Beta 1 is now available for testing.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Previously, /var/log/shorewall*-init.log was created in the wrong
SELinux context. The RPMs have been modified to correct that
issue.
2) An issue with params processing on RHEL6 has been corrected. The
problem manifested as the following type of warning:
WARNING: Param line (export OLDPWD) ignored at
/usr/share/shorewall/Shorewall/Config.pm line 2993.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) When TC_ENABLED=Simple, ACK packets are now placed in the highest
priority class. An ACK packet is a TCP packet with the ACK flag set
and no data payload.
Rationale: Entries in /etc/shorewall[6]/tcpri affect both incoming
and outgoing connections. If a particular application, SMTP for
example, is placed in priority class 3, then outgoing ACK packets
for incoming email were previously placed in priority class 3 as
well. This could have the effect of slowing down incoming mail when
the goal was to give outgoing mail a lower priority. By
unconditionally placing ACK packets in priority class 1, this issue
is avoided.
2) Up to this point, the Perl-based rules compiler has not accepted
ICMP type lists. This is in contrast to the shell-based compiler
which did support such lists.
Support for ICMP (and ICMPv6) type lists has now been restored.
3) A Shorewall user has contributed a macro for Puppet.
4) Beginning with this release, it is possible to install Shorewall
and Shorewall6 in an arbitrary location.
The simplest form of this capability is the BASE environment
variable. When set, it causes Shorewall to be installed relative to a
specified directory.
For example:
BASE=/usr/local/ ./install.sh
will install Shorewall's components in
/usr/local/etc/shorewall/
/usr/local/sbin/
/usr/local/share/shorewall/
/usr/local/share/man/
/usr/local/var/lib
When run as root, the necessary files are installed in
/etc/default, /etc/init.d/ etc.
When run as non-root, /etc is not modified.
There are several restrictions and considerations:
a) Shorewall and Shorewall6 must be installed in the same BASE
directory.
b) When Shorewall Init is used, /etc/default/shorewall-init
(/etc/sysconfig/shorewall-init) must set four additional
variables:
ETC - name of the BASE /etc directory
SBIN - name of the BASE /sbin directory
SHARE - name of the BASE /usr/share directory
VAR - name of the BASE /var directory
If BASE=/usr/local/ then
ETC=/usr/local/etc/
SBIN=/usr/local/sbin/
SHARE=/usr/local/share/
VAR=/usr/local/var/lib/
c) The CONFIG_PATH variable (if set) in shorewall.conf and
shorewall6.conf must be adjusted accordingly.
If BASE=/usr/local/ then the Shorewall CONFIG_PATH would be:
CONFIG_PATH=/usr/local/etc/shorewall:/usr/local/share/shorewall
and for Shorewall6, it would be
CONFIG_PATH=/usr/local/etc/shorewall6:/usr/local/share
/shorewall6:/usr/local/share/shorewall/
(folded)
The ETC, SBIN, SHARE and VAR variables may also be passed to
install.sh (in addition to the existing MANDIR variable). When
passed together with BASE, they override BASE if the value is an
absolute path name (begins with '/'); otherwise, they are appended
to BASE. If BASE is not passed, then their values must be absolute
path names.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
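
The following is an added example, not code from Shorewall's install.sh: it applies the BASE/ETC/SBIN/SHARE/VAR override rules from new feature 4 so the target directories can be reviewed before the installer is run as root. The function names and the relative defaults (etc, sbin, share, var/lib, read off the BASE=/usr/local/ listing above) are assumptions.

```shell
#!/bin/sh
# Added illustration of the path rules in the release notes; hypothetical
# helper names, not part of Shorewall.

# resolve_dir BASE VALUE DEFAULT
#   BASE    - value of BASE; empty means "not passed"
#   VALUE   - value passed for ETC, SBIN, SHARE or VAR; empty means "not passed"
#   DEFAULT - directory under BASE used when VALUE is empty (assumed default)
# Prints the resolved directory. Returns 1 when the result would depend on
# BASE but BASE was not passed.
resolve_dir() {
    _base=$1; _value=${2:-}; _default=$3
    case $_value in
        /*) printf '%s\n' "$_value"; return 0 ;;   # absolute value overrides BASE
    esac
    # Relative or empty value: only meaningful underneath BASE.
    [ -n "$_base" ] || return 1
    printf '%s/%s\n' "${_base%/}" "${_value:-$_default}"   # appended to BASE
}

# install_plan: reads BASE, ETC, SBIN, SHARE and VAR from the shell variables
# of the caller and prints one NAME=directory line per variable.
install_plan() {
    for _pair in ETC:etc SBIN:sbin SHARE:share VAR:var/lib; do
        _name=${_pair%%:*}
        _def=${_pair#*:}
        eval "_val=\${$_name:-}"        # _name comes from the fixed list above
        _dir=$(resolve_dir "${BASE:-}" "$_val" "$_def") || {
            echo "$_name: needs an absolute path when BASE is not passed" >&2
            return 1
        }
        printf '%s=%s\n' "$_name" "$_dir"
    done
}

# Constructed sample: BASE as in the release notes, VAR overridden with an
# absolute path. Run in a subshell so the variables do not leak.
( BASE=/usr/local/ ETC= SBIN= SHARE= VAR=/var/lib; install_plan )
```

The four resolved values are also the ones that item (b) says must be set in /etc/default/shorewall-init when Shorewall Init is used.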
