Beta 2 is now available for testing. This version completes my planned consolidation of IPv4/IPv6 and Standard/Lite. At this point:

* There are no remaining IPv6-only code modules
* The only code modules that are unique to the Standard or Lite environments are two new ones:
  * lib.cli-std - Used by Shorewall and Shorewall6
  * lib.cli-lite - Used by Shorewall Lite and Shorewall6 Lite
There is one problem corrected:

1) When TC_ENABLED=Shared, CLASSIFY rules could not previously be used in the tcrules file. Thanks to a patch from Chris Boot, this now works as expected.
New Features:

1) Shorewall now supports the CT target in the Netfilter 'raw' table. See 'man shorewall-notrack' for details.

   The main use of this target is described in this paper:

       http://home.regit.org/wp-content/uploads/2011/11/helper-recommandation.pdf

   The paper is a product of the vulnerability described in the 4.4.20 Shorewall release note, which introduced the 'sfilter' facility. In the paper, rules such as the following are recommended, which bind the ftp connection-tracking helper explicitly to the intended server and port instead of letting the helper attach to any connection on a matching port:

       iptables -A PREROUTING -t raw -p tcp --dport 2121 -d 1.2.3.4 -j CT --helper ftp

   The equivalent entry in /etc/shorewall/notrack would be (1.2.3.4 is the destination address, matching the '-d 1.2.3.4' of the iptables rule):

       #ACTION        SOURCE   DEST      PROTO   DEST
       #                                         PORT(S)
       CT:helper:ftp  -        1.2.3.4   tcp     2121
2) The above-referenced paper also advocates careful control of RELATED packets. To allow such control, two new options have been introduced in shorewall[6].conf:

   - RELATED_DISPOSITION

     May be ACCEPT, A_ACCEPT, A_DROP, A_REJECT, DROP or REJECT. For compatibility with earlier releases, the default is ACCEPT. This determines what happens to RELATED packets that fail to match any rule in the RELATED section of the rules file.

   - RELATED_LOG_LEVEL

     Specifies a level for logging related packets. Default is empty, which means that no logging occurs.
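The following is an added example, not part of this announcement or of the Shorewall project's own code. It covers both new features above: the first function shows how the columns of a CT:helper entry in /etc/shorewall/notrack map onto the raw-table iptables rule recommended in the paper, and the second reads a shorewall.conf fragment and reports whether unmatched RELATED packets are still accepted silently under the compatibility default. The column order (ACTION SOURCE DEST PROTO DEST PORT(S)), the use of '-' for an empty column, and the sample conf lines are assumptions taken from the text above; the conf fragments are constructed for the example.

```shell
#!/bin/sh
# Added example (not Shorewall's own code). Assumes the notrack column order
# ACTION SOURCE DEST PROTO DPORT, with '-' meaning "any" in a column.

# notrack_to_iptables ACTION SOURCE DEST PROTO DPORT
# Prints the iptables raw-table command equivalent to a CT:helper:<name>
# notrack entry. Only the CT:helper form is handled here.
notrack_to_iptables() {
    action=$1; src=$2; dst=$3; proto=$4; dport=$5
    case $action in
        CT:helper:*) helper=${action#CT:helper:} ;;
        *) echo "unsupported ACTION: $action" >&2; return 1 ;;
    esac
    cmd="iptables -t raw -A PREROUTING"
    [ "$src" != "-" ] && cmd="$cmd -s $src"
    [ "$dst" != "-" ] && cmd="$cmd -d $dst"
    cmd="$cmd -p $proto"
    [ "$dport" != "-" ] && cmd="$cmd --dport $dport"
    echo "$cmd -j CT --helper $helper"
}

# audit_related  (reads shorewall.conf lines on stdin)
# Returns 0 when unmatched RELATED packets are dropped/rejected, 1 when they
# are accepted (the compatibility default), 2 on an invalid disposition.
audit_related() {
    disp=ACCEPT; level=          # defaults stated in the release note
    while IFS= read -r line; do
        case $line in
            \#*|'') continue ;;  # skip comments and blank lines
            RELATED_DISPOSITION=*)
                disp=${line#RELATED_DISPOSITION=}; disp=${disp%\"}; disp=${disp#\"} ;;
            RELATED_LOG_LEVEL=*)
                level=${line#RELATED_LOG_LEVEL=}; level=${level%\"}; level=${level#\"} ;;
        esac
    done
    case $disp in
        ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT) ;;
        *) echo "invalid RELATED_DISPOSITION: $disp"; return 2 ;;
    esac
    if [ "$disp" = ACCEPT ] || [ "$disp" = A_ACCEPT ]; then
        if [ -z "$level" ]; then
            echo "permissive: unmatched RELATED packets accepted, not logged"
        else
            echo "permissive: unmatched RELATED packets accepted, logged at $level"
        fi
        return 1
    fi
    echo "restrictive: unmatched RELATED packets get $disp${level:+, logged at $level}"
}

# Demonstration on constructed input (the entry from the release note and two
# shorewall.conf fragments: the compatibility default and a tightened one).
notrack_to_iptables CT:helper:ftp - 1.2.3.4 tcp 2121
if printf 'RELATED_DISPOSITION=ACCEPT\nRELATED_LOG_LEVEL=\n' | audit_related; then :; fi
if printf '# tightened\nRELATED_DISPOSITION=DROP\nRELATED_LOG_LEVEL=info\n' | audit_related; then :; fi
```

The audit deliberately treats A_ACCEPT like ACCEPT: an audited accept still lets the packet through, so only the log level distinguishes it from the silent default.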
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-devel mailing list - https://lists.sourceforge.net/lists/listinfo/shorewall-devel
