From 244008a12b0116714b93ed221e6d16c91edcd469 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 14 Dec 2006 21:09:49 +0000 Subject: [PATCH] Update web site for 3.3.6/3.2.7 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5121 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- web/News.htm | 5 ++++- web/shorewall_index.htm | 18 +++++++++--------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/web/News.htm b/web/News.htm index 3ee491771..9a50cbbc0 100644 --- a/web/News.htm +++ b/web/News.htm @@ -20,11 +20,14 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

November 18, 2006
+

December 14, 2006


+2006-11-14 Shorewall 3.2.7
+
+
Problems Corrected in 3.2.7

1) Handling of saved ipsets in /etc/shorewall/ipsets is broken when
used on a system running Shorewall Lite. If there is a file named
'ipsets' on the CONFIG_PATH when the firewall script is compiled,
then the compiled script attempts to restore the ipsets from that
file (which may not exist on the firewall system).

2) The 'try' command failed on systems whose /bin/sh is Busybox ash:

/sbin/shorewall: export: 2158: Illegal option -n

3) Previously, Shorewall has assumed that the root user is named
'root'. Beginning with this release, the root user may have a
different name. This required the addition of an '-r' option for
the 'shorewall load' and 'shorewall reload' commands.

[re]load [ -e ] [ -c ] [ -r <root user> ] [ <dir> ] system

Example: shorewall reload -r foobar firewall

4) On systems with a light-weight shell such as ash or dash for /bin/sh,
the output of "shorewall show macros" was garbled.

Other Changes in 3.2.7

1) Prior to this release, on firewall systems with Shorewall Lite
installed, the local modules file is used to determine which kernel
modules to load. Beginning with this release, if there is a
'modules' file in the export directory when the firewall script is
compiled, then that file will be copied into the compiled script
and used on the firewall system.

2) When syslogd is run with the -C option (which in some
implementations causes syslogd to log to an in-memory circular
buffer), /sbin/shorewall will now use the 'logread' command to read
the log from that buffer. This is for combatibility with OpenWRT.

3) Failures of the start, restart and restore commands are now logged
using 'logger'. These failures are logged with the 'kern' facility
and 'err' priority. As part of this change, normal state changes
are now logged with the 'kern' facility and 'info' priority.
2006-11-18 Shorewall 3.2.6
Problems Corrected in 3.2.6.

1) When using a light-weight shell (e.g., ash) with multiple
providers, the /etc/iproute2/rt_tables database may become corrupted.

2) A startup error occurred when the LENGTH or TOS column was
non-empty in /etc/shorewall/tcrules.

3) A startup error resulted when whitespace as included in LOGFORMAT.

4) Previously, when conntrack match support was not available, the
'norfc1918' option on an interface or host group was incorrectly
filtering IPSEC traffic whose source IP address was reserved by RFC
1918.

5) If a DNAT or REDIRECT rule was used where the effective policy
between the source and final destination zones is ACCEPT, the ACCEPT
part of the rule was not generated. This was intended as an
optimizaiton but it could lead to confusing results if there was a
DROP or REJECT rule following.

This optimization has been removed. You may always use DNAT- and
REDIRECT- to suppress generation of the ACCEPT rule.

6) Shorewall[-lite] previously would return an error exit status to a
"start" command where Shorewall was already running. It not returns
a "success" status.

7) The install.sh scripst have been corrected to work properly when
used to create packages on Slackware and Arch Linux.

5) A change in version 3.2.5 broke Mac Filtration in some
cases. Result was:

Setting up MAC Filtration -- Phase 1...
iptables v1.3.6: policy match: invalid policy `--dir'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A eth1_fwd -s 0.0.0.0/0 -m state
--state NEW -m policy --pol --dir in -j eth1_mac" Failed

6) At VERBOSITY 1 and higher, the 'shorewall add' and 'shorewall
delete' commands generated a fractured message. The message
contents depended in the setting of IPSECFILE as follows:

IPSECFILE=ipsec

ipsec...

IPSECFILE=zones

IPSEC...

The messages have been corrected and are only produced at VERBOSITY
2 and higher as follows:

IPSECFILE=ipsec

Processing /etc/shorewall/ipsec...

IPSECFILE=zones

Processing IPSEC...

7) Previously, when <action>:none appeared in a rule, the name of the
action chain created was preceded by "%" and might have a one- or
two-digit number appended. If both <action> and <action>:none
appeared, then two chains were created. This has been corrected
such that <action> and <action>:none are treated identically.

8) If SAVE_IPSETS=Yes in shorewall.conf, the "shorewall[-lite] save"
command produced error messages as follows:

Dynamic Rules Saved
Currently-running Configuration Saved to /var/lib/shorewall/restore
grep: /var/lib/shorewall/restore-base: No such file or directory
grep: /var/lib/shorewall/restore-base: No such file or directory
Current Ipset Contents Saved to
/var/lib/shorewall/restore-ipsets

9) If BRIDGING=No in shorewall.conf, then an attempt to define a zone
using ipsets fails as follows:

ERROR: BRIDGING=Yes is needed for this zone definition: z eth0:+iset

Other Changes in 3.2.6.

1) The "shorewall [re]load" command now supports a "-c" option.

Example:

shorewall reload -c gateway

When -c is given, Shorewall will capture the capabilities of the
remote system to a file named "capabilities" in the export
directory before compiling the configuration.

If the file "capabilities" does not currently exist in the
export directory then "-c" is automatically assumed.

2) If 0 (zero) is specified for the IN-BANDWIDTH in
/etc/shorewall/tcdevices then no ingress qdisc will be created for
the device.
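
Review bot: The added entry heading "2006-11-14 Shorewall 3.2.7" carries a date earlier than the "2006-11-18 Shorewall 3.2.6" entry directly below it, and it does not match the page date this hunk changes to "December 14, 2006". The month looks like a typo for 12, so the heading should probably read 2006-12-14. In the same added text, "combatibility" in item 2 of "Other Changes in 3.2.7" should be "compatibility".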
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 1eefbbd46..faa4d44b8 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -20,7 +20,7 @@ Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2006-11-19

+

2006-12-14


Table of Contents

Introduction @@ -104,17 +104,17 @@ Features page.

Current Shorewall Versions

The current Stable Release version -is  3.2.6
+is  3.2.7

The previous Stable Release version is 3.0.9
@@ -130,17 +130,17 @@ problems and The current Development Release version -is 3.3.5
+is 3.3.6
Get them from the download sites
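
Review bot: The index hunks advertise 3.3.6 as the current Development Release, and the commit subject names 3.3.6/3.2.7, but the News.htm change in this patch adds an entry for 3.2.7 only. If Development Releases are announced on the News page, the 3.3.6 entry is missing from this commit; if they are not, the subject line could say that only the version number is being bumped for 3.3.6.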