Shorewall 4.5.3 is now available for download.

----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) This version includes all defect repairs from Shorewall 4.5.2.1 -
   4.5.2.4.

2) The LOCKFILE setting in shorewall.conf and shorewall6.conf had
   inadvertently become undocumented. It is now documented again.

3) If an initial installation of Shorewall, Shorewall6, Shorewall Lite or
   Shorewall6 Lite was done under Shorewall 4.5.2, then the firewall would
   not start up at boot even though the installer indicated that it would.
   That defect has been corrected.

4) Previously, when per-IP rate limiting was invoked, the compiler would
   use the deprecated '--ratelimit' option, even if the preferred
   '--ratelimit-upto' option was available. Now, the compiler uses the
   preferred option if it is supported by the installed version of
   iptables.

5) Prior to this release, using a manual chain in the ACTION column of a
   macro body generated an error:

      ERROR: Invalid Action (mychain) in macro, macro.FOO (line ...)

   This now works correctly and generates a jump to the specified manual
   chain.

6) If SHAREDIR was other than /usr/share and $CONFDIR/shorewall/init did
   not exist, then an error message similar to this was emitted:

      Processing /usr/local/share/shorewall/init ...
      Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}

7) Previously, a line with the single word COMMENT in the tunnels file
   would generate the following error:

      ERROR: Zone must be specified

   Now, such a line correctly resets the current rule comment.

8) In Shorewall 4.5.2, the MARK column in the tcrules file was renamed to
   ACTION but only 'mark' was accepted in the alternate specification
   format. Now both 'mark' and 'action' are accepted.
9) The alternative method of provider balancing using the statistic match
   feature of iptables/Netfilter was missing some logic, with the result
   that it was ineffective.

10) If a logical interface name was used by itself in the SOURCE column of
    the rtrules file, the generated routing rule would contain the logical
    name rather than the physical name.

----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

2) Shorewall's TPROXY support is incomplete. A new and slightly different
   implementation of TPROXY will be available in Shorewall 4.5.4.

----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) The '-T' option is now supported in the Shorewall and Shorewall6
   'load', 'reload', 'restart' and 'start' commands. As with the 'check'
   command, it causes a Perl stack trace to be printed along with compiler
   WARNING and ERROR messages.

2) The debuggability of assertion failures has been improved.

   - A Perl stack trace is now generated unconditionally on an assertion
     failure.

   - Relevant data is passed as additional arguments to assertion checks,
     so setting a breakpoint in Shorewall::Config::assert() now allows
     examination of the data structures surrounding the failure.

3) The GATEWAY column of the tunnels file has been renamed 'GATEWAYS' and
   now accepts a list of host and network addresses as well as IP ranges.
   Exclusion is not permitted. In the alternate specification format, both
   'gateway' and 'gateways' are accepted as the column name.
4) The 'refresh' command now allows additional options:

      -d             - Run the rules compiler under the Perl debugger.
      -n             - Don't modify routing.
      -T             - Produce a Perl stack trace on errors and warnings.
      -D <directory> - Look in <directory> first for configuration files.

5) The interfaces file now supports two formats:

      FORMAT 1 - (default, deprecated) Includes the BROADCAST column
                 (UNICAST in Shorewall6).

      FORMAT 2 - Does not include the BROADCAST (UNICAST) column.

   The format is specified by a line like this:

      FORMAT {1|2}

   The sample configurations have been updated to use FORMAT 2.

6) A change has been made in the packaging for Slackware. On Slackware,
   there is an /etc/rc.d/firewall.rc script that looks for
   /etc/rc.d/shorewall.rc and /etc/rc.d/shorewall6.rc and runs them,
   passing its own arguments. The file installed as firewall.rc is named
   init.slackware.firewall.sh and has traditionally been included in the
   Shorewall package. Beginning with this release, it is moved to the
   Shorewall-core package. This opens the door for releasing Slackware
   versions of the -lite products in the future.

   The init scripts for Slackware are now described in slackware.rc as:

      AUXINITSOURCE=init.slackware.firewall.sh
      AUXINITFILE=rc.firewall
      INITSOURCE=init.slackware.$PRODUCT.sh
      INITFILE=rc.$PRODUCT

7) Previously, errors reported in macros were hard to analyze. Example:

      ERROR: Unknown destination zone (bar) /usr/share/shorewall/macro.SSH (line 11)

   In this case, we don't know where the SSH macro was invoked
   incorrectly. Beginning with this release, the stack of includes/opens
   will be included in ERROR and WARNING messages. Example:

      ERROR: Unknown destination zone (bar) /usr/share/shorewall/macro.SSH (line 11)
        from /etc/shorewall/rules (line 42)

   This shows that the SSH macro was invoked on line 42 of the rules file.

8) There is now a BLACKLIST macro that works as follows:

   - If BLACKLIST_LOGLEVEL is set, then the macro invokes the 'blacklog'
     action.
   - Otherwise, the macro invokes the BLACKLIST_DISPOSITION action.

9) An RST action has been added which matches tcp packets with the RST
   flag set. The action accepts two optional parameters:

   - Action (DEFAULT, ACCEPT or DROP). Default is DROP.
   - Audit ('audit' or omitted). Default is omitted.

Thank you for using Shorewall,

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
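An added illustration of the interfaces-file change described in III.5 (this is not from the announcement; the zone names, interface names and options are made up): the same two interfaces written as two alternative versions of /etc/shorewall/interfaces, first in the deprecated FORMAT 1 layout and then in FORMAT 2, which drops the BROADCAST column.

```text
#
# Version A: deprecated FORMAT 1 (the default if no FORMAT line is given).
# Columns: ZONE  INTERFACE  BROADCAST  OPTIONS
# The BROADCAST column (UNICAST in the Shorewall6 file) is usually
# '-' or 'detect'. Zone and interface names below are constructed.
#
FORMAT 1
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs

#
# Version B: the same entries in FORMAT 2, as used by the updated sample
# configurations. The BROADCAST column is gone, so OPTIONS becomes the
# third column.
# Columns: ZONE  INTERFACE  OPTIONS
#
FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs
```

When converting an existing file, remove the BROADCAST value from every line as well as adding the FORMAT 2 header, then run 'shorewall check': under FORMAT 2 a leftover 'detect' sits in the OPTIONS column, and the compiler will report it there rather than silently ignoring it.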