Shorewall 3.4.4 is now available. This release contains a substantial number of bug fixes plus some minor new features.
For those of you on the development mailing list who downloaded a preview
copy for testing, you are urged to download and install the final version as
it contains significant fixes beyond the preview version.
MD5 Sums of the final version are as follows:
3850e1342e4b9e3902a52ec081e2c413 shorewall-3.4.4-1.noarch.rpm
fce50deca157aeb671ff8f801a477e37 shorewall-3.4.4.tar.bz2
9ee5795d9ed6529e601549ceab4a197b shorewall-3.4.4.tgz
2edc49bfdb2ed8ecbe553dca3c4d3867 shorewall-docs-html-3.4.4.tar.bz2
0a2b12728b926c3c4a006efb5bb8daa2 shorewall-docs-html-3.4.4.tgz
31b5051244bde64becb45abea1ffbe70 shorewall-docs-xml-3.4.4.tar.bz2
3a874adf75212c5010091a56e47f2c66 shorewall-docs-xml-3.4.4.tgz
e4d1b7f99a7d42693102f8f7ac332d68 shorewall-lite-3.4.4-1.noarch.rpm
19f9c535e7382515df47a49e5baf60de shorewall-lite-3.4.4.tar.bz2
04090893d1d6a71d17c1e03666e10c92 shorewall-lite-3.4.4.tgz
Problems corrected in 3.4.4:
1) The commands "shorewall add <interface> <zone>" and "shorewall
delete <interface> <zone>" no longer produce spurious error
messages.
2) The command "shorewall delete <interface> <zone>" now actually deletes
entries when it successfully completes. Previously, it would appear
to remove an entry, even when removing that entry should fail. See
"Other Changes" item 2) for additional information.
3) Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.
4) When run as root, the 'shorewall load' and 'shorewall reload'
commands would fail if the LOGFILE setting in
/etc/shorewall/shorewall.conf specified a non-existant file.
5) Entries in /etc/shorewall/tcrules that specify both a source and
destination port fail with the following diagnostic:
iptables v1.3.3: multiport can only have one option
6) Previously, Shorewall-lite did not allow DHCP traffic through an
interface when the interface was a bridge with 'dhcp' specified
unless there was a bridge on the administrative system with the
same name.
7) SOURCE and DEST are now flagged as invalid zone name to avoid
problems with macros that use those names as keywords.
8) Previously, Shorewall could *increase* the MSS under some
circumstances. This possibility is now eliminated, provided that
the system has TCPMSS match support (be sure to update your
capabilities files!).
9) Firewall zone names other than 'fw' no longer cause a error when
IPSECFILE is not set or is set to 'ipsec'.
10) The 'proxyarp' option on an interface was previously ignored when
the /etc/shorewall/proxyarp file was empty.
11) Previously, if action 'a' was defined then the following
rule generated an error:
a: z1 z2 ...
The trailing ":" is now ignored.
12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
generated error messages referred to the rule as a DROP rule.
13) The 'nolock' keyword was previously ignored on several
/sbin/shorewall[-lite] commands.
Other changes in 3.4.4:
1) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK value.
2) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").
Example:
Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
loc (ipv4)
br0:0.0.0.0/0
eth4:0.0.0.0/0
eth5:0.0.0.0/0
+eth1:0.0.0.0/0
dmz (ipv4)
eth3:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0
In the above output, "eth1:0.0.0.0/0" was dynamically added to the
'loc' zone. As part of this change, "shorewall delete" will only
delete entries that have been added dynamically. In earlier
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.
3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.
Beginning with this release, you may define an alternative means
for accessing the remote firewall system.
Two new options have been added to shorewall.conf:
RSH_COMMAND
RCP_COMMAND
The default values for these are as follows:
RSH_COMMAND: ssh [EMAIL PROTECTED] ${command}
RCP_COMMAND: scp ${files} [EMAIL PROTECTED]:${destination}
Shell variables that will be set when the commands are envoked are
as follows:
root - root user. Normally 'root' but may be overridden using
the '-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the
firewall system.
files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.
destination - The directory on the remote system that the files
are to be copied into.
4) You may now select the compiler to use on the command line using
the '-C' option. This option is available on the following
commands:
check
compile
export
load
reload
restart
start
try
safe-start
save-restart
Example:
shorewall try -C perl .
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
