The Shorewall team is pleased to announce the availability of Shorewall 4.5.17.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) When INLINE was used in the tcrules file and no target ('-j' part)
is included in the free-form part of the rule, an invalid
iptables rule was generated.
2) Thanks to Roberto Sanchez, many typos in the manpages have been
corrected.
3) A number of issues have been corrected in the Debian and
Redhat/Fedora Shorewall-init SysV init scripts:
a) Settings in ${SHAREDIR}/vardir are now handled correctly.
b) Exit status is now returned correctly.
c) Stale lock files are avoided.
4) When the compiled firewall script is run directly, it no longer
attempts to copy itself onto itself using the 'cp' utility.
5) An optimizer defect that could leave unreferenced chains in the
configuration has been corrected.
6) Unreferenced chains in the IPV6 nat table are now omitted.
7) Rules with trivial exclusion (a single net or ipset preceded by
'!') now generate the iptables matches in the correct
order. Previously, the exclusion match(es) were placed at the
end. This is important in rules that auto-increment nfacct objects.
8) Previously, conntrack helpers were enabled by the 'stop'
command. Now, these helpers are only enabled by the 'clear'
command.
9) Previously, an interface label (e.g., dev:N) could be specified
as the 'physical' interface in /etc/shorewall/interfaces. This
is now disallowed.
10) The Perl function 'shorewall' was not previously exported by
Shorewall::Config, with the result that the function had
to be called as Shorewall::Config::shorewall(...). The function is
now exported and can be called from ?BEGIN PERL blocks as simply
shorewall(...).
11) Previously, two ICMPv6 type names were mis-translated.
address-unreachable was translated to 1/2; should be 1/3
port-unreachable was translated to 1/3; should be 1/4
These translations have been corrected.
12) If a TPROXY IPv6 address was specified in /etc/shorewall6/tcrules
using the [<address>]/vlsm form (e.g.,
'TPROXY(0x100,3129,[2001:470:b:227::44]/64)') then an 'Invalid Address'
error was issued. This has been corrected.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
copied to provider routing tables by default when
USE_DEFAULT_RT=No. You may cause them to be copied by including
'blackhole', 'unreachable' and/or 'prohibit' in the COPY list along
with interface names.
2) Previously, the generated script always added a host route to a
provider's gateway in the provider's routing table. Beginning with
this release, the 'noautosrc' provider option can be used to
inhibit this behavior. 'noautosrc' must be used with care since the
absence of such a route can cause start/restart runtime failures.
3) A '-c' (conditional) option has been added to the 'compile' command.
This option causes compilation to proceed if:
a) The specified (or defaulted) firewall script does not exist; or
b) A file on the CONFIG_PATH (including any directory specified in
the command) is newer than the existing script.
4) A new interface option has been added.
destonly
Causes the compiler to omit rules to handle traffic arriving on
the interface.
5) It is now possible to use 'all+' in the SOURCE and DEST columns of
/etc/shorewall[6]/policy file. It has the same meaning as in the
rules file in that it can override default intra-zone ACCEPT
policies.
6) Beginning with this release, most special handling of 'Auth' (TCP
port 113) has been removed. In particular, the Drop default action
will no longer default to silently REJECTing Auth requests but will
rather simply process them like other tcp packets.
7) Traditionally, Shorewall has treated the loopback interface ('lo')
as follows:
- It deals with firewall-to-firewall, firewall-to-vserver,
vserver-to-firewall, and vserver-to-vserver traffic.
- All filtering is done in the OUTPUT flow; all traffic arriving on
'lo' is silently accepted.
- If no firewall-to-firewall policy or rules are defined, then
a simple ACCEPT rule is also included in the OUTPUT chain for
'lo' (after any vserver-oriented jumps).
Beginning with this release, the handling of firewall-to-firewall
traffic can be altered by adding a zone of type 'loopback'.
- 'loopback' zones must be associated with the loopback device in
the interfaces and/or hosts file.
    /etc/shorewall/zones
        #ZONE    TYPE
        loop     loopback
    /etc/shorewall/interfaces
        ?FORMAT 2
        #ZONE    INTERFACE    OPTIONS
        loop     lo           ...
When this is done, the ACCEPT jumps for 'lo' in the INPUT and
OUTPUT chains are omitted and replaced with jumps to the loop2fw
and fw2loop (loop-fw and fw-loop) chains respectively. This
provides a model similar to other zones for firewall-to-firewall
traffic.
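A complete configuration for a loopback zone, as an added example that is not part of the release notes: it extends the zones/interfaces fragment above with a policy and rules file so that firewall-to-firewall traffic on 'lo' is filtered like any other zone pair instead of being blanket-accepted. The zone name 'loop', the 'net' zone on eth0 and the TCP ports are assumptions chosen for illustration.

```conf
# /etc/shorewall/zones  (added example; 'loop' and 'net' are assumed names)
#ZONE    TYPE
fw       firewall
loop     loopback
net      ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE    INTERFACE    OPTIONS
loop     lo
net      eth0         dhcp

# /etc/shorewall/policy
# Traffic arriving on 'lo' now passes through loop2fw instead of a bare
# ACCEPT in INPUT; traffic leaving on 'lo' passes through fw2loop.
#SOURCE    DEST    POLICY    LOGLEVEL
loop       $FW     ACCEPT
$FW        loop    REJECT    info
net        all     DROP      info
$FW        net     ACCEPT
all        all     REJECT    info

# /etc/shorewall/rules
# With fw->loop REJECTed by policy, local services must be allowed
# explicitly; ports below are assumed (local resolver and local proxy).
#ACTION    SOURCE    DEST    PROTO    DPORT
ACCEPT     $FW       loop    tcp      53
ACCEPT     $FW       loop    udp      53
ACCEPT     $FW       loop    tcp      3128
```

Any locally hosted service not listed in the rules file will be rejected and logged at level info, so review the log after 'shorewall restart' before relying on a restrictive fw->loop policy.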
8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
rules and policies to/from a 'local' zone may only be to/from the
firewall zone and vserver zones.
Thank you for using Shorewall,
-Tom
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users