Shorewall 5.2.6 is now available for download.

Problems Corrected:

1)  This release includes defect repair up through Shorewall version
    5.2.5.2.

2)  When compiling for export, the compiler generates a firewall.conf
    file which is later installed on the remote firewall system as
    ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
    not processing the file, resulting in some features not being
    available:

    - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
      SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
      DYNAMIC_BLACKLIST and PAGER are not supplied.

    - scfilter file supplied at compile time.

    - dumpfilter file supplied at compile time.

    That has been corrected.

3)  A bug in iptables (see
    https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1)
    prevents the '--queue-cpu-fanout' option from being applied unless
    that option is the last one specified. Unfortunately, Shorewall
    places the '--queue-bypass' option last if that option is also
    specified.

    This release works around this issue by ensuring that the
    '--queue-cpu-fanout' option appears last.

4)  The -D option of the 'compile', 'check', 'reload' and 'restart'
    commands was previously omitted from the output of 'shorewall
    help'. It is now included. As part of this change, an incorrect
    and conflicting description of the -D option was removed from the
    'remote-restart' section of shorewall(8).

5)  Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT
    policies were not completely optimized by optimize level 2 (ACCEPT
    rules preceding the final unconditional ACCEPT were not
    deleted). That has been corrected such that these rules are now
    optimized.

New Features:

1)  The 'actions' file now supports a 'dport' option to go along with
    the 'proto' option. Together, these two options restrict an action
    to a particular service. See shorewall-actions(5) for details.

    Example limiting net->all SSH connections to 3/min per source IP:

    /etc/shorewall/actions:

      SSHLIMIT     proto=tcp,\  # Blacklist overzealous SSHers
                   dport=ssh

    /etc/shorewall/action.SSHLIMIT:

      ACCEPT { RATE=s:3/min:3 }
      BLACKLIST:$LOG_LEVEL:net_SSHLIMIT

    /etc/shorewall/rules:

      SSHLIMIT  net     all

2)  The change to 'show actions' implemented in 5.2.5.1 (see below)
    has been further extended.

    - "?IF...?ELSE...?ENDIF" sequences are now shown in the output
    - Continuation lines are now shown in the output so that all
      action options are now displayed
    - If an action appears in both /usr/share/shorewall[6]/actions.std
      and in /etc/shorewall[6]/actions, then the entry in the actions
      file is shown followed by the entry in the actions.std file.

3)  To emphasize that it specifies destination ports, the PORT column
    in the snat file has been renamed DPORT. Beginning with this
    release, both 'port' and 'dport' are accepted in the alternative
    input format.

4)  The snat file now supports ?FORMAT 2, which adds an SPORT (source
    port) column immediately to the right of the DPORT (destination
    port) column.

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

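As an added illustration of New Features items 3 and 4, here is an
/etc/shorewall/snat fragment written in ?FORMAT 2. It is an example
composed for this page, not part of Tom's announcement or of the
Shorewall distribution. The column layout (SPORT immediately to the
right of DPORT) and the alternative-format 'dport' keyword follow the
announcement; the addresses, the interface name eth0, the PBX and mail
server hosts and their ports are made up for the example.

```text
# /etc/shorewall/snat  (added example, not from the announcement)
#
# ?FORMAT 2 is needed only because the SPORT column is used
# positionally below; ?FORMAT 1 files keep working unchanged.
?FORMAT 2
#ACTION                 SOURCE          DEST    PROTO   DPORT   SPORT
#
# Entries are applied in order (first match wins), so the specific
# entries come before the catch-all MASQUERADE at the bottom.
#
# SIP signalling from the PBX leaves with a fixed public address. The
# match is on the packet's *source* port (new SPORT column), since the
# far end's destination port is not under our control.
SNAT(203.0.113.10)      10.0.0.5        eth0    udp     -       5060
#
# Outbound SMTP from the mail server uses the address whose PTR record
# matches its hostname. This uses the alternative input format; since
# 5.2.6 both 'dport=' and the older 'port=' are accepted here.
SNAT(203.0.113.25)      10.0.0.25       eth0    { proto=tcp, dport=25 }
#
# Everything else from the LAN is masqueraded; DPORT and SPORT are "-".
MASQUERADE              10.0.0.0/8      eth0    -       -       -
```

After editing, 'shorewall check' validates the column layout against
the ?FORMAT directive before anything is loaded into the kernel.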