On Sunday 17 June 2007 08:38:24 Tom Eastep wrote:
> Shorewall 3.4.4 is now available. This release contains a substantial
> number of bug fixes plus some minor new features.

Thanks for this great work.

Best regards
>
> For those of you on the development mailing list who downloaded a preview
> copy for testing, you are urged to download and install the final version
> as it contains significant fixes beyond the preview version.
>
> MD5 Sums of the final version are as follows:
>
> Problems corrected in 3.4.4:
>
> 1)  The commands "shorewall add <interface> <zone>" and "shorewall
>     delete <interface> <zone>" no longer produce spurious error
>     messages.
>
> 2)  The command "shorewall delete <interface> <zone>" now actually deletes
>     entries when it successfully completes.  Previously, it would appear
>     to remove an entry, even when removing that entry should fail.  See
>     "Other Changes" item 2) for additional information.
>
> 3)  Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.
>
> 4)  When run as root, the 'shorewall load' and 'shorewall reload'
>     commands would fail if the LOGFILE setting in
>     /etc/shorewall/shorewall.conf specified a nonexistent file.
>
> 5)  Entries in /etc/shorewall/tcrules that specify both a source and
>     destination port fail with the following diagnostic:
>
>     iptables v1.3.3: multiport can only have one option
>
> 6)  Previously, Shorewall-lite did not allow DHCP traffic through an
>     interface when the interface was a bridge with 'dhcp' specified
>     unless there was a bridge on the administrative system with the
>     same name.
>
> 7)  SOURCE and DEST are now flagged as invalid zone names to avoid
>     problems with macros that use those names as keywords.
>
> 8)  Previously, Shorewall could *increase* the MSS under some
>     circumstances. This possibility is now eliminated, provided that
>     the system has TCPMSS match support (be sure to update your
>     capabilities files!).
>
> 9)  Firewall zone names other than 'fw' no longer cause an error when
>     IPSECFILE is not set or is set to 'ipsec'.
>
> 10) The 'proxyarp' option on an interface was previously ignored when
>     the /etc/shorewall/proxyarp file was empty.
>
> 11) Previously, if action 'a' was defined then the following
>     rule generated an error:
>
>          a:        z1   z2      ...
>
>     The trailing ":" is now ignored.
>
> 12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
>     generated error messages referred to the rule as a DROP rule.
>
> 13) The 'nolock' keyword was previously ignored on several
>     /sbin/shorewall[-lite] commands.
>
> Other changes in 3.4.4:
>
> 1)  The accounting, masq, rules and tos files now have a 'MARK' column
>     similar to the column of the same name in the tcrules file. This
>     column allows filtering by MARK value.
>
> 2)  The "shorewall show zones" command now flags zone members that have
>     been added using "shorewall add" by preceding them with a plus sign
>     ("+").
>
>     Example:
>
>     Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
>
>     fw (firewall)
>     net (ipv4)
>         eth0:0.0.0.0/0
>     loc (ipv4)
>         br0:0.0.0.0/0
>         eth4:0.0.0.0/0
>         eth5:0.0.0.0/0
>         +eth1:0.0.0.0/0
>     dmz (ipv4)
>         eth3:0.0.0.0/0
>     vpn (ipv4)
>         tun+:0.0.0.0/0
>
>     In the above output, "eth1:0.0.0.0/0" was dynamically added to the
>     'loc' zone. As part of this change, "shorewall delete" will only
>     delete entries that have been added dynamically. In earlier
>     versions, any entry could be deleted although the ruleset was only
>     changed by deleting entries that had been added dynamically.
>
> 3)  Earlier generations of Shorewall Lite required that remote root
>     login via ssh be enabled in order to use the 'load' and 'reload'
>     commands.
>
>     Beginning with this release, you may define an alternative means
>     for accessing the remote firewall system.
>
>     Two new options have been added to shorewall.conf:
>
>         RSH_COMMAND
>         RCP_COMMAND
>
>     The default values for these are as follows:
>
>         RSH_COMMAND: ssh [EMAIL PROTECTED] ${command}
>         RCP_COMMAND: scp ${files} [EMAIL PROTECTED]:${destination}
>
>     Shell variables that will be set when the commands are invoked are
>     as follows:
>
>        root  - root user. Normally 'root' but may be overridden using
>                the '-r' option.
>
>        system - The name/IP address of the remote firewall system.
>
>        command - For RSH_COMMAND, the command to be executed on the
>                  firewall system.
>
>        files   - For RCP_COMMAND, a space-separated list of files to
>                  be copied to the remote firewall system.
>
>        destination - The directory on the remote system that the files
>                      are to be copied into.
>
> 4)  You may now select the compiler to use on the command line using
>     the '-C' option. This option is available on the following
>     commands:
>
>         check
>         compile
>         export
>         load
>         reload
>         restart
>         start
>         try
>         safe-start
>         save-restart
>
>      Example:
>
>         shorewall try -C perl .
>
> -Tom



-- 
Jorge Armando Medina 
Calcom de México S.A de C.V. 
Telefono: 01 (664) 6238311 
Email: [EMAIL PROTECTED]
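
An added example, not part of the original messages or of Shorewall itself: a small audit helper that reads "shorewall show zones" output and lists the members flagged with "+", which per "Other Changes" item 2) are the dynamically added entries and the only ones "shorewall delete" will remove. The function names are hypothetical, and the layout is assumed to match the sample in the announcement.

```shell
#!/bin/sh
# Added example: report zone members that were added with "shorewall add",
# i.e. the entries flagged with "+" in "shorewall show zones" output.
# Assumption: a "zone (type)" line is followed by indented
# "interface:network" member lines, as in the announcement's sample.

dynamic_zone_members() {
    # Reads "shorewall show zones" output on stdin and prints one
    # "zone member" pair per dynamically added entry.
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # ignore indentation
        /^[A-Za-z0-9_]+ [(][^)]*[)]$/ { zone = $1; next } # zone header line
        /^[+]/ && zone != "" { print zone, substr($0, 2) }
    '
}

# Constructed sample, copied from the example output in the announcement.
sample_zones() {
    cat <<'EOF'
Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007

fw (firewall)
net (ipv4)
    eth0:0.0.0.0/0
loc (ipv4)
    br0:0.0.0.0/0
    eth4:0.0.0.0/0
    eth5:0.0.0.0/0
    +eth1:0.0.0.0/0
dmz (ipv4)
    eth3:0.0.0.0/0
vpn (ipv4)
    tun+:0.0.0.0/0
EOF
}

# A wildcard interface such as "tun+" is not a dynamic entry: only a
# leading "+" counts.
sample_zones | dynamic_zone_members
```

On a live firewall the same function can be fed with `shorewall show zones | dynamic_zone_members` to see which zone members exist only at run time and not in the static configuration.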
