Shorewall 4.4.21 is now available for download.

----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) All problem corrections included in Shorewall 4.4.20.1 - 4.4.20.3
(see below).
2) The following error message

    FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel
    and iptables

has been corrected to read

    FORWARD_CLEAR_MARK=Yes requires MARK Target in your kernel
    and iptables
3) The TPROXY target in the tcrules file could previously cause a
failure during iptables restore like this:

    Running /usr/sbin/iptables-restore...
    Bad argument `3128'
    Error occurred at line: 110
    Try `iptables-restore -h' or 'iptables-restore --help' for more
    information.
    ERROR: iptables-restore Failed. Input is in
    /var/lib/shorewall/.iptables-restore-input
4) The 'balance' and 'fallback' options in /etc/shorewall/providers
have always been mutually exclusive but the compiler previously
didn't enforce that restriction. Now it does.
5) The Shorewall and Shorewall6 'load' and 'reload' commands
previously used the setting of RSH_COMMAND and RCP_COMMAND from
/etc/shorewall/shorewall.conf (/etc/shorewall6/shorewall6.conf).
These commands now use the .conf file in the current working
directory.
6) The ipset modules are now automatically loaded by Shorewall6 when
LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally,
there is now a /usr/share/shorewall6/modules.ipset file that lists
all of the required modules.
7) TPROXY was previously not described in shorewall-tcrules(5) or
shorewall6-tcrules(5). These descriptions have been added.
In addition, Shorewall6 now correctly handles the third TPROXY
parameter (<ip address>). Previously, the following error was
generated:

    ERROR: Invalid MARK (TPROXY(10,3128,::1)) :
    /etc/shorewall6/tcrules (line 4)
8) With LOAD_HELPERS_ONLY=Yes, the compiler could use the deprecated
--set parameter to the ipset match when --match-set was
appropriate.
9) If 'shorewall clear' was executed when there was no
/var/lib/shorewall/firewall file, the following incorrect error
message was produced:

    ERROR: Shorewall6 has never been started

The message now reads:

    ERROR: Shorewall has never been started
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) AUTOMAKE=Yes now causes all directories on the CONFIG_PATH to be
searched for files newer than the script that last
started/restarted the firewall. Previously, only /etc/shorewall
(/etc/shorewall6) was searched.
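As an added illustration of the comparison AUTOMAKE=Yes now makes (this is example code written for these notes, not Shorewall's own), the POSIX shell function below walks every directory on a CONFIG_PATH and reports the files newer than the compiled script that last started or restarted the firewall. The script location and CONFIG_PATH in the usage comment are assumed defaults; the function name is made up for the example.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: list the configuration files on a
# CONFIG_PATH that are newer than the compiled script that last started or
# restarted the firewall. This is the comparison AUTOMAKE=Yes now makes over
# every directory on CONFIG_PATH instead of only /etc/shorewall. The paths in
# the usage comment at the bottom are assumed defaults.

# stale_config SCRIPT CONFIG_PATH
#   SCRIPT      compiled firewall script (e.g. /var/lib/shorewall/firewall)
#   CONFIG_PATH colon-separated directory list, as in shorewall.conf
# Prints every regular file below a CONFIG_PATH directory whose modification
# time is later than SCRIPT's. Returns 0 if any such file exists (the next
# start would recompile), 1 if the compiled script is current.
stale_config() {
    script=$1
    rest=$2
    found=1
    if [ ! -f "$script" ]; then
        # Never started: everything counts as new, so report "stale".
        echo "stale_config: no compiled script at $script" >&2
        return 0
    fi
    # Walk the ':'-separated list without changing IFS for the caller.
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        if [ "$dir" = "$rest" ]; then rest=; else rest=${rest#*:}; fi
        [ -d "$dir" ] || continue
        newer=$(find "$dir" -type f -newer "$script")
        if [ -n "$newer" ]; then
            printf '%s\n' "$newer"
            found=0
        fi
    done
    return $found
}

# Stand-alone usage with assumed default locations:
#   stale_config /var/lib/shorewall/firewall /etc/shorewall:/usr/share/shorewall
```

Run it before a maintenance window to see which files (including ones under /usr/share/shorewall, such as a modified action or macro) will trigger a recompile on the next start.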
2) FORMAT-2 actions may now specify default parameter values using the
DEFAULTS directive.

    DEFAULTS <def1>,<def2>,...

Where <def1> is the default value for the first parameter, <def2>
is the default value for the second parameter and so on. To specify
an empty default, use '-'. Note that the corresponding parameter
variable ($n) will still expand to '-' but will be treated as empty
by the builtin actions such as dropInvalid.
The DEFAULTS directive also determines the maximum number of
parameters that an action may have. If more parameters are passed
than have default values, an error message is issued.
3) Parameterized macros may now specify a default parameter value
using the DEFAULT directive.

    DEFAULT <default>

Example macro.Foo -- by default, accepts connections on fictitious
tcp port 'foo'.

    DEFAULT ACCEPT
    PARAM   -   -   tcp   foo
4) The standard Drop and Reject actions are now parameterized. Each
has 5 parameters:

   1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited.
      Pass '-' otherwise.

   2) The action to be applied to Auth requests:

         FIRST PARAMETER    DEFAULT
         -                  REJECT
         audit              A_REJECT

   3) The action to be applied to SMB traffic. The default depends on
      the action and its first parameter:

         ACTION    FIRST PARAMETER    DEFAULT
         Reject    -                  REJECT
         Drop      -                  DROP
         Reject    audit              A_REJECT
         Drop      audit              A_DROP

   4) The action to be applied to accepted ICMP packets.

         FIRST PARAMETER    DEFAULT
         -                  ACCEPT
         audit              A_ACCEPT

   5) The action to be applied to UPnP (udp port 1900) and late DNS
      replies (udp source port 53)

         FIRST PARAMETER    DEFAULT
         -                  DROP
         audit              A_DROP

The parameters can be passed in the POLICY column of the policy
file.

Examples:

    SOURCE   DEST   POLICY
    net      all    DROP:Drop(audit):audit   #Same as
                                             #DROP:A_DROP:audit

    SOURCE   DEST   POLICY
    net      all    DROP:Drop(-,DROP)        #DROP rather than REJECT Auth

The parameters can also be specified in shorewall.conf:

Example:

    DROP_DEFAULT=Drop(-,DROP)
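The parameter handling described in items 2 and 4 above, worked through in POSIX shell as an added example (this is not the Shorewall compiler's code, and the function names are invented for the illustration): missing parameters take their defaults, passing more parameters than there are defaults is an error, and the Drop/Reject defaults for parameters 2-5 follow the tables above according to the first parameter. Treating an empty entry such as Drop(,DROP) as "unspecified" is a convention of this example, not documented behaviour.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: resolve an action invocation such
# as Drop(-,DROP) against a DEFAULTS list as the release notes describe.

# defaults_for ACTION FIRST -> prints the five defaults for Drop or Reject,
# taken from the tables in item 4: FIRST is 'audit' or '-'.
defaults_for() {
    action=$1 first=$2
    case $first in
        audit) a=A_ ;;   # audited variants of every default
        *)     a= ;;
    esac
    case $action in
        Drop)   smb=${a}DROP ;;
        Reject) smb=${a}REJECT ;;
        *) echo "defaults_for: unknown action $action" >&2; return 1 ;;
    esac
    # 1: audit flag  2: Auth  3: SMB  4: accepted ICMP  5: UPnP / late DNS
    printf '%s,%s,%s,%s,%s\n' "$first" "${a}REJECT" "$smb" "${a}ACCEPT" "${a}DROP"
}

# resolve_params DEFAULTS PARAMS -> prints the effective comma-separated list.
# DEFAULTS is the value of a DEFAULTS directive; PARAMS is what was passed in
# the parentheses (possibly empty). Returns 1 if PARAMS has more entries than
# DEFAULTS, which the compiler reports as an error.
resolve_params() {
    defaults=$1 params=$2 out= n=0
    while [ -n "$defaults" ]; do
        d=${defaults%%,*}
        if [ "$d" = "$defaults" ]; then defaults=; else defaults=${defaults#*,}; fi
        if [ -n "$params" ]; then
            p=${params%%,*}
            if [ "$p" = "$params" ]; then params=; else params=${params#*,}; fi
            # A passed value, '-' included, is kept as written; an empty entry
            # falls back to the default (assumption made by this example).
            [ -n "$p" ] || p=$d
        else
            p=$d
        fi
        if [ $n -eq 0 ]; then out=$p; else out=$out,$p; fi
        n=$((n + 1))
    done
    if [ -n "$params" ]; then
        echo "ERROR: more parameters passed than defaults defined: $params" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# resolve_policy_action 'Drop(-,DROP)' -> the effective five parameters, as
# they would apply from a POLICY column entry or DROP_DEFAULT setting.
resolve_policy_action() {
    spec=$1
    action=${spec%%(*}
    params=${spec#"$action"}
    params=${params#\(}
    params=${params%\)}
    first=${params%%,*}
    [ -n "$first" ] || first=-
    resolve_params "$(defaults_for "$action" "$first")" "$params"
}

# Stand-alone usage:
#   resolve_policy_action 'Drop(-,DROP)'    # -> -,DROP,DROP,ACCEPT,DROP
#   resolve_policy_action 'Reject(audit)'   # -> audit,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
```

The useful check here is the second call pattern: Reject(audit) audits the Auth and SMB rejects as well as the accepted ICMP, so a policy that only wanted the final DROP audited must pass the other targets explicitly, e.g. Reject(audit,REJECT,REJECT,ACCEPT).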
5) An 'update' command has been added to /sbin/shorewall and
/sbin/shorewall6. The command updates the shorewall.conf
(shorewall6.conf) file then validates the configuration. The
updated file will set any options not specified in the old file
with their default values, and will move any deprecated options
with non-default values to a 'deprecated options' section at the
end of the file. Each such deprecated option will generate a
warning message.
Your original shorewall.conf (shorewall6.conf) file will be saved as
shorewall.conf.bak (shorewall6.conf.bak).
The 'update' command accepts the same options as the 'check'
command plus a '-a' option that causes the updated file to be
annotated with manpage documentation.
6) Shorewall6 now supports ipsets.
Unlike iptables, which has separate configurations for IPv4 and
IPv6, ipset has a single configuration that handles both. This
means that SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf
won't work correctly. To work around this issue, Shorewall-init is
now capable of restoring ipset contents during 'start' and saving
them during 'stop'.
To direct Shorewall-init to save/restore ipset contents, set the
SAVE_IPSETS option in /etc/sysconfig/shorewall-init
(/etc/default/shorewall-init on Debian and derivatives). The value
of the option is a file name where the contents of the ipsets will
be saved to and restored from. Shorewall-init will create any
parent directories during the first 'save' operation.
If you configure Shorewall-init to save/restore ipsets, be sure to
set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.
As part of this change, Shorewall and Shorewall6 will only restore
saved ipsets if SAVE_IPSETS=Yes in shorewall.conf
(shorewall6.conf).
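A small consistency check for the two settings above, added here as example code (not part of Shorewall or shorewall-init): if shorewall-init has SAVE_IPSETS set to a file name, both shorewall.conf and shorewall6.conf must say SAVE_IPSETS=No, otherwise two products fight over one shared ipset state. The file paths in the usage comment are the Debian-style locations named above; the function names and the reading of an unset SAVE_IPSETS as No are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: verify that ipset save/restore is
# owned by exactly one component.

# conf_value FILE OPTION -> prints the value of OPTION=... in FILE (last
# assignment wins, trailing comments and surrounding quotes removed);
# prints nothing if the option is unset or the file is missing.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# check_ipset_config INIT_CONF CONF CONF6
#   INIT_CONF  /etc/sysconfig/shorewall-init or /etc/default/shorewall-init
#   CONF       shorewall.conf, CONF6 shorewall6.conf
# Returns 0 if the settings are consistent, 1 (with a message on stderr)
# if shorewall-init saves ipsets while a product file still has
# SAVE_IPSETS=Yes. An unset SAVE_IPSETS is treated as No (assumption).
check_ipset_config() {
    init_save=$(conf_value "$1" SAVE_IPSETS)
    rc=0
    case $init_save in
        ''|No|no)
            # shorewall-init is not saving ipsets; each product may do so itself.
            ;;
        *)
            # shorewall-init saves to "$init_save": per-product saving must be off.
            for f in "$2" "$3"; do
                v=$(conf_value "$f" SAVE_IPSETS)
                case $v in
                    ''|No|no) ;;
                    *)
                        echo "$f: SAVE_IPSETS=$v conflicts with SAVE_IPSETS=$init_save in $1" >&2
                        rc=1
                        ;;
                esac
            done
            ;;
    esac
    return $rc
}

# Stand-alone usage on a Debian-style layout (assumed paths):
#   check_ipset_config /etc/default/shorewall-init \
#       /etc/shorewall/shorewall.conf /etc/shorewall6/shorewall6.conf
```

Running this after 'shorewall update' is worthwhile, since the updated .conf is regenerated with defaults for any option the old file did not mention and is easy to overlook when shorewall-init already owns the ipset file.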
7) Shorewall6 now supports dynamic zones:

   1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces

   2) The HOSTS column of /etc/shorewall6/hosts may now contain
      <interface>:dynamic.

   3) /sbin/shorewall6 now supports the 'add' and 'delete' commands.
Thank you for using Shorewall,
-The Shorewall Team
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
