The Shorewall team is pleased to announce the availability of Shorewall 4.2.8.
Problems Corrected in Shorewall 4.2.8
1) The 'start -f' command would previously skip the compilation step
unconditionally when the 'make' utility was not installed. Now, the
compilation step is run unconditionally in this case.
2) When ADD_IP_ALIASES=Yes in shorewall.conf, entries in
/etc/shorewall/nat produce this failure at compile time when
using Shorewall-perl:
ERROR: Internal Error in emit : /etc/shorewall/nat (line 12)
3) When LOG_MARTIANS=Yes with Shorewall-perl, setting logmartians=0 in
an entry in /etc/shorewall/interfaces failed to suppress martian
logging on the interface.
4) Shorewall-perl now generates rules with inversion that are
compatible with iptables 1.4.3.
5) When a network address was specified in the SOURCE or DEST column of
/etc/shorewall/tcfilters, Shorewall-perl was generating an incorrect
netmask.
Known Problems Remaining:
1) When exclusion is used in an entry in /etc/shorewall/hosts, then
Shorewall-shell produces an invalid iptables rule if any of the
following OPTIONS are also specified in the entry:
blacklist
maclist
norfc1918
tcpflags
2) Shorewall-shell generates inversion rules which produce
warnings with iptables 1.4.3.
Example:
iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT
With iptables 1.4.3.1, the following informational message is produced:
Using intrapositioned negation (`--option ! this`) is deprecated in
favor of extrapositioned (`! --option this`).
We don't intend to fix this. It's time to migrate to Shorewall-perl
anyway.
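As an added example (not from the announcement or the Shorewall project), a small shell helper that rewrites rules in the deprecated intrapositioned form that Shorewall-shell generates into the extrapositioned form iptables 1.4.3 expects, and counts how many such rules a generated script still contains. The function names and the second sample rule below are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Shorewall 4.2.8 announcement. Rewrites
# iptables rules that use intrapositioned negation ("-s ! 192.168.20.1"),
# as Shorewall-shell still generates them, into the extrapositioned form
# ("! -s 192.168.20.1") that iptables 1.4.3 expects. Function names and
# the sample rules other than the one quoted above are constructed.

# Read rules on stdin, write rewritten rules on stdout. Any option token
# (-s, -d, -i, -o, -p, --dport, --state, ...) followed by a "!" (with or
# without a space after it) has the "!" moved in front of the option; the
# /g flag handles several negated options on one line. Rules already in
# extrapositioned form contain no "<option> !" sequence and are unchanged.
fix_negation() {
    sed -E 's/(-{1,2}[A-Za-z][A-Za-z0-9-]*) ! ?/! \1 /g'
}

# Return the rewritten form of a single rule passed as one argument.
fix_rule() {
    printf '%s\n' "$1" | fix_negation
}

# Count the rules (in the named files, or stdin) that still carry the
# deprecated form, so a generated firewall script can be audited before an
# iptables upgrade. grep -c prints 0 and exits 1 when nothing matches, so
# the "|| true" keeps the count usable under "set -e".
count_deprecated() {
    grep -Ec -- '-{1,2}[A-Za-z][A-Za-z0-9-]* !' "$@" || true
}

# Demonstration on the rule quoted in "Known Problems Remaining".
fix_rule 'iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT'
```

To check a whole generated script, pipe it through fix_negation or pass its path to count_deprecated.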
New Features in 4.2.8
1) The /usr/share/shorewall/modules and /usr/share/shorewall6/modules
files have been updated for iptables 1.4.3/kernel 2.6.29.
Migration Issues:
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
mark values < 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING chain.
2) Previously, Shorewall did not range-check the value of the
VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.2:
a) A VERBOSITY setting outside the range -1 through 2 is rejected.
b) After the -v and -q options are applied, the resulting value is
adjusted to fall within the range -1 through 2.
3) Specifying a destination zone in a NAT-only rule now generates a
warning and the destination zone is ignored. NAT-only rules are:
NONAT
REDIRECT-
DNAT-
4) The default value for LOG_MARTIANS has been changed. Previously,
the defaults were:
Shorewall-perl - 'Off'
Shorewall-shell - 'No'
The new default values are:
Shorewall-perl - 'On'
Shorewall-shell - 'Yes'.
Shorewall-perl users may:
a) Accept the new default -- martians will be logged from all
interfaces with route filtering except those with logmartians=0
in /etc/shorewall/interfaces.
b) Explicitly set LOG_MARTIANS=Off to maintain compatibility with
prior versions of Shorewall.
Shorewall-shell users may:
a) Accept the new default -- martians will be logged from all
interfaces with the route filtering enabled.
b) Explicitly set LOG_MARTIANS=No to maintain compatibility with
prior versions of Shorewall.
5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
been changed from Yes to No.
6) The 'norfc1918' option is deprecated. Use explicit rules instead.
Note that there is a new 'Rfc1918' macro that acts on addresses
reserved by RFC 1918.
7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
ipset-based zones instead.
8) The generated firewall script produced by Shorewall-perl can now
detect the GATEWAY of an interface configured with dhclient.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
