Shorewall 5.2.8 is now available for download.

Problems Corrected:

1)  Certain restrictions that apply to wildcard interfaces (interface
    name ends in '+') were previously not enforced when the logical
    interface name did not end in '+' but the physical interface name
    did end in '+'.  That has been corrected.

2)  To ensure that error messages appear in the correct place in the
    output stream, stderr is now redirected to stdout when the
    configured PAGER is used by a command.

3)  Since Shorewall 5.1.0, the Shorewall uninstall.sh script has
    incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core
    uninstall.sh script has failed to remove that file. Both scripts
    have been corrected.

4)  Previously, the Shorewall CLI included a spurious hyphen ('-')
    between the product name (e.g., 'Shorewall6') and the version when
    printing a command output banner.

    Example:

      Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ...

    That has been corrected.

5)  The shorewall-snat(5) manpage previously stated that a
    comma-separated list of IP addresses could be specified for
    SNAT. That statement was in error and has been removed. As part of
    this change, IPv4 Example 6 has been updated to use the
    PROBABILITY column.

New Features:

1)  The 'show tc' command now shows the classifiers associated with
    each interface (as displayed by the 'show classifiers'
    command). This integrated qdisc/filter information is also included
    in the output of the 'dump' command. This change deprecates the
    'show classifiers' ('show filters') command, as that command's
    output is now included in the 'show tc' output.

2)  Shorewall6 has traditionally generated rules for IPv6 anycast
    addresses. These rules include:

    a)  Packets with these destination IP addresses are dropped by
        REJECT rules.

    b)  Packets with these source IP addresses are dropped by the
        'nosmurfs' interface option and by the 'dropSmurfs' action.

    c)  Packets with these destination IP addresses are not logged
        during policy enforcement.

    d)  Packets with these destination IP addresses are processed by
        the 'Broadcast' action.

    Beginning with this release, individual network interfaces can be
    excluded from this treatment through use of the 'omitanycast'
    option in /etc/shorewall6/interfaces.

    Note: This option was named 'noanycast' in earlier Beta releases.

3)  Duplicate function names have been eliminated between the
    Shorewall-core lib.cli shell library and the Shorewall lib.cli-std
    library.

4)  The 'status' command in Shorewall[6]-lite now precedes the
    configuration directory name with the administrative host name
    separated with a colon (":").

    Example (Firewall script generated on host 'debianvm'):

      root@gateway:~# shorewall-lite status
      Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15

      Shorewall Lite is running
      State:Started Tue 15 Sep 2020 03:08:33 PM PDT from
      debianvm:/home/teastep/shorewall/gateway/shorewall/
      (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020
      03:08:28 PM PDT by Shorewall version 5.2.8)

      root@gateway:~#

5)  Tuomo Soini has contributed a macro that handles NFS v1.4+ (no
    dynamic ports).

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
