similar to: Shorewall 1.3.3 Beta Available

Shorewall 1.3.3 is now available for download. In this release: 1. Entries in /etc/shorewall/interface that use the wildcard character ("+") now have the "multi" option assumed. 2. The ''rfc1918'' chain in the mangle table has been renamed ''man1918'' to make log messages generated from that chain distinguishable from those generated

I''m beginning to believe that the use of the last column in the rules file to designate redirection/forwarding is too subtle for many users. For 1.3, I think I''ll do something like the following: Current rule: ACCEPT net loc:192.168.1.3 tcp 80 - all New rule: FORWARD net loc:192.168.1.3 tcp 80 Current rule: ACCEPT net fw::3128 tcp 80 - all New rule: REDIRECT net

This is a bug-fix roleup together with changes to the way ICMP is handled= =2E 1) The ''icmp.def'' file is now empty! The rules in that file were required in ipchains firewalls but are not required in Shorewall. Users who have ALLOWRELATED=3DNo in shorewall.conf should see the Upgrade Issues. 2) A ''FORWARDPING'' option has been added to shorewall.conf.

This is just a role up of the "shorewall refresh" bug fix plus the change that reversed the order of "dhcp" and "rfc1918" filtering. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

As promised, 1.3.1 is now available: 1. The handling of "all <zone> CONTINUE" policies has been corrected. Use of these policies greatly simplifies whitelisting and other nested zone configuration. 2. Added an /etc/shorewall/rfc1918 configuration file for defining the behavior of the ''norfc1918'' interface option. -Tom -- Tom Eastep \ Shorewall -

This is a minor release of Shorewall. In this release: 1. RFC1918 checking in the mangle table has been streamlined to no longer require packet marking. 2. A ''check'' command has been added that does a cursory validation of the zones, interfaces, hosts, rules and policy files. 3. UPnP probes (UDP port 1900) are now silently dropped unless explictly ACCEPTed. 4. The

Andy Wiggin has contribued a Python program that reads http://www.iana.org/assignments/ipv4-address-space and creates a list of reserved subnets suitable for inclusion in /etc/shorewall/rfc1918. The list produced by Andy''s program will be included in the rfc1918 file included in version 1.3.2 (it''s available now from CVS). Thanks Andy! -Tom -- Tom Eastep \ Shorewall -

Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.2.4 will have the following changes: a) ''#'' comments now allowed at end-of-line in all config files. b) Firewall zone may be renamed c) Protection against concurrent state-changing operations (start, stop, restart, refresh, clear) d) ''shorewall start'' no longer fails if ''detect'' is specified for an interface with netmask

This is becoming a FAQ and should probably be added to the docs. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message ---------- Date: Sun, 28 Apr 2002 16:09:01 -0700 (Pacific Daylight Time) From: Tom Eastep <teastep@shorewall.net> To: Carl Spelkens

---------- Forwarded Message ---------- Subject: Re: [Shorewall-users] strange UDP scan results on a Shorewall=20 firewall Date: Sun, 3 Mar 2002 08:33:20 -0800 From: Tom Eastep <teastep@shorewall.net> To: "Scott Duncan" <sduncan@cytechconsult.com> On Saturday 02 March 2002 04:30 am, Scott Duncan wrote: > Yes, the net->all policy is the same on all three (REJECT log

There''s a lot new in 1.3.10: 1) You may now define the contents of a zone dynamically with the "shorewall add" and "shorewall delete" commands. These commands are expected to be used primarily within FreeS/Wan updown scripts. 2) Shorewall can now do MAC verification on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can

o There are lots of changes in the firewall structure -- beware if you use /etc/shorewall/start to insert rules into the Shorewall-generated ruleset. o Sub-zones may now be excluded from DNAT and REDIRECT rules. o The names of the columns in a number of configuration files have been changed to be more consistent and self-explanatory. o The sample configuration files have been updated for 1.3.

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

Shorewall 2.0.0 is now in Beta so this is a good time to begin thinking about preparing to migrate to the 2.0 Shorewall series. Shorewall 2.0 makes a number of incompatible changes in the configuration files. Luckily, you will be able to make changes ahead of time to your 1.4 configuration that will ease the migration when the time comes. a) Shorewall 2.0 doesn''t allow you to specify

Shorewall 2.2.0 is expected to be released in the February/March timeframe so it is now time to begin thinking about preparing to upgrade. This is particularly important for those of you still running Shorewall 1.4 since support for that version will end with the release of 2.2. For those of you still running Shorewall 1.4, here are some things that you can do ahead of time to ease the upgrade to

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

Shorewall 1.3.9 is available. In this release: 1. DNS Names are now allowed in Shorewall config files (I still recommend against using them however). 2. The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule. 3. Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. 4. The

Let me know if there are any problems. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta3 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta3 Problems Corrected: 1. Missing ''#'' in the rfc1918 file has been corrected. 2. The INSTALL file now includes special instructions for Slackware users. New Features: 1. In CLASSIFY rules