Shorewall 4.3.8 is now available for testing:
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 8
----------------------------------------------------------------------------
1) Tuomo Soini provided a workaround patch for a problem seen in some
kernel's (see FAQ 82) that caused 'shorewall start' to fail when
USE_DEFAULT_RT=Yes .
2) The swping program was not purging the interface status files when
it first started.
3) When LOG_MARTIANS=Yes with Shorewall-perl, setting logmartians=0 in
an entry in /etc/shorewall/interface failed to suppress martian
logging on the interface.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 3 . 8
----------------------------------------------------------------------------
1) The generated program now attempts to detect all dynamic
information when it first starts. If any of those steps fail, an
error message is generated and the state of the firewall is not
changed.
2) Shorewall will now attempt to detect a dynamic gateway by reading
the dhclient lease file for the interface
(/var/run/dhcp/dhclient-<if>.lease).
3) To improve readability of the configuration files, Shorewall now
allows leading white space in continuation lines when the continued
line ends in ":" or ",".
Example (/etc/shorewall/rules):
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
206.124.146.180\
dmz tcp 873
The leading white space on the lines that contain just an IP
address is ignored so the SOURCE column effectively contains
"net:206.124.146.177,206.124.147.178,206.124.146.180".
4) The generated script now uses iptables[6]-restore to instantiate
the Netfilter ruleset during processing of the 'stop' command. As a
consequence, the 'critical' option in /etc/shorewall/route_stopped
is no longer needed and will result in a warning.
5) A new AUTOMAKE option has been added to shorewall.conf and
shorewall6.conf. When set to 'Yes', this option causes new behavior
during processing of the 'start' and 'restart' commands; if no
files in /etc/shorewall/ (/etc/shorewall6) have changed since the
last 'start' or 'restart', then the compilation step is skipped and
the script used during the last 'start' or 'restart' is used to
start/restart the firewall.
Note that if a <directory> is specified in the start/restart
command (e.g., "shorewall restart /etc/shorewall.new") then the
setting of AUTOMAKE is ignored.
Note that the 'make' utility must be installed on the firewall
system in order for AUTOMAKE=Yes to work correctly.
6) The 'compile' command now allows you to omit the <pathname>. When
you do that, the <pathname> defaults to /var/lib/shorewall/firewall
(/var/lib/shorewall6/firewall) unless you have overridden VARDIR
using /etc/shorewall/vardir (/etc/shorewall6/vardir).
When combined with AUTOMAKE=Yes, it allows the following:
gateway:~ # shorewall compile
Compiling...
Shorewall configuration compiled to /root/shorewall/firewall
gateway:~ #
...
gateway:~ # shorewall restart
Restarting Shorewall....
done.
gateway:~ #
In other words, you can compile the current configuration then
install it at a later time.
7) Thanks to I. Buijs, it is now possible to rate-limit connections by
source IP or destination IP. The LIMIT:BURST column in
/etc/shorewall/policy (/etc/shorewall6/policy) and the RATE LIMIT
column /etc/shorewall/rules (/etc/shorewall6/rules) have been
extended as follows:
[{s|d}:[[<name>]:]]<rate>/{sec|min}[:<burst>]
When s: is specified, the rate is per source IP address.
When d: is specified, the rate is per destination IP address.
The <name> specifies the name of a hash table -- you get to choose
the name. If you don't specify a name, the name 'shorewall' is
assumed. Rules with the same name have their connection counts
aggregated and the individual rates are applied to the aggregate.
Example:
ACCEPT net fw tcp 22 - - s:ssh:3/min
This will limit SSH connections from net->fw to 3 per minute.
ACCEPT net fw tcp 25 - - s:mail:3/min
ACCEPT net fw tcp 587 - - s:mail:3/min
Since the same hash table name is used in both rules, the above is
equivalent to this single rule:
ACCEPT net fw tcp 25,587 - - s:mail:3/min
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
