diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
index 0d1c8516c..c24beeeab 100755
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index be2cb1d16..5585f7c26 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index 886aeec2c..fab7283a1 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,6 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index b0409c925..c2ddc5640 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall/Makefile b/Shorewall/Makefile
index 1ee948e2e..f2a7876d4 100644
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -1,7 +1,7 @@
 # Shorewall Makefile to restart if config-files are newer than last restart
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
-RESTOREFILE?=.restore
+RESTOREFILE?=firewall
 all: $(VARDIR)/${RESTOREFILE}
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
diff --git a/Shorewall/Shorewall/Compiler.pm b/Shorewall/Shorewall/Compiler.pm
index d7e589eb6..9d97bce61 100644
--- a/Shorewall/Shorewall/Compiler.pm
+++ b/Shorewall/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 4.2.6;
+our $VERSION = 4.3.7;
 
 our $export;
 
@@ -763,7 +763,7 @@ EOF
 run_started_exit
 fi
-[ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
+[ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 date > ${VARDIR}/restarted
diff --git a/Shorewall/Shorewall/Config.pm b/Shorewall/Shorewall/Config.pm
index ef40d9197..aa2626eaa 100644
--- a/Shorewall/Shorewall/Config.pm
+++ b/Shorewall/Shorewall/Config.pm
@@ -317,7 +317,7 @@ sub initialize( $ ) {
 TC_SCRIPT => '',
 EXPORT => 0,
 UNTRACKED => 0,
-VERSION => "4.3.6",
+VERSION => "4.3.7",
 CAPVERSION => 40205 ,
 );
 
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 93501e5ba..4b2cb048a 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index fc520fea3..37cc52204 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -289,9 +289,9 @@ save_config() {
 
 if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
 echo " Dynamic Rules Saved"
-if [ -f ${VARDIR}/.restore ]; then
+if [ -f ${VARDIR}/firewall ]; then
 if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
-cp -f ${VARDIR}/.restore $RESTOREPATH
+cp -f ${VARDIR}/firewall $RESTOREPATH
 mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 chmod +x $RESTOREPATH
 echo " Currently-running Configuration Saved to $RESTOREPATH"
@@ -340,7 +340,7 @@ save_config() {
 echo " ERROR: Currently-running Configuration Not Saved" >&2
 fi
 else
-echo " ERROR: ${VARDIR}/.restore does not exist" >&2
+echo " ERROR: ${VARDIR}/firewall does not exist" >&2
 fi
 else
 echo "Error Saving the Dynamic Rules" >&2
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 15f4d3e9e..9329ee938 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.3.6
+Shorewall 4.3.7
 
 Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
 released late in 2009.
@@ -18,98 +18,50 @@ released late in 2009. that cause new connections to use the same provider as an existing connection of the same kind. -4) Shorewall now supports NOTRACK rules (this feature will also be - released in Shorewall 4.2.7). +---------------------------------------------------------------------------- + M I G R A T I O N I S S U E S +---------------------------------------------------------------------------- -Problems corrected in 4.3.6 +1) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and + 'shorewall6 clear' commands no longer read the 'routestopped' + file. The 'routestopped' file used is the one that was present at + the last 'start', 'restart' or 'restore' command. -1) The shorewall6 dump command now correctly displays the installed - Shorewall version. - -2) Previously, the 'start' command set the permission flags on - /var/lib/shorewall*/state so that it could be read by - non-root users while the 'stop' command set the permissions such - that the file could not be read by those users. +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 3 . 7 +---------------------------------------------------------------------------- - Beginning with 4.3.6, both commands will secure the file for - root-only access. If you want the file to be world-readable, then - add +1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2 + and 4.3 versions. - chmod 744 /var/lib/shorewall*/state + The problem: - To your /etc/shorewall*/started, /etc/shorewall*/stopped and - /etc/shorewall*/restored files. + a) Only occurs when there are more than one non-firewall zone. + b) Results in the following interface options not being applied to + forwarded traffic. -3) If nets=() was specified in - /etc/shorewall/interfaces then the specification was ignored. 
- -4) Shorewall6 compilation failed with this error: - - ERROR: Unable to open /usr/share/shorewall6/prog.header6: - No such file or directory - -Known Problems Remaiining: + blacklist + dhcp + maclist (when MACLIST_TABLE=filter) + norfc1918 + nosmurfs + tcpflags + +---------------------------------------------------------------------------- + K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- None. -New Features in Shorewall 4.3.6 +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 3 . 6 +---------------------------------------------------------------------------- -1) To allow bypassing of connection tracking for certain traffic, - /etc/shorewall/notrack and /etc/shorewall6/notrack files have been - added. +None. - Columns in the file are: - - SOURCE - [:][:
] - - DEST - [
] - - PROTO - - - DEST PORT(S) - - - SOURCE PORT(S) - - - USER/GROUP - [][:] - - May only be specified if the SOURCE is $FW. - - Traffic that matches all given criteria will not be subject to - connection tracking. For such traffic, your policies and/or rules - must deal with ALL of the packets involved, in both the original - and the opposite directions. All untracked traffic is passed - through the relevant rules in the NEW section of the rules - file. Untracked encapsulated tunnel traffic can be handled by - entries in /etc/shorewall/tunnels just like tracked traffic - is. Because every packet of an untracked connection must pass - through the NEW section rules, it is suggested that rules that deal - with untracked traffic should appear at the top of the file. - - Example: - - /etc/shorewall/tunnels: - - #TYPE ZONE GATEWAY - 6to4 net - - /etc/shorewall/notrack - - #SOURCE DEST PROTO DEST SOURCE USER/ - # PORT(S) PORT(S) GROUP - net:!192.88.99.1 - 41 - - Given that 192.88.99.1 is an anycast address, many hosts can - respond to outward traffic to that address. The entry in - /etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in - /etc/shorewall/notrack prevents the inbound traffic from creating - additional useless conntrack entries. - - As part of this change, the 'show' command is enhanced to support a - 'show raw' command that is an alias for 'show -t raw'. The raw - table is where NOTRACK rules are created. The dump command is also - enhanced to display the contents of the raw table. - -New Features in Shorewall 4.3 +---------------------------------------------------------------------------- + N E W F E A T U R E S IN 4 . 3 +---------------------------------------------------------------------------- 1) The Shorewall packaging has been completely revamped in Shorewall 4.3. diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 0d4b6d7d4..9f6a90996 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
@@ -767,9 +767,9 @@ restart_command() {
 logger -p kern.err "ERROR:Shorewall restart failed"
 fi
 else
-[ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found"
+[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
 [ -n "$nolock" ] || mutex_on
-$SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart
+$SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
 rc=$?
 [ -n "$nolock" ] || mutex_off
 fi
@@ -1540,7 +1540,11 @@ export PRODUCT="Shorewall"
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 
-FIREWALL=${VARDIR}/.restore
+if [ ! -f ${VARDIR}/firewall ]; then
+[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
+fi
+
+FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 485ae26c0..a9e092954 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -174,6 +174,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable
 
 %changelog
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 306577366..31699ac08 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/fallback.sh b/Shorewall6-lite/fallback.sh
index 0d1c8516c..c24beeeab 100755
--- a/Shorewall6-lite/fallback.sh
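Review bot: The `.restore` → `firewall` migration added after `[ -n "${VARDIR:=/var/lib/shorewall}" ]` runs at top-level setup on every CLI invocation, before any command is dispatched, and its `cp -f` result is never checked. On a host that still has only `.restore`, a read-only command run by an unprivileged user (e.g. `show`) would attempt the copy, fail, and emit stray `cp` errors, while the legacy `.restore` is left behind so a stale compiled script could be silently re-promoted to `firewall` if the new file is ever removed. Consider guarding the shim, for instance `if [ -w "$VARDIR" ] && [ ! -f ${VARDIR}/firewall ] && [ -f ${VARDIR}/.restore ]; then`, reporting a failed copy, and renaming rather than copying `.restore` once the migration succeeds (or documenting why the old file must stay). The same block is added to Shorewall6/shorewall6 in its `@@ -1524,7 +1524,11 @@` hunk.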
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh
index aa1e59891..4a4d0566d 100755
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec
index 5350df121..998a50f1f 100644
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -89,6 +89,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh
index afae2215a..56d28d1f0 100755
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/Makefile b/Shorewall6/Makefile
index 48ecebacc..a7b34f616 100644
--- a/Shorewall6/Makefile
+++ b/Shorewall6/Makefile
@@ -1,7 +1,7 @@
 # Shorewall6 Makefile to restart if config-files are newer than last restart
 VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
-RESTOREFILE?=.restore
+RESTOREFILE?=firewall
 all: $(VARDIR)/${RESTOREFILE}
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
diff --git a/Shorewall6/fallback.sh b/Shorewall6/fallback.sh
index c8a2aa3b8..1c649e220 100755
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index 53370d73b..672179982 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index 26008c5e7..949fe853e 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -270,9 +270,9 @@ save_config() {
 
 if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
 echo " Dynamic Rules Saved"
-if [ -f ${VARDIR}/.restore ]; then
+if [ -f ${VARDIR}/firewall ]; then
 if $iptables_save > ${VARDIR}/restore-$$; then
-cp -f ${VARDIR}/.restore $RESTOREPATH
+cp -f ${VARDIR}/firewall $RESTOREPATH
 mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 chmod +x $RESTOREPATH
 echo " Currently-running Configuration Saved to $RESTOREPATH"
@@ -282,7 +282,7 @@ save_config() {
 echo " ERROR: Currently-running Configuration Not Saved" >&2
 fi
 else
-echo " ERROR: ${VARDIR}/.restore does not exist" >&2
+echo " ERROR: ${VARDIR}/firewall does not exist" >&2
 fi
 else
 echo "Error Saving the Dynamic Rules" >&2
diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6
index d5b297556..87e7a00ae 100755
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -744,9 +744,9 @@ restart_command() {
 logger -p kern.err "ERROR:Shorewall6 restart failed"
 fi
 else
-[ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found"
+[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
 [ -n "$nolock" ] || mutex_on
-$SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart
+$SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
 rc=$?
 [ -n "$nolock" ] || mutex_off
 fi
@@ -1524,7 +1524,11 @@ export PRODUCT="Shorewall6"
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 
-FIREWALL=${VARDIR}/.restore
+if [ ! -f ${VARDIR}/firewall ]; then
+[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
+fi
+
+FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec
index 32f5f64a4..65db3d472 100644
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -144,6 +144,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh
index 83375c490..6cad78d41 100755
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.3.6
+VERSION=4.3.7
 
 usage() # $1 = exit status
 {