The Shorewall Team is pleased to announce the availability of Shorewall
4.5.0.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) This release includes all defect repair included in
4.4.27.1-4.4.27.3.
2) The start and restart commands in Shorewall Lite and Shorewall6
Lite now correctly handle the 'trace' and 'debug'
keywords. Previously, those keywords were ignored.
3) The 'ip route list' command on recent Linux systems (Ubuntu 11.10,
for example) displays the IPv4 routing table in a seemingly random
order. In the 'show routing' and 'dump' commands, Shorewall and
Shorewall-lite now sort the output into the traditional
'Most-specific to most-general' order.
4) Previously, specifying 'No' in the HAVEROUTE column of
/etc/shorewall6/proxyndp resulted in a run-time error. The code has
been corrected so that no error occurs.
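The 'show routing' fix in item 3 above comes down to re-ordering whatever 'ip route list' prints by prefix length. The following POSIX shell function is an added illustration of that ordering, not Shorewall's own code; SAMPLE_ROUTES is a constructed stand-in for the command's output, and the hypothetical helper prefix_len treats 'default' as /0 and a bare host address as /32.

```shell
#!/bin/sh
# Added example (not Shorewall code): sort 'ip route list' output from
# most-specific to most-general prefix, with the default route last.

# Constructed sample of what a recent kernel prints, in seemingly random order.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/8 via 192.0.2.2 dev eth0
198.51.100.5 dev eth1 scope link
10.1.0.0/16 via 192.0.2.3 dev eth0'

# Prefix length of one destination token: 'default' is /0, 'a.b.c.d/n' is n,
# and a bare host address without a '/' is a /32 host route.
prefix_len() {
    case "$1" in
        default) echo 0 ;;
        */*)     echo "${1#*/}" ;;
        *)       echo 32 ;;
    esac
}

# Read route lines on stdin, tag each with its prefix length, sort the tags
# numerically in descending order (stable, so equal prefixes keep their
# original relative order), then strip the tag again.
sort_routes() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        dest=${line%% *}                      # first token is the destination
        printf '%s\t%s\n' "$(prefix_len "$dest")" "$line"
    done | sort -s -k1,1nr | cut -f2-
}

# Returns the sorted sample; used both for a quick demo and by the checks.
sorted_sample() {
    printf '%s\n' "$SAMPLE_ROUTES" | sort_routes
}
```

Running sorted_sample yields the /32 host route first and 'default' last, which is the order the release notes call 'Most-specific to most-general'.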
----------------------------------------------------------------------------
K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) The rules generated by the following interface options are now
traversed after those generated by the blrules file.
dhcp
maclist
nosmurfs
sfilter
tcpflags
As part of this change, the BLACKLIST section in the rules file has
been eliminated. If you have rules in that section, you must move
them to the blrules file prior to installing this Shorewall
version.
2) The timeout interval after which the previous state is restored
may now be specified in the safe-start and safe-restart commands.
3) The packaging of the Shorewall products has been changed. Beginning
with this release, the packages are:
- Shorewall Core -- Core libraries installed in
/usr/share/shorewall/
- Shorewall -- Requires Shorewall Core. Together with
Shorewall Core, provides IPv4 firewalling.
- Shorewall6 -- Requires Shorewall. Provides IPv6 firewalling.
- Shorewall Lite -- Requires Shorewall Core. As before.
- Shorewall6 Lite -- Requires Shorewall Core. As before.
- Shorewall Init -- As before.
4) Shorewall and Shorewall6 now share a single install.sh file as do
Shorewall Lite and Shorewall6 Lite.
5) Functions common to both /usr/share/shorewall/prog.header and
/usr/share/shorewall/prog.header6 are now in a new library,
lib.core. The file /usr/share/shorewall/prog.footer is now used
for both IPv4 and IPv6.
6) Run-time address variables (e.g., &eth0) may now be used in the
SOURCE column of the rtrules files.
7) The route_rules file has been renamed to 'rtrules'. The Shorewall
and Shorewall6 installers will perform the rename on an existing
file.
If both files exist, route_rules will be processed and rtrules
will be ignored with a warning.
8) A 'PROBABILITY' column has been added to the tcrules files. It
causes the rule to match randomly with the probability specified in
the column. See shorewall-tcrules(5) and shorewall6-tcrules(5) for
details.
9) An alternative to the balance=<weight> option in the providers file
is now available. This alternative works when there are multiple
links to the same ISP where both links use an ethernet interface (as
opposed to PPPoE) and have the same default gateway.
As part of this change, the generated firewall script now
automatically maintains the
/var/lib/shorewall[6][-lite]/interface.status files used by SWPING
and by LSM.
See http://www.shorewall.net/MultiISP.html#load for additional
information.
Example that sends 1/3 of the connections to the ComcastC provider
and the rest to ComcastB:

   /etc/shorewall/shorewall.conf:

      MARK_IN_FORWARD_CHAIN=No
      ...
      USE_DEFAULT_RT=Yes

   /etc/shorewall/providers:

      #NAME     NUMBER  MARK  DUP  INTERFACE  GATEWAY        OPTIONS
      ComcastB  1       -     -    eth1       70.90.191.126  loose,balance,load=0.66666667
      ComcastC  2       -     -    eth0       67.170.120.1   loose,fallback,load=0.33333333

   Note: The 'loose' option is specified so that the compiler will not
   generate any rules based on interface IP addresses. That way
   we have complete control over the priority of such rules
   through entries in the rtrules file.

   /etc/shorewall/rtrules:

      #SOURCE           DEST  PROVIDER  PRIORITY
      70.90.191.120/29  -     ComcastB  1000
      &eth0             -     ComcastC  1000

   Note: eth0 has a dynamic address, so &eth0 is used in the SOURCE
   column.

   Note: Priority = 1000 means that these rules will come before rules
   that select a provider based on marks.
10) The Shorewall files in /etc/default and /etc/sysconfig now support
two new options that affect how '/etc/init.d/shorewall start'
and '/etc/init.d/shorewall restart' behave:
   STARTOPTIONS   -- options to the start command.
   RESTARTOPTIONS -- options to the restart command.
For example, if you always want 'start' to flush the conntrack
table, then you would have:
STARTOPTIONS="-p"
11) The Git repository has been reorganized to place the samples and
manpages under their corresponding product directories. For
example, trunk/manpage6 was moved to trunk/Shorewall6/manpages.
----------------------------------------------------------------------------
M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------
1) If you are migrating from Shorewall 4.2.x or earlier, please see
http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt
2) The BLACKLIST section of the rules file has been eliminated.
If you have entries in that file section, you must move them to the
blrules file.
3) This version of Shorewall requires the Digest::SHA1 Perl module.
Debian: libdigest-sha1-perl
Fedora: perl-Digest-SHA1
OpenSuSE: perl-Digest-SHA1
4) The generated firewall script now maintains the
/var/lib/shorewall[6][-lite]/interface.status files used by SWPING
and by LSM.
Thank you for using Shorewall.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________