The Shorewall Team is pleased to announce the availability of Shorewall
4.5.2.
Package maintainers should note the second Known Problem listed below. A
4.5.2.1 version will be released shortly to work around this limitation.
----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repairs from Shorewall 4.5.1.1 and
4.5.1.2 (see below).
2) The generated firewall script includes code to automatically create
   ipsets that are referenced but that don't exist. That code was
   broken in releases 4.4.22 and later. This defect has been
   corrected. As part of the fix, the generated script will now
   issue a warning message when it creates an ipset.
----------------------------------------------------------------------------
II.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) The 'configure' script described below does not work on RHEL5 and
   derivatives. The version of Bash on those systems does not support
   features used by the script.

   Failure message is:

       ./configure: line 28: declare: -A: invalid option
----------------------------------------------------------------------------
III.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) The 'mss' option is now supported in the /etc/shorewall[6]/hosts
   files. See the manpages for details.
2) It is now possible to conditionally include or omit configuration
entries based on the settings of shell variables. See
http://www.shorewall.net/configuration_file_basics.htm#Conditional
for details.
3) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
renamed ACTION to reflect the expanded set of actions that can be
specified in the column.
4) Some users are finding these ipset warnings objectionable:
- Warning when a referenced ipset does not exist.
- Warning when using [src] in a destination column or [dst] in a
source column.
These warnings may now be suppressed by setting IPSET_WARNINGS=No
in shorewall.conf and/or shorewall6.conf.
5) The evolution of the Shorewall installation process
continues. Testers are invited to provide comments and suggestions
about the following.
Beginning with this release, the installers accept a configuration
file as a parameter. Options set in the configuration file are as
follows:
BUILD (optional) -- Platform on which the installation is being
performed. Possible values are:
apple - OS X
archlinux - ArchLinux
cygwin - Cygwin running under Windows
debian - Debian and derivatives
linux - Generic Linux system
redhat - Fedora, RHEL and derivatives
suse - SLES and OpenSuSE
If no value is assigned, then the installer
will detect the platform.
HOST (Optional) -- Allowed values are same as for BUILD. If not
specified, the BUILD setting is used.
CONFDIR (Req'd)       -- Directory where product configuration
                         directory is installed. Normally /etc.
SHAREDIR (Req'd)      -- Directory where architecture-independent
                         product files are installed. Normally
                         /usr/share.
LIBEXECDIR (Req'd)    -- Directory where product executables are
                         installed. Normally /usr/share or
                         /usr/libexec.
PERLLIBDIR (Req'd)    -- Directory where Shorewall Perl modules are
                         to be installed. Traditionally
                         /usr/share/shorewall.
SBINDIR (Req'd)       -- Directory where product CLI programs are
                         installed. Normally /sbin.
MANDIR (Req'd)        -- Directory where manpages are
                         installed. Normally /usr/share/man.
INITFILE (Optional)
-- Optional. If given, specifies the installed
filename of the initscript. Normally
set to $PRODUCT which the installers expand
to the name of the product being installed.
If not specified, no init script will be
installed.
INITSOURCE (Optional)
-- Must be specified if INITFILE is specified.
Gives the name of the file to be installed
as the INITFILE.
INITDIR (Optional) -- Directory where SysV init scripts are
installed. Must be specified if INITFILE is
specified.
ANNOTATED (Optional)
-- If non-empty, indicates that the
configuration files are to be annotated with
manpage information. Normally empty.
SYSTEMD (Optional) -- Name of the directory where .service files
are to be installed. Should only be specified
on systems running systemd.
SYSCONFDIR (Optional)
-- Name of the directory where subsystem
init configuration information is stored.
On Debian and derivates, this is
/etc/default. On other systems, it is
/etc/sysconfig.
SYSCONFFILE (Optional)
-- Name of the file to be installed in the
SYSCONFIGDIR. The installed name of the file
will always be the product name (shorewall,
shorewall-lite, etc.)
SPARSE (Optional)     -- If non-empty, causes only the .conf file to
                         be installed in
                         ${CONFDIR}/${PRODUCT}/. Otherwise, all of
                         the product's skeleton configuration files
                         will be installed.
TEMPDIR (Optional) -- If non-empty, the generated firewall script
will export the variable TMPDIR with
value $TEMPDIR.
VARDIR (Required)     -- Directory where product state information
                         is stored. Normally /var/lib.
                         This setting was previously stored in the
                         optional vardir file in the product's
                         configuration directory.
Each of the product tarballs contains a set of configuration files
for the various HOSTS:
shorewallrc.apple
shorewallrc.archlinux
shorewallrc.cygwin
shorewallrc.debian
shorewallrc.default (for HOST 'linux')
shorewallrc.redhat
shorewallrc.suse
To aid distribution packagers, a configure script has been added.
The arguments to the script are the usual list of

    <option>=<value>

assignments. The supported options are the same as those above,
although they may be in lower case and may be optionally preceded
by '--'.
The configure script uses the setting of --host to select the
appropriate rc file. It reads that file to establish default
settings and then applies the values specified in the argument
list. To allow use with the %configure RPM macro, only the last
occurrence of a particular option setting is applied. The resulting
settings are written to a file named 'shorewallrc' in the current
working directory and are also written to standard out.
When Shorewall-core is installed on a system (with no DESTDIR), it
copies the specified configuration file into root's
~/.shorewallrc. The ~/.shorewallrc file is then used, by default,
when installing the other packages.
To further aid use with %configure, several aliases are supported:
alias option
----- ------
sharedstatedir vardir
datadir sharedir
sysconfdir confdir
The configuration file is also copied to
${SHAREDIR}/shorewall/shorewallrc where the CLI programs and init
scripts can find it. Those programs are modified by the installer
when ${SHAREDIR} is not /usr/share.
When using Shorewall-lite or Shorewall6-lite, if the remote
firewall's shorewallrc file differs from that on the firewall, then
a copy of the remote file should be placed in the firewall's
configuration directory on the administrative system.
Beginning with this release, using /etc/shorewall-lite/vardir
and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
favor of the VARDIR setting in shorewallrc.
NOTE: While the name of the variable remains VARDIR, the
meaning is slightly different. When set in shorewallrc,
each product (shorewall-lite, and shorewall6-lite) will
create a directory under the specified path name to
hold state information.
Example:
VARDIR=/opt/var/lib/
The state directory for shorewall-lite will be
/opt/var/lib/shorewall-lite/ and the directory for
shorewall6-lite will be /opt/var/lib/shorewall6-lite.
When VARDIR is set in /etc/shorewall[6]-lite/vardir, the
product will save its state in the specified directory.
Thank you for using Shorewall.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
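An added example, not Shorewall's own configure script or installer, that emulates the option handling the announcement describes (rc file chosen by --host, defaults from that file, NAME=value arguments applied with the last occurrence winning, the %configure aliases, and the per-product VARDIR state directory). The shorewallrc.<host> contents in host_rc are constructed stand-ins, and it is written in POSIX sh rather than the bash features the real script needs.

```shell
#!/bin/sh
# Added example, not Shorewall's own configure script: a POSIX-sh emulation
# of the option handling described in the announcement. It avoids bash
# 'declare -A', the construct that fails on RHEL5 in Known Problem 2.

# Constructed stand-in for the shipped shorewallrc.<host> files; the values
# are illustrative defaults, not the real file contents.
host_rc() {
    case $1 in
        redhat) printf 'HOST=redhat\nCONFDIR=/etc\nSHAREDIR=/usr/share\n' ;;
        *)      printf 'HOST=linux\nCONFDIR=/etc\nSHAREDIR=/usr/share\n' ;;
    esac
    printf 'SBINDIR=/sbin\nVARDIR=/var/lib\n'
}

# Normalise an option name: strip an optional '--', ignore case, and map the
# %configure aliases (sharedstatedir, datadir, sysconfdir) to rc names.
canon_opt() {
    name=$(printf '%s' "${1#--}" | tr 'A-Z' 'a-z')
    case $name in
        sharedstatedir) name=vardir ;;
        datadir)        name=sharedir ;;
        sysconfdir)     name=confdir ;;
    esac
    printf '%s' "$name" | tr 'a-z' 'A-Z'
}

# Emulate 'configure': pick the rc file from --host (default 'linux'), take
# its settings as defaults, then apply NAME=value arguments in order so the
# last occurrence of a name wins. Output is the resulting shorewallrc text.
configure() {
    host=linux
    for arg in "$@"; do
        case $arg in *=*) ;; *) echo "not an assignment: $arg" >&2; return 1 ;; esac
        if [ "$(canon_opt "${arg%%=*}")" = HOST ]; then host=${arg#*=}; fi
    done
    rc=$(host_rc "$host")
    for arg in "$@"; do
        name=$(canon_opt "${arg%%=*}")
        rc=$(printf '%s\n' "$rc" | grep -v "^$name=" || :)   # drop earlier value
        rc=$(printf '%s\n%s=%s' "$rc" "$name" "${arg#*=}")
    done
    printf '%s\n' "$rc"
}

# Read one setting back out of generated shorewallrc text.
rc_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1; }

# Per-product state directory under a shorewallrc VARDIR, as in the NOTE:
# VARDIR=/opt/var/lib/ gives /opt/var/lib/shorewall-lite for shorewall-lite.
state_dir() { printf '%s/%s' "${1%/}" "$2"; }
```

Running `configure --host=redhat --sbindir=/sbin SBINDIR=/usr/sbin` yields a single SBINDIR=/usr/sbin line, which is the "only the last occurrence is applied" behaviour that makes the script usable under the %configure macro.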
On 04/10/2012 11:52 AM, Tom Eastep wrote:
> The Shorewall Team is pleased to announce the availability of Shorewall
> 4.5.2.
>
> 5) The evolution of the Shorewall installation process
>    continues. Testers are invited to provide comments and suggestions
>    about the following.
>
>    Beginning with this release, the installers accept a configuration
>    file as a parameter.

I needed to make the attached changes to shorewallrc.redhat to preserve
the current locations of files for the Fedora RPMS. I know you can
override them but it does seem like these should be the defaults.

Also, /etc/shorewall{,6}-lite/Makefile probably should go in
/usr/share/shorewall{,6}-lite.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                    orion@nwra.com
Boulder, CO 80301                     http://www.nwra.com
On 4/11/12 2:42 PM, Orion Poplawski wrote:
> On 04/10/2012 11:52 AM, Tom Eastep wrote:
>> The Shorewall Team is pleased to announce the availability of Shorewall
>> 4.5.2.
>>
>> 5) The evolution of the Shorewall installation process
>>    continues. Testers are invited to provide comments and suggestions
>>    about the following.
>>
>>    Beginning with this release, the installers accept a configuration
>>    file as a parameter.
>
> I needed to make the attached changes to shorewallrc.redhat to preserve
> the current locations of files for the Fedora RPMS. I know you can
> override them but it does seem like these should be the defaults.
>
> Also, /etc/shorewall{,6}-lite/Makefile probably should go in
> /usr/share/shorewall{,6}-lite.

Done.

Thanks,
-Tom
On Wed, 11 Apr 2012 15:42:58 -0600 Orion Poplawski <orion@cora.nwra.com> wrote:
> +PERLLIBDIR=${PREFIX}/share/perl5

I think this should be ${PREFIX}/share/perl5/vendor_perl according to
fedora perl packaging guidelines.

Only system perl installs to /usr/share/perl5.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
On 04/11/2012 03:42 PM, Tom Eastep wrote:
> On 4/11/12 2:42 PM, Orion Poplawski wrote:
>> Also, /etc/shorewall{,6}-lite/Makefile probably should go in
>> /usr/share/shorewall{,6}-lite.
>
> Done.

I've decided to hold off on this last change until 4.5.3. I think it
needs discussion on the development list.

-Tom
On 04/12/2012 03:59 AM, Tuomo Soini wrote:
> On Wed, 11 Apr 2012 15:42:58 -0600
> Orion Poplawski<orion@cora.nwra.com> wrote:
>
>> +PERLLIBDIR=${PREFIX}/share/perl5
>
> I think this should be ${PREFIX}/share/perl5/vendor_perl according to
> fedora perl packaging guidelines.
>
> Only system perl installs to /usr/share/perl5.
>

Ah, yes, that is true. It uses the output of:

    # perl -V:installvendorlib
    installvendorlib='/usr/share/perl5/vendor_perl';

--
Orion Poplawski
On 04/11/2012 03:42 PM, Orion Poplawski wrote:
> On 04/10/2012 11:52 AM, Tom Eastep wrote:
>> The Shorewall Team is pleased to announce the availability of Shorewall
>> 4.5.2.
>>
>> 5) The evolution of the Shorewall installation process
>>    continues. Testers are invited to provide comments and suggestions
>>    about the following.
>>
>>    Beginning with this release, the installers accept a configuration
>>    file as a parameter.
>
> I needed to make the attached changes to shorewallrc.redhat to preserve the
> current locations of files for the Fedora RPMS. I know you can override them
> but it does seem like these should be the defaults.

Also as another heads up, with
http://fedoraproject.org/wiki/Features/UsrMove in Fedora 17, /sbin moves
to /usr/sbin and /lib/systemd moves to /usr/lib/systemd. There are compat
symlinks so nothing breaks but it is something to keep in mind.

--
Orion Poplawski
On 4/12/12 8:40 AM, Orion Poplawski wrote:
> On 04/12/2012 03:59 AM, Tuomo Soini wrote:
>> On Wed, 11 Apr 2012 15:42:58 -0600
>> Orion Poplawski<orion@cora.nwra.com> wrote:
>>
>>> +PERLLIBDIR=${PREFIX}/share/perl5
>>
>> I think this should be ${PREFIX}/share/perl5/vendor_perl according to
>> fedora perl packaging guidelines.
>>
>> Only system perl installs to /usr/share/perl5.
>>
>
> Ah, yes, that is true. It uses the output of:
>
>     # perl -V:installvendorlib
>     installvendorlib='/usr/share/perl5/vendor_perl';
>

I've updated the file accordingly.

-Tom
On 04/12/2012 08:52 AM, Tom Eastep wrote:
> On 04/11/2012 03:42 PM, Tom Eastep wrote:
>> On 4/11/12 2:42 PM, Orion Poplawski wrote:
>
>>> Also, /etc/shorewall{,6}-lite/Makefile probably should go in
>>> /usr/share/shorewall{,6}-lite.
>>
>> Done.
>
> I've decided to hold off on this last change until 4.5.3. I think it
> needs discussion on the development list.
>
> -Tom

Sure. The reason I suggested it is that in general only user
configuration files belong in /etc. If the user has no business
modifying it, it really doesn't belong there. I really don't know
anything about these particular files and whether or not they are user
modifiable.

--
Orion Poplawski
On Thu, 12 Apr 2012 07:52:46 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> On 04/11/2012 03:42 PM, Tom Eastep wrote:
> > On 4/11/12 2:42 PM, Orion Poplawski wrote:
>
> >> Also, /etc/shorewall{,6}-lite/Makefile probably should go in
> >> /usr/share/shorewall{,6}-lite.
> >
> > Done.
>
> I've decided to hold off on this last change until 4.5.3. I think it
> needs discussion on the development list.

This is the same as removing the whole Makefile - as he confessed, he
didn't have the slightest idea what this file does - and there is no
reason why a user couldn't edit the Makefile ... I'd just leave it there.

--
Tuomo Soini <tis@foobar.fi>