Shorewall 5.2.5 Beta2 is now available for testing. Changes since Beta 1:

1) Previously, if the dynamic-blacklisting default timeout was set in
   a variable in the params file and the variable was used in setting
   DYNAMIC_BLACKLIST, then the 'allow' command would fail with
   the message:

      ERROR: Invalid value (ipset-only,disconnect,timeout=) for DYNAMIC_BLACKLIST

   That has been corrected.

2) Traditionally, Shorewall has logged state change messages using
   the 'user' syslog facility. Beginning with this release, these
   messages will be logged using the 'daemon' facility to more
   accurately reflect that these messages relate to a service.

3) The DYNAMIC_BLACKLIST setting now allows a 'log' option to be
   specified for ipset-based blacklisting. When this option is given,
   successful 'blacklist' and 'allow' commands generate a 'daemon.info'
   log message.

4) When ipset-based dynamic blacklisting is enabled, the generated
   ruleset has traditionally refreshed the 'timeout' of an ipset
   entry when a packet from a blacklisted host is received. This has
   the unfortunate side effect that it can change a permanent entry
   (timeout 0) to a temporary one (with a non-zero timeout). Beginning
   with this release, this timeout refresh can be avoided by
   specifying the 'noupdate' option in the DYNAMIC_BLACKLIST
   setting.

5) To allow Shorewall's ipset-based blacklisting to play nicely with
   fail2ban, the 'blacklist!' CLI command has been added.

   The command

      blacklist! <ip>

   is equivalent to

      blacklist <ip> timeout 0

   thus allowing 'blacklist!' to be specified as the 'blocktype' in
   /etc/fail2ban/actions.d/shorewall.conf.

Thank you for testing,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
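
Items 4 and 5 above, modelled as an added example (not Shorewall code and not part of the original announcement): a permanent 'blacklist!' entry is hit by one packet, with and without 'noupdate'. It assumes the refresh re-adds the entry with the default timeout; the class, the function names, the 600-second timeout and the address are constructed for illustration.

```python
# Added illustration: a small model of a timeout-aware ipset, not Shorewall code.
DEFAULT_TIMEOUT = 600  # constructed stand-in for timeout= in DYNAMIC_BLACKLIST


class BlacklistSet:
    """Maps address -> absolute expiry time; None marks a permanent entry."""

    def __init__(self, default_timeout, noupdate=False):
        self.default_timeout = default_timeout
        self.noupdate = noupdate
        self.entries = {}

    def blacklist(self, ip, now, timeout=None):
        """Model of 'blacklist <ip> [timeout N]'; 'blacklist!' passes timeout=0."""
        if timeout is None:
            timeout = self.default_timeout
        self.entries[ip] = None if timeout == 0 else now + timeout

    def is_blocked(self, ip, now):
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is not None and now >= expiry:
            del self.entries[ip]  # expired entries leave the set
            return False
        return True

    def packet_from(self, ip, now):
        """Returns True when the packet is dropped by the blacklist rule."""
        if not self.is_blocked(ip, now):
            return False
        if not self.noupdate and self.default_timeout > 0:
            # Assumed refresh behaviour: the entry is re-added with the
            # default timeout, which overwrites a permanent (timeout 0) entry.
            self.entries[ip] = now + self.default_timeout
        return True


def permanent_ban_survives(noupdate):
    """Ban permanently, receive one packet, then look again after the default timeout."""
    ipset = BlacklistSet(DEFAULT_TIMEOUT, noupdate)
    ipset.blacklist("192.0.2.10", now=0, timeout=0)  # blacklist! 192.0.2.10
    ipset.packet_from("192.0.2.10", now=5)
    return ipset.is_blocked("192.0.2.10", now=5 + DEFAULT_TIMEOUT + 1)
```

In this model the permanent ban lapses one default timeout after the last packet unless 'noupdate' is set, which is the case that matters when fail2ban, rather than the ipset timeout, decides when a host is unbanned.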
