

      #ACTION         SOURCE          DEST            PROTO   DEST
      #                                                       PORT(S)
      CT:helper:ftp   1.2.3.4         -               tcp     2121

   As part of this change, Shorewall now verifies the helper name in the
   HELPER column of the tcrules and tcpri files.

3) The above-referenced paper also advocates careful control of RELATED
   rules. To allow such control, two new options have been introduced in
   shorewall[6].conf:

   - RELATED_DISPOSITION

     May be ACCEPT, A_ACCEPT, A_DROP, A_REJECT, DROP or REJECT. For
     compatibility with earlier releases, the default is ACCEPT. Specifies
     the disposition of RELATED packets that do not match any rule in the
     RELATED section of the rules file.

   - RELATED_LOG_LEVEL

     Specifies a level for logging related packets. Default is empty, which
     means that no logging occurs.
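   To make the notrack/CT relationship in item 2 concrete, here is an added
   example (it is not Shorewall's code and not from this announcement): a
   small POSIX shell script that renders CT:helper entries from a notrack
   file as the equivalent iptables raw-table rules, and refuses unknown
   helper names in the spirit of the new compiler check. The notrack file
   content, the SOURCE-to-"-s" / DEST-to-"-d" column mapping, and the list of
   accepted helper names are all assumptions made for this example; Shorewall's
   compiler generates its own rule set and its accepted helper list may differ.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: translate CT:helper entries from
# a Shorewall notrack file into the iptables raw-table rules they stand for.

# Helper names accepted by this example. Assumption: the common Netfilter
# conntrack helper modules; Shorewall's own list may differ.
KNOWN_HELPERS='amanda ftp h323 irc netbios-ns pptp sane sip snmp tftp'

# Constructed notrack file content (not from a real system) using the
# column layout from the release note: ACTION SOURCE DEST PROTO DEST PORT(S).
SAMPLE_NOTRACK='#ACTION         SOURCE          DEST            PROTO   DEST
#                                                       PORT(S)
CT:helper:ftp   10.0.0.0/8      192.0.2.10      tcp     2121
CT:helper:sip   -               -               udp     5060'

# Translate one five-column entry into an iptables command; "-" means "any".
# Only CT:helper:<name> actions are handled. Prints the command on stdout
# and returns 1 (with a message on stderr) for an unknown helper name.
notrack_to_iptables() {
    action=$1 src=$2 dst=$3 proto=$4 port=$5
    helper=${action#CT:helper:}
    case " $KNOWN_HELPERS " in
        *" $helper "*) ;;
        *) echo "ERROR: unknown helper '$helper' in action '$action'" >&2; return 1 ;;
    esac
    rule="iptables -t raw -A PREROUTING"
    if [ "$src" != "-" ]; then rule="$rule -s $src"; fi
    if [ "$dst" != "-" ]; then rule="$rule -d $dst"; fi
    rule="$rule -p $proto --dport $port -j CT --helper $helper"
    echo "$rule"
}

# Render every non-comment, non-blank entry of a notrack file given as a
# string. Stops at the first unknown helper, like a failed compile would.
render_notrack() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' |
    while read -r action src dst proto port; do
        notrack_to_iptables "$action" "$src" "$dst" "$proto" "$port" || exit 1
    done
}

# Stand-alone run: show the rules the constructed sample corresponds to.
render_notrack "$SAMPLE_NOTRACK"
```

   On a live system the rules Shorewall actually installed can be compared
   with this output using 'iptables -t raw -L PREROUTING -n' (or
   'shorewall show raw'); a helper that is assigned here explicitly is the
   one the paper recommends instead of relying on automatic helper lookup.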
4) The options in shorewall.conf (shorewall6.conf) may now be used as shell
   variables in other configuration files.

5) A new option, USE_PHYSICAL_NAMES, has been added to shorewall.conf and
   shorewall6.conf. Normally, when the rules compiler creates a Netfilter
   chain that relates to an interface, the logical name of the interface is
   used as the base for the chain name. For example, if an interface has
   logical name OAKLAND and physical name eth0, then the primary chain for
   input arriving on that interface is normally 'OAKLAND_in'. When
   USE_PHYSICAL_NAMES=Yes, the name would be 'eth0_in'.

6) CLASSIFY entries in tcrules may now be placed in the FORWARD or
   PREROUTING chain by following the class Id with :F or :P respectively.

Thank you for using Shorewall.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
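For problem 3 in section I above (the stray "32767: from all lookup default"
entries that earlier Shorewall6 releases added to the IPv4 routing rules),
here is an added check that is not part of this announcement or of
Shorewall: a POSIX shell script that counts such entries in an 'ip rule
show' dump, so an administrator can confirm the IPv4 rules hold none and the
IPv6 rules hold exactly one after upgrading. The three rule dumps embedded
in it are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: detect leftover
# "32767: from all lookup default" policy routing rules.

# Constructed sample dumps (not captured from a real system).
# Shape of an affected system with three providers before 4.4.27:
BUGGY_V4_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
32767:  from all lookup default
32767:  from all lookup default'

# Expected IPv4 rules once the bug is fixed: no such entry at all.
CLEAN_V4_RULES='0:      from all lookup local
32766:  from all lookup main'

# Expected IPv6 rules with providers in use: exactly one such entry.
FIXED_V6_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# Print the number of "lookup default" rules at priority 32767 in a dump.
# grep -c exits 1 when the count is 0, so force a zero exit status.
count_default_rules() {
    printf '%s\n' "$1" | grep -c '^32767:[[:space:]]*from all lookup default[[:space:]]*$' || true
}

# Succeed only when a dump holds exactly the expected number of such rules:
# 0 for the IPv4 rules, 1 for the IPv6 rules once providers are in use.
default_rules_as_expected() {
    [ "$(count_default_rules "$1")" -eq "$2" ]
}

# Stand-alone run: report on the constructed samples.
for name in BUGGY_V4_RULES CLEAN_V4_RULES FIXED_V6_RULES; do
    eval "dump=\$$name"
    printf '%s: %s matching rule(s)\n' "$name" "$(count_default_rules "$dump")"
done
```

On a live host, feed the real dumps in: 'default_rules_as_expected "$(ip -4
rule show)" 0' and 'default_rules_as_expected "$(ip -6 rule show)" 1'. A
count above one in the IPv6 rules means duplicates are still accumulating
across restarts and should be removed with 'ip -6 rule del' before they are
counted again.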