diff --git a/web/News.htm b/web/News.htm index f7e29da8f..8d489a3e9 100644 --- a/web/News.htm +++ b/web/News.htm @@ -2,8 +2,7 @@
- +February 15, 2009
+
March 19, 2009
2009-03-19 Shorewall 4.2.7
++
Problems corrected in 4.2.7
1) Previously, the 'start' command set the permission flags on
/var/lib/shorewall*/state so that it could be read by
non-root users while the 'stop' command set the permissions such
that the file could not be read by those users.
Beginning with 4.2.7, both commands will secure the file for
root-only access. If you want the file to be world-readable, then
add
chmod 744 <file name>
To your /etc/shorewall/started, /etc/shorewall/stopped and
/etc/shorewall/restored files.
2) The 'shorewall6 dump' command now correctly displays the installed
version of Shorewall-perl. It also displays the IPv6 neighbor table
contents rather than the ARP table contents.
3) Under some circumstances, interface options like nosmurfs and
tcpflags would not be applied to forwarded traffic when using
Shorewall-perl.
4) The following rule was badly mis-handled:
DNAT- loc net:1.2.3.4:2525 tcp 25
The result:
WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 45
9)
Can't call method "inet_htoa" without a package or object reference at
/usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
<$currentfile> line 459.
5) Previously, OPTIONS were not allowed with a bridge port in
/etc/shorewall/interfaces. That oversight has been corrected and
now the following OPTIONS are allowed:
blacklist
maclist
norfc1918
nosmurfs
routeback
tcpflags
6) Tuomo Soini provided a workaround patch for a problem seen in some
kernel's (see FAQ 82) that caused 'shorewall start' to fail when
USE_DEFAULT_RT=Yes .
New Features in Shorewall 4.2.7
1) Prior to Shorewall version 3.0.0, rules generated by
/etc/shorewall/tunnels were traversed before those generated by
/etc/shorewall/rules. When SECTIONs were added to the rules file in
3.0.0, traversal of the tunnel rules was deferred until after those
generated by the NEW section of the rules file.
Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
where they started -- right before the first rule generated by the
NEW section of /etc/shorewall/rules.
2) To allow bypassing of connection tracking for certain traffic,
/etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.
Columns in the file are:
SOURCE - <zone>[:<interface>][:<address list>]
DEST - [<address list>]
PROTO - <protocol name or number>
DEST PORT(S) - <port number list>
SOURCE PORT(S) - <port number list>
USER/GROUP - [<user>][:<group>]
May only be specified if the SOURCE <zone> is $FW.
Traffic that matches all given criteria will not be subject to
connection tracking. For such traffic, your policies and/or rules
must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.
Example:
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY
6to4 net
/etc/shorewall/notrack
#SOURCE DEST PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41
Given that 192.88.99.1 is an anycast address, many hosts can
respond to outward traffic to that address. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.
As part of this change, the 'show' command is enhanced to support a
'show raw' command that is an alias for 'show -t raw'. The raw
table is where NOTRACK rules are created. The dump command is also
enhanced to display the contents of the raw table.
3) Shorewall-perl supports three additional columns in the
/etc/shorewall/routestopped file:
PROTO -- Protocol name or number
DEST PORT(S) -- comma-separated list of service names and/or port
numbers
SOURCE PORT(S) -- comma-separated list of service names and/or port
numbers.
These columns are only meaningful when the "-f" option to
'shorewall stop' is used.
As part of this change, the "-f" option to the 'stop' and 'clear'
commands is now the default when FAST_STOP=Yes in shorewall.conf.
To override this default, use the "-s" option:
shorewall stop -s
Note that if you have entries with one or more of the new columns,
the -s option will result in warning messages.
gateway:~ # shorewall stop -s
Stopping Shorewall...
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
done.
gateway:~ #
4) Shorewall-perl now handles SOURCE PORT lists of more than 15
entries by breaking the containing rule into multiple rules.
2009-02-15 Shorewall 4.2.6
Problems corrected in 4.2.6
1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample
configurations was incorrect with the result that this error
occurred on 'shorewall6 check' or 'shorewall6 start'.
ERROR: No IP zones defined
2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell
and Shorewall-perl to create invalid iptables commands. This has
been corrected but we still strongly recommend against that
setting; TCP_FLAGS_DISPOSITION=DROP is preferred.
3) Shorewall-perl was generating code that checked for state match
before kernel modules were loaded. This caused start/restart to
fail on systems without kernel module loading.
4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect.
5) If a service name is used in a port-mapping rule (a DNAT or
REDIRECT rule that changes the destination port), and if the
kernel and iptables include Extended Connection Match support, then
invalid iptables-restore input is produced by Shorewall-perl.
6) If iptables 1.4.1 or later was installed, Shorewall-perl generated
incorrect iptables-restore input if exclusion was used in the
ORIGINAL DEST field of a DNAT or REDIRECT rule.
7) On kernels earlier than 2.6.20, the 'shorewall show connections'
command fails.
New Feature in Shorewall 4.2.6
1) A BitTorrent32 macro has been added. This macro matches the
extended TCP port range used by BitTorrent 3.2 and later.
2) A new COUNT action has been added to Shorewall-perl. This action
creates an iptables (ip6tables) rule with no target. Connections
matching such a rule are simply counted and the packet is passed on
to the next rule.
Shorewall-shell ignores COUNT in actions and macros, thus allowing
the standard actions (action.Drop and action.Reject) to have a
COUNT rule as their first entry.
3) A new RESTORE_DEFAULT_ROUTE option has been added to
shorewall.conf. It is used to determine whether to restore the
default route saved when there are 'balance' providers defined but
all of them are down.
The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.
RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes) when there are no balance
providers available. In that case, RESTORE_DEFAULT_ROUTE=No
will cause any default route in the relevant table to be deleted.
4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
database when trying to detect the gateway for an interface
("detect" in the GATEAWAY column in /etc/shorewall/interfaces).
As part of this change, it is now permitted to specify 'detect'
when USE_DEFAULT_RT=Yes; in that case, the script will only detect
gateways for point-to-point devices and for devices configured by
dhcpcd.
5) Shorewall-perl now supports port inversion. A port number or list
of port numbers may be preceded by '!" which will cause the rule to
match all ports EXCEPT those listed:
Example: To blacklist 206.124.146.176 for all tcp ports except 80:
ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 tcp !80
6) Shorewall-perl now supports protocol inversion. A protocol name or
number may be preceded by '!' to specify all protocols except the
one following '!'.
Example: To blacklist 206.124.146.176 for all protocols except
UDP:
ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 !udp
Note that ports may not be specified when protocol inversion
is used.
7) When using Shorewall-perl, neither the 'start' nor 'started'
extension script is run during processing of the 'restore'
command. To allow extension of that command, we have added a
'restored' extension script that runs at the successful completion
of 'restore'. This script is only available with Shorewall-perl.
With Shorewall-shell, both scripts are run during 'restore' but in
that case, the run_iptables() function does nothing. So any
run_iptables() calls in the 'start' script are effectively ignored.
8) Shorewall-perl now correctly handles 'here documents' quoting
(<<EOF .... EOF) in run-time extension scripts.
2009-01-22 Shorewall 4.2.5
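Review bot: the examples for the new port-inversion and protocol-inversion features in the 4.2.6 "New Feature" section are internally inconsistent: the prose says "To blacklist 206.124.146.176" but the rule rows that follow use `206.124.146.177`, so a reader copying the example blacklists a different host than the text describes; pick one address for both the sentence and the row in each example. In the same section, the port-inversion item has mismatched quotes in "preceded by '!\"" (should be '!' as in the protocol-inversion item), and item 4 misspells the column name as "GATEAWAY" (the interfaces file column is GATEWAY). In the 4.2.7 "Problems corrected" section, "seen in some kernel's" should read "kernels", and the suggested `chmod 744 <file name>` for making the state file world-readable grants an execute bit the state file does not need; `chmod 644` achieves the stated goal (readable by non-root users) with less than the text recommends. Since item 1 explains that both start and stop now secure the file for root-only access, it would also help to state explicitly that the chmod line undoes that hardening, so the reader makes the choice knowingly.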