shorewall_code/Shorewall2/releasenotes.txt

158 lines
5.6 KiB
Plaintext
Raw Normal View History

Shorewall 2.0.3
----------------------------------------------------------------------
Problems Corrected since 2.0.2
1) The 'firewall' script is not purging temporary restore files in
/var/lib/shorewall. These files have names of the form
"restore-nnnnn".
2) The /var/lib/shorewall/restore script did not load the kernel
modules specified in /etc/shorewall/modules.
3) Specifying a null common action in /etc/shorewall/actions (e.g.,
:REJECT) results in a startup error.
4) If /var/lib/shorewall does not exist, shorewall start fails.
5) DNAT rules with a dynamic source zone don't work properly. When
used, these rules cause the rule to be checked against ALL input,
not just input from the designated zone.
6) The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.
7) Shorewall checks netfilter capabilities before loading kernel
modules. Hence if kernel module autoloading isn't enabled, the
capabilities will be misdetected.
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
9) The file /etc/init.d/shorewall now gets proper ownership when the
RPM is built by a non-root user.
10) Rules that specify bridge ports in both the SOURCE and DEST
columns no longer cause "shorewall start" to fail.
11) Comments in the rules file have been added to advise users that
"all" in the SOURCE or DEST column does not affect intra-zone
traffic.
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
passed through the blacklisting chains. Without this change, it is
not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
1) The 'dropNonSyn' standard builtin action has been replaced with the
'dropNotSyn' standard builtin action. The old name can still be used
but will generate a warning.
-----------------------------------------------------------------------
New Features:
1) Shorewall now supports multiple saved configurations.
a) The default saved configuration (restore script) in
/var/lib/shorewall is now specified using the RESTOREFILE option
in shorewall.conf. If this variable isn't set then to maitain
backward compatibility, 'restore' is assumed.
The value of RESTOREFILE must be a simple file name; no slashes
("/") may be included.
b) The "save" command has been extended to be able to specify the
name of a saved configuration.
shorewall save [ <file name> ]
The current state is saved to /var/lib/shorewall/<file name>. If
no <file name> is given, the configuration is saved to
the file determined by the RESTOREFILE setting.
c) The "restore" command has been extended to be able to specify
the name of a saved configuration:
shorewall restore [ <file name> ]
The firewall state is restored from /var/lib/shorewall/<file
name>. If no <file name> is given, the firewall state is
restored from the file determined by the RESTOREFILE setting.
c) The "forget" command has changed. Previously, the command
unconditionally removed the /var/lib/shorewall/save file which
records the current dynamic blacklist. The "forget" command now
leaves that file alone.
Also, the "forget" command has been extended to be able to
specify the name of a saved configuration:
shorewall forget [ <file name> ]
The file /var/lib/shorewall/<file name> is removed. If no <file
name> is given, the file determined by the RESTOREFILE setting
is removed.
d) The "shorewall -f start" command restores the state from the
file determined by the RESTOREFILE setting.
2) "!" is now allowed in accounting rules.
3) Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must
match the name of an entry in /etc/shorewall/interfaces or the name
of a bridge port appearing in /etc/shorewall/hosts).
4) A new 'rejNotSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
action. The old name will be accepted until the next major release
of Shorewall but will generate a warning.
Several new logging actions involving "New not SYN" packets have
been added:
logNewNotSyn -- logs the packet with disposition = LOG
dLogNewNotSyn -- logs the packet with disposition = DROP
rLogNewNotSyn -- logs the packet with disposition = REJECT
The packets are logged at the log level specified in the
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
not specified, then 'info' is assumed.
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
A: To simulate the behavior of NEWNOTSYN=No:
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
b) Create /etc/shorewall/action.NoNewNotSyn containing:
dLogNotSyn
dropNotSyn
c) Early in your rules file, place:
NoNewNotSyn all all tcp
B: Drop 'New not SYN' packets from the net only. Don't log them.
a) Early in your rules file, place:
dropNotSyn net all tcp
5) Slackware users no longer have to modify the install.sh script
before installation. Tuomo Soini has provided a change that allows
the INIT and FIREWALL variables to be specified outside the script
as in:
DEST=/etc/rc.d INIT=rc.firewall ./install.sh