The Shorewall team is pleased to announce the availability of Shorewall 4.4.27.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Shorewall 4.4.27 includes all defect corrections provided by
Shorewall 4.4.26.1.
2) When TC_ENABLED=Shared, CLASSIFY rules could not previously be used
in the tcrules file. Thanks to a patch from Chris Boot, this now
works as expected.
3) When providers were used in an IPv6 configuration, each time that
Shorewall6 was started or restarted, entries as follows would be
added to the IPv4 (!) routing rules:
32767: from all lookup default
One such entry would be added for each provider.
Now one such entry is added to the IPv6 routing rules, and only if
that entry does not already exist.
4) The formatting of the manpage info in the annotated configuration
files has been improved dramatically.
5) A blrules file generated by 'update -b' would fail the compilation
step with
ERROR: Unknown ACTION (A_blacklog)
if all the following were true:
a) BLACKLIST_DISPOSITION did not specify an audited disposition.
b) BLACKLIST_LOGLEVEL was specified.
c) The 'audit' option appeared in one or more blacklist entries.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Up to this point, Shorewall has had a lot of very similar files in
multiple products.
Beginning with this release, the following files are identical.
- /sbin/shorewall
- /sbin/shorewall6
- /sbin/shorewall-lite
- /sbin/shorewall6-lite
The program uses its own file name to determine which role it is
to assume. It does that by initializing variables that are later
used within the various libraries.
Shorewall and Shorewall6 share use of /usr/share/shorewall/lib.base,
/usr/share/shorewall/lib.cli, and /usr/share/shorewall/lib.common.
/usr/share/shorewall6/lib.base is a small file that sets variables
and then sources /usr/share/shorewall/lib.base.
As before, shorewall and shorewall-lite share the same libraries,
as do shorewall6 and shorewall6-lite.
Shorewall includes a new library: /usr/share/shorewall/lib.cli-std.
/usr/share/shorewall[6]/lib.cli contains everything needed by the
Lite products.
2) Shorewall now supports the CT target in the Netfilter 'raw'
table. See 'man shorewall-notrack' for details.
The main use of this target is described in this paper:
http://home.regit.org/wp-content/uploads/2011/11/helper-recommandation.pdf.
The paper is a product of the vulnerability described in the 4.4.20
release note, which introduced the 'sfilter' facility. In the paper,
rules such as the following are recommended:
iptables -A PREROUTING -t raw -p tcp --dport 2121 \
-d 1.2.3.4 -j CT --helper ftp
The equivalent entry in /etc/shorewall/notrack would be:
#ACTION          SOURCE      DEST     PROTO   DEST
#                                             PORT(S)
CT:helper:ftp    1.2.3.4     -        tcp     2121
As part of this change, Shorewall now verifies the helper name in
the HELPER column of the tcrules and tcpri files.
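The following is an added illustration, not Shorewall's own code, of the pairing shown above: it turns a CT:helper entry in notrack column form into the equivalent iptables raw-table rule, and refuses unknown helper names the way the compiler now does. It assumes the SOURCE and DEST columns hold plain addresses or '-' (Shorewall's zone syntax is ignored), and the constructed sample puts the FTP server address in the DEST column so that the output is the -d rule quoted above.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): translate a CT:helper entry in
# /etc/shorewall/notrack column form into the equivalent iptables raw-table
# rule. Columns handled: ACTION SOURCE DEST PROTO DPORT, as in the release
# note. SOURCE/DEST are treated as plain addresses or '-' (assumption).

# Subset of the conntrack helper names the kernel ships; used to mirror the
# "verify the helper name" check the release note describes.
KNOWN_HELPERS="ftp irc sip tftp pptp h323 amanda snmp netbios-ns"

helper_known() {
    for h in $KNOWN_HELPERS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# Usage: notrack_to_iptables 'CT:helper:NAME SOURCE DEST PROTO DPORT'
# Prints one iptables command. Returns 1 for an ACTION that is not
# CT:helper:NAME, for an unknown helper, or for a port given without a
# protocol (iptables rejects --dport without -p).
notrack_to_iptables() {
    set -- $1                               # split the entry on whitespace
    action=$1 src=$2 dst=$3 proto=$4 dport=$5
    : "${src:=-}" "${dst:=-}" "${proto:=-}" "${dport:=-}"   # missing column == '-'
    case "$action" in
        CT:helper:?*) helper=${action#CT:helper:} ;;
        *) return 1 ;;
    esac
    helper_known "$helper" || return 1
    [ "$dport" != "-" ] && [ "$proto" = "-" ] && return 1
    cmd="iptables -t raw -A PREROUTING"
    [ "$src"   != "-" ] && cmd="$cmd -s $src"
    [ "$dst"   != "-" ] && cmd="$cmd -d $dst"
    [ "$proto" != "-" ] && cmd="$cmd -p $proto"
    [ "$dport" != "-" ] && cmd="$cmd --dport $dport"
    echo "$cmd -j CT --helper $helper"
}

# Constructed sample: FTP helper for a server at 1.2.3.4 (DEST column),
# control port 2121, matching the rule from the paper.
notrack_to_iptables 'CT:helper:ftp - 1.2.3.4 tcp 2121'
```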
3) The above-referenced paper also advocates careful control of
RELATED rules. To allow such control, two new options have been
introduced in shorewall[6].conf:
- RELATED_DISPOSITION
May be ACCEPT, A_ACCEPT, A_DROP, A_REJECT, DROP or REJECT. For
compatibility with earlier releases, the default is ACCEPT.
This disposition applies to RELATED packets that do not
match any rule in the RELATED section of the rules file.
- RELATED_LOG_LEVEL
Specifies a level for logging related packets. The default is empty,
which means that no logging occurs.
4) The options in shorewall.conf (shorewall6.conf) may now be used as
shell variables in other configuration files.
5) A new option, USE_PHYSICAL_NAMES, has been added to shorewall.conf
and shorewall6.conf. Normally, when the rules compiler creates a
Netfilter chain that relates to an interface, the logical name of
the interface is used as the base for the chain name. For example,
if an interface has logical name OAKLAND and physical name eth0,
then the primary chain for input arriving on that interface is
normally 'OAKLAND_in'. When USE_PHYSICAL_NAMES=Yes, the name would
be 'eth0_in'.
6) CLASSIFY entries in tcrules may now be placed in the FORWARD or
PREROUTING chain by following the class Id with :F or :P
respectively.
Thank you for using Shorewall.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
