diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 1cdb1f256..72d289c42 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -1345,11 +1345,6 @@ sub compile_updown() { ' detect_configuration', ' define_firewall', ' ;;', - ' cleared|unknown)', - ' COMMAND=stop', - ' detect_configuration', - ' stop_firewall', - ' ;;', ' esac', ); diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 40231a08c..a3ce96946 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,5 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 9 + S H O R E W A L L 4 . 4 . 10 + B E T A 1 ---------------------------------------------------------------------------- I. RELEASE 4.4 HIGHLIGHTS 
@@ -218,6 +219,131 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) Startup Errors (those that are detected before the state of the + system has been altered), were previously not sent to the + STARTUP_LOG. + +2) A regression of sorts occurred in Shorewall 4.4.9. Previously, a + Perl extension script could end with a call to add_rule(). Such a + script would fail in Shorewall 4.4.9 unless the 'trace' option was + specified on the run line. + + While this issue has been corrected, users are advised to always + end their Perl extension scripts with the following line to insure + that the script returns a 'true' value: + + 1; + +---------------------------------------------------------------------------- + I V. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +None. + +---------------------------------------------------------------------------- + V. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +1) Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new + package provides two related features: + + a) It allows the firewall to be closed prior to bringing up + network devices. This insures that unwanted connections are not + allowed between the time that the network comes up and when the + firewall is started. + + b) It integrates with NetworkManager and distribution ifup/ifdown + systems to allow for 'event-driven' startup and shutdown. + + The two facilities can be enabled separately. + + When Shorewall-init is first installed, it does nothing until you + configure it. + + The configuration file is /etc/default/shorewall-init on + Debian-based systems and /etc/sysconfig/shorewall-init otherwise. 
+ + There are two settings in the file: + + PRODUCTS - lists the Shorewall packages that you want to + integrate with Shorewall-init. Example: + + PRODUCTS="shorewall shorewall6" + + IFUPDOWN When set to 1, enables integration with + NetworkManager and the ifup/ifdown scripts. + + To close your firewall before networking starts: + + a) in the Shorewall-init configuration file, set PRODUCTS to the + firewall products installed on your system. + + b) be sure that your current firewall script(s) (normally in + /var/lib//firewall) is(are) compiled with the 4.4.10 + compiler. + + Shorewall and Shorewall6 users can execute these commands: + + shorewall compile + shorewall6 compile + + Shorewall-lite and Shorewall6-lite users can execute these + commands on the administrative system. + + shorewall export + shorewall6 export + + That's all that is required. + + To integrate with NetworkManager and ifup/ifdown, additional steps + are required. + + a) In the Shorewall-init configuration file, set IFUPDOWN=1. + + b) In your Shorewall interfaces file(s), set the 'required' option + on any interfaces that must be up in order for the firewall to + start. At least one interface must have the 'required' option + if you perform the next optional step. + + c) (Optional) -- If you have specified at least one 'required' + interface, you can then disable automatic firewall startup at + boot time. + + On Debian-based systems, set start=0 in /etc/default/. + + On other systems, use your service startup configuration tool + (chkconfig, insserv, ...) to disable startup. 
+ + The following actions occur when an interface comes up: + + FIREWALL INTERFACE ACTION + STATE + ---------------------------------- + Any required start + started optional restart + started - restart + + The following actions occur when an interface goes down: + + In the INTERFACE column, '-' indicates neither required nor + optional + + FIREWALL INTERFACE ACTION + STATE + ---------------------------------- + Any required stop + started optional restart + started - restart + + For optional interfaces, the /var/lib//.state + files are maintained to reflect the state of the interface. + +---------------------------------------------------------------------------- +V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S + I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 +---------------------------------------------------------------------------- 1) Logical interface names in the EXTERNAL column of /etc/shorewall/proxyarp were previously not mapped to their corresponding physical interface names. This could cause 'start' or @@ -294,13 +420,7 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E iptables-restore input. ---------------------------------------------------------------------------- - I V. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -None. - ----------------------------------------------------------------------------- - V. N E W F E A T U R E S I N T H I S R E L E A S E + N E W F E A T U R E S I N 4 . 4 . 9 ---------------------------------------------------------------------------- 1) The compiler now auto-detects bridges for the purpose of setting 
@@ -401,10 +521,7 @@ None. administrative system. Simply install using the tarball installer. ---------------------------------------------------------------------------- -V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S - I N P R I O R R E L E A S E S ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 8 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 ---------------------------------------------------------------------------- 1) A CONTINUE rule specifying a log level would cause the compiler to
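Review bot: In the Zones.pm hunk (compile_updown), deleting the `cleared|unknown)` arm leaves the generated `case` with no arm for those two firewall states, so an ifup/ifdown event arriving while the firewall is cleared or in an unknown state now falls straight through `esac` and neither starts nor stops the firewall. The release-notes tables added in the same patch say a required interface triggers start/stop in "Any" firewall state, which does not match a silent no-op for cleared/unknown; either the tables should state that those states are excluded, or the arm (or a `*)` arm that at least logs the unexpected state) should be kept. If the required-interface handling lives in an arm above the visible context, a one-line comment in the generated script saying so would make the intent reviewable.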
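Review bot: In the large releasenotes.txt hunk (+219 onward), the product-name component is missing from three paths, which leaves `/var/lib//firewall`, `/var/lib//.state` and `set start=0 in /etc/default/.` unusable as written; each should carry the placeholder for the product (shorewall, shorewall6, shorewall-lite, ...) that the surrounding text refers to. Smaller documentation points in the same hunk: "insure" (twice) should be "ensure"; the `IFUPDOWN` setting lacks the " - " separator used for `PRODUCTS`, so the two entries do not read as parallel; the legend "In the INTERFACE column, '-' indicates neither required nor optional" is placed only before the second table but the first table already uses '-'; and the `started optional restart` / `started - restart` rows are identical in the "comes up" and "goes down" tables, which is worth stating explicitly (restart in both directions) so a reader does not assume a copy-paste error.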
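Review bot: The final hunk (-401,+521) relabels the "P R O B L E M S C O R R E C T E D I N 4 . 4 . 8" heading as "4 . 4 . 9", but the earlier hunk in this same file already inserts a "P R O B L E M S C O R R E C T E D I N 4 . 4 . 9" heading in front of the 4.4.9 items (the proxyarp logical-name fix at +320), so the 4.4.8 fixes that follow this heading (starting with "A CONTINUE rule specifying a log level...") are now filed under 4.4.9 and the 4.4.9 heading appears twice. Only the two "V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S / I N P R I O R R E L E A S E S" lines and their separator should be removed here; the `-`/`+` pair on the 4.4.8 heading should be dropped so it stays "4 . 4 . 8".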