The Shorewall team is pleased to announce the availability of Shorewall
4.4.23.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  This release includes all problem corrections included in Shorewall
    4.4.22.1 - 4.4.22.3.

2)  Previously, the contents of the NET1 and NET2 columns in
    /etc/shorewall/netmap were not validated by the rules compiler. As
    a result, invalid entries in those columns could cause the compiled
    script to fail while running iptables-restore.

3)  The 'hits' command could issue an 'invalid number' diagnostic when
    run under busybox ash. That diagnostic has been eliminated.

4)  If a zone had multiple interfaces and neither 'routefilter' nor
    'routeback' was specified on the interfaces, then traffic between
    the interfaces could fail with a log message such as this one:

    Sep  4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10893 SEQ=2

--------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  The leading '#!/bin/sh' line has been deleted from non-executable
    shell modules.

2)  When 'shorewall update' or 'shorewall6 update' results in no change
    to the .conf file, a message is issued, the .bak file is removed
    and the command terminates without error.

    Note: This change was also included in Shorewall 4.4.22.3.

3)  Support has been added for 'stateless NAT'. Stateless NAT is very
    similar to NETMAP but differs from it in a couple of ways:

    a. It does not rely on connection tracking, but is rather
       implemented in the Netfilter raw table.

    b. Both the source and destination address can be rewritten in all
       three raw table chains: PREROUTING, OUTPUT and POSTROUTING.

    When used together with stateful NAT, it allows a single router to
    handle a duplicate network address situation.

    Suppose that a VPN using interface tun0 is used to connect to
    another organization, and that both intranets have network
    192.168.1.0/24.

    To allow the two organizations to communicate, they decide to use
    172.20.1.0/24 to address the other's 192.168.1.0/24.

    The following four entries are required in /etc/shorewall/netmap:

        #TYPE   NET1                INTERFACE        NET2
        SNAT    192.168.1.0/24      tun0             172.20.1.0/24
        DNAT    172.20.1.0/24       tun0             192.168.1.0/24
        DNAT:T  172.20.1.0/24       tun0             192.168.1.0/24
        SNAT:P  192.168.1.0/24      tun0             172.20.1.0/24

    Stateless NAT entries differ from NETMAP entries in the TYPE
    column. For stateless entries, both the type of address
    translation (DNAT or SNAT) and the chain (O for OUTPUT, P for
    PREROUTING and T for POSTROUTING) are given.
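    As an added example (not Shorewall's own compiler code), the following
    Python checker validates the NET1 and NET2 columns the way item 1.2
    above says the compiler now does, accepts the new chain-suffixed TYPE
    values, and renders each entry as the iptables rule it stands for. The
    NETMAP, RAWSNAT and RAWDNAT target names and the 'rawpost' table for
    the POSTROUTING case are assumptions about the underlying Netfilter
    targets; the announcement does not name them.

```python
import ipaddress

# Constructed sample of /etc/shorewall/netmap for the duplicate-address scenario
# above; line 4 deliberately carries the malformed NET2 value "192.168.1.0.24".
SAMPLE_NETMAP = """\
#TYPE   NET1                INTERFACE        NET2
SNAT    192.168.1.0/24      tun0             172.20.1.0/24
DNAT    172.20.1.0/24       tun0             192.168.1.0/24
DNAT:T  172.20.1.0/24       tun0             192.168.1.0.24
SNAT:P  192.168.1.0/24      tun0             172.20.1.0/24
"""
CHAINS = {"": None, "O": "OUTPUT", "P": "PREROUTING", "T": "POSTROUTING"}

def parse_netmap(text):
    """Validate every line; return (entries, errors) rather than a failing script."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        kind, _, suffix = fields[0].partition(":")   # SNAT, DNAT:T, ...
        if len(fields) < 4 or kind not in ("SNAT", "DNAT") or suffix not in CHAINS:
            errors.append(f"line {lineno}: bad column count or TYPE {fields[0]!r}")
            continue
        try:   # strict=True also rejects host bits set inside the prefix
            n1 = ipaddress.ip_network(fields[1], strict=True)
            n2 = ipaddress.ip_network(fields[3], strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if n1.prefixlen != n2.prefixlen:
            errors.append(f"line {lineno}: NET1/NET2 prefix lengths differ")
            continue
        entries.append({"type": kind, "chain": CHAINS[suffix],
                        "net1": n1, "iface": fields[2], "net2": n2})
    return entries, errors

def render_rule(e):
    """Render an entry as the iptables rule it stands for (target names assumed)."""
    if e["chain"] is None:      # stateful: nat table, NETMAP target
        chain = "POSTROUTING" if e["type"] == "SNAT" else "PREROUTING"
        table, target, opt = "nat", "NETMAP", "--to"
    else:                       # stateless: raw chains, xtables-addons RAWSNAT/RAWDNAT
        chain, target = e["chain"], "RAW" + e["type"]
        table = "rawpost" if chain == "POSTROUTING" else "raw"  # assumed table names
        opt = "--to-source" if e["type"] == "SNAT" else "--to-destination"
    ifopt = "-i" if chain == "PREROUTING" else "-o"
    match = "-s" if e["type"] == "SNAT" else "-d"
    return (f"iptables -t {table} -A {chain} {ifopt} {e['iface']} "
            f"{match} {e['net1']} -j {target} {opt} {e['net2']}")
```

    Running it on the sample rejects line 4 at compile time instead of
    letting iptables-restore fail later, and the remaining three entries
    render as the nat-table and raw-table rules described above.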

4)  A new section (ALL) has been added to /etc/shorewall/rules and to
    /etc/shorewall6/rules. When present, the ALL section must be the
    first section in the file and contains rules that are applied to
    packets regardless of their connection tracking state.

5)  The generated script now detects and removes stale lock files.

6)  Jonathan Underwood has contributed Fedora/Redhat init script and
    .service files. The .service files are used with systemd which
    manages the startup sequence in Fedora 16.

    When installing using the install scripts:

    a) If /lib/systemd/system exists, the .service files are installed
       there and are activated using /sbin/systemctl. When installing
       into a directory, setting the SYSTEMD environment variable to
       a non-empty value will also trigger this behavior.

    b) If /etc/redhat-release exists, the Fedora/Redhat init script
       will be installed in /etc/init.d. When installing into a
       directory, setting the FEDORA environment variable to a
       non-empty value will also trigger this behavior.

7)  Previously, when a provider interface went 'soft down' (UP and
    configured but not usable) or came back up from being 'soft down',
    the firewall had to be reloaded ('/var/lib/shorewall/firewall
    restart') to disable or enable the interface.

    Beginning with this release, the compiled IPv4 script supports two
    new commands:

    -   disable <interface>
    -   enable <interface>

    The 'disable' command removes all policy routing added as a result
    of the interface's entry in /etc/shorewall/providers and any
    traffic shaping configuration on the interface. The 'enable'
    command restores policy routing and traffic shaping and refreshes the
    interface's entries in /proc.

8)  Shorewall now uses /sys/module/ to determine which modules are
    loaded, thus speeding up start/restart.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
