Shorewall 5.1.11 is now available for download.

Problems Corrected:

1)  This release contains defect repair from releases through 5.1.10.2.

2)  Previously, if DYNAMIC_BLACKLIST=ipset,disconnect..., the CLI would
    verify the existence of the 'conntrack' utility on the local system
    when the command was 'remote-start', 'remote-reload' or
    'remote-restart'. Now, that verification is only done for the
    blacklist-oriented commands ('blacklist', 'allow', 'drop', etc.).

3)  Previously, when DYNAMIC_BLACKLIST=ipset..., the CLI required the
    firewall to be started in order to run the 'allow' command. Now,
    the command only requires that the dynamic blacklist ipset
    exists.

4)  Previously, if an address variable was used in the stoppedrules
    file, the 'clear' command could fail in two different ways,
    depending on whether the related interface was optional or not.

    If the interface was optional, the failure message was similar to
    the following:

       $ shorewall clear
       Clearing Shorewall....
       Preparing iptables-restore input...
       /var/lib/shorewall/firewall: 3064: [: !=: unexpected operator
       Running /sbin/iptables-restore...
       IPv4 Forwarding Enabled
       done.

    If the interface was not optional, the result was similar to:

       $ shorewall debug clear
       Clearing Shorewall....
       Preparing iptables-restore input...
       Running debug_restore_input...
       Bad argument `6'
       Try `iptables -h' or 'iptables --help' for more information.
          ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
          172.17.211.254 -d  -p 6 --dport 22 -i enp2s0 -j ACCEPT"
          Failed
      Terminated

    This problem has been corrected.
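    The two failure shapes quoted above have a single root cause: an
    address variable that expands to nothing. The first message is the
    shell rejecting an unquoted empty word in a test, the second is
    iptables being handed "-d  -p 6" with the destination missing. The
    POSIX sh snippet below is an added example, not Shorewall code; it
    uses a constructed address variable to reproduce both shapes and
    shows the guarded form (explicit emptiness check, quoted expansions,
    no argument fragment emitted without a value) that avoids them.

```sh
#!/bin/sh
# Added example, not Shorewall code. The functions below illustrate
# how an empty address variable produces the two failures quoted in
# item 4, and how a guarded version avoids them.

# Constructed stand-in for an address variable from the stoppedrules
# file: an optional interface that is down resolves to an empty string.
DOWN_ADDR=""
UP_ADDR="172.17.211.254"

# Unguarded comparison as a generated script might run it. With an
# empty argument the expansion leaves "[ != 0.0.0.0 ]"; dash reports
# "[: !=: unexpected operator" (bash: "unary operator expected") and
# the test returns status 2. Stderr is silenced here for the demo.
unguarded_test() {
    # shellcheck disable=SC2086
    [ $1 != 0.0.0.0 ] 2>/dev/null
}

# Guarded comparison: reject an empty address explicitly and quote the
# expansion so the test always sees the expected number of words.
# Returns 0 for a usable non-zero address, 1 for 0.0.0.0, 2 for empty.
guarded_test() {
    if [ -z "$1" ]; then
        return 2
    fi
    [ "$1" != 0.0.0.0 ]
}

# Emit the "-d <addr>" fragment only when the address is known, so a
# rule such as "-s 172.17.211.254 -d  -p 6" (empty destination, which
# iptables reports as "Bad argument `6'") is never assembled.
build_dest_args() {
    if [ -n "$1" ]; then
        printf -- '-d %s' "$1"
    fi
}

# Stand-alone demonstration of both paths.
for addr in "$DOWN_ADDR" "$UP_ADDR"; do
    if guarded_test "$addr"; then
        printf 'address %s: destination args "%s"\n' \
            "$addr" "$(build_dest_args "$addr")"
    else
        printf 'address unresolved: rule skipped\n'
    fi
done
```

    Run with `sh`; the loop prints one skipped rule for the empty
    address and the assembled "-d" fragment for the resolved one.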

5)  Previously, the 'clear' command enabled forwarding
    unconditionally. Beginning with this release, 'clear' will
    conditionally enable/disable forwarding in the same manner as
    'stop'.

6)  In multi-ISP configurations, it is possible for an IPSEC-tunneled
    connection from the Internet to be forwarded back out to the
    Internet (for example, if all traffic from the remote endpoint is
    sent through the tunnel). If the provider handling the tunnel has
    the 'track' option (or if TRACK_PROVIDERS=Yes), then the outgoing
    tunneled connection is sent back out that interface by
    default (since the encapsulated initial packet arrived through that
    interface). Since this is not always desirable, Shorewall now
    clears the tracking mark on the connection while processing the
    first packet, allowing the connection to not match routing rules
    that are dependent on the tracking mark.

New Features:

1)  Previously, the 'show' command was not available to non-root
    users. Beginning with this release, non-root users may now
    run the following 'show' commands:

        show action <action>
        show actions
        show ip
        show macro <macro>
        show macros
        show routing

2)  When a RATE is specified on a policy, the rate is enforced in a
    chain whose name begins with '@' (e.g., @net-dmz). Previously, log
    messages in the chain omitted the '@', leading to possible
    confusion. Beginning with this release, the log message will
    reflect the chain's actual name (including the '@').

3)  To improve efficiency, TCP CT entries in the conntrack file and
    TCP entries in the rules file that specify a HELPER will now
    assume that 'tcp:syn' had been specified. That way, the generated
    ip[6]tables rule will only match on the first packet of the
    three-way handshake.

4)  Now that the route caches have been removed from the kernel,
    Multi-ISP really doesn't work without the 'track' provider option.
    As a consequence, TRACK_PROVIDERS=Yes is now the default. Note that
    the 'track' option may still be turned off using 'notrack', when
    TRACK_PROVIDERS=Yes.

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
