I have a couple of remotely located systems with the Ubuntu-packaged
shorewall 5.0.4 and would like to move to building the current release
5.1.6 instead.

Is there a way to cause apt to forget the package is installed, without
disturbing the actual installation? I'm worried that if I apt-get remove
shorewall these systems may be left inaccessible to go ahead and
build/install 5.1.6, or if I do the build/install first I'm worried that a
subsequent apt-get remove will hose the 5.1.6 installation.

Advice welcome - thanks ...

On Tue, Aug 22, 2017 at 5:55 PM, Tom Eastep <[email protected]> wrote:
> Shorewall 5.1.6 is now available for download.
>
> Problems Corrected:
>
> 1) This release contains defect repair through Shorewall 5.1.5.2.
>
> 2) http://www.shorewall.net/shorewall_extension_scripts.htm states
> that $SHAREDIR and $CONFDIR can be used in extension scripts, that
> has not been true for some time. Beginning with this release, those
> variables are once again available in the generated script.
>
> 3) Under very rare circumstances, when OPTIMIZE level 8 was used,
> messages such as the following could be issued during compilation:
>
> Use of uninitialized value in hash element at
> /usr/share/shorewall/Shorewall/Rules.pm line 818.
> Use of uninitialized value in concatenation (.) or string at
> /usr/share/shorewall/Shorewall/Rules.pm line 823.
>
> That has been corrected.
>
> 4) Previously, Shorewall's treatment of wildcard interfaces differed
> from Netfilter's. Shorewall did not consider 'eth' to match 'eth+'
> while Netfilter did. Beginning with this release, Shorewall is
> consistent with Netfilter.
>
> 5) Previously, systemd could attempt to start the IPv4 and IPv6
> firewalls simultaneously, which might lead to iptables-restore and
> ip6tables-restore being run at the same time resulting in a failure
> to start one of the firewalls.
>
> Beginning with this release, Shorewall and Shorewall6 will be
> started serially as will Shorewall-lite and Shorewall6-lite.
>
> 6) To prevent other init systems from starting the IPv4 and IPv6
> firewalls in parallel, the ip[6]-tables-restore '--wait' option, if
> available, is used. This change introduces a new
> RESTORE_WAIT_OPTION capability.
>
> Note: If the new capability is not available on your system, and
> you don't run systemd, you can still avoid the parallel start
> problem by configuring the same LOCKFILE in both your
> shorewall.conf and shorewall6.conf files.
>
> 7) Previously, the RDP macro only allowed TCP traffic, even though RDP
> also requires UDP. That has been corrected so that both protocols
> are allowed.
>
> New Features:
>
> 1) The SPARSE option in shorewallrc originally caused only
> shorewall[6].conf to be installed in /etc/shorewall[6], but later
> the conntrack and params files were also installed. To prevent
> these additional files from being installed, SPARSE may now be set
> to 'Very', either by editing the file directly or by using the
> configure or configure.pl scripts.
>
> This setting is recommended if you wish to use a single set of
> configuration files for both IPv4 and IPv6 as described at
> http://www.shorewall.org/SharedConfig.html.
>
> 2) Two new run-time extensions scripts have been added:
>
> - enabled
>
> Invoked when an optional interface has been successfully enabled
> using the 'enable' command.
>
> - disabled
>
> Invoked when an optional interface has been successfully disabled
> using the 'disable' command.
>
> Like all run-time extension scripts, the contents of each script
> are placed in a function body. In the case of these new scripts,
> the function is passed arguments:
>
> $1 = the physical name of the interface
> $2 = the logical name of the interface
> $3 = the name of the Provider, if any, associated with the
> interface.
>
> 3) When a zone (z1) is defined to be a sub-zone of another zone (z2),
> the compiler now verifies that the two zones have at least one
> interface in common. If they do not, a warning message is
> generated:
>
> WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two
> zones have no interface in common
>
> 4) Runtime address variables may now be used as the server IP address
> and Runtime port variables may be used as the server port in DNAT
> rules.
>
> Example:
>
> DNAT net $FW:&eth1:%{PORT} tcp 9999
>
> 5) Previously, systemd could attempt to start the IPv4 and IPv6
> firewalls simultaneously, which might lead to iptables-restore and
> ip6tables-restore being run at the same time resulting in a failure
> to start one of the firewalls.
>
> Beginning with this release, Shorewall and Shorewall6 will be
> started serially as will Shorewall-lite and Shorewall6-lite.
>
> 6) To prevent problems when other init systems start the IPv4 and IPv6
> firewalls in parallel, the ip[6]-tables '--wait' option, if
> available, is used. The amount of time to wait is determined by the
> setting of MUTEX_TIMEOUT (default 60 seconds). This change
> introduces a new RESTORE_WAIT_OPTION capability.
>
> Note: If the new capability is not available on your system, and
> you don't run systemd, you can still avoid the parallel start
> problem by configuring the same LOCKFILE in both your
> shorewall.conf and shorewall6.conf files.
>
> 7) Previously, the sample configuration files specified
> MODULE_SUFFIX="ko ko.xz", whereas the default .conf files specified
> MODULE_SUFFIX=ko. The latter no longer works on RHEL7-based
> systems. Beginning with this release, the default .conf files also
> specify MODULE_SUFFIX="ko ko.xz".
>
> Thank you for using Shorewall,
>
> -Tom
> --
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> \_______________________________________________
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
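
The argument convention for the new 'enabled' and 'disabled' scripts in the quoted announcement, shown as an added example that is not part of the original messages or of Shorewall's own code. The helper names (clean_field, iface_event_line), the wrapper functions and the log line format are hypothetical; the sample interface and provider names are constructed.

```shell
#!/bin/sh
# Added example: audit logging from the 'enabled' / 'disabled' run-time
# extension scripts. All function names here are hypothetical.

# Keep only characters expected in interface and provider names, so a value
# copied into the log cannot add spaces, newlines or extra key=value pairs.
clean_field() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9_.:+-'
}

# Build one audit line. First argument is the event name; the rest are the
# three documented script arguments:
#   physical interface name, logical interface name, provider (if any).
iface_event_line() {
    event=$(clean_field "$1")
    physical=$(clean_field "${2:-}")
    logical=$(clean_field "${3:-}")
    provider=$(clean_field "${4:-}")
    # Refuse to log an event that carries no interface name.
    [ -n "$physical" ] || return 1
    # The provider is optional ("if any"), so log '-' when it is absent.
    printf 'iface-event=%s physical=%s logical=%s provider=%s\n' \
        "$event" "$physical" "${logical:-$physical}" "${provider:--}"
}

# Stand-ins for the function bodies Shorewall builds from the two script
# files. In a real 'enabled' script the helpers above would be defined in
# the same file and the body would end with something like:
#   iface_event_line enabled "$@" | logger -t shorewall -p daemon.notice
enabled_body()  { iface_event_line enabled  "$@"; }
disabled_body() { iface_event_line disabled "$@"; }

# Constructed sample calls: one interface with a provider, one without.
enabled_body eth1 wan ISP1
disabled_body ppp0 ppp0
```
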