shorewall_code/STABLE/releasenotes.txt

This is a minor release of Shorewall.

Problems Corrected:

1) A problem seen on RH7.3 systems where Shorewall encountered start
   errors when started using the "service" mechanism has been worked
   around.

2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
   rule, Shorewall incorrectly created multiple DNAT rules in the nat
   table (one for each element in the list). Shorewall now correctly
   creates a single DNAT rule with multiple "--to-destination" clauses.

3) Corrected a problem in Beta 1 where DNS names containing a "-" were
   mis-handled when they appeared in the DEST column of a rule.

4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
   rules has been corrected.

5) The message "Adding rules for DHCP" is now suppressed if there are
   no DHCP rules to add.

6) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
   being tested before it was set.

7) Corrected handling of MAC addresses in the SOURCE column of the
   tcrules file. Previously, these addresses resulted in an invalid
   iptables command.

8) The "shorewall stop" command is now disabled when
   /etc/shorewall/startup_disabled exists. This prevents people from
   shooting themselves in the foot prior to having configured
   Shorewall.

9) A change introduced in version 1.4.6 caused error messages during
   "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
   being added to a PPP interface; the addresses were successfully
   added in spite of the messages.
   
   The firewall script has been modified to eliminate the error
   messages.

Migration Issues:

1) In earlier versions, an undocumented feature allowed entries in
   the host file as follows:

      z    eth1:192.168.1.0/24,eth2:192.168.2.0/24

   This capability was never documented and has been removed in 1.4.6
   to allow entries of the following format:

      z   eth1:192.168.1.0/24,192.168.2.0/24

2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
   removed from /etc/shorewall/shorewall.conf. These capabilities are
   now automatically detected by Shorewall (see below).

New Features:

1) A 'newnotsyn' interface option has been added. This option may be
   specified in /etc/shorewall/interfaces and overrides the setting
   NEWNOTSYN=No for packets arriving on the associated interface.

2) The means for specifying a range of IP addresses in
   /etc/shorewall/masq to use for SNAT is now
   documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.

3) Shorewall can now add IP addresses to subnets other than the first
   one on an interface.

4) DNAT[-] rules may now be used to load balance (round-robin) over a
   set of servers. Any number of servers may be specified in a range of
   addresses given as <first address>-<last address> and multiple
   ranges or individual servers may be specified in a comma-separated
   list.

   Example:

	DNAT net loc:192.168.10.2-192.168.10.5,192.168.10.44 tcp 80

5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
   have been removed and have been replaced by code that detects
   whether these capabilities are present in the current kernel. The
   output of the start, restart and check commands have been enhanced
   to report the outcome:

   Shorewall has detected the following iptables/netfilter capabilities:
      NAT: Available
      Packet Mangling: Available
      Multi-port Match: Available
   Verifying Configuration...

6) Support for the Connection Tracking Match Extension has been
   added. This extension is available in recent kernel/iptables
   releases and allows for rules which match against elements in
   netfilter's connection tracking table.

   Shorewall automatically detects the availability of this extension
   and reports its availability in the output of the start, restart and
   check commands.

   Shorewall has detected the following iptables/netfilter capabilities:
      NAT: Available
      Packet Mangling: Available
      Multi-port Match: Available
      Connection Tracking Match: Available
   Verifying Configuration...

   If this extension is available, the ruleset generated by Shorewall
   is changed in the following ways:

   a) To handle 'norfc1918' filtering, Shorewall will not create chains
      in the mangle table but will rather do all 'norfc1918' filtering in
      the filter table (rfc1918 chain).

   b) Recall that Shorewall DNAT rules generate two netfilter rules;
      one in the nat table and one in the filter table. If the Connection
      Tracking Match Extension is available, the rule in the filter table
      is extended to check that the original destination address was the
      same as specified (or defaulted to) in the DNAT rule.

7) The shell used to interpret the firewall script
   (/usr/share/shorewall/firewall) may now be specified using the
   SHOREWALL_SHELL parameter in shorewall.conf.

8) An 'ipcalc' command has been added to /sbin/shorewall.

      ipcalc [ <address> <netmask> | <address>/<vlsm> ]

   Examples:

      [root@wookie root]# shorewall ipcalc 192.168.1.0/24
         CIDR=192.168.1.0/24
         NETMASK=255.255.255.0
         NETWORK=192.168.1.0
         BROADCAST=192.168.1.255
      [root@wookie root]#

      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
         CIDR=192.168.1.0/24
         NETMASK=255.255.255.0
         NETWORK=192.168.1.0
         BROADCAST=192.168.1.255
      [root@wookie root]#

   Warning:

      If your shell only supports 32-bit signed arithmatic (ash or
      dash), then the ipcalc command produces incorrect information for
      IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
      correct information for all valid IP addresses.

9) An 'iprange' command has been added to /sbin/shorewall. 

      iprange <address>-<address>

   This command decomposes a range of IP addressses into a list of
   network and host addresses. The command can be useful if you need to
   construct an efficient set of rules that accept connections from a
   range of network addresses.

   Note: If your shell only supports 32-bit signed arithmetic (ash or
   dash) then the range may not span 128.0.0.0.

   Example:

      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
      192.168.1.4/30
      192.168.1.8/29
      192.168.1.16/28
      192.168.1.32/27
      192.168.1.64/26
      192.168.1.128/25
      192.168.2.0/23
      192.168.4.0/22
      192.168.8.0/22
      192.168.12.0/29
      192.168.12.8/31
      [root@gateway root]#

10) A list of host/net addresses is now allowed in an entry in
    /etc/shorewall/hosts.

    Example:

	foo	eth1:192.168.1.0/24,192.168.2.0/24

11) The "shorewall check" command now includes the chain name when
    printing the applicable policy for each pair of zones. 

    Example:

	Policy for dmz to net is REJECT using chain all2all

    This means that the policy for connections from the dmz to the
    internet is REJECT and the applicable entry in the
    /etc/shorewall/policy was the all->all policy.

12) Support for the 2.6 Kernel series has been added.