This Beta completes implementation of the new features that I am planning for 4.4.21.
Problems Corrected:
1) The compiler now correctly rejects the DEFAULTS directive in the
rules file and in macros.
2) An empty parameter list (e.g., DROP:Drop()) in the POLICY column of
the policy file is now handled correctly.
3) The parameterized macros now correctly audit all rulings
when :audit is specified. As part of this change, the Drop and
Reject actions now accept two additional parameters:
   4th  The action to be applied to accepted ICMP packets.

        FIRST PARAMETER    DEFAULT
        -                  ACCEPT
        audit              A_ACCEPT

   5th  The action to be applied to UPnP (udp port 1900) and late
        DNS replies (udp source port 53).

        FIRST PARAMETER    DEFAULT
        -                  DROP
        audit              A_DROP
New Features:
1) The 'shorewall update' (and 'shorewall6 update') now updates
shorewall.conf *before* validating the configuration.
2) Macros may now specify a default parameter value using the DEFAULT
directive.
       DEFAULT <default>

   Example macro.Foo -- by default, accepts connections on fictitious
   tcp port 'foo'.

       DEFAULT ACCEPT
       PARAM   -    -    tcp   foo
3) Shorewall6 now supports ipsets.
This support has been validated on Kernel 2.6.37 with
xtables-addons 1.36.
Unlike iptables, which has separate configurations for IPv4 and
IPv6, ipset has a single configuration that handles both. This
means that SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf
won't work correctly. To work around this issue, Shorewall-init is
now capable of restoring ipset contents during 'start' and saving them
during 'stop'.
To direct Shorewall-init to save/restore ipset contents, set the
SAVE_IPSETS option in /etc/sysconfig/shorewall-init
(/etc/default/shorewall-init on Debian and derivatives). The value
of the option is a file name where the contents of the ipsets will
be saved to and restored from. Shorewall-init will create any
necessary directories during the first 'save' operation.
If you configure Shorewall-init to save/restore ipsets, be sure to
set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.
As part of this change, Shorewall and Shorewall6 will only restore
saved ipsets if SAVE_IPSETS=Yes in shorewall.conf
(shorewall6.conf). It previously did so if any ipset rules were
present in the configuration.
4) Shorewall6 now supports dynamic zones:
1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces
2) The HOSTS column of /etc/shorewall6/hosts may now contain
<interface>:dynamic.
3) /sbin/shorewall6 now supports the 'add' and 'delete' commands.
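As an added illustration of the DEFAULT directive from new feature 2 (and of the empty-parameter case from problem 2), here is a deliberately reduced Python model of macro expansion. It is not Shorewall's compiler code; the macro.Foo text, the column handling and the `expand_macro`/`expand_foo` function names are constructed for this example.

```python
"""Reduced model of Shorewall macro parameter substitution with DEFAULT.

Added example, not Shorewall code.  Only two things are modelled: a DEFAULT
line supplies the value for PARAM when the invocation gives no parameter,
and an empty parameter (Foo() or a bare Foo) falls back to that default.
"""

# Constructed macro.Foo, matching the example in the release notes:
# by default it accepts connections on the fictitious tcp port 'foo'.
MACRO_FOO = """\
# ACTION  SOURCE  DEST  PROTO  DPORT
DEFAULT ACCEPT
PARAM   -       -     tcp    foo
"""


def parse_macro(text):
    """Return (default, rows).  default comes from a DEFAULT line (None if
    absent); rows are the remaining non-comment lines split into columns."""
    default, rows = None, []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        cols = line.split()
        if cols[0] == 'DEFAULT':
            if len(cols) != 2:
                raise ValueError('DEFAULT takes exactly one value')
            default = cols[1]
        else:
            rows.append(cols)
    return default, rows


def expand_macro(text, param=None):
    """Expand one macro invocation.  param is the value from the rules-file
    invocation; None or '' means no parameter was given, so DEFAULT applies.
    A macro with neither a parameter nor a DEFAULT cannot resolve PARAM."""
    default, rows = parse_macro(text)
    if not param:
        if default is None:
            raise ValueError('macro invoked without a parameter and has no DEFAULT')
        param = default
    return [[param if col == 'PARAM' else col for col in cols] for cols in rows]


def expand_foo(param=None):
    """Convenience wrapper: expand the constructed macro.Foo."""
    return expand_macro(MACRO_FOO, param)
```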
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
