The Shorewall Team is pleased to announce the availability of Shorewall
4.5.8.
----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repair from Shorewall 4.5.7.1.
2) The restriction that TTL and HL rules could only be placed in the
FORWARD chain prevented these rules from being used to hide a router
from traceroute[6]. It is now allowed to place these rules in the
PREROUTING chain by following the specification with ':P' (e.g.,
'TTL(+1):P').
3) Previously, the macro.SNMP macro opened both UDP ports 161 and 162
from SOURCE to DEST. This is against the usual practice of opening
these two ports in opposite directions. Beginning with this release,
port 162 is opened from SOURCE to DEST as before, while port 161
is opened from DEST to SOURCE.
4) Previously, when compiling for export, both
/etc/shorewall/shorewall[6].conf and the shorewall[6].conf in the
configuration directory were processed. Now, only the copy in the
configuration directory is processed.
5) The 'iptables_raw' module has been added to the modules.essential
file.
6) Several corrections have been made to the Fedora/Redhat init script
for Shorewall-init.
7) The <directory> parameter to the 'try' command is now documented in
the shorewall(8) and shorewall6(8) manpages.
8) Some redundant interface-option rules have been removed in
configurations with multiple zones configured on a single
interface.
9) Previously, when compiling for export, the compilation would fail
if the setting of SHAREDIR in the firewall's shorewallrc was
different from the setting on the admin system. Such compilations
now succeed.
----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) This release attempts to alleviate the confusion that results
from different usage of the VARDIR variable name.
Beginning with Shorewall 4.5.2, 'VARDIR' became a variable in the
shorewallrc file with the default value '/var/lib'. This was at
odds with the usage of VARDIR in /etc/$product/vardir, where the
variable VARDIR holds the state directory for a particular product
(e.g., /var/lib/shorewall).
To eliminate this issue going forward, a VARLIB variable has been
added to shorewallrc to assume the role previously filled by
VARDIR, while VARDIR now defaults to '${VARLIB}/${PRODUCT}'.
When a pre-4.5.8 shorewallrc file is present, VARLIB is set to
${VARDIR} and VARDIR is set to ${VARLIB}/${PRODUCT}. If VARLIB is
set in the shorewallrc file and VARDIR is not, then VARDIR also
defaults to ${VARLIB}/${PRODUCT}. When using the tarball installer,
the existing shorewallrc file (~/.shorewallrc or
${SHAREDIR}/shorewallrc) will be updated and the original will be
saved as shorewallrc.bak.
Note that since there is only a single shorewallrc file on a
system, the only means for overriding the ${VARLIB}/${PRODUCT}
default setting for VARDIR is still the /etc/$product/vardir file.
2) A new 'stoppedrules' file has been added and the 'routestopped'
file is now deprecated. The new file is processed when
'routestopped' does not exist or is empty.
See stoppedrules(5) for details about the new file.
3) When the -e option (compile for export) is specified in the 'check'
and 'compile' commands, the current working directory is now
automatically included in the CONFIG_PATH.
4) When the -e option is specified in a 'compile' command that
specifies no script name, the default is now 'firewall' in the
current working directory. In other words:
    shorewall compile -e
creates 'firewall' and 'firewall.conf' in the current working
directory.
5) Multiple UID/GIDs separated by commas may now be given in the
USER/GROUP column of the rules files.
6) A warning message is now issued if the 'blacklist' option is
specified for a zone (the 'blacklist' option has been deprecated
for several releases).
7) A PRIORITY column has been added to the tcfilter files. See
shorewall-tcfilters(5) and shorewall6-tcfilters(5) for details.
As part of this change, the method of assigning priorities to
filters where the PRIORITY is not specified has changed.
Previously, all ipv4 filters were assigned priority 10 while
all ipv6 filters were assigned priority 11. Now, for each device,
the compiler maintains a "high-water priority" that has an initial
value of 0. When a filter has no priority specified, the high-water
priority is incremented by 1 and assigned to the filter. When a
priority greater than the high-water priority is entered in this
column, the high-water priority is set to the specified priority.
An attempt to assign a priority value greater than 65535
(explicitly or implicitly) raises an error.
8) It is now possible to explicitly assign priorities to
classification filters created by shorewall for the following:
- Filter that classifies packets based on their firewall mark
value.
- Filter that classifies ACK packets via the 'tcp-ack' class
option.
- Filter that classifies packets based on TOS value.
Example:
    #DEVICE   MARK   RATE:       CEIL   PRIORITY   OPTIONS
    #                DMAX:UMAX
    eth0      1:50   5*full/10   full   1          tcp-ack:15,\
                                                   tos-minimize-delay:20
In this example, the classifier filters would be evaluated in this
order:
- tcp-ack (priority 15)
- tos-minimize-delay (priority 20)
- Mark value 1 (priority 50)
In other words, the filters are evaluated in ascending priority
order. If one filter doesn't match, the packet is passed to the
next filter.
See shorewall-tcclasses(5) and shorewall6-tcclasses(5) for
additional information.
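The following Python model is an added illustration of the two priority
rules described in items 7 and 8 above; it is not Shorewall's own
(Perl) compiler code, and the function names, the row format and the
sample rows are mine. assign_tcfilter_priorities() applies the
per-device "high-water priority" rule for the tcfilters PRIORITY column,
and classifier_filter_order() parses the MARK and OPTIONS columns of a
tcclasses entry (the 'eth0 1:50 ... tcp-ack:15,tos-minimize-delay:20'
example) and returns the classifier filters in the order tc would
evaluate them.

```python
"""Model of the Shorewall 4.5.8 tc filter priority rules (added example,
not Shorewall code; all names here are the author's own assumptions)."""

MAX_PRIORITY = 65535  # largest filter priority the compiler accepts


def assign_tcfilter_priorities(rows):
    """Apply the per-device high-water rule to tcfilters rows.

    rows: list of (device, priority) where priority is an int from the
    PRIORITY column, or None when that column is left empty.
    Returns a list of (device, effective_priority) in input order.
    """
    high_water = {}  # device -> current high-water priority (starts at 0)
    result = []
    for device, requested in rows:
        hw = high_water.get(device, 0)
        if requested is None:
            # Empty column: bump the device's high-water mark and use it.
            priority = hw + 1
        else:
            priority = requested
        if priority > MAX_PRIORITY:
            # Explicit or implicit overflow of the 16-bit priority is an error.
            raise ValueError(f"{device}: priority {priority} exceeds {MAX_PRIORITY}")
        if priority > hw:
            # Only a value above the current mark moves the mark; a lower
            # explicit priority leaves it untouched.
            high_water[device] = priority
        result.append((device, priority))
    return result


def _split_priority(token):
    """Split 'name:prio' into ('name', prio); a token without ':' gets None."""
    name, sep, prio = token.strip().partition(":")
    return name, (int(prio) if sep else None)


def classifier_filter_order(mark_column, options_column):
    """Return a class's classification filters in evaluation order.

    mark_column: the tcclasses MARK column, e.g. '1:50' (mark 1, priority 50).
    options_column: the OPTIONS column, e.g. 'tcp-ack:15,tos-minimize-delay:20'
    (a backslash-continued line is joined before it reaches this function).
    Only the three classifier kinds named in item 8 are considered; other
    options are ignored. Every classifier must carry an explicit priority,
    which is the situation item 9 describes when the class PRIORITY column
    is omitted.
    """
    mark, mark_prio = _split_priority(mark_column)
    filters = [("mark " + mark, mark_prio)]
    for opt in options_column.split(","):
        name, prio = _split_priority(opt)
        if name == "tcp-ack" or name.startswith("tos-"):
            filters.append((name, prio))
    missing = [name for name, prio in filters if prio is None]
    if missing:
        raise ValueError(f"classifier(s) without an explicit priority: {missing}")
    # Ascending priority: the first filter that matches classifies the packet.
    return sorted(filters, key=lambda f: f[1])


if __name__ == "__main__":
    # Constructed tcfilters rows: two devices, mixed explicit/empty PRIORITY.
    sample_rows = [("eth0", None), ("eth0", None), ("eth0", 10),
                   ("eth0", None), ("eth0", 5), ("eth0", None), ("eth1", None)]
    for device, prio in assign_tcfilter_priorities(sample_rows):
        print(device, prio)
    for name, prio in classifier_filter_order("1:50", "tcp-ack:15, tos-minimize-delay:20"):
        print(name, "priority", prio)
```

Running the module prints the effective priorities 1, 2, 10, 11, 5, 12 for
eth0 and 1 for eth1 (the explicit 5 does not lower the high-water mark, so
the following empty column still gets 12), followed by tcp-ack (15),
tos-minimize-delay (20) and mark 1 (50), the order given in item 8.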
9) The PRIORITY column in the tcclasses file is now optional for HFSC
classes. If that priority is omitted, then an explicit priority
must be specified for the MARK value and for the 'tcp-ack' and
'tos*' options if those are used.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users