Shorewall 4.4.22 Beta 1 is now available for testing.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) In 4.4.21, a harmless 'undefined variable' Perl diagnostic was
issued when the compiler was displaying the iptables/kernel
capabilities.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Three new parameterized standard actions are included in this release.
Invalid - Packets in the INVALID connection tracking state
Broadcast - Broadcast and Multicast Packets
NotSyn - TCP packets that have the SYN flag set and all
other flags reset.
The standard default Drop and Reject actions have been modified to
use these new actions.
Each accepts two parameters:
a) Action to perform on matching packets.
b) 'audit' flag. If 'audit', then the action will be audited.
The new actions deprecate the following built-in actions:
allowBcast - use Broadcast(ACCEPT)
allowInvalid - use Invalid(ACCEPT)
dropInvalid - use Invalid(DROP)
dropBroadcast - use Broadcast(DROP)
dropNotSyn - use NotSyn(DROP)
rejNotSyn - use NotSyn(REJECT)
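As an added illustration, not part of this announcement or of the Shorewall distribution: a constructed default-action file that uses the three new parameterized actions, including the 'audit' flag, in place of the deprecated built-ins. It assumes a user-defined action named MyDrop, declared in /etc/shorewall/actions and selected as the default action for a DROP policy with DROP:MyDrop in the POLICY column of /etc/shorewall/policy (both names are assumptions, not shipped files).

```text
# /etc/shorewall/action.MyDrop  (constructed example; MyDrop is an assumed name)
#
# Selected from /etc/shorewall/policy with a line such as:
#   #SOURCE  DEST  POLICY        LOG LEVEL
#   net      $FW   DROP:MyDrop   info
#
# Replacements for the deprecated built-ins:
#   dropInvalid   -> Invalid(DROP)
#   dropBroadcast -> Broadcast(DROP)
#   dropNotSyn    -> NotSyn(DROP)
#
#TARGET                 SOURCE  DEST    PROTO   DEST    SOURCE
#                                               PORT(S) PORT(S)
#
# Packets in the INVALID conntrack state: drop and audit, so the
# drop is recorded by the kernel audit subsystem rather than syslog.
Invalid(DROP,audit)
#
# Broadcast and multicast packets: silently drop (no audit).
Broadcast(DROP)
#
# TCP packets matched by NotSyn: drop and audit.
NotSyn(DROP,audit)
```

The second parameter is optional; omit it for an unaudited drop. The 'audit' form only compiles on a kernel and iptables that provide the AUDIT target capability.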
2) Up to this point, the Perl-based compiler has stored rules
internally as iptables/ip6tables command strings. This has
made optimizing the ruleset difficult and has made the
optimizer the most defect-dense part of the code.
This release marks the first step toward converting the compiler to
use an internal rule representation that is easier to optimize and
that can be converted to iptables/ip6tables commands efficiently.
The parser still generates iptables/ip6tables rules, which are then
converted into the internal form.
This last change has a chance of de-stabilizing the compiler, so I will
very much appreciate all of the testing that you can give it.
Thanks for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
