diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index e9506c364..0aff8ebc0 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,7 @@
+Changes in 3.0.1
+
+1) Set policies for chains in nat, mangle and raw tables.
+
 Changes in 3.0.0 Final
 
 None.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index df5b81ba0..39ddedc60 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2138,6 +2138,26 @@ stop_firewall() {
 
     process_criticalhosts
 
+    [ -n "$RAW_TABLE" ] && rawtable=raw || rawtable=
+
+    for table in mangle nat $rawtable ; do
+	case $table in
+	    mangle)
+		chains="PREROUTING INPUT FORWARD POSTROUTING"
+		;;
+	    nat)
+		chains="PREROUTING POSTROUTING OUTPUT"
+		;;
+	    *)
+		chains="PREROUTING OUTPUT"
+		;;
+	esac
+
+	for chain in $chains; do
+	    iptables -t $table -P $chain ACCEPT
+	done
+    done
+
     if [ -n "$CRITICALHOSTS" ]; then
 	if [ -z "$ADMINISABSENTMINDED" ]; then
 	    for chain in INPUT OUTPUT; do
@@ -7680,6 +7700,26 @@ initialize_netfilter () {
 
     process_criticalhosts
 
+    [ -n "$RAW_TABLE" ] && rawtable=raw || rawtable=
+
+    for table in mangle nat $rawtable ; do
+	case $table in
+	    mangle)
+		chains="PREROUTING INPUT FORWARD POSTROUTING"
+		;;
+	    nat)
+		chains="PREROUTING POSTROUTING OUTPUT"
+		;;
+	    *)
+		chains="PREROUTING OUTPUT"
+		;;
+	esac
+
+	for chain in $chains; do
+	    iptables -t $table -P $chain ACCEPT
+	done
+    done
+
     if [ -n "$CRITICALHOSTS" ]; then
 	setpolicy INPUT ACCEPT
 
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index e5ed4a3d7..2b07d1b5d 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,11 @@
-Shorewall 3.0.0
+Shorewall 3.0.1
+
+Problems Corrected in 3.0.1
+
+1) If the previous firewall configuration included a policy other than
+   ACCEPT in the nat, mangle or raw tables then Shorewall would not set
+   the policy to ACCEPT. This could result in a ruleset that rejected or
+   dropped all traffic.
 
 Migration Considerations:
 
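Review bot: The exit status of `iptables -t $table -P $chain ACCEPT` is never checked, so a policy reset that fails (only the raw table is gated by `$RAW_TABLE`; the mangle and nat tables are attempted unconditionally, and an older kernel may lack some of the mangle chains listed) is silently ignored and the firewall carries on with whatever policy the previous configuration left behind, which is the very failure the release notes describe. The filter-table policies in the surrounding context go through `setpolicy`, which presumably carries the script's usual error handling, while the new loop calls `iptables` directly and bypasses it. The same twenty lines are pasted verbatim into `stop_firewall` (this hunk) and `initialize_netfilter` (the second `firewall` hunk); I would factor them into one helper that both functions call and check the status there, using `fatal_error` or whichever error helper the script already uses. Both enclosing functions start and end outside their hunks.
```shell
#
# Reset the built-in chains of the nat, mangle and raw tables to
# ACCEPT; these tables do not filter, so any other policy inherited
# from an earlier configuration blocks all traffic.
#
set_non_filter_policies() {
    # … unchanged: rawtable and per-table chain selection from the hunk …
	for chain in $chains; do
	    iptables -t $table -P $chain ACCEPT || \
		fatal_error "Unable to set $table $chain policy to ACCEPT"
	done
    done
}

    # in stop_firewall and initialize_netfilter, replacing the pasted loop:
    process_criticalhosts

    set_non_filter_policies

    if [ -n "$CRITICALHOSTS" ]; then
```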