November 20, 2008
+
December 31, 2008
2008-12-31 Shorewall 4.2.4
++
1) In 4.2.4, two new packages are included:
a) Shorewall6 - analagous to Shorewall-common but handles IPv6
rather than IPv4.
b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6
rather than IPv4.
The packages store their configurations in /etc/shorewall6/ and
/etc/shorewall6-lite/ respectively.
The fact that the packages are separate from their IPv4 counterparts
means that you control IPv4 and IPv6 traffic separately (the same
way that Netfilter does). Starting/Stopping the firewall for one
address family has no effect on the other address family.
For additional information, see
http://www.shorewall.net/IPV6Support.html.
Other features of Shorewall6 are:
a) There is no NAT of any kind (most people see this as a giant step
forward). When an ISP assigns you a public IPv6 address, you are
actually assigned an IPv6 'prefix' which is like an IPv4
subnet. A 64-bit prefix allows 4 billion squared individual hosts
(the size of the current IPv4 address space squared).
b) The default zone type is ipv6.
c) The currently-supported interface options in Shorewall6 are:
blacklist
bridge
dhcp
nosmurfs (traps multicast and Subnet-router anycast addresses
used as the packet source address).
optional
routeback
sourceroute
tcpflags
Other features of Shorewall6 are:
a) There is no NAT of any kind (most people see this as a giant step
forward). When an ISP assigns you a public IPv6 address, you are
actually assigned an IPv6 'prefix' which is like an IPv4
subnet. A 64-bit prefix allows 4 billion squared individual hosts
(the size of the current IPv4 address space squared).
b) The default zone type is ipv6.
c) The currently-supported interface options in Shorewall6 are:
blacklist
bridge
dhcp
nosmurfs (traps multicast and Subnet-router anycast addresses
used as the packet source address).
optional
routeback
sourceroute
tcpflags
mss
forward (setting it to 0 makes the router behave like a host
on that interface rather than like a router).
d) The currently-supported host options in Shorewall6 are:
blacklist
routeback
tcpflags
e) Traffic Shaping is disabled by default. The tcdevices and
tcclasses files are address-family independent so
to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal
should be specified in Shorewall or in Shorewall6 but not in
both. In the configuration where the internal traffic shaper is
not enabled, CLEAR_TC=No should be specified.
tcfilters are not available in Shorewall6.
f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in
angle brackets. Example:
#ACTION SOURCE DEST
ACCEPT net:eth0:<2001:19f0:feee::dead:beef:cafe> dmz
Note that this includes MAC addresses as well as IPv6 addresses.
The HOSTS column in /etc/shorewall6/hosts also uses this
convention:
#ZONE HOSTS OPTIONS
chat6 eth0:<2001:19f0:feee::dead:beef:cafe>
Even when an interface is not specified, it is permitted to
enclose addresses in <> to improve readability. Example:
#ACTION SOURCE DEST
ACCEPT net:<2001:1::1> $FW
g) The options available in shorewall6.conf are a subset of those
available in shorewall.conf.
h) The Socket6.pm Perl module is required if you include DNS names
in your Shorewall6 configuration. Note that it is loaded the
first time that a DNS name is encountered so if it is missing,
you get a message similar to this one:
...
Checking /etc/shorewall6/rules...
Can't locate Socket6.pm in @INC (@INC contains: /root ...
teastep@ursa:~/Configs/standalone6$
2008-11-20 Shorewall 4.2.2
Problems corrected in Shorewall 4.2.2
1) Shorewall-perl now insures that each line copied from a
configuration file or user exit is terminated with a newline
character.
2) When ipranges were used to define zones, Shorewall-perl could
generate invalid iptables-restore input if 'Repeat Match' was not
available. Repeat Match is not a true match -- it rather is a
feature of recent iptables releases that allows a match to be
repeated within a rule.
3) With Shorewall-perl, if a destination port list had exactly 16
ports, where a port-range counts as two ports, then Shorewall-perl
would fail to split the rule into multiple rules and an
iptables-restore error would result.
4) The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1
compatibility contained a typo that prevented it from working
correctly.
5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP
address and no zone name in the DEST column, Shorewall-perl would
reject the rule. If a zone name was specified, Shorewall-perl
would issue a Warning message.
6) Previously, if Extended conntrack match support was available, a
DNAT rule that specified a server port but no destination port
would generate invalid iptables-restore input.
Other changes in Shorewall 4.2.2
1) A macro supporting JAP (anonymization protocol) has been added.
It can be used as any other macro (e.g., JAP/ACCEPT) in the rules
file.
2) A macro supporting DAAP (Digital Audio Access Protocol) has been added.
It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules
file.
3) A macro supporting DCC (Distributed Checksum Clearinghouse) has been
added. It can be used as any other macro (e.g., DCCP/ACCEPT) in the
rules file.
4) A macro supporting GNUnet (secure peer-to-peer networking) has been
added. It can be used as any other macro (e.g., GNUnet/ACCEPT) in the
rules file.
5) In 4.2.1, a single capability ("Extended conntrack match support")
was used both to control the use of --ctorigport and to trigger use
of the new syntax for inversion of --ctorigdst (e.g., "!
--ctorigdst ..."). In 4.2.2, these are controlled by two separate
capabilities. If you use a capabilities file when compiling your
configuration, be sure to generate a new one after installing
4.2.2.