similar to: Shorewall 1.3.1

Shorewall 1.3.3 is now available for download. In this release: 1. Entries in /etc/shorewall/interface that use the wildcard character ("+") now have the "multi" option assumed. 2. The ''rfc1918'' chain in the mangle table has been renamed ''man1918'' to make log messages generated from that chain distinguishable from those generated

Beta code is available at: ftp://ftp.shorewall.net/pub/shorewall/Beta http://www.shorewall.net/pub/shorewall/Beta In this release: 1. Entries in /etc/shorewall/interface that use the wildcard character ("+") now have the "multi" option assumed. 2. The ''rfc1918'' chain in the mangle table has been renamed ''man1918'' to make log

Rafa³ Dutko has just discovered a potentially serious bug in version 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears. A corrected firewall script for 1.3.1 is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall and

This is a bug-fix roleup together with changes to the way ICMP is handled= =2E 1) The ''icmp.def'' file is now empty! The rules in that file were required in ipchains firewalls but are not required in Shorewall. Users who have ALLOWRELATED=3DNo in shorewall.conf should see the Upgrade Issues. 2) A ''FORWARDPING'' option has been added to shorewall.conf.

This is just a role up of the "shorewall refresh" bug fix plus the change that reversed the order of "dhcp" and "rfc1918" filtering. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

This is a minor release of Shorewall. In this release: 1. RFC1918 checking in the mangle table has been streamlined to no longer require packet marking. 2. A ''check'' command has been added that does a cursory validation of the zones, interfaces, hosts, rules and policy files. 3. UPnP probes (UDP port 1900) are now silently dropped unless explictly ACCEPTed. 4. The

Another bug with similar symptoms to the last one has been found by Renato Tirol. The bug fixed by the earlier errata update affects the following options: dhcp dropunclean logunclean norfc1918 routefilter multi filterping noping The bug reported by Renato and fixed in the current errata update affects: routestopped The new update is available at:

Andy Wiggin has contribued a Python program that reads http://www.iana.org/assignments/ipv4-address-space and creates a list of reserved subnets suitable for inclusion in /etc/shorewall/rfc1918. The list produced by Andy''s program will be included in the rfc1918 file included in version 1.3.2 (it''s available now from CVS). Thanks Andy! -Tom -- Tom Eastep \ Shorewall -

Lorenzo Marignoni reports that the Shorewall 1.3.1 Debian package is ready. See http://security.dsi.unimi.it/~lorenzo/debian.html. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

This is becoming a FAQ and should probably be added to the docs. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message ---------- Date: Sun, 28 Apr 2002 16:09:01 -0700 (Pacific Daylight Time) From: Tom Eastep <teastep@shorewall.net> To: Carl Spelkens

---------- Forwarded Message ---------- Subject: Re: [Shorewall-users] strange UDP scan results on a Shorewall=20 firewall Date: Sun, 3 Mar 2002 08:33:20 -0800 From: Tom Eastep <teastep@shorewall.net> To: "Scott Duncan" <sduncan@cytechconsult.com> On Saturday 02 March 2002 04:30 am, Scott Duncan wrote: > Yes, the net->all policy is the same on all three (REJECT log

A number of you are flailing around trying to get the subject combination to work. You should all be aware that there are parts of this that don''t currently work and that won''t work well until there are enhancements made to Shorewall (and probably to Netfilter). I. There is no clean way currently to support Road Warriors from a Masquerading Netfilter firewall/gateway. As

I''m beginning to believe that the use of the last column in the rules file to designate redirection/forwarding is too subtle for many users. For 1.3, I think I''ll do something like the following: Current rule: ACCEPT net loc:192.168.1.3 tcp 80 - all New rule: FORWARD net loc:192.168.1.3 tcp 80 Current rule: ACCEPT net fw::3128 tcp 80 - all New rule: REDIRECT net

I forgot to add the last new feature to the previous announcement. Shorewall 2.2.2 is now available. http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.2 ftp://shorewall.net/pub/shorewall/2.2/shorewall-2.2.2 Problems Corrected: 1. The SOURCE column in the /etc/shorewall/tcrules file now correctly allows IP ranges (assuming that your iptables and kernel support ranges). 2.

Beta 1 is now available at: http://shorewall.net/pub/shorewall/testing ftp://shorewall.net/pub/shorewall/testing This is a minor release of Shorewall. Problems Corrected: 1) A problem seen on RH7.3 systems where Shorewall encountered start errors when started using the "service" mechanism has been worked around. 2) Where a list of IP addresses appears in the DEST column of a

http://shorewall.net/pub/shorewall/Beta ftp://shorewall.net/pub/shorewall/Beta Problems Corrected since version 1.4.8: 1) There has been a low continuing level of confusion over the terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all instances of "Static NAT" have been replaced with "One-to-one NAT" in the documentation and

In this release: 1. Whitelist support has been added. 2. Optional SYN Flood protection is now available. 3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES now use the VLSM and broadcast address of the interface''s primary address. 4. Port forwarding rules may now optionally override the contents of the /etc/shorewall/nat file. -Tom -- Tom Eastep \ Shorewall -

1.3.0 is available from the main site -- mirrors will syncronize in 6-12 hours. Features include: 1. The rules syntax for port forwarding and port redirection has been simplified. 2. Compatibility has been maintained with version 1.2 configurations so that users may migrate their configuration at their convenience. WARNING: Compatibility has NOT been maintained with the parameterized

Shorewall 1.4.6 is now available. Thanks to Francesca Smith, the 1.4.6 Sample configurations are also available. The release is currently available at: http://shorewall.net/pub/shorewall ftp://shorewall.net/pub/shorewall It will be available at the other mirrors shortly. This is a minor release of Shorewall. Problems Corrected: 1) A problem seen on RH7.3 systems where Shorewall encountered

Shorewall 1.3.9 is available. In this release: 1. DNS Names are now allowed in Shorewall config files (I still recommend against using them however). 2. The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule. 3. Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. 4. The