Update release notes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-06-06 15:48:26 -07:00
parent 642319d706
commit 59c11e205b


@ -27,6 +27,17 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
STARTUP_LOG=/var/log/shorewall-lite-init.log STARTUP_LOG=/var/log/shorewall-lite-init.log
(or shorewall6-lite-init.log) (or shorewall6-lite-init.log)
3) The 4.4.20 Shorewall6 installer always installed the plain
(unannotated) version of shorewall6.conf, regardless of the '-p'
setting.
4) Due to dissatisfaction with the default setting for configuration
file annotation, the default has returned to 'plain' (unannotated)
configuration files. If you wish to include documentation in your
installed configuration files, use the '-a' option in the
installer. The '-p' option will remain supported until 4.4.21 when
it will be removed.
4.4.20 4.4.20
1) Previously, when a device number was explicitly specified in 1) Previously, when a device number was explicitly specified in
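Review bot: the last sentence of new item 4) is ambiguous about the removal release; "will remain supported until 4.4.21 when it will be removed" can be read either as "still accepted in 4.4.21" or as "gone in 4.4.21". Rephrase to one of "will be removed in 4.4.21" or "remains supported through 4.4.21 and will be removed in the release after it", whichever is intended. New item 3) also only describes the 4.4.20 Shorewall6 installer defect (plain shorewall6.conf installed regardless of '-p') without saying it is corrected in this release; since item 4) then changes the default back to plain anyway, a closing sentence such as "This has been corrected" (or a note that the '-p' behaviour is now moot) would make the relationship between the two items clear.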
@ -35,76 +46,26 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
did not specify a number. Now, the compiler selects the lowest did not specify a number. Now, the compiler selects the lowest
unallocated number when no device number is explicitly allocated. unallocated number when no device number is explicitly allocated.
2) Certain attacks can be best defended through use of one of these 2) The obsolete PKTTYPE option has been removed from shorewall.conf
two measures.
a) rt_filter (Shorewall's routefilter). Only applicable to IPv4
and can't be used with some multi-ISP configurations.
b) Insert a DROP rule that prevents hairpinning (routeback). The
rule must be inserted before any ESTABLISHED,RELATED firewall
rules. This approach is not appropriate for bridges and other
cases, where the 'routeback' option is specified or implied.
For non-routeback interfaces, Shorewall and Shorewall6 will now
insert a hairpin rule, provided that the routefilter option is not
specified. The rule will dispose of hairpins according to the
setting of two new options in shorewall.conf and shorewall6.conf:
SFILTER_LOG_LEVEL
Specifies the logging level; default is 'info'. To omit
logging, specify FILTER_LOG_LEVEL=none.
SFILTER_DISPOSITION
Specifies the disposition. Default is DROP and the possible
values are DROP, A_DROP, REJECT and A_REJECT.
To deal with bridges and other routeback interfaces , there is now
an 'sfilter' option in /shorewall/interfaces and
/etc/shorewall6/interfaces.
The value of the 'sfilter' option is a list of network addresses
enclosed in in parentheses. Where only a single address is listed,
the parentheses may be omitted. When a packet from a
source-filtered address is received on the interface, it is
disposed of based on the new SFILTER_ options described above.
For a bridge or other routeback interface, you should list all of
your other local networks (those networks not attached to the
bridge) in the bridge's sfilter list.
Example:
My DMZ is 2001:470:b:227::40/124
My local interface (br1) is a bridge.
In /etc/shorewall6/interfaces, I have:
#ZONE INTERFACE BROADCAST OPTIONS
loc br1 - sfilter=2001:470:b:227::40/124
3) The obsolete PKTTYPE option has been removed from shorewall.conf
and the associated manpage. and the associated manpage.
4) The iptables 1.4.11 release produces an error when negative numbers 3) The iptables 1.4.11 release produces an error when negative numbers
are specified for IPMARK mask values. Shorewall now converts such are specified for IPMARK mask values. Shorewall now converts such
numbers to their 32-bit hex equivalent. numbers to their 32-bit hex equivalent.
5) Previously, before /etc/shorewall6/params was processed, the 4) Previously, before /etc/shorewall6/params was processed, the
IPv4 Shorewall libraries (/usr/share/shorewall/lib.*) were IPv4 Shorewall libraries (/usr/share/shorewall/lib.*) were
loaded rather that the IPv6 versions (/usr/share/shorewall6/lib.*). loaded rather that the IPv6 versions (/usr/share/shorewall6/lib.*).
Now, the correct libraries are loaded. Now, the correct libraries are loaded.
6) Shorewall now sets /proc/sys/net/bridge/bridge_nf_call_iptables or 5) Shorewall now sets /proc/sys/net/bridge/bridge_nf_call_iptables or
/proc/sys/net/bridge/bridge_nf_call_ip6tables when there are /proc/sys/net/bridge/bridge_nf_call_ip6tables when there are
interfaces with the 'bridge' option. This insures that netfilter interfaces with the 'bridge' option. This insures that netfilter
rules are invoked for bridged traffic. Previously, Shorewall was rules are invoked for bridged traffic. Previously, Shorewall was
not setting these flags with the possible result that a not setting these flags with the possible result that a
bridge/firewall would not work properly. bridge/firewall would not work properly.
7) Problem corrections released in 4.4.19.1-4.4.19.4 (see below) 6) Problem corrections released in 4.4.19.1-4.4.19.4 (see below)
are also included in this release. are also included in this release.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
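Review bot: this hunk silently changes which release is documented as introducing the sfilter/hairpin feature. The entire item 2) (rt_filter versus hairpin DROP rule, the SFILTER_LOG_LEVEL and SFILTER_DISPOSITION options, and the 'sfilter' interface option with its br1 example) is deleted from the 4.4.20 section, and the same text is added further down (the hunk at line 272) as item 12) of an earlier release's section. The commit message "Update release notes" does not explain the move, so please confirm in the message that the feature actually shipped in that earlier release and not in 4.4.20; readers who upgrade from 4.4.19.x to 4.4.20 rely on this section to learn about new shorewall.conf options and the new hairpin rule, which changes packet disposition on non-routeback interfaces. The renumbering of the remaining items (3)..7) to 2)..6)) is consistent. Two small typos in the renumbered context could be fixed while these lines are being touched: "loaded rather that the IPv6 versions" should read "rather than", and "This insures that netfilter rules" should read "ensures".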
@ -272,6 +233,56 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
which will match packets in the INVALID state, and 'NI' which will match packets in the INVALID state, and 'NI'
which will match packets in either NEW or INVALID state. which will match packets in either NEW or INVALID state.
12) Certain attacks can be best defended through use of one of these
two measures.
a) rt_filter (Shorewall's routefilter). Only applicable to IPv4
and can't be used with some multi-ISP configurations.
b) Insert a DROP rule that prevents hairpinning (routeback). The
rule must be inserted before any ESTABLISHED,RELATED firewall
rules. This approach is not appropriate for bridges and other
cases, where the 'routeback' option is specified or implied.
For non-routeback interfaces, Shorewall and Shorewall6 will now
insert a hairpin rule, provided that the routefilter option is not
specified. The rule will dispose of hairpins according to the
setting of two new options in shorewall.conf and shorewall6.conf:
SFILTER_LOG_LEVEL
Specifies the logging level; default is 'info'. To omit
logging, specify FILTER_LOG_LEVEL=none.
SFILTER_DISPOSITION
Specifies the disposition. Default is DROP and the possible
values are DROP, A_DROP, REJECT and A_REJECT.
To deal with bridges and other routeback interfaces , there is now
an 'sfilter' option in /shorewall/interfaces and
/etc/shorewall6/interfaces.
The value of the 'sfilter' option is a list of network addresses
enclosed in in parentheses. Where only a single address is listed,
the parentheses may be omitted. When a packet from a
source-filtered address is received on the interface, it is
disposed of based on the new SFILTER_ options described above.
For a bridge or other routeback interface, you should list all of
your other local networks (those networks not attached to the
bridge) in the bridge's sfilter list.
Example:
My DMZ is 2001:470:b:227::40/124
My local interface (br1) is a bridge.
In /etc/shorewall6/interfaces, I have:
#ZONE INTERFACE BROADCAST OPTIONS
loc br1 - sfilter=2001:470:b:227::40/124
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
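Review bot: the added item 12) carries over several defects from the text it was moved from, and since these are the lines being added they should be fixed here. Under SFILTER_LOG_LEVEL, "To omit logging, specify FILTER_LOG_LEVEL=none" names the wrong option; it should read "specify SFILTER_LOG_LEVEL=none" to match the option heading two lines above, otherwise an administrator following the note verbatim will set a non-existent variable and logging will stay at 'info'. The path "/shorewall/interfaces" is missing its /etc prefix and should read "/etc/shorewall/interfaces", matching the "/etc/shorewall6/interfaces" that follows. "enclosed in in parentheses" doubles "in", and "routeback interfaces , there" has a stray space before the comma. The example is also incomplete as written: it states "My DMZ is 2001:470:b:227::40/124" but then lists that network in the sfilter option of br1 without saying which interface the DMZ is actually attached to, which is the fact that makes the DMZ prefix a source address that must never arrive on br1; one line naming the DMZ interface (and its zone) would make the example self-explanatory.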