mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-20 21:30:44 +01:00
4e650037f4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1425 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This is a minor release of Shorewall.

Problems Corrected since version 1.4.9:

1.  The column descriptions in the action.template file did not match
    the column headings. That has been corrected.

2.  The presence of IPV6 addresses on devices generated error messages
    during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes were
    specified in /etc/shorewall/shorewall.conf.

3.  The CONTINUE action in /etc/shorewall/rules now works correctly. A
    couple of problems involving rate limiting have also been
    corrected. These bug fixes are courtesy of Steven Jan Springl.

4.  Shorewall now tries to avoid sending an ICMP response to broadcasts
    and smurfs.

5.  Specifying "-" or "all" in the PROTO column of an action no longer
    causes a startup error.

6.  Fixed a problem in which the firewall would encounter an error
    during startup while processing the /etc/shorewall/masq file.

7.  Atheros WiFi cards were previously excluded from use with the
    "maclist" interface option.

8.  (Fix from Steven Jan Springl) In the /etc/shorewall/masq entry

        eth0:!10.1.1.150   0.0.0.0/0!10.1.0.0/16   10.1.2.16

    the !10.1.0.0/16 exclusion was ignored.

9.  A startup error occurred if the USER/GROUP column of the tcrules
    file was empty.

10. The following syntax previously produced a startup error:

        DNAT z1!z2,z3 z4:...

    That has been corrected so that multiple excluded zones may now be
    listed in a DNAT or REDIRECT rule.

11. Use of user-defined actions frequently resulted in a WARNING that
    the rule was a policy.

12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and
    IPSEC has been corrected.

13. The rfc1918 file has been updated.

14. An exploitable vulnerability that allowed local non-root users to
    cause arbitrary files to be overwritten has been eliminated.

15. The security vulnerability fix failed under Slackware 9.1.

16. The security vulnerability fix failed if mktemp was not installed.

Migration Issues:

None.

New Features:

1)  The INTERFACE column in the /etc/shorewall/masq file may now
    specify a destination list.

    Example:

        #INTERFACE                    SUBNET   ADDRESS
        eth0:192.0.2.3,192.0.2.16/28  eth1

    If the list begins with "!" then SNAT will occur only if the
    destination IP address is NOT included in the list.

2)  Output traffic control rules (those with the firewall as the source)
    may now be qualified by the effective userid and/or effective group
    id of the program generating the output. This feature is courtesy of
    Frédéric LESPEZ.

    A new USER column has been added to /etc/shorewall/tcrules.

    It may contain:

        [<user name or number>]:[<group name or number>]

    The colon is optional when specifying only a user.

    Examples: john: / john / :users / john:users
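    As an added illustration (this is example code, not Shorewall's own), a POSIX shell function that parses the USER column syntax above into the iptables owner-match arguments it implies (`-m owner --uid-owner` / `--gid-owner`); the function name and its treatment of an empty or "-" column as "no owner qualification" (cf. fix 9) are assumptions of this example:

```shell
#!/bin/sh
# Added example, not Shorewall's own code: parse the tcrules USER column
# syntax [<user name or number>]:[<group name or number>] and print the
# iptables owner-match fragment it implies. Assumptions of this example:
# the function name, and treating "" or "-" as "no owner qualification".
owner_match() {
    spec="$1"

    # Empty or "-" column: no owner match at all (prints nothing, returns 0).
    case "$spec" in
        ""|-) return 0 ;;
    esac

    # More than one ':' cannot be user:group; reject before building a rule.
    case "$spec" in
        *:*:*) echo "owner_match: malformed USER column '$spec'" >&2; return 1 ;;
    esac

    # The part before the (optional) colon is the user: "john" and "john:" agree.
    user="${spec%%:*}"
    case "$spec" in
        *:*) group="${spec#*:}" ;;
        *)   group="" ;;
    esac

    # ":" alone names neither a user nor a group; treat it as an error.
    if [ -z "$user" ] && [ -z "$group" ]; then
        echo "owner_match: USER column '$spec' names no user or group" >&2
        return 1
    fi

    out="-m owner"
    [ -n "$user" ]  && out="$out --uid-owner $user"
    [ -n "$group" ] && out="$out --gid-owner $group"
    echo "$out"
}

# Walk the four examples given in the release notes.
for spec in "john:" "john" ":users" "john:users"; do
    printf '%-12s -> %s\n' "$spec" "$(owner_match "$spec")"
done
```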
3)  A "detectnets" interface option has been added for entries in
    /etc/shorewall/interfaces. This option automatically tailors the
    definition of the zone named in the ZONE column to include just
    those hosts that have routes through the interface named in the
    INTERFACE column. The named interface must be UP when
    Shorewall is [re]started.

    WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!