similar to: Shorewall 1.2.8

Shorewall 1.3.9 is available. In this release: 1. DNS Names are now allowed in Shorewall config files (I still recommend against using them however). 2. The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule. 3. Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. 4. The

Given the embarassing problems with "out of the box" installations of 1.2= =2E4,=20 I''m releasing 1.2.5. In this release: - SNAT is now supported - A "shorewall version" command has been added. - The default value of STATEDIR has been changed to conform with Linux FH= S 2.2. -Tom --=20 Tom Eastep \ A Firewall for Linux 2.4.* AIM: tmeastep \

In an email yesterday evening, Perry Nguyen expressed concern about the moving of the ''restarted'' file from /var/lib/shorewall to $STATEDIR (STATEDIR is set in your shorewall.conf file and defaults to /var/state/shorewall). I''m afraid I was a bit short with Perry for which I apologize. Here''s the story: 1. What is the ''restarted'' file

See http://security.dsi.unimi.it/~lorenzo/debian.html -Tom -- Tom Eastep \ Shorewall -- iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

This is becoming a FAQ and should probably be added to the docs. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message ---------- Date: Sun, 28 Apr 2002 16:09:01 -0700 (Pacific Daylight Time) From: Tom Eastep <teastep@shorewall.net> To: Carl Spelkens

---------- Forwarded Message ---------- Subject: Re: [Shorewall-users] strange UDP scan results on a Shorewall=20 firewall Date: Sun, 3 Mar 2002 08:33:20 -0800 From: Tom Eastep <teastep@shorewall.net> To: "Scott Duncan" <sduncan@cytechconsult.com> On Saturday 02 March 2002 04:30 am, Scott Duncan wrote: > Yes, the net->all policy is the same on all three (REJECT log

I''m beginning to believe that the use of the last column in the rules file to designate redirection/forwarding is too subtle for many users. For 1.3, I think I''ll do something like the following: Current rule: ACCEPT net loc:192.168.1.3 tcp 80 - all New rule: FORWARD net loc:192.168.1.3 tcp 80 Current rule: ACCEPT net fw::3128 tcp 80 - all New rule: REDIRECT net

This is a minor release of Shorewall. In this release: 1. RFC1918 checking in the mangle table has been streamlined to no longer require packet marking. 2. A ''check'' command has been added that does a cursory validation of the zones, interfaces, hosts, rules and policy files. 3. UPnP probes (UDP port 1900) are now silently dropped unless explictly ACCEPTed. 4. The

"shorewall refresh" is not handling FORWARDPING=Yes properly in 1.3.7a. After a refresh, the configuration is the same as it would be with FORWARDPING=No. There''s a corrected firewall script available from http://www.shorewall.net/errata.htm. Sorry for the inconvenience... -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ:

This is a bug-fix roleup together with changes to the way ICMP is handled= =2E 1) The ''icmp.def'' file is now empty! The rules in that file were required in ipchains firewalls but are not required in Shorewall. Users who have ALLOWRELATED=3DNo in shorewall.conf should see the Upgrade Issues. 2) A ''FORWARDPING'' option has been added to shorewall.conf.

Shorewall.net will be unavailable for approximately two hours this evening beginning at 23:00 GMT (16:00 PDT) for installation of RH7.3. The http and ftp mirrors will still be available and mail will be queued in the backup MX. The mailing list archives and site/archive search will not be available. Apologies for any inconvenience this may cause. -Tom -- Tom Eastep \ Shorewall - iptables

I''ve completed the maintenance and everything seems to be back up now. Sorry for any inconvenience, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Let me know if there are any problems. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.2.4 will have the following changes: a) ''#'' comments now allowed at end-of-line in all config files. b) Firewall zone may be renamed c) Protection against concurrent state-changing operations (start, stop, restart, refresh, clear) d) ''shorewall start'' no longer fails if ''detect'' is specified for an interface with netmask

Apt-get sources are listed at: http://wecurity.dsi.unimi.it/~lorenzo/debian.html -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.3.4 is available: 1. A new /etc/shorewall/routestopped file has been added. This file is intended to eventually replace the routestopped option in the /etc/shorewall/interface and /etc/ shorewall/hosts files. This new file makes remote firewall administration easier by allowing any IP or subnet to be enabled while Shorewall is stopped. 2. An /etc/shorewall/stopped

The maintenance (adding RAM) took a little longer than I planned: 1) Shutdown - 1 minute 2) Open Case - 30 seconds At this point, I emember that I can''t add RAM to this box without removing the Mother Board (hinge-mounted in case) - slap forehead. 3) Remove cables, PCI NIC & MB - 2 minutes 4) Add RAM - 1 Minute 5) Get the %$#@ MB back in the case and aligned -- 15 Minutes 6)

Lorenzo Marignoni reports that: o Shorewall 1.2.10 is in the Debian Testing Branch o Shorewall 1.2.11 is in the Debian Unstable Branch Thanks, Lorenzo! -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Please don''t download 1.2.7or install -- it''s quite broken. I''ll have 1.2.8 out shortly .... -Tom -- Tom Eastep \ Shorewall -- iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Rafa³ Dutko has just discovered a potentially serious bug in version 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears. A corrected firewall script for 1.3.1 is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall and