From 4f3189477ad46b7f8c829b9c1eb1d6f7f21a32fe Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 1 May 2009 09:27:12 -0700 Subject: [PATCH] Update News -- fix formatting --- web/News.htm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/News.htm b/web/News.htm index e1ad97f7f..51b90452e 100644 --- a/web/News.htm +++ b/web/News.htm @@ -31,7 +31,7 @@ License". 
Problems Corrected in Shorewall 4.2.8

1)  The 'start -f' command would previously skip the compilation step
    unconditionally when the 'make' utility was not installed. Now, the
    compilation step is run unconditionally in this case.

2)  When ADD_IP_ALIASES=Yes in shorewall.conf, entries in
    /etc/shorewall/nat produce this failure at compile time when
    using Shorewall-perl:

    ERROR: Internal Error in emit : /etc/shorewall/nat (line 12)

3)  When LOG_MARTIANS=Yes with Shorewall-perl, setting logmartians=0 in
    an entry in /etc/shorewall/interface failed to suppress martian
    logging on the interface.

4)  Shorewall-perl now generates rules with inversion that are
    compatible with iptables 1.4.3.

5) When a network address was specified in the SOURCE or DEST column of
   /etc/shorewall/tcfilters, Shorewall-perl was generating an incorrect
   netmask.

New Features in 4.2.8

1)  The /usr/share/shorewall/modules and /usr/share/shorewall6/modules
    files have been updated for iptables 1.4.3/kernel 2.6.29.

2009-03-19 Shorewall 4.2.7

-
Problems corrected in 4.2.7

1)  Previously, the 'start' command set the permission flags on
    /var/lib/shorewall*/state so that it could be read by
    non-root users while the 'stop' command set the permissions such
    that the file could not be read by those users.

    Beginning with 4.2.7, both commands will secure the file for
    root-only access. If you want the file to be world-readable, then
    add 

        chmod 744 <file name>

    To your /etc/shorewall/started, /etc/shorewall/stopped and
    /etc/shorewall/restored files.

2)  The 'shorewall6 dump' command now correctly displays the installed
    version of Shorewall-perl. It also displays the IPv6 neighbor table
    contents rather than the ARP table contents.

3)  Under some circumstances, interface options like nosmurfs and
    tcpflags would not be applied to forwarded traffic when using
    Shorewall-perl.

4)  The following rule was badly mis-handled:

       DNAT-    loc     net:1.2.3.4:2525        tcp     25

    The result:

     WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 45
9)
     Can't call method "inet_htoa" without a package or object reference at
       /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
      <$currentfile> line 459.

5)  Previously, OPTIONS were not allowed with a bridge port in
    /etc/shorewall/interfaces. That oversight has been corrected and
    now the following OPTIONS are allowed:

        blacklist
        maclist
        norfc1918
        nosmurfs
        routeback
        tcpflags

6)  Tuomo Soini provided a workaround patch for a problem seen in some
    kernel's (see FAQ 82) that caused 'shorewall start' to fail when
    USE_DEFAULT_RT=Yes .

New Features in Shorewall 4.2.7

1)  Prior to Shorewall version 3.0.0, rules generated by
    /etc/shorewall/tunnels were traversed before those generated by
    /etc/shorewall/rules. When SECTIONs were added to the rules file in
    3.0.0, traversal of the tunnel rules was deferred until after those
    generated by the NEW section of the rules file. 

    Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
    where they started -- right before the first rule generated by the
    NEW section of /etc/shorewall/rules.

2)  To allow bypassing of connection tracking for certain traffic,
    /etc/shorewall/notrack and /etc/shorewall6/notrack files have been
    added.

    Columns in the file are:

        SOURCE - <zone>[:<interface>][:<address list>]

        DEST - [<address list>]

        PROTO - <protocol name or number>

        DEST PORT(S) - <port number list>

        SOURCE PORT(S) - <port number list>

        USER/GROUP - [<user>][:<group>]

            May only be specified if the SOURCE <zone> is $FW.

    Traffic that matches all given criteria will not be subject to
    connection tracking. For such traffic, your policies and/or rules
    must deal with ALL of the packets involved, in both the original
    and the opposite directions. All untracked traffic is passed
    through the relevant rules in the NEW section of the rules
    file. Untracked encapsulated tunnel traffic can be handled by
    entries in /etc/shorewall/tunnels just like tracked traffic
    is. Because every packet of an untracked connection must pass
    through the NEW section rules, it is suggested that rules that deal
    with untracked traffic should appear at the top of the file.

    Example:

    /etc/shorewall/tunnels:

        #TYPE   ZONE    GATEWAY
        6to4    net

    /etc/shorewall/notrack

        #SOURCE          DEST           PROTO   DEST    SOURCE  USER/
        #                                       PORT(S) PORT(S) GROUP
        net:!192.88.99.1 -              41

    Given that 192.88.99.1 is an anycast address, many hosts can
    respond to outward traffic to that address. The entry in
    /etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
    /etc/shorewall/notrack prevents the inbound traffic from creating
    additional useless conntrack entries.

    As part of this change, the 'show' command is enhanced to support a 
    'show raw' command that is an alias for 'show -t raw'. The raw
    table is where NOTRACK rules are created. The dump command is also
    enhanced to display the contents of the raw table.

3)  Shorewall-perl supports three additional columns in the
    /etc/shorewall/routestopped file:

    PROTO          -- Protocol name or number

    DEST PORT(S)   -- comma-separated list of service names and/or port
                      numbers
 
    SOURCE PORT(S) -- comma-separated list of service names and/or port
                      numbers.

    These columns are only meaningful when the "-f" option to
    'shorewall stop' is used.

    As part of this change, the "-f" option to the 'stop' and 'clear'
    commands is now the default when FAST_STOP=Yes in shorewall.conf.
    To override this default, use the "-s" option:

        shorewall stop -s

    Note that if you have entries with one or more of the new columns,
    the -s option will result in warning messages.

        gateway:~ # shorewall stop -s
        Stopping Shorewall...
          WARNING: Unknown routestopped option ignored: notrack
          WARNING: Unknown routestopped option ignored: 41
          WARNING: Unknown routestopped option ignored: notrack
          WARNING: Unknown routestopped option ignored: 41
        done.
        gateway:~ #

4)  Shorewall-perl now handles SOURCE PORT lists of more than 15
    entries by breaking the containing rule into multiple rules.
+
Problems corrected in 4.2.7

1)  Previously, the 'start' command set the permission flags on
    /var/lib/shorewall*/state so that it could be read by
    non-root users while the 'stop' command set the permissions such
    that the file could not be read by those users.

    Beginning with 4.2.7, both commands will secure the file for
    root-only access. If you want the file to be world-readable, then
    add 

        chmod 744 <file name>

    To your /etc/shorewall/started, /etc/shorewall/stopped and
    /etc/shorewall/restored files.

2)  The 'shorewall6 dump' command now correctly displays the installed
    version of Shorewall-perl. It also displays the IPv6 neighbor table
    contents rather than the ARP table contents.

3)  Under some circumstances, interface options like nosmurfs and
    tcpflags would not be applied to forwarded traffic when using
    Shorewall-perl.

4)  The following rule was badly mis-handled:

       DNAT-    loc     net:1.2.3.4:2525        tcp     25

    The result:

     WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
     Can't call method "inet_htoa" without a package or object reference at
       /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
      <$currentfile> line 459.

5)  Previously, OPTIONS were not allowed with a bridge port in
    /etc/shorewall/interfaces. That oversight has been corrected and
    now the following OPTIONS are allowed:

        blacklist
        maclist
        norfc1918
        nosmurfs
        routeback
        tcpflags

6)  Tuomo Soini provided a workaround patch for a problem seen in some
    kernel's (see FAQ 82) that caused 'shorewall start' to fail when
    USE_DEFAULT_RT=Yes .

New Features in Shorewall 4.2.7

1)  Prior to Shorewall version 3.0.0, rules generated by
    /etc/shorewall/tunnels were traversed before those generated by
    /etc/shorewall/rules. When SECTIONs were added to the rules file in
    3.0.0, traversal of the tunnel rules was deferred until after those
    generated by the NEW section of the rules file. 

    Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
    where they started -- right before the first rule generated by the
    NEW section of /etc/shorewall/rules.

2)  To allow bypassing of connection tracking for certain traffic,
    /etc/shorewall/notrack and /etc/shorewall6/notrack files have been
    added.

    Columns in the file are:

        SOURCE - <zone>[:<interface>][:<address list>]

        DEST - [<address list>]

        PROTO - <protocol name or number>

        DEST PORT(S) - <port number list>

        SOURCE PORT(S) - <port number list>

        USER/GROUP - [<user>][:<group>]

            May only be specified if the SOURCE <zone> is $FW.

    Traffic that matches all given criteria will not be subject to
    connection tracking. For such traffic, your policies and/or rules
    must deal with ALL of the packets involved, in both the original
    and the opposite directions. All untracked traffic is passed
    through the relevant rules in the NEW section of the rules
    file. Untracked encapsulated tunnel traffic can be handled by
    entries in /etc/shorewall/tunnels just like tracked traffic
    is. Because every packet of an untracked connection must pass
    through the NEW section rules, it is suggested that rules that deal
    with untracked traffic should appear at the top of the file.

    Example:

    /etc/shorewall/tunnels:

        #TYPE   ZONE    GATEWAY
        6to4    net

    /etc/shorewall/notrack

        #SOURCE          DEST           PROTO   DEST    SOURCE  USER/
        #                                       PORT(S) PORT(S) GROUP
        net:!192.88.99.1 -              41

    Given that 192.88.99.1 is an anycast address, many hosts can
    respond to outward traffic to that address. The entry in
    /etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
    /etc/shorewall/notrack prevents the inbound traffic from creating
    additional useless conntrack entries.

    As part of this change, the 'show' command is enhanced to support a 
    'show raw' command that is an alias for 'show -t raw'. The raw
    table is where NOTRACK rules are created. The dump command is also
    enhanced to display the contents of the raw table.

3)  Shorewall-perl supports three additional columns in the
    /etc/shorewall/routestopped file:

    PROTO          -- Protocol name or number

    DEST PORT(S)   -- comma-separated list of service names and/or port
                      numbers
 
    SOURCE PORT(S) -- comma-separated list of service names and/or port
                      numbers.

    These columns are only meaningful when the "-f" option to
    'shorewall stop' is used.

    As part of this change, the "-f" option to the 'stop' and 'clear'
    commands is now the default when FAST_STOP=Yes in shorewall.conf.
    To override this default, use the "-s" option:

        shorewall stop -s

    Note that if you have entries with one or more of the new columns,
    the -s option will result in warning messages.

        gateway:~ # shorewall stop -s
        Stopping Shorewall...
          WARNING: Unknown routestopped option ignored: notrack
          WARNING: Unknown routestopped option ignored: 41
          WARNING: Unknown routestopped option ignored: notrack
          WARNING: Unknown routestopped option ignored: 41
        done.
        gateway:~ #

4)  Shorewall-perl now handles SOURCE PORT lists of more than 15
    entries by breaking the containing rule into multiple rules.

2009-02-15 Shorewall 4.2.6

Problems corrected in 4.2.6

1)  The CONFIG_PATH in the two- and three-interface Shorewall6 sample
    configurations was incorrect with the result that this error
    occurred on 'shorewall6 check' or 'shorewall6 start'.

           ERROR: No IP zones defined

2)  Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell
    and Shorewall-perl to create invalid iptables commands. This has
    been corrected but we still strongly recommend against that
    setting; TCP_FLAGS_DISPOSITION=DROP is preferred.

3)  Shorewall-perl was generating code that checked for state match
    before kernel modules were loaded. This caused start/restart to
    fail on systems without kernel module loading. 

4)  The Shorewall6 and Shorewall6-lite Makefiles were incorrect.

5)  If a service name is used in a port-mapping rule (a DNAