mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 14:48:51 +01:00
Don't give zones and shorewall.conf execute permission; update version to 1.4.11
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1475 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
812f927d70
commit
4f69a5eddb
@ -1,45 +1,4 @@
|
||||
Changes since 1.4.9
|
||||
Changes since 1.4.10g
|
||||
|
||||
1) Implement destination list in masq file.
|
||||
|
||||
2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
|
||||
|
||||
3) Correct column headings in action.template
|
||||
|
||||
4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or
|
||||
ADD_SNAT_ALIASES=Yes.
|
||||
|
||||
5) Implement "detectnets" option.
|
||||
|
||||
6) Correct the CONTINUE target and fix a couple of bugs in rate
|
||||
limiting (with an assist from Steven Jan Springl).
|
||||
|
||||
7) Silently drop smurfs and broadcasts in the 'reject' chain.
|
||||
|
||||
8) Add multicast to 'detectnets' zones.
|
||||
|
||||
9) Don't add broadcasts to /0 groups.
|
||||
|
||||
10) Fix "-" in PROTO column of an action file.
|
||||
|
||||
11) Fix the enhancement in 1) above to avoid startup errors.
|
||||
|
||||
12) Allow maclist with Atheros cards
|
||||
|
||||
13) Fix masq file problem with exclusion in the source column.
|
||||
|
||||
14) Fix silly tcrules file problem.
|
||||
|
||||
15) Fix multiple excluded zones in DNAT/REDIRECT rules.
|
||||
|
||||
16) Correct reporting of POLICY rules.
|
||||
|
||||
17) Implement Sean Mathews's fix for Proxy ARP/IPSEC.
|
||||
|
||||
18) Update rfc1918.
|
||||
|
||||
19) Fix local exploit vulnerability.
|
||||
|
||||
20) Hack security fix so that it works under Slackware.
|
||||
|
||||
21) Fix mktempfile() where there is no mktemp utility.
|
||||
1) Fix installer to not give zones and shorewall.conf execute
|
||||
permission.
|
||||
|
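Review bot: the new changelog entry understates the change made in the install.sh hunks further down, which move shorewall.conf and zones from mode 0744 to 0600: that removes group and world read as well as the execute bit. Say so here, e.g. "Install zones and shorewall.conf with mode 0600 (previously 0744)", so an admin who relied on non-root users being able to read those files knows why that stopped working. This hunk also discards the whole 1.4.9 to 1.4.10g history, including the local-exploit fix entries 19) to 21); if changelog.txt is meant to be per-release that is fine, but a pointer to where the earlier history lives would help.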
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.10g
|
||||
VERSION=1.4.11
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.10g
|
||||
VERSION=1.4.11
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -284,7 +284,7 @@ mkdir -p ${PREFIX}/var/lib/shorewall
|
||||
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
|
||||
backup_file /etc/shorewall/shorewall.conf
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
echo
|
||||
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
|
||||
fi
|
||||
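Review bot: the 0600 mode is applied only on the else branch, i.e. on a fresh install. An upgrade takes the if branch, calls backup_file and leaves the existing ${PREFIX}/etc/shorewall/shorewall.conf at whatever mode an earlier installer gave it (0744 under 1.4.10g), so the systems this fix is meant to tighten are exactly the ones it does not touch. Consider a chmod 0600 after backup_file, or at least a release-notes line telling upgraders to run it by hand.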
@ -294,7 +294,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
||||
backup_file /etc/shorewall/zones
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||
run_install -o $OWNER -g $GROUP -m 0600 zones ${PREFIX}/etc/shorewall/zones
|
||||
echo
|
||||
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
|
||||
fi
|
||||
|
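Review bot: the existence test on the first line of this hunk uses ${PREFIX}/etc/shorewall/zones, but the backup_file call on the next line is passed /etc/shorewall/zones without ${PREFIX}; unless backup_file prepends ${PREFIX} itself, a PREFIX-relative install backs up the host's file rather than the one being replaced. The shorewall.conf hunk above has the same mismatch. The upgrade caveat from that hunk applies here as well: the new 0600 mode only reaches fresh installs.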
@ -1,98 +1,7 @@
|
||||
This is a minor release of Shorewall.
|
||||
Shorewall 1.4.11
|
||||
|
||||
Problems Corrected since version 1.4.9:
|
||||
Problems Corrected since version 1.4.10g
|
||||
|
||||
1. The column descriptions in the action.template file did not match
|
||||
the column headings. That has been corrected.
|
||||
1) The shorewall.conf and zones file are no longer given execute
|
||||
permission by the installer.
|
||||
|
||||
2. The presence of IPV6 addresses on devices generates error messages
|
||||
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
|
||||
specified in /etc/shorewall/shorewall.conf.
|
||||
|
||||
3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
|
||||
couple of problems involving rate limiting have been
|
||||
corrected. These bug fixes courtesy of Steven Jan Springl.
|
||||
|
||||
4. Shorewall now tries to avoid sending an ICMP response to broadcasts
|
||||
and smurfs.
|
||||
|
||||
5. Specifying "-" or "all" in the PROTO column of an action no longer
|
||||
causes a startup error.
|
||||
|
||||
6. Fixed a problem in which the firewall would encounter an error
|
||||
during startup while processing the /etc/shorewall/masq file.
|
||||
|
||||
7. Atheros WiFi cards were previously excluded from use with the
|
||||
"maclist" interface option.
|
||||
|
||||
8. (Fix from Steven Jan Springl) In the /etc/shorewall/masq entry
|
||||
|
||||
eth0:!10.1.1.150 0.0.0.0/0!10.1.0.0/16 10.1.2.16
|
||||
|
||||
the !10.1.0.0/16 is ignored.
|
||||
|
||||
9. A startup error occurs if the USER/GROUP column of the tcrules file
|
||||
is empty.
|
||||
|
||||
10. The following syntax previously produced a startup error:
|
||||
|
||||
DNAT z1!z2,z3 z4:...
|
||||
|
||||
That has been corrected so that multiple excluded zones may now be
|
||||
listed in a DNAT or REDIRECT rule.
|
||||
|
||||
11. Use of user-defined actions frequently resulted in a WARNING that
|
||||
the rule was a policy.
|
||||
|
||||
12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and
|
||||
IPSEC has been corrected!!
|
||||
|
||||
13. The rfc1918 file has been updated.
|
||||
|
||||
14. An exploitable vulnerability that allows local non-root users to
|
||||
cause arbitrary files to be overwritten has been eliminated.
|
||||
|
||||
15) The security vulnerability fix failed under Slackware 9.1.
|
||||
|
||||
16) The security vulnerability fix failed if mktemp was not installed.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
None.
|
||||
|
||||
New Features:
|
||||
|
||||
1) The INTERFACE column in the /etc/shorewall/masq file may now
|
||||
specify a destination list.
|
||||
|
||||
Example:
|
||||
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
eth0:192.0.2.3,192.0.2.16/28 eth1
|
||||
|
||||
If the list begins with "!" then SNAT will occur only if the
|
||||
destination IP address is NOT included in the list.
|
||||
|
||||
2) Output traffic control rules (those with the firewall as the source)
|
||||
may now be qualified by the effective userid and/or effective group
|
||||
id of the program generating the output. This feature is courtesy of
|
||||
Frédéric LESPEZ.
|
||||
|
||||
A new USER column has been added to /etc/shorewall/tcrules.
|
||||
|
||||
It may contain :
|
||||
|
||||
[<user name or number>]:[<group name or number>]
|
||||
|
||||
The colon is optionnal when specifying only a user.
|
||||
|
||||
Examples : john: / john / :users / john:users
|
||||
|
||||
3) A "detectnets" interface option has been added for entries in
|
||||
/etc/shorewall/interfaces. This option automatically taylors the
|
||||
definition of the zone named in the ZONE column to include just
|
||||
those hosts that have routes through the interface named in the
|
||||
INTERFACE column. The named interface must be UP when
|
||||
Shorewall is [re]started.
|
||||
|
||||
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
|
||||
|
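Review bot: the "Migration Issues:" section goes away with the old notes, but this release has one: the installer now creates shorewall.conf and zones with mode 0600 instead of 0744, which drops group/world read as well as execute, and existing installs keep their old mode. Keep the section, state both points, and give upgraders the chmod to run. Minor: the surviving item uses "1)" where the previous notes numbered problems "1.", "2.", and so on; pick one style.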
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.10g
|
||||
%define version 1.4.11
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -110,6 +110,8 @@ fi
|
||||
|
||||
%changelog
|
||||
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.11
|
||||
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10g-1
|
||||
* Mon Jun 28 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10f-1
|
||||
|
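Review bot: the new %changelog entry reads "Changed version to 1.4.11" while the two entries below it record the full package version with release ("1.4.10g-1", "1.4.10f-1"); with %define release 1 in the hunk above the package is 1.4.11-1, so write that for consistency. Two entries now share the date Wed Jun 30 2004, which is fine as long as the list stays newest-first, as it does here.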
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.4.10g
|
||||
VERSION=1.4.11
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
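Review bot: version bump only, but the comment kept as context still says "remove Seattle Firewall" while the fallback.sh hunk above says "Shoreline Firewall"; fix the stale product name while the file is being touched.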