Shorewall 4.5.21 is now available for testing. Please note that the release was uploaded twice so be sure that you are getting the latest versions.
Problems corrected:
1) ip[6]tables 4.5.20 introduced an incompatible change that causes
the program to fail if there is another instance of either iptables
or ip6tables already running. This behavior can be avoided if the
new -w option is specified.
To work around this problem, the compiler now uses the -w option
(when available) during capabilities determination so that
shorewall and shorewall6 compilations can proceed in parallel.
New Features:
1) When a REJECT target is specified, Shorewall normally handles the
packet as follows:
- If the destination address is a broadcast or multicast address,
the packet is dropped.
- If the protocol is IGMP (1), then the packet is dropped.
- If the protocol is TCP (6) then the packet is rejected with an
RST.
- If the protocol is UDP (17) then the packet is rejected with
a 'port-unreachable' ICMP (ICMP6).
- If the protocol is ICMP (ICMP6), then the packet is rejected
with a 'host-unreachable' ('addr-unreachable') ICMP (ICMP6).
- Otherwise, the packet is rejected with a 'host-prohibited'
(adm-prohibited) ICMP (ICMP6).
Beginning with this release, this behavior may be modified using
the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
REJECT_ACTION=<action>
where <action> is the name of an action that implements your
alternative handling. The 'nolog' option is automatically assumed
for the named <action> and it is recommended that the 'inline'
option be specified for the action in /etc/shorewall/actions.
The following action implements the standard behavior described
above:
?format 2
#TARGET          SOURCE  DEST  PROTO
Broadcast(DROP)  -       -     -
DROP             -       -     2
INLINE           -       -     6      ; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
INLINE           -       -     17     ; -j REJECT
?if __IPV4
INLINE           -       -     1      ; -j REJECT --reject-with icmp-host-unreachable
INLINE           -       -     -      ; -j REJECT --reject-with icmp-host-prohibited
?else
INLINE           -       -     58     ; -j REJECT --reject-with icmp6-addr-unreachable
INLINE           -       -     -      ; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
INLINE           -       -     -      ; -j REJECT
?endif
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
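
An added example, not part of the original announcement and not taken from Shorewall's own files: how the three pieces described above (the REJECT_ACTION setting, the 'inline' entry in /etc/shorewall/actions, and the action body) fit together for an alternative policy that still resets TCP but silently drops everything else instead of returning ICMP errors. The action name QuietReject is hypothetical, and the file name action.QuietReject assumes the usual action.<name> convention.

```conf
# --- /etc/shorewall/shorewall.conf (shorewall6.conf for IPv6) ---
# Name of the action that replaces the built-in REJECT handling.
# 'nolog' is assumed automatically for this action.
REJECT_ACTION=QuietReject

# --- /etc/shorewall/actions ---
# Declare the action; 'inline' is the option the announcement recommends.
#ACTION        OPTIONS
QuietReject    inline

# --- /etc/shorewall/action.QuietReject (hypothetical action body) ---
?format 2
#TARGET          SOURCE  DEST  PROTO
# Broadcast and multicast destinations: drop, as in the standard behavior.
Broadcast(DROP)  -       -     -
# Protocol 2: drop, as in the standard action.
DROP             -       -     2
# TCP: keep the RST so clients fail fast instead of timing out.
INLINE           -       -     6      ; -j REJECT --reject-with tcp-reset
# Everything else (UDP, ICMP, other protocols): drop without an ICMP reply.
DROP             -       -     -
```

Because this body uses no address-family-specific reject types, the same action file serves both shorewall and shorewall6 without the ?if __IPV4 branches.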
