shorewall_code/STABLE/releasenotes.txt
2004-06-30 19:50:39 +00:00

99 lines
3.1 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This is a minor release of Shorewall.
Problems Corrected since version 1.4.9:
1. The column descriptions in the action.template file did not match
the column headings. That has been corrected.
2. The presence of IPV6 addresses on devices generates error messages
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
specified in /etc/shorewall/shorewall.conf.
3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
couple of problems involving rate limiting have been
corrected. These bug fixes courtesy of Steven Jan Springl.
4. Shorewall now tries to avoid sending an ICMP response to broadcasts
and smurfs.
5. Specifying "-" or "all" in the PROTO column of an action no longer
causes a startup error.
6. Fixed a problem in which the firewall would encounter an error
during startup while processing the /etc/shorewall/masq file.
7. Atheros WiFi cards were previously excluded from use with the
"maclist" interface option.
8. (Fix from Steven Jan Springl) In the /etc/shorewall/masq entry
eth0:!10.1.1.150  0.0.0.0/0!10.1.0.0/16     10.1.2.16
the !10.1.0.0/16 is ignored.
9. A startup error occurs if the USER/GROUP column of the tcrules file
is empty.
10. The following syntax previously produced a startup error:
DNAT z1!z2,z3 z4:...
That has been corrected so that multiple excluded zones may now be
listed in a DNAT or REDIRECT rule.
11. Use of user-defined actions frequently resulted in a WARNING that
the rule was a policy.
12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and
IPSEC has been corrected!!
13. The rfc1918 file has been updated.
14. An exploitable vulnerability that allows local non-root users to
cause arbitrary files to be overwritten has been eliminated.
15) The security vulnerability fix failed under Slackware 9.1.
16) The security vulnerability fix failed if mktemp was not installed.
Migration Issues:
None.
New Features:
1) The INTERFACE column in the /etc/shorewall/masq file may now
specify a destination list.
Example:
#INTERFACE SUBNET ADDRESS
eth0:192.0.2.3,192.0.2.16/28 eth1
If the list begins with "!" then SNAT will occur only if the
destination IP address is NOT included in the list.
2) Output traffic control rules (those with the firewall as the source)
may now be qualified by the effective userid and/or effective group
id of the program generating the output. This feature is courtesy of
Frédéric LESPEZ.
A new USER column has been added to /etc/shorewall/tcrules.
It may contain :
[<user name or number>]:[<group name or number>]
The colon is optionnal when specifying only a user.
Examples : john: / john / :users / john:users
3) A "detectnets" interface option has been added for entries in
/etc/shorewall/interfaces. This option automatically taylors the
definition of the zone named in the ZONE column to include just
those hosts that have routes through the interface named in the
INTERFACE column. The named interface must be UP when
Shorewall is [re]started.
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!