Shorewall 5.2.6 Beta 1 is now available for testing.

Problems Corrected:
1) When compiling for export, the compiler generates a firewall.conf
   file which is later installed on the remote firewall system as
   ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
   not processing the file, resulting in some features not being
   available:
   - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
     SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
     DYNAMIC_BLACKLIST and PAGER were not supplied.
   - The scfilter file supplied at compile time was not used.
   - The dumpfilter file supplied at compile time was not used.
   That has been corrected.

New Features:
1) The 'actions' file now supports a 'dport' option to go along with
   the 'proto' option. Using these two options, an action can now be
   restricted to a particular service. See shorewall-actions(5) for
   details.

   Example limiting net->all SSH connections to 3/min per source IP:

   /etc/shorewall/actions:

     SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers
              dport=ssh

   /etc/shorewall/action.SSHLIMIT:

     ACCEPT { RATE=s:3/min:3 }
     BLACKLIST:$LOG_LEVEL:net_SSHLIMIT

   /etc/shorewall/rules:

     SSHLIMIT net all
2) The change to 'show actions' implemented in 5.2.5.1 (see below)
   has been further extended.
   - "?IF...?ELSE...?ENDIF" sequences are now shown in the output.
   - Continuation lines are now shown in the output, so that all
     action options are now displayed.
   - If an action appears in both /usr/share/shorewall[6]/actions.std
     and in /etc/shorewall[6]/actions, then the one in the actions
     file is shown followed by the one in the actions.std file.
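   The two features above both concern how an 'actions' entry is read:
   backslash continuation lines and the comma-separated option list that
   now carries proto and dport. The following is an added example, not
   Shorewall's own parser, that reads a small constructed actions file in
   that syntax and flags any action whose dport option has no matching
   proto; the rule that a continuation line's leading whitespace is dropped,
   and the dport-without-proto check itself, are this example's own
   assumptions rather than behaviour documented in shorewall-actions(5).

```python
from typing import Dict, List, Optional

# Constructed sample of an /etc/shorewall/actions file in the 5.2.6 syntax
# (a backslash-continued option list plus proto/dport options).
SAMPLE_ACTIONS = r"""
# ACTION    OPTIONS
SSHLIMIT    proto=tcp,\        # Blacklist overzealous SSHers
            dport=ssh
DNSLIMIT    proto=udp,dport=53,nolog
Plain
"""

def logical_lines(text: str) -> List[str]:
    """Strip '#' comments and join backslash-continued lines into logical lines.
    Leading whitespace on a continuation line is dropped (assumption)."""
    out: List[str] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # comment may follow the backslash
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.strip():
            out.append(line)
    if pending is not None:                     # dangling backslash at end of file
        out.append(pending)
    return out

def parse_actions(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each action name to its options; flag options such as nolog map to None."""
    actions: Dict[str, Dict[str, Optional[str]]] = {}
    for line in logical_lines(text):
        fields = line.split(None, 1)
        opts: Dict[str, Optional[str]] = {}
        if len(fields) == 2:
            for opt in filter(None, (o.strip() for o in fields[1].split(","))):
                key, _, value = opt.partition("=")
                opts[key] = value if value else None
        actions[fields[0]] = opts
    return actions

def dport_without_proto(actions: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Actions restricted by dport but not proto: a port number alone does not
    identify a service, so the restriction is ambiguous (example's own check)."""
    return [name for name, opts in actions.items()
            if "dport" in opts and "proto" not in opts]
```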
3) To emphasize that it specifies destination ports, the PORT column
   in the snat file has been renamed DPORT. Beginning with this
   release, both 'port' and 'dport' are accepted in the alternative
   input format.
Thank you for testing,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
Shorewall-devel mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-devel
