This is a minor release of Shorewall.

Problems Corrected since version 1.4.9:

1. The column descriptions in the action.template file did not match
   the column headings. That has been corrected.

2. The presence of IPV6 addresses on devices generates error messages
   during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
   specified in /etc/shorewall/shorewall.conf.

3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
   couple of problems involving rate limiting have been
   corrected. These bug fixes are courtesy of Steven Jan Springl.

4. Shorewall now tries to avoid sending an ICMP response to broadcasts
   and smurfs.

5. Specifying "-" or "all" in the PROTO column of an action no longer
   causes a startup error.

6. Fixed a problem in which the firewall would encounter an error
   during startup while processing the /etc/shorewall/masq file.

7. Atheros WiFi cards were previously excluded from use with the
   "maclist" interface option.

8. (Fix from Steven Jan Springl) In the /etc/shorewall/masq entry

       eth0:!10.1.1.150   0.0.0.0/0!10.1.0.0/16   10.1.2.16

   the !10.1.0.0/16 is ignored.

9. A startup error occurs if the USER/GROUP column of the tcrules file
   is empty.

10. The following syntax previously produced a startup error:

        DNAT z1!z2,z3 z4:...

    That has been corrected so that multiple excluded zones may now be
    listed in a DNAT or REDIRECT rule.

11. Use of user-defined actions frequently resulted in a WARNING that
    the rule was a policy.

12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and
    IPSEC has been corrected!!

13. The rfc1918 file has been updated.

14. An exploitable vulnerability that allows local non-root users to
    cause arbitrary files to be overwritten has been eliminated.

15. The security vulnerability fix failed under Slackware 9.1.

16. The security vulnerability fix failed if mktemp was not installed.
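
Items 14 to 16 concern temporary-file handling: the fix for the arbitrary-file-overwrite bug relied on mktemp, and broke where mktemp was absent. The function below is an added example, not Shorewall's own code, of creating a temporary file that another local user cannot pre-create or replace, with a fallback for systems without mktemp. The fallback relies on mkdir(2) being atomic and failing on any pre-existing path (file, directory or symlink); the SAFE_TEMPFILE_NO_MKTEMP variable is an assumed knob that exists only to exercise that fallback path.

```shell
#!/bin/sh
# Added example (not Shorewall's code): private temporary file with and
# without mktemp. SAFE_TEMPFILE_NO_MKTEMP=1 forces the fallback path (assumed
# knob for demonstration only).

safe_tempfile() {
    tmpdir=${TMPDIR:-/tmp}

    if [ -z "$SAFE_TEMPFILE_NO_MKTEMP" ] && command -v mktemp >/dev/null 2>&1; then
        # mktemp opens the file with O_EXCL and mode 0600, so a name that
        # someone else created first is simply skipped for another one.
        mktemp "$tmpdir/shorewall.XXXXXX"
        return $?
    fi

    # Fallback without mktemp: mkdir is atomic and fails if anything already
    # exists at the path, so a directory we manage to create is ours alone.
    # The file inside it is then created under a restrictive umask.
    tries=0
    while [ "$tries" -lt 100 ]; do
        dir="$tmpdir/shorewall.$$.$tries"
        if mkdir -m 700 "$dir" 2>/dev/null; then
            if ( umask 077 && : > "$dir/tmpfile" ); then
                printf '%s\n' "$dir/tmpfile"
                return 0
            fi
            rmdir "$dir" 2>/dev/null
        fi
        tries=$((tries + 1))
    done
    echo "safe_tempfile: could not create a private temporary file" >&2
    return 1
}

# Remove a file produced by safe_tempfile, including the private directory
# that the fallback path creates around it.
safe_tempfile_cleanup() {
    rm -f "$1"
    case "$1" in
        */shorewall.*.*/tmpfile) rmdir "${1%/tmpfile}" 2>/dev/null ;;
    esac
}

# True if PATH is a regular file, not a symlink, with mode 0600: the property
# a fix for "local users can overwrite arbitrary files" has to guarantee.
tempfile_is_private() {
    [ -f "$1" ] || return 1
    [ -L "$1" ] && return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone demo: create one file, check it, remove it again.
if f=$(safe_tempfile); then
    tempfile_is_private "$f" && echo "created private temp file $f"
    safe_tempfile_cleanup "$f"
fi
```

Both paths return a path that passes tempfile_is_private; the difference is only in how exclusivity is obtained (O_EXCL in mktemp versus an atomic mkdir), which is why the fallback is acceptable when mktemp is not installed.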

Migration Issues:

None.

New Features:

1) The INTERFACE column in the /etc/shorewall/masq file may now
   specify a destination list.

   Example:

   #INTERFACE                     SUBNET    ADDRESS
   eth0:192.0.2.3,192.0.2.16/28   eth1

   If the list begins with "!" then SNAT will occur only if the
   destination IP address is NOT included in the list.
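
The following is an added example, not Shorewall's own code, that models how a masq entry of the form INTERFACE[:dest-list] SUBNET[!exclusions] decides whether a packet is SNATed. It honours both the destination list (with the leading "!" negation) described in feature 1 and the SUBNET exclusion that item 8 of the bug list reports as being ignored. Simplifications that are this example's own: the SUBNET column is handled as an address list only (not an interface name such as eth1), and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not Shorewall's code): SNAT decision for one masq entry,
# using only POSIX sh arithmetic. SUBNET values must be address lists.

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_cidr ADDR NET[/BITS]: true if ADDR lies within the prefix.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32            # bare host address
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# in_list ADDR a,b/24,...: true if ADDR matches any comma-separated prefix.
in_list() {
    addr=$1
    old_ifs=$IFS
    IFS=,
    set -- $2
    IFS=$old_ifs
    for p in "$@"; do
        in_cidr "$addr" "$p" && return 0
    done
    return 1
}

# snat_applies "INTERFACE column" "SUBNET column" SRC DST
# True when a packet SRC -> DST leaving the interface would be SNATed.
snat_applies() {
    ifcol=$1; subcol=$2; src=$3; dst=$4

    # INTERFACE column: iface[:dest-list]; a leading "!" negates the list.
    case "$ifcol" in
        *:*) dests=${ifcol#*:} ;;
        *)   dests= ;;
    esac
    if [ -n "$dests" ]; then
        case "$dests" in
            "!"*) in_list "$dst" "${dests#"!"}" && return 1 ;;
            *)    in_list "$dst" "$dests" || return 1 ;;
        esac
    fi

    # SUBNET column: include-list[!exclude-list]; the exclusion must win.
    case "$subcol" in
        *!*) incl=${subcol%%!*}; excl=${subcol#*!} ;;
        *)   incl=$subcol; excl= ;;
    esac
    in_list "$src" "$incl" || return 1
    if [ -n "$excl" ]; then
        in_list "$src" "$excl" && return 1
    fi
    return 0
}

# Demo with the entry from item 8: a source inside the excluded 10.1.0.0/16
# must not be SNATed, any other source must.
for s in 10.2.3.4 10.1.5.5; do
    if snat_applies 'eth0:!10.1.1.150' '0.0.0.0/0!10.1.0.0/16' "$s" 8.8.8.8; then
        echo "$s -> 8.8.8.8: SNAT to 10.1.2.16"
    else
        echo "$s -> 8.8.8.8: not SNATed"
    fi
done
```

The two checks are independent: the destination list restricts which targets trigger SNAT, the SUBNET exclusion restricts which sources do, and a packet must pass both before the ADDRESS column is applied.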

2) Output traffic control rules (those with the firewall as the source)
   may now be qualified by the effective userid and/or effective group
   id of the program generating the output. This feature is courtesy of
   Frédéric LESPEZ.

   A new USER column has been added to /etc/shorewall/tcrules.

   It may contain:

   [<user name or number>]:[<group name or number>]

   The colon is optional when specifying only a user.

   Examples: john: / john / :users / john:users
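
As an added example, not Shorewall's own code, the function below turns a USER column value in the [user]:[group] syntax above into the arguments for the iptables owner match. The --uid-owner and --gid-owner options are the real options of that match; mapping the column onto them is this example's assumption about how the value is applied. An empty column ("-") yields no match at all, which is the case that item 9 of the bug list says used to produce a startup error, and a value containing characters outside a user or group name is rejected before it can reach a command line.

```shell
#!/bin/sh
# Added example (not Shorewall's code): tcrules USER column -> iptables owner
# match arguments. Mapping to --uid-owner/--gid-owner is assumed.

owner_match() {
    spec=$1
    case "$spec" in
        ''|-) return 0 ;;                   # empty column: no owner restriction
    esac
    case "$spec" in
        *:*) usr=${spec%%:*}; grp=${spec#*:} ;;   # "john:", ":users", "john:users"
        *)   usr=$spec;       grp= ;;             # "john" (colon optional)
    esac
    # A lone ":" names neither part: reject instead of emitting "-m owner".
    if [ -z "$usr" ] && [ -z "$grp" ]; then
        echo "owner_match: empty user and group in \"$spec\"" >&2
        return 1
    fi
    # Names and numeric ids are both accepted by iptables; anything else
    # (shell metacharacters, whitespace) is refused.
    for part in "$usr" "$grp"; do
        case "$part" in
            *[!A-Za-z0-9_.-]*)
                echo "owner_match: bad owner \"$part\"" >&2
                return 1 ;;
        esac
    done
    out="-m owner"
    [ -n "$usr" ] && out="$out --uid-owner $usr"
    [ -n "$grp" ] && out="$out --gid-owner $grp"
    printf '%s\n' "$out"
}

# Demo: the four examples from the release notes plus the empty column.
for spec in 'john:' john :users john:users -; do
    printf '%-12s => %s\n' "$spec" "$(owner_match "$spec")"
done
```

Because the owner match only has meaning for locally generated packets, these arguments belong on rules whose source is the firewall itself, which is exactly the restriction stated for the feature.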

3) A "detectnets" interface option has been added for entries in
   /etc/shorewall/interfaces. This option automatically tailors the
   definition of the zone named in the ZONE column to include just
   those hosts that have routes through the interface named in the
   INTERFACE column. The named interface must be UP when
   Shorewall is [re]started.

   WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
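
To show what "hosts that have routes through the interface" amounts to in practice, here is an added example, not Shorewall's own code, that derives such a host list from "ip route show" output and refuses to build one for the interface that carries the default route, which is the situation the warning above is about. The route lines are constructed sample data, and skipping the default route is this example's own rule rather than a statement about Shorewall's implementation.

```shell
#!/bin/sh
# Added example (not Shorewall's code): networks routed through an interface,
# derived from "ip route show" lines. SAMPLE_ROUTES is constructed data.

SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.1
10.2.0.0/16 via 10.1.0.254 dev eth1
172.16.5.0/24 dev eth2 proto kernel scope link src 172.16.5.1'

# detect_nets IFACE [ROUTES]: print the prefixes routed via IFACE, one per
# line. The default route is skipped (assumption of this example): with it,
# the zone would be 0.0.0.0/0 and would stop distinguishing anything.
detect_nets() {
    iface=$1
    routes=${2:-$SAMPLE_ROUTES}
    printf '%s\n' "$routes" | while read -r dest rest; do
        case " $rest " in
            *" dev $iface "*) ;;
            *) continue ;;
        esac
        case "$dest" in
            default) continue ;;
            */*)     printf '%s\n' "$dest" ;;
            *)       printf '%s/32\n' "$dest" ;;   # host route
        esac
    done
}

# carries_default_route IFACE [ROUTES]: true if the default route leaves
# through IFACE, i.e. it is the Internet-facing interface.
carries_default_route() {
    iface=$1
    routes=${2:-$SAMPLE_ROUTES}
    printf '%s\n' "$routes" | grep -qE "^default .* dev $iface( |$)"
}

# detectnets_zone IFACE [ROUTES]: comma-separated host list for the zone, or
# failure when IFACE is the one the warning says must never use this option.
detectnets_zone() {
    if carries_default_route "$@"; then
        echo "detectnets_zone: refusing: $1 carries the default route" >&2
        return 1
    fi
    detect_nets "$@" | tr '\n' ',' | sed 's/,$//'
}

# Demo over the constructed table.
for i in eth1 eth2 eth0; do
    if z=$(detectnets_zone "$i"); then
        echo "$i: zone hosts $z"
    else
        echo "$i: no detectnets zone"
    fi
done
```

The list must be recomputed whenever Shorewall is [re]started, which is why the interface has to be UP at that moment: an interface that is down has no routes, and the zone would come out empty.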