From 9006de1b0a168282ed53a852da113d4424f76c5a Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 29 Sep 2006 02:30:51 +0000 Subject: [PATCH] Belatedly update News for 3.0.8 -- Take 2 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4600 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- web/News.htm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/web/News.htm b/web/News.htm index 4030af94a..3d21e49f7 100644 --- a/web/News.htm +++ b/web/News.htm @@ -29,7 +29,9 @@ Documentation License”.

Shorewall Problems corrected in 3.2.4

1)  Previously, the directory name in the command "shorewall start
    <directory name>" was being dropped by "/sbin/shorewall".

2)  Previous, when /usr/share/shorewall/xmodules had been copied to
    /etc/shorewall/modules, Shorewall was not looking in the correct
    directory for the "xt_..." modules. There are two parts to the fix:

    - The /usr/share/shorewall/xmodules file has been removed. The
      /usr/share/shorewall/modules file will now load all required
      modules regardless of which kernel version you are running.
    - The MODULESDIR option can now contain a colon-separated list of
      directories to search for modules with the default being:

      /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter

3)  Rules in /etc/shorewall/tos which specify zones defined
    using entries in /etc/shorewall/hosts applied to all traffic
    to/from the zone interfaces (the bridge port, ipset or IP
    address(es) in the zone definition were ignored).

4)  Previously, 'shorewall-lite dump' did not report traffic shaping
    information even if TC_ENABLED was set to Yes or Internal in the
    shorewall.conf file used to compile the exported firewall script.

    To correct this problem, the firewall script must be recompiled and
    re-exported.

5)  Previously, errors during the compile phase were not reflected in
    the exit status of /sbin/shorewall. Thanks to Tuomo Soini for
    finding and correcting this problem.

Other Shorewall changes in 3.2.4

1)  Previously, scripts compiled for export (-e option) depended on
    /usr/share/shorewall-lite/functions in order to run correctly. This
    made it possible for a compiled script to be incompatible with the
    version of Shorewall Lite installed on a firewall system.

    Beginning with Shorewall 3.2.4, this dependency is removed such
    that version incompatibility between Shorewall and Shorewall Lite
    should not be a concern going forward.

2)  Two new macros have been added, courtesy of Tuomo Soini

        macro.Finger
        macro.Telnets

3)  The output of "shorewall show macros" has been enhanced to show
    macros in each directory in the CONFIG_PATH.

Shorewall Lite problems corrected in 3.2.4

1)  Previous, when /usr/share/shorewall-lite/xmodules had been copied to
    /etc/shorewall-lite/modules, Shorewall was not looking in the correct
    directory for the "xt_..." modules. There are two parts to the fix:

    - The /usr/share/shorewall-lite/xmodules file has been removed. The
      /usr/share/shorewall-lite/modules file will now load all required
      modules regardless of which kernel version you are running.
    - The MODULESDIR option can now contain a colon-separated list of
      directories to search for modules with the default being:

      /lib/modules/$(uname
      -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname
      -r)/kernel/net/netfilter

     /usr/share/shorewall-lite/modules contains a *lot* of modules. If
     you use module autoloading (which non-embedded Linux distributions
     do), then you can improve your "shorewall [re]start" time by
     trimming all but the helper modules from the file. To do that,
     create the file /etc/shorewall-lite/modules with the following
     entries:

        loadmodule ip_conntrack_amanda
        loadmodule ip_conntrack_ftp
        loadmodule ip_conntrack_irc
        loadmodule ip_conntrack_netbios_ns
        loadmodule ip_conntrack_pptp
        loadmodule ip_conntrack_tftp
        loadmodule ip_nat_amanda
        loadmodule ip_nat_ftp
        loadmodule ip_nat_irc
        loadmodule ip_nat_pptp
        loadmodule ip_nat_snmp_basic
        loadmodule ip_nat_tftp

Other Shorewall Lite changes in 3.2.4

None.
-2006-08-26 Shorewall 3.2.3
+ +
2006-08-26 +Shorewall 3.2.3
 
Shorewall Problems Corrected in 3.2.3

 1)  A problem in 'install.sh' resulted in sandbox violations on
     Gentoo and, when Shorewall is installed using an RPM, the problem
     caused an incorrect copy of shorewall.conf to be installed in
     /usr/share/shorewall/configfiles/.

