Update news page for 4.2.5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9326 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-01-22 15:34:35 +00:00
parent 8f78a11a70
commit 485e921829


@ -24,9 +24,22 @@ license is included in the section entitled <span
href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>".
</p>
<p>January 06, 2009<br>
<p>January 22, 2009<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><strong>2009-01-22 Shorewall 4.2.5</strong></p>
<p><strong></strong></p>
<pre>Problems corrected in 4.2.5<br><br>1) If exclusion is used to define a zone in /etc/shorewall/hosts and<br> that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,<br> then Shorewall-perl can generate invalid iptables-restore input.<br><br>2) A bug in the Perl Cwd module (see<br> <a
class="moz-txt-link-freetext"
href="http://rt.cpan.org/Public/Bug/Display.html?id=13851">http://rt.cpan.org/Public/Bug/Display.html?id=13851</a>) causes the<br> Shorewall-perl compiler to fail if it doesn't have at least read<br> access to its current working directory. 4.2.5 contains a<br> workaround.<br><br>3) If 'critical' was specified on an entry in<br> /etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would<br> generate an error.<br><br>4) In certain cases where exclusion occurred in /etc/shorewall/hosts,<br> Shorewall-perl would generate incorrect iptables-restore input.<br><br>5) In certain cases where exclusion occurred in /etc/shorewall/hosts,<br> Shorewall-perl would generate invalid iptables-restore input.<br><br>6) The 'shorewall6 refresh' command runs iptables_restore rather than<br> ip6tables_restore.<br><br>7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and<br> 'shorewall6 restore' were previously broken.<br><br>8) The Debian init script was checking $startup in<br> /etc/default/shorewall rather than in /etc/default/shorweall6<br><br>9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were<br> unconverted Shorewall scripts.<br><br>10) When 'detect' is used in the GATEWAY column of<br> /etc/shorewall/providers, Shorewall-perl now ensures that the<br> gateway was successfully detected. If the gateway cannot be<br> detected, action is taken depending on whether the provider is<br> 'optional' or not. If the provider is optional, it's configuration<br> is skipped; if the provider is not optional, the current operation<br> is aborted.<br><br>11) The command 'shorewall6 debug start' would previously fail with<br> ERROR: Command "/sbin/ip6tables -t nat -F" Failed<br><br>12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear<br> script itself at run time rather than running the copy of the<br> file in the compiled script. 
This usually isn't noticable unless<br> you are running Shorewall Lite or Shorewall6 Lite in which case,<br> the script doesn't get run (since it is on the administrative<br> system and not the firewall system).<br><br>13) If your iptables/kernel included "Extended Connection Tracking<br> Match support" (see the output of "shorewall show capabilities"),<br> then a REDIRECT rule that specified a port list or range would<br> cause Shorewall-perl to create invalid iptables-restore input:<br><br> Running /usr/sbin/iptables-restore...<br> iptables-restore v1.4.2-rc1: conntrack: Bad value for<br> "--ctorigdstport" option: "1025:65535"<br> Error occurred at line: 191<br> Try `iptables-restore -h' or 'iptables-restore --help' for more information.<br> ERROR: iptables-restore Failed. Input is in <i
class="moz-txt-slash"><span class="moz-txt-tag">/</span>var/lib/shorewall<span
class="moz-txt-tag">/</span></i>.iptables-restore-input<br><br>Known Problems Remaiining:<br><br>1) When exclusion is used in an entry in /etc/shorewall/hosts, then<br> Shorewall-shell produces an invalid iptables rule if any of the<br> following OPTIONS are also specified in the entry:<br><br> blacklist<br> maclist<br> norfc1918<br> tcpflags<br><br>New Feature in Shorewall 4.2.5<br><br>1) A new 'fallback' option is added in<br> /etc/shorewall/providers. The option works similar to 'balance'<br> except that the default route is added in the default routing table<br> (253) rather than in the main table (254).<br><br> The option can be used by itself or followed by =&lt;number&gt; (e.g,<br> fallback=2).<br><br> When the option is used by itself, a separate (not balanced)<br> default route is added with a metric equal to the provider's NUMBER.<br><br> When the option is used with a number, a balanced route is added<br> with the weight set to the specified number.<br><br> 'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and<br> is only available with Shorewall-perl.<br><br> 'fallback' is useful in situations where:<br><br> - You want all traffic to be sent via one primary provider unless<br> there is a compelling reason to use a different provider<br><br> - If the primary provider is down, then you want to balance the<br> outgoing traffic among a set of other providers or to a<br> ordered list of providers.<br><br> In this case:<br><br> - Do not specify 'balance' on any of the providers.<br> - Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).<br> - Specify 'fallback' on those providers that you want to use if<br> the primary is down.<br> - Only the primary provider should have a default route in the main<br> routing table.<br><br> See <a
class="moz-txt-link-freetext"
href="http://www.shorewall.net/MultiISP.html#Complete">http://www.shorewall.net/MultiISP.html#Complete</a> for an example<br> of this option's use.<br><br>2) Shorewall-perl now transparently handles the xtables-addon version<br> of ipp2p. Shorewall detects whether the installed ipp2p is from<br> patch-o-matic-ng or from xtables-addon and proceeds accordingly.<br><br> If the patch-o-matic-ng version is installed:<br><br> a) If no DEST PORT is supplied, the default is "--ipp2p".<br> b) If "ipp2p" is supplied as the DEST PORT, it will be passed to<br> iptables-restore as "--ipp2p".<br><br> If the xtables-addons version is installed:<br><br> a) If no DEST PORT is supplied, the default is "--edk --gnu --dc<br> --kazaa".<br> b) If "ipp2p" is supplied as the DEST PORT, it will be passed to<br> iptables-restore as "--edk --gnu --dc --kazaa".<br><br> Shorewall-perl now also accepts a comma-separated list of options<br> (e.g., "edk,gnu,dc,kazaa).<br><br> Additionally, Shorewall now looks for modules in <i
class="moz-txt-slash"><span class="moz-txt-tag">/</span>lib/modules<span
class="moz-txt-tag">/</span></i>$(uname<br> -r)<i
class="moz-txt-slash"><span class="moz-txt-tag">/</span>extra and in /lib/modules<span
class="moz-txt-tag">/</span></i>$(uname -r)/extra/ipset<br><br> This change introduced a new capability ("Old IPP2P Match Syntax")<br> so if you use a capabilities file, be sure to re-generate the<br> file(s) after you have installed 4.2.5.<br><br>3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).<br><br>4) There is also a macro.IRC which open's the Internet Relay Chat port<br> (6667/tcp).</pre>
<p><strong>2009-01-06 Winner of the Shorewall Logo Design Competition
Announced</strong></p>
The Shorewall developers are pleased to announce that after deliberating<br>
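Review bot: the 'fallback' entry under "New Feature in Shorewall 4.2.5" tells readers to "Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf)" without saying why the extra default route in table 253 requires it or what protection is given up; route filtering is the kernel's reverse-path (rp_filter) anti-spoofing check, so the entry should state that it is being turned off for the whole firewall and that readers who relied on it should compensate with explicit source-address rules. Smaller points in the same hunk: items 4) and 5) under "Problems corrected" read as duplicates ("incorrect" vs "invalid" iptables-restore input) and should be merged or say how they differ; the "Known Problems Remaining" item should say what the invalid rule does at run time (does 'shorewall start' fail, or is the rule silently missing?), which matters for a firewall; item 7) writes 'shorewall6-save-restart' with a hyphen while the neighbouring commands use a space; the empty `<p><strong></strong></p>` after the 4.2.5 heading should go; and the text has typos to fix: "Remaiining", "shorweall6", "noticable", "it's configuration" (should be "its"), "open's", "xtables-addon" vs "xtables-addons", and the unclosed quote in '(e.g., "edk,gnu,dc,kazaa)'.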