Shorewall 4.6.8 is now available for download.
Problems Corrected:
1) This release includes defect repair from Shorewall 4.6.6.2 and
earlier releases.
2) Previously, when the -n option was specified and NetworkManager was
installed on the target system, the Shorewall-init installer would
still create
${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless
of the setting of $CONFDIR. That has been corrected such that the
directory
${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is
created instead.
3) Previously, handling of the IPTABLES and IP6TABLES actions in the
conntrack file was broken. nfw provided a fix on IRC.
4) The Shorewall-core and Shorewall6 installers would previously
report incorrectly that the product release was not installed. Matt
Darfeuille provided fixes.
New Features:
1) The CLI programs (shorewall, shorewall6, etc) now support 'open'
and 'close' commands. The 'open' command temporarily opens the
firewall for a specified type of connection; the syntax is:
open [ [ ] ]
The and may be any of the following:
- a host IP address
- a network IP address
- a valid DNS name (usual warnings apply)
- the word 'all', indicating that the or is
not restricted
The protocol may be specified by number or by a name. Same with
.
Example: Open SSH connections to 1.2.3.4 in Shorewall:
shorewall open all 1.2.3.4 tcp ssh
The 'close' command reverses the effect of an earlier 'open'
command and has two forms:
close
close [ is the number displayed in the
'num' column of the 'shorewall list opens' command (see below).
In the second form, the parameters must match those of the earlier
'open' command to be reversed. All temporary connection opens may
be deleted by simply restarting the firewall.
Both commands require that the firewall be in the started state and
that DYNAMIC_BLACKLIST=Yes in the active configuration.
The iptables rules created via 'open' commands can be displayed
using the 'show opens' command.
Example (after the above open command was executed):
Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015
Chain dynamic (14 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22
root@gateway:~#
2) A 'savesets' command is now available to proactively save changes
to ipset contents. Using this command can guard against accidental
loss of ipset changes in the event of a system failure before a
'stop' command has been completed. The exact action taken by the
command depends on the setting of SAVE_IPSETS in shorewall[6].conf.
3) The SOURCE and DEST columns in the rtrules file may now contain
comma-separated lists of addresses.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
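
Added example (not part of the original announcement and not Shorewall's own code): a small audit of the 'show opens' listing described above that reports temporary opens whose source is unrestricted. It assumes each rule is printed on one line in the usual iptables column order; the second sample rule and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit temporary 'open' rules: report entries in the 'dynamic' chain whose
# source is unrestricted (0.0.0.0/0), i.e. opened with 'all' as the source.
# Assumed column order (one rule per line):
#   num pkts bytes target prot opt in out source destination [match...]

# Constructed sample, modelled on the 'show opens' output in the announcement.
# Rule 2 is invented here to show a restricted-source open for contrast.
sample_opens() {
cat <<'EOF'
Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar  6 09:47:06 PST 2015

Chain dynamic (14 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            1.2.3.4              multiport dports 22
2        0     0 ACCEPT     tcp  --  *      *       192.0.2.10           1.2.3.4              multiport dports 443
EOF
}

# Reads 'show opens' output on stdin. For each ACCEPT rule with an
# unrestricted source, prints: num destination protocol match-details.
# The first field is the value shown in the 'num' column.
wide_opens() {
    awk '
        $1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $9 == "0.0.0.0/0" {
            extra = ""
            for (i = 11; i <= NF; i++) extra = extra " " $i
            printf "%s %s %s%s\n", $1, $10, $5, extra
        }'
}

# Hypothetical wrapper for a live firewall (requires shorewall and root).
audit_live() { shorewall show opens | wide_opens; }

# Run against the constructed sample.
sample_opens | wide_opens
```

On a running firewall, call audit_live instead of piping the sample; an empty result means no temporary open accepts traffic from every source.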