 2)  A typo in the functions file caused startup errors when the user's
     distribution did not support a true mktemp program (such as
     Bering Uclibc). Patch courtesy of Cédric Schieli.

 3)  Several erroneous references to ip_addr_del() were made in
     /var/lib/shorewall/compiler and in the code that it generates.

     a) These should have been references to del_ip_addr()
     b) One of the calls also had an incorrect parameter list.

 4)  Previously, "shorewall check -e" would erroneously attempt to
     detect interfaces configured for traffic shaping.

 5)  SUBSYSLOCK functionality has been restored.

 6)  In prior versions, setting 'mss=' in /etc/shorewall/zones did not
     affect traffic to/from the firewall zone. That has been corrected.

 7)  When /sbin/shorewall was run under BusyBox ash, shell errors would
     occur if certain command options were given.

 8)  Previously, the 'optional' provider option did not detect the case
     where the interface was DOWN but still had a configured IP
     address. Shorewall was detecting such interfaces as UP and later
     'ip replace route' commands would fail.

     It should also be clarified that the 'optional' option is intended
     to detect cases where a provider interface is in a state that would
     cause 'shorewall [re]start' to fail; it is not intended to
     determine whether communication is possible using the interface.

 9)  Previously, the "shorewall add" command would fail with error
     messages indicating that the commands "chain_exists" and
     "verify_hosts_file" could not be found.

 10) Using earlier Shorewall versions, the following sequence of
     commands produced inconsistant results:

     a) shorewall [re] start
     b) Modify /etc/shorewall/tcdevices and/or /etc/shorewall/tcclasses
     c) shorewall refresh
     d) shorewall save
     e) shorewall restore (or reboot and shorewall start -f during boot
        up)

     After that series of commands, the state of traffic shaping was as
     it was after step a) rather than as it was after step c). The fix
     involved re-implementing 'shorewall refresh' as a compile/execute
     procedure similar to [re]start. While the entire configuration is
     recompiled, only ecn, blacklisting, tcrules and traffic control
     will be updated in the running configuration.

 11) DNAT rules generated under DETECT_DNAT_IPADDRS=Yes may have been
     incorrect with the result that the rules didn't work at all.

 Other Shorewall changes in 3.2.3

 1)  A 'shorewall export' command has been added.

     shorewall export [ <directory1> ] [user@]<system>:[<directory2>]

     If <directory1> is omitted, then the current working directory is
     assumed.

     Causes the shorewall configuration in <directory1> to be compiled
     into a program called '<directory1>/firewall'. If compilation is
     successful, the '<directory1>/firewall' script is copied via scp
     to the specified <system>.

     Example:

         shorewall export admin@gateway:

     This command would compile the configuration in the current working
     directory then copy the 'firewall' (and 'firewall.conf') files to
     admin's home directory on system 'gateway'.

 2)  Normally, Shorewall tries to protect users from themselves by
     preventing PREROUTING and OUTPUT tcrules from being applied to
     packets that have been marked by the 'track' option in
     /etc/shorewall/providers.

     If you really know what you are doing and understand packet marking
     thoroughly, you can set TC_EXPERT=Yes in shorewall.conf and
     Shorewall will not include these cautionary checks.

 3)  Previously, CLASSIFY tcrules were always processed out of the
     POSTROUTING chain. Beginning with this release, they are processed
     out of the POSTROUTING chain *except* when the SOURCE is
     $FW[:<address>] in which case the rule is processed out of the
     OUTPUT chain.

     See the Migration Considerations section for further information.

 4)  Previously, if you specified 'detectnets' on an interface with a
     default route, Shorewall would ignore the default route with a
     warning message. This could lead to systems that were inaccessible
     from the net, even from systems listed in the 'routestopped' file.

     Specifying 'detectnets' on an interface with a default route now
     generates a fatal error.

Shorewall Lite problems corrected in 3.2.3

1)  A typo in /usr/share/shorewall-lite/functions caused startup errors
    on distributions like Bering Uclibc that don't have a true mktemp
    utility.

Other Shorewall Lite changes in 3.2.3

None.
2006-08-10 Shorewall 3.2.2