Don't give zones and shorewall.conf execute permission; update version to 1.4.11

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1475 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-07-13 13:21:51 +00:00
parent 812f927d70
commit 4f69a5eddb
6 changed files with 15 additions and 145 deletions

View File

@ -1,45 +1,4 @@
Changes since 1.4.9
Changes since 1.4.10g
1) Implement destination list in masq file.
2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
3) Correct column headings in action.template
4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or
ADD_SNAT_ALIASES=Yes.
5) Implement "detectnets" option.
6) Correct the CONTINUE target and fix a couple of bugs in rate
limiting (with an assist from Steven Jan Springl).
7) Silently drop smurfs and broadcasts in the 'reject' chain.
8) Add multicast to 'detectnets' zones.
9) Don't add broadcasts to /0 groups.
10) Fix "-" in PROTO column of an action file.
11) Fix the enhancement in 1) above to avoid startup errors.
12) Allow maclist with Atheros cards
13) Fix masq file problem with exclusion in the source column.
14) Fix silly tcrules file problem.
15) Fix multiple excluded zones in DNAT/REDIRECT rules.
16) Correct reporting of POLICY rules.
17) Implement Sean Mathews's fix for Proxy ARP/IPSEC.
18) Update rfc1918.
19) Fix local exploit vulnerability.
20) Hack security fix so that it works under Slackware.
21) Fix mktempfile() where there is no mktemp utility.
1) Fix installer to not give zones and shorewall.conf execute
permission.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.10g
VERSION=1.4.11
usage() # $1 = exit status
{

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.10g
VERSION=1.4.11
usage() # $1 = exit status
{
@ -284,7 +284,7 @@ mkdir -p ${PREFIX}/var/lib/shorewall
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
backup_file /etc/shorewall/shorewall.conf
else
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi
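Review bot: the commit message and changelog describe this as removing execute permission, but the run_install line goes from 0744 to 0600, which also drops read access for group and other. That is a sensible default for a root-owned firewall configuration, but the changelog and release notes should say 0600 so the record matches the behaviour, and it is worth confirming that nothing running as a non-root user needs to read shorewall.conf.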
@ -294,7 +294,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
backup_file /etc/shorewall/zones
else
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
run_install -o $OWNER -g $GROUP -m 0600 zones ${PREFIX}/etc/shorewall/zones
echo
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
fi
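Review bot: the new mode only takes effect on a fresh install. When ${PREFIX}/etc/shorewall/zones already exists, the `if` branch runs backup_file and leaves the existing file in place, so a system upgraded from an earlier 1.4.x keeps the 0744 mode this commit is meant to fix. Either add a `chmod 0600 ${PREFIX}/etc/shorewall/zones` in the existing-file branch (and the same for shorewall.conf in the previous hunk) or tell upgrading users in the release notes to fix the mode by hand.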

View File

@ -1,98 +1,7 @@
This is a minor release of Shorewall.
Shorewall 1.4.11
Problems Corrected since version 1.4.9:
Problems Corrected since version 1.4.10g
1. The column descriptions in the action.template file did not match
the column headings. That has been corrected.
1) The shorewall.conf and zones file are no longer given execute
permission by the installer.
2. The presence of IPV6 addresses on devices generates error messages
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
specified in /etc/shorewall/shorewall.conf.
3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
couple of problems involving rate limiting have been
corrected. These bug fixes courtesy of Steven Jan Springl.
4. Shorewall now tries to avoid sending an ICMP response to broadcasts
and smurfs.
5. Specifying "-" or "all" in the PROTO column of an action no longer
causes a startup error.
6. Fixed a problem in which the firewall would encounter an error
during startup while processing the /etc/shorewall/masq file.
7. Atheros WiFi cards were previously excluded from use with the
"maclist" interface option.
8. (Fix from Steven Jan Springl) In the /etc/shorewall/masq entry
eth0:!10.1.1.150  0.0.0.0/0!10.1.0.0/16     10.1.2.16
the !10.1.0.0/16 is ignored.
9. A startup error occurs if the USER/GROUP column of the tcrules file
is empty.
10. The following syntax previously produced a startup error:
DNAT z1!z2,z3 z4:...
That has been corrected so that multiple excluded zones may now be
listed in a DNAT or REDIRECT rule.
11. Use of user-defined actions frequently resulted in a WARNING that
the rule was a policy.
12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and
IPSEC has been corrected!!
13. The rfc1918 file has been updated.
14. An exploitable vulnerability that allows local non-root users to
cause arbitrary files to be overwritten has been eliminated.
15) The security vulnerability fix failed under Slackware 9.1.
16) The security vulnerability fix failed if mktemp was not installed.
Migration Issues:
None.
New Features:
1) The INTERFACE column in the /etc/shorewall/masq file may now
specify a destination list.
Example:
#INTERFACE SUBNET ADDRESS
eth0:192.0.2.3,192.0.2.16/28 eth1
If the list begins with "!" then SNAT will occur only if the
destination IP address is NOT included in the list.
2) Output traffic control rules (those with the firewall as the source)
may now be qualified by the effective userid and/or effective group
id of the program generating the output. This feature is courtesy of
Frédéric LESPEZ.
A new USER column has been added to /etc/shorewall/tcrules.
It may contain :
[<user name or number>]:[<group name or number>]
The colon is optionnal when specifying only a user.
Examples : john: / john / :users / john:users
3) A "detectnets" interface option has been added for entries in
/etc/shorewall/interfaces. This option automatically taylors the
definition of the zone named in the ZONE column to include just
those hosts that have routes through the interface named in the
INTERFACE column. The named interface must be UP when
Shorewall is [re]started.
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
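Review bot: the rewritten release notes drop the "Migration Issues" section that the previous version carried, but this release has one: the installer only changes the mode of zones and shorewall.conf when it installs them fresh, so users upgrading from 1.4.10g need to chmod their existing files themselves. Keep the section and state that, and give the new mode (0600) rather than only "no longer given execute permission", which describes part of the change. Minor: the earlier notes numbered corrected problems as "1.", the new entry uses "1)".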

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.10g
%define version 1.4.11
%define release 1
%define prefix /usr
@ -110,6 +110,8 @@ fi
%changelog
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.11
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10g-1
* Mon Jun 28 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10f-1
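Review bot: the new %changelog entry reuses the date of the 1.4.10g-1 entry (Wed Jun 30 2004) while the commit itself is dated 2004-07-13. Use the actual release date, e.g. "Tue Jul 13 2004", so the RPM changelog stays an accurate record; rpmbuild also complains about a bogus date when the weekday and the date do not agree, so check that pair when editing it.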

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.10g
VERSION=1.4.11
usage() # $1 = exit status
{