diff --git a/web/News.htm b/web/News.htm index b6112a45f..f7e29da8f 100644 --- a/web/News.htm +++ b/web/News.htm @@ -24,10 +24,13 @@ license is included in the section entitled GNU Free Documentation License".

-

January 22, 2009
+

February 15, 2009


-

2009-01-22 Shorewall 4.2.5

+

2009-02-15 Shorewall 4.2.6

+
Problems corrected in 4.2.6

1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample
configurations was incorrect with the result that this error
occurred on 'shorewall6 check' or 'shorewall6 start'.

ERROR: No IP zones defined

2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell
and Shorewall-perl to create invalid iptables commands. This has
been corrected but we still strongly recommend against that
setting; TCP_FLAGS_DISPOSITION=DROP is preferred.

3) Shorewall-perl was generating code that checked for state match
before kernel modules were loaded. This caused start/restart to
fail on systems without kernel module loading.

4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect.

5) If a service name is used in a port-mapping rule (a DNAT or
REDIRECT rule that changes the destination port), and if the
kernel and iptables include Extended Connection Match support, then
invalid iptables-restore input is produced by Shorewall-perl.

6) If iptables 1.4.1 or later was installed, Shorewall-perl generated
incorrect iptables-restore input if exclusion was used in the
ORIGINAL DEST field of a DNAT or REDIRECT rule.

7) On kernels earlier than 2.6.20, the 'shorewall show connections'
command fails.

New Feature in Shorewall 4.2.6

1) A BitTorrent32 macro has been added. This macro matches the
extended TCP port range used by BitTorrent 3.2 and later.

2) A new COUNT action has been added to Shorewall-perl. This action
creates an iptables (ip6tables) rule with no target. Connections
matching such a rule are simply counted and the packet is passed on
to the next rule.

Shorewall-shell ignores COUNT in actions and macros, thus allowing
the standard actions (action.Drop and action.Reject) to have a
COUNT rule as their first entry.

3) A new RESTORE_DEFAULT_ROUTE option has been added to
shorewall.conf. It is used to determine whether to restore the
default route saved when there are 'balance' providers defined but
all of them are down.

The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.

RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes) when there are no balance
providers available. In that case, RESTORE_DEFAULT_ROUTE=No
will cause any default route in the relevant table to be deleted.

4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
database when trying to detect the gateway for an interface
("detect" in the GATEAWAY column in /etc/shorewall/interfaces).

As part of this change, it is now permitted to specify 'detect'
when USE_DEFAULT_RT=Yes; in that case, the script will only detect
gateways for point-to-point devices and for devices configured by
dhcpcd.

5) Shorewall-perl now supports port inversion. A port number or list
of port numbers may be preceded by '!" which will cause the rule to
match all ports EXCEPT those listed:

Example: To blacklist 206.124.146.176 for all tcp ports except 80:

ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 tcp !80

6) Shorewall-perl now supports protocol inversion. A protocol name or
number may be preceded by '!' to specify all protocols except the
one following '!'.

Example: To blacklist 206.124.146.176 for all protocols except
UDP:

ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 !udp

Note that ports may not be specified when protocol inversion
is used.

7) When using Shorewall-perl, neither the 'start' nor 'started'
extension script is run during processing of the 'restore'
command. To allow extension of that command, we have added a
'restored' extension script that runs at the successful completion
of 'restore'. This script is only available with Shorewall-perl.

With Shorewall-shell, both scripts are run during 'restore' but in
that case, the run_iptables() function does nothing. So any
run_iptables() calls in the 'start' script are effectively ignored.

8) Shorewall-perl now correctly handles 'here documents' quoting
(<<EOF .... EOF) in run-time extension scripts.
+

2009-01-22 Shorewall 4.2.5
+

Problems corrected in 4.2.5

1) If exclusion is used to define a zone in /etc/shorewall/hosts and
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generate invalid iptables-restore input.

2) A bug in the Perl Cwd module (see
-
2009-02-02
+
2009-02-15

LFNW LogoPlan to Attend @@ -65,13 +65,13 @@ Shorewall team members Tom and Roberto will be there!
Stable Release
- 4.2.5 + 4.2.6 (includes
IPv6 support.) Release + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.6/releasenotes.txt">Release notes Known + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.6/known_problems.txt">Known Problems
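Review bot: the release-notes text added in the first hunk (the 4.2.6 block under "Problems corrected in 4.2.6" / "New Feature in Shorewall 4.2.6") has several inconsistencies that will trip up readers who copy the examples. The port-inversion and protocol-inversion examples both say "To blacklist 206.124.146.176" but the table rows list "206.124.146.177"; pick one address. In item 4 "GATEAWAY column" should read "GATEWAY". In item 5 the quoting in "may be preceded by '!" which" is unbalanced (opening single quote, closing double quote). The heading "New Feature in Shorewall 4.2.6" introduces eight items, so "New Features" fits better. Under "Problems corrected", item 7 is written in the present tense ("the 'shorewall show connections' command fails") and, unlike items 1 through 6, never says the problem was fixed; either state that it is corrected in 4.2.6 or move it to a known-problems list. Finally, item 2 is a good place to spell out why TCP_FLAGS_DISPOSITION=DROP remains the recommended setting, since the note only says the REJECT path is now valid but still discouraged.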
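Review bot: the second hunk bumps the Stable Release line from 4.2.5 to 4.2.6 and repoints both hrefs at http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.6/releasenotes.txt and .../known_problems.txt, which matches the 2009-02-15 date and 4.2.6 heading introduced in the first hunk. Before this goes live, confirm those two files are actually published under the shorewall-4.2.6/ directory, since the page links to them unconditionally and a missing known_problems.txt is exactly the file users look for when an upgrade misbehaves.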