diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm
index eaac5506b..e4d6cacd0 100644
--- a/Shorewall-Website/News.htm
+++ b/Shorewall-Website/News.htm
@@ -25,9 +25,110 @@ Documentation License”.
Problems corrected in Shorewall 3.0.5 + +1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts + but not when Shorewall was restored. + +2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the + policy match patch and the Netfilter/IPSEC patches, previously an + entry in /etc/shorewall/tunnels was not sufficient in cases where: + + a) gw<->gw traffic was encrypted + b) The gw<->gw policy through the tunnel was not ACCEPT + + Thanks to Tuomo Soini, this has been corrected. By simply including the + remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no + additional rules are required. + +3) Extra blank output lines are no longer produced by install.sh (patch + courtesy of Tuomo Soini). + +4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the + rules file previously didn't work (they had the "--syn" parameter + added to them which resulted in a rule that no traffic would match). + + WARNING: If you use the QUEUE target from an action, Shorewall will + still insert --syn if the protocol is tcp. So you don't want to + invoke such an action from the ESTABLISHED section of the rules + file. + +5) The description of the SOURCE column in /etc/shorewall/rules has been + improved (patch courtesy of Ed Suominen). + +6) The 'allow', 'drop' and 'reject' commands no longer produce iptables + errors when executed while Shorewall is not started. + +7) The spelling of "maximize-throughput" has been corrected in the code + that implements tcclasses parsing. Patch courtesy of Paul Traina. + +8) Shorewall now generates the correct match for devices in + /etc/shorewall/tcdevices that are actually bridge ports. + +New Features in Shorewall 3.0.5 + +1) The facilities available for dealing with the TOS field in + /etc/shorewall/tcclasses has been expended. 
The OPTIONS field is now may + contain a comma-separates list of the following: + + tos=0x<value>[/0x<mask>] (mask defaults to 0xff) + - this lets you define a classifier + for the given <value>/<mask> combination + of the IP packet's TOS/Precedence/DiffSrv + octet (aka the TOS byte). Please note, + classifiers override all mark settings, + so if you define a classifer for a class, + all traffic having that mark will go in it + regardless of any mark set on the packet + by a firewall/mangle filter. + + NOTE: multiple tos= statements may be + applied per class and per interface, but + a given value/mask pair is valid for only + ONE class per interface. + + tos-<tosname> - aliases for the following TOS octet + value and mask encodings. TOS encodings + of the "TOS byte" have been deprecated in + favor of diffserve classes, but programs + like ssh, rlogin, and ftp still use them. + + tos-minimize-delay 0x10/0x10 + tos-maximize-throughput 0x08/0x08 + tos-maximize-reliability 0x04/0x04 + tos-minimize-cost 0x02/0x02 + tos-normal-service 0x00/0x1e + + tcp-ack - defined causes an tc filter to + be created that puts all tcp ack + packets on that interface that have + an size of <=64 Bytes to go in this + class. This is useful for speeding up + downloads. Please note that the size + of the ack packets is limited to 64 + bytes as some applications (p2p for + example) use to make every packet an + ack packet which would cause them + all into here. We want only packets + WITHOUT payload to match, so the size + limit. + + NOTE: This option is only valid for + ONE class per interface. + + Note that the semantics of 'tos-<tosname>' have changed slightly. Previously, + these were tested using a mask of 0xff (example: tos-minimize-delay was + equivalent to 0x10/0xff). Now each bit is tested individually. + + This enhancement is courtesy of Paul Traina. +2006-01-05 Shorewall 3.0.4
Problems Corrected in 3.0.4+
1) The shorewall.conf file is once again "console friendly". Patch is
courtesy of Tuomo Soini.
2) A potential security hole has been closed. Previously, Shorewall ACCEPTed
all traffic from a bridge port that was sent back out on the same port. If
the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
xenbr0:vif+), this could lead to traffic being passed in variance with the
supplied policies and rules.
3) Previously, an intra-zone policy of NONE would cause a startup error. That
problem has been corrected.
4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not
add the retained aliases. This means that the following sequence of
events resulted in missing aliases:
shorewall start
shorewall restart
shorewall save
reboot
shorewall -f start (which is the default during boot up)
5) When a 2.x standard action is invoked with a log level (example
"AllowPing:info"), logging does not occur.
New Features in 3.0.4
1) By popular demand, the 'Limit' action described at
http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
action. Limit requires 'recent match' support in your kernel and iptables.
2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
change is reported to improve Java startup time on some distributions.
3) Shorewall now contains support for wildcard ports. In
/etc/shorewall/hosts, you may specify the port name with trailing "+" then
use specific port names in rules.
Example:
/etc/shorewall/hosts
vpn br0:tap+
/etc/shorewall/hosts
DROP vpn:tap0 vpn:tap1 udp 9999
4) For the benefit of those who run Shorewall on distributions that don't
autoload kernel modules, /etc/shorewall/modules now contains load commands
for a wide range of Netfilter modules.
Problems Corrected in 3.0.42005-12-13 Shorewall 3.0.3
1) The shorewall.conf file is once again "console friendly". Patch is
courtesy of Tuomo Soini.
2) A potential security hole has been closed. Previously, Shorewall ACCEPTed
all traffic from a bridge port that was sent back out on the same port. If
the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
xenbr0:vif+), this could lead to traffic being passed in variance with the
supplied policies and rules.
3) Previously, an intra-zone policy of NONE would cause a startup error. That
problem has been corrected.
4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not
add the retained aliases. This means that the following sequence of
events resulted in missing aliases:
shorewall start
shorewall restart
shorewall save
reboot
shorewall -f start (which is the default during boot up)
5) When a 2.x standard action is invoked with a log level (example
"AllowPing:info"), logging does not occur.
New Features in 3.0.4
1) By popular demand, the 'Limit' action described at
http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
action. Limit requires 'recent match' support in your kernel and iptables.
2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
change is reported to improve Java startup time on some distributions.
3) Shorewall now contains support for wildcard ports. In
/etc/shorewall/hosts, you may specify the port name with trailing "+" then
use specific port names in rules.
Example:
/etc/shorewall/hosts
vpn br0:tap+
/etc/shorewall/rules
DROP vpn:tap0 vpn:tap1 udp 9999
4) For the benefit of those who run Shorewall on distributions that don't
autoload kernel modules, /etc/shorewall/modules now contains load commands
for a wide range of Netfilter modules.
The current Stable Version is 3.0.4 -- Get it from the The current Stable Version is 3.0.5 -- Get it from the download sites. Here are the + href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/releasenotes.txt"> release notes and here are the + href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt"> known problems and + href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/errata/"> updates.
The current Development Version is 3.1.5 -- Get it from the download sites. Here are the GNU Free Documentation License”.
-2005-02-03
+2005-02-10
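Review bot: The footer date on the last line of the hunk moves from 2005-02-03 to 2005-02-10, but the releases announced in the same hunk are dated 2006 (3.0.4 is listed under 2006-01-05 and 3.0.5 is newer still), so the year on the new footer looks like a typo for 2006-02-10; please verify before publishing. A few wording slips in the added 3.0.5 "New Features" text are also worth fixing in this change: "has been expended" should read "has been expanded", "The OPTIONS field is now may contain a comma-separates list" should read "The OPTIONS field may now contain a comma-separated list", and "classifer", "diffserve", "an tc filter" and "an size" are misspellings. Finally, the two copies of the 3.0.4 wildcard-port example differ only in the label before the DROP line ("/etc/shorewall/hosts" versus "/etc/shorewall/rules"); a DROP rule belongs in the rules file, so make sure the copy labelled "/etc/shorewall/rules" is the one that survives.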