Shorewall 4.3.7 is available for testing.

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 3 . 7
----------------------------------------------------------------------------

1)  Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
    and 4.3 versions.

    The problem:

    a) Only occurs when there are more than one non-firewall zone.
    b) Results in the following interface options not being applied to
       forwarded traffic.

        blacklist
        dhcp
        maclist (when MACLIST_TABLE=filter)
        norfc1918
        nosmurfs
        tcpflags

2)  Matt LaPlante reported a problem whereby a valid DNAT- rule was
    badly mis-handled.

    The rule:

       DNAT-    loc     net:1.2.3.4:2525        tcp     25

    The result:

     WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules
     (line 459)
     Can't call method "inet_htoa" without a package or object reference
       at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
      <$currentfile> line 459.
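    To show how the DEST column of that rule has to be split (zone "net",
    address 1.2.3.4, port 2525) rather than being read with 1.2.3.4 as the
    zone, here is an added Python parser. It is not Shorewall's own code; it
    assumes a single IPv4 address and the shapes zone, zone:address,
    zone:address:port and zone::port, and a whitespace-separated rule line
    with ACTION, SOURCE, DEST, PROTO and DEST PORT columns.

```python
import ipaddress


def parse_dnat_dest(dest):
    """Split a DNAT DEST column value into (zone, address, port).

    address and port are None when not given. A zone name must be
    alphanumeric (underscores allowed), so a dotted address in the first
    field is rejected instead of being silently taken as a zone.
    """
    parts = dest.split(":")
    if len(parts) > 3:
        raise ValueError(f"too many fields in DEST {dest!r}")
    zone = parts[0]
    if not zone or not zone.replace("_", "").isalnum():
        raise ValueError(f"invalid zone name {zone!r} in DEST {dest!r}")
    address = parts[1] if len(parts) > 1 and parts[1] else None
    port = parts[2] if len(parts) > 2 and parts[2] else None
    if address is not None:
        # raises ValueError for anything that is not a single IPv4 address
        ipaddress.IPv4Address(address)
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in DEST {dest!r}")
    return zone, address, port


def parse_rule(line):
    """Parse one DNAT/DNAT- rules line into a dict of its columns."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"expected at least 5 columns: {line!r}")
    action, source, dest, proto, dport = fields[:5]
    if action not in ("DNAT", "DNAT-"):
        raise ValueError(f"not a DNAT rule: {action!r}")
    return {
        "action": action,
        "source": source,
        "dest": parse_dnat_dest(dest),
        "proto": proto,
        "dport": dport,
    }


if __name__ == "__main__":
    # the rule from the report, as a constructed sample line
    print(parse_rule("DNAT-    loc     net:1.2.3.4:2525        tcp     25"))
```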

3)  Previously, OPTIONS were not allowed with a bridge port in
    /etc/shorewall/interfaces. That oversight has been corrected and
    now the following OPTIONS are allowed:

        blacklist
        maclist
        norfc1918
        nosmurfs
        routeback
        tcpflags

----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 3 . 7
----------------------------------------------------------------------------

1)  The file /var/lib/shorewall/.restore has been renamed to
    /var/lib/shorewall/firewall. A similar change has been made in
    Shorewall6.

    When a successful start or restart is completed, the script that
    executed the command copies itself to
    /var/lib/shorewall[6]/firewall.

2)  Dynamic zone support is once again available for IPv4. This support
    is built on top of ipsets, so you must have xtables-addons
    installed.

    Dynamic zones are available when Shorewall-lite is used as well.

    Note that the dynamic zone support built into Shorewall provides no
    additional functionality over what is provided by simply defining a
    zone in terms of an ipset (see
    http://www1.shorewall.net/ipsets.html#Dynamic).

    You define a zone as having dynamic content in one of two ways:

    - By specifying nets=dynamic in the OPTIONS column of an entry for
      the zone in /etc/shorewall/interfaces; or

    - By specifying <interface>:dynamic in the HOST(S) column of an
      entry for the zone in /etc/shorewall/hosts.

    When there are any dynamic zones present in your configuration,
    Shorewall (Shorewall-lite) will:

    a) Execute the following commands during 'shorewall start' or
       'shorewall-lite start':

           ipset -U :all: :all:
           ipset -U :all: :default:
           ipset -F
           ipset -X
           ipset -R < ${VARDIR}/ipsets.save

       where $VARDIR normally contains /var/lib/shorewall
       (/var/lib/shorewall-lite) but may be modified by
       /etc/shorewall/vardir (/etc/shorewall-lite/vardir).

    b) During 'start', 'restart' and 'restore' processing, Shorewall
       will then attempt to create an ipset named <zone>_<interface>
       for each zone/interface pair that has been specified as
       dynamic. The type of ipset created is 'iphash' so that only
       individual IPv4 addresses may be added to the set.

    c) Execute the following commands during 'shorewall stop' or
       'shorewall-lite stop':

           if ipset -S > ${VARDIR}/ipsets.tmp; then
              mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
           fi

    The 'shorewall add' and 'shorewall delete' commands are supported
    with their original syntax:

           add <interface>[:<host-list>] ... <zone>

           delete <interface>[:<host-list>] ... <zone>

    In addition, the 'show dynamic' command is added that lists the
    dynamic content of a zone.

            show dynamic <zone>

    These commands are supported by shorewall-lite as well.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel