The Shorewall team is pleased to announce the availability of Shorewall 4.5.15.

----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  Previously, the Shorewall and Shorewall6 install.sh scripts did two
    things wrong with respect to the /etc/shorewall[6]/routes file:

    - The existing file was unconditionally removed.
    - A skeleton file was not installed when SPARSE was not set in the
      shorewallrc file.

    Additionally, the installer would remove /etc/shorewall[6]/tcstart.

2)  The Shorewall-init install.sh script previously refused to replace
    /sbin/ifup-local and /sbin/ifdown-local when those files had been
    installed by an earlier version of Shorewall-init.

3)  Previously, Shorewall-init's integration with NetworkManager was
    incomplete on SuSE, with the result that NetworkManager interface
    change events were not processed. That has been corrected.

4)  Beginning with Shorewall 4.5.8, Shorewall6 has interpreted /32
    networks as hosts (/128). /32 IPv6 networks are once again handled
    correctly.

5)  Using service class names such as EF, BE, CS1, ... for DSCP didn't
    work previously. Thibaut Chèze has provided a fix.

6)  An incorrect range test prevented DSCP classes CS6 and CS7 from being
    accepted. The test has been corrected and those classes are now
    allowed.

----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  Prior to this release, Shorewall only supported blackhole null routing
    in the /etc/shorewall[6]/routes file and in the NULL_ROUTE_RFC1918
    option. Beginning with this release, Shorewall also supports
    'unreachable' and 'prohibit' routes.

    In /etc/shorewall/routes, the GATEWAY column may contain 'blackhole',
    'unreachable' or 'prohibit'.

    NULL_ROUTE_RFC1918 can also assume those values, in addition to 'Yes'
    and 'No' (case-insensitive). 'Yes' is equivalent to 'blackhole' for
    backward compatibility.

    Please see http://www.shorewall.net/MultiISP.html#null_routing for
    details. That section was provided by Mr Dash Four.

2)  The 'ifupdown' script installed by Shorewall-init is now
    distribution-specific. Previously, the script determined the
    distribution at run-time.

3)  The ${VARDIR}/undo_<provider>_routing scripts no longer invoke a
    Shorewall internal function, so that they may be processed directly
    by a shell.

4)  The compiler now detects multiple entries in /etc/shorewall[6]/routes
    with the same PROVIDER and DEST and raises an error.

    If an entry for the 'main' table in /etc/shorewall/routes has one of
    the RFC1918 networks as the DEST and NULL_ROUTE_RFC1918=Yes, then a
    warning message is issued and the entry in /etc/shorewall/routes is
    used.

5)  Prior to now, the generated shell script has always used routing table
    (provider) numbers rather than names. To make the script more readable
    and to aid in debugging, a new USE_RT_NAMES option has been added to
    shorewall[6].conf. When set to 'Yes', Shorewall will use routing table
    (provider) names in the generated script rather than table numbers.
    When set to 'No' (the default), routing table numbers will be used.

    Caution: If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you
    must ensure that all of your providers have entries in
    /etc/iproute2/rt_tables, as well as the following entries:

        255     local
        254     main
        253     default
        250     balance
        0       unspec

    Without these entries, the firewall will fail to start.

Thank you for using Shorewall,

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
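A pre-flight check for the USE_RT_NAMES/KEEP_RT_TABLES caution above, added here as an example and not part of Shorewall itself: a POSIX shell function that verifies an rt_tables file carries the five required entries plus a named table for each provider, before the firewall is started. The provider names (ISP1, ISP2) and both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Shorewall: verify that an rt_tables file has the
# entries USE_RT_NAMES=Yes with KEEP_RT_TABLES=Yes requires, plus one named
# table per provider. Provider names and file contents below are constructed.

# number:name pairs the release notes list as mandatory
REQUIRED_TABLES="255:local 254:main 253:default 250:balance 0:unspec"

# has_table FILE NUMBER NAME -> true if a non-comment line "NUMBER NAME" exists
# has_table FILE "" NAME     -> true if any line maps NAME, whatever its number
has_table() {
    sed 's/#.*//' "$1" | awk -v n="$2" -v t="$3" \
        '(n == "" || $1 == n) && $2 == t { found = 1 } END { exit !found }'
}

# check_rt_tables FILE PROVIDER...
# Prints each missing entry; exit status 0 when the file is complete, 1 otherwise.
check_rt_tables() {
    file=$1; shift
    rc=0
    for pair in $REQUIRED_TABLES; do
        num=${pair%%:*}; name=${pair#*:}
        has_table "$file" "$num" "$name" || { echo "missing: $num $name"; rc=1; }
    done
    for prov in "$@"; do
        has_table "$file" "" "$prov" || { echo "missing provider table: $prov"; rc=1; }
    done
    return $rc
}

# Constructed sample files: one complete, one lacking 'balance' and a provider.
GOOD_RT=$(mktemp) BAD_RT=$(mktemp)
cat > "$GOOD_RT" <<'EOF'
# reserved values
255     local
254     main
253     default
250     balance
0       unspec
# providers named in /etc/shorewall/providers
1       ISP1
2       ISP2
EOF
cat > "$BAD_RT" <<'EOF'
255     local
254     main
253     default
0       unspec
1       ISP1
EOF

check_rt_tables "$GOOD_RT" ISP1 ISP2 && echo "$GOOD_RT: ok"
check_rt_tables "$BAD_RT"  ISP1 ISP2 || echo "$BAD_RT: incomplete"
```

Run it against the real /etc/iproute2/rt_tables with the PROVIDER names from /etc/shorewall/providers; a non-zero exit means the generated script would reference a table name the kernel's iproute2 cannot resolve.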