The Shorewall team is pleased to announce the availability of Shorewall
4.5.6.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repairs from Shorewall 4.5.5.1
through 4.5.5.4.
2) Previously, the tcrules file was not processed when
TC_ENABLED=No. That meant that to use features like TPROXY, it was
necessary to set TC_ENABLED=Yes and create a dummy
/etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is
required.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Support for size tables has been added in complex TC.
The OPTIONS column of /etc/shorewall/tcdevices now allows a
'linklayer' option whose value may be 'ethernet', 'atm' or 'adsl';
the last two are synonyms.
When 'linklayer' is specified, it may be followed by additional
options:
   mtu=<mtu>                 - The device MTU; default 2048 (will be rounded
                               up to a power of two)
   mpu=<mpubytes>            - Minimum packet size used in calculations.
                               Smaller packets will be rounded up to this size
   tsize=<tablesize>         - Size table entries; default is 512
   overhead=<overheadbytes>  - Number of overhead bytes per packet.
See tc-stab (8) for details about these options.
2) It is now possible to specify the LS (linksharing) rate for an HFSC
class in /etc/shorewall/tcclasses. See shorewall-tcclasses (5) for
details.
3) It is now possible to specify that a leaf class will use the RED
(Random Early Detection) queuing discipline rather than SFQ or
pfifo. A new class OPTION is defined:
red=(<red option>=<value>, ...)
When specified on a leaf class, causes the class to use the RED
(Random Early Detection) queuing discipline rather than
SFQ. See tc-red (8) for additional information.
Allowable <red option>s are:

   min <min>
       Average queue size in bytes at which marking becomes a
       possibility.

   max <max>
       At this average queue size, the marking probability is
       maximal. Must be at least twice <min> to prevent
       synchronous retransmits, higher for low <min>.

   probability <probability>
       Maximum probability for marking, specified as a floating
       point number from 0.0 to 1.0. Suggested values are 0.01 or
       0.02 (1 or 2%, respectively).

   limit <limit>
       Hard limit on the real (not average) queue size in bytes.
       Further packets are dropped. Should be set higher than
       <max>+<burst>. It is advised to set this a few times higher
       than <max>. Shorewall requires that <limit> be at least
       twice <min>.

   burst <burst>
       Used for determining how fast the average queue size is
       influenced by the real queue size. Larger values make the
       calculation more sluggish, allowing longer bursts of
       traffic before marking starts. Real life experiments
       support the following guideline:
       (<min>+<min>+<max>)/(3*<avpkt>).

   avpkt <avpkt>
       Optional. Specified in bytes. Used with burst to determine
       the time constant for average queue size calculations. 1000
       is a good value and is the Shorewall default.

   bandwidth <bandwidth>
       Optional. This rate is used for calculating the average
       queue size after some idle time. Should be set to the
       bandwidth of your interface. Does not mean that RED will
       shape for you!

   ecn
       RED can either 'mark' or 'drop'. Explicit Congestion
       Notification (ECN) allows RED to notify remote hosts that
       their rate exceeds the amount of bandwidth
       available. Non-ECN capable hosts can only be notified by
       dropping a packet. If this parameter is specified, packets
       which indicate that their hosts honor ECN will only be
       marked and not dropped, unless the queue size hits limit
       bytes. Needs a tc binary with RED support compiled
       in. Recommended.
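The constraints listed above (max at least twice min, limit at least twice min, probability within 0.0-1.0, the burst guideline) are easy to get wrong by hand. The following is an added example, not Shorewall's own compiler code: a small Python checker that parses a red=(...) class option in the form given above and reports violations of the rules stated in these notes. The function names and the sample option strings are mine; the avpkt default of 1000 is the one the notes state.

```python
# Added example: validate a Shorewall red=(...) leaf-class option against the
# rules given in the 4.5.6 release notes. Not Shorewall code; helper names
# (parse_red_option, check_red_option, suggested_burst) are this example's own.
import math
import re

DEFAULT_AVPKT = 1000                      # Shorewall default per the notes
REQUIRED = ("min", "max", "probability", "limit", "burst")
INTEGER_KEYS = ("min", "max", "limit", "burst", "avpkt", "bandwidth")


def parse_red_option(option):
    """Parse 'red=(key=value, ..., ecn)' into a dict; the bare 'ecn' flag maps to True."""
    match = re.fullmatch(r"\s*red=\((.*)\)\s*", option)
    if not match:
        raise ValueError("expected red=(...), got %r" % option)
    opts = {}
    for item in match.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        if item == "ecn":
            opts["ecn"] = True
            continue
        if "=" not in item:
            raise ValueError("malformed RED option %r" % item)
        key, value = (part.strip() for part in item.split("=", 1))
        if key in INTEGER_KEYS:
            opts[key] = int(value)
        elif key == "probability":
            opts[key] = float(value)
        else:
            raise ValueError("unknown RED option %r" % key)
    return opts


def suggested_burst(opts):
    """Burst guideline from the notes: (min+min+max)/(3*avpkt), rounded up to whole packets."""
    avpkt = opts.get("avpkt", DEFAULT_AVPKT)
    return math.ceil((2 * opts["min"] + opts["max"]) / (3 * avpkt))


def check_red_option(opts):
    """Return a list of problems with a parsed option set; empty means it passes."""
    problems = ["missing required option %s" % key for key in REQUIRED if key not in opts]
    if problems:
        return problems
    lo, hi, limit, burst = opts["min"], opts["max"], opts["limit"], opts["burst"]
    if hi < 2 * lo:
        problems.append("max (%d) must be at least twice min (%d)" % (hi, lo))
    if not 0.0 <= opts["probability"] <= 1.0:
        problems.append("probability must be between 0.0 and 1.0")
    if limit < 2 * lo:
        problems.append("limit (%d) must be at least twice min (%d)" % (limit, lo))
    if limit <= hi + burst:   # the notes state the advice as limit > max+burst
        problems.append("limit (%d) should exceed max+burst (%d)" % (limit, hi + burst))
    return problems


if __name__ == "__main__":
    # Constructed sample values; they are not taken from a real deployment.
    sample = "red=(min=30000,max=90000,probability=0.02,limit=300000,burst=50,ecn)"
    parsed = parse_red_option(sample)
    print("problems:", check_red_option(parsed) or "none")
    print("burst guideline:", suggested_burst(parsed))
```

A class line in tcclasses can be run through check_red_option before a compile; the guideline value from suggested_burst is a starting point for burst, which the notes describe as an experimental rule of thumb rather than a hard requirement.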
4) The handling of the USER/GROUP column of the rules file has been
rewritten. As part of this rewrite:
a) The ability to specify a program name (e.g., +prog) has been
eliminated. The kernel feature which that ability depended on
was removed in kernel version 2.6.14.
b) It is now possible to specify UID and/or GID ranges of the form
'low-high' where 'low' and 'high' are integers and low <= high.
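As an added illustration (this is not Shorewall's rule compiler, which is written in Perl), the following Python parses a USER/GROUP column value that may use the new 'low-high' ranges and rejects a range whose low end exceeds its high end. It assumes the column layout '[!]user[:group]' from shorewall-rules(5), where each part may be a name, a single number or a range; the function names and the name-to-id table in the test are constructed for the example.

```python
# Added example: parse a rules-file USER/GROUP value with UID/GID ranges of the
# form 'low-high' (low <= high), as introduced in Shorewall 4.5.6. Not Shorewall
# code; parse_user_group, parse_id_spec and owner_matches are this example's own.
import re

RANGE_RE = re.compile(r"^(\d+)-(\d+)$")
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")


def parse_id_spec(spec, what):
    """Return (low, high) for a number or range, a str for a name, None if empty."""
    if spec == "":
        return None
    match = RANGE_RE.match(spec)
    if match:
        low, high = int(match.group(1)), int(match.group(2))
        if low > high:
            raise ValueError("%s range %r: low must not exceed high" % (what, spec))
        return (low, high)
    if spec.isdigit():
        single = int(spec)
        return (single, single)
    if NAME_RE.match(spec):
        return spec
    raise ValueError("invalid %s specification %r" % (what, spec))


def parse_user_group(column):
    """Split '[!]user[:group]' into its negation flag and parsed user/group specs."""
    negate = column.startswith("!")
    body = column[1:] if negate else column
    user, _, group = body.partition(":")
    return {
        "negate": negate,
        "user": parse_id_spec(user, "user"),
        "group": parse_id_spec(group, "group"),
    }


def _spec_matches(spec, value, names):
    # An empty spec matches anything; names are resolved via the supplied table.
    if spec is None:
        return True
    if isinstance(spec, str):
        return names.get(spec) == value
    low, high = spec
    return low <= value <= high


def owner_matches(parsed, uid, gid, names):
    """Decide whether a packet owned by (uid, gid) is selected by the parsed column."""
    raw = _spec_matches(parsed["user"], uid, names) and _spec_matches(parsed["group"], gid, names)
    return not raw if parsed["negate"] else raw
```

The low <= high check is the one the notes call out; everything else (the '!' prefix, the ':' separator, bare names) follows the existing column syntax, and a name lookup in a real deployment would consult the system user and group databases rather than a dict.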
5) It is now possible to use Perl-compatible expressions in ?IF
directives. As before, variables must be environmental variables,
options from shorewall.conf, shell variables set in the params file
or capabilities. As previously, capabilities may be entered with
leading '__' rather than '$'.
Example:
?IF $BLACKLIST_LOGLEVEL && ! __LOG_OPTIONS
6) The ?ELSIF directive has been added allowing more convenient
expression of complex include scenarios.
Example (column headings abbreviated to fit release notes format):

   #NAME      NUM  MARK     DUP  INTERFACE  GWAY    OPTIONS
   ?IF $FALLBACK
   ComcastB   1    0x10000  -    COMB_IF    detect  fallback
   ComcastC   2    0x20000  -    COMC_IF    detect  fallback
   ?ELSIF $STATISTICAL
   ComcastB   1    0x10000  -    COMB_IF    detect  load=0.66666667
   ComcastC   2    0x20000  -    COMC_IF    detect  load=0.33333333
   ?ELSE
   ComcastB   1    0x10000  -    COMB_IF    detect  balance=2
   ComcastC   2    0x20000  -    COMC_IF    detect  loose,balance
   ?ENDIF
7) An ORIGINAL DEST column has been added to the masq file, allowing
SNAT rules to match only DNAT traffic to a particular original
source address.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users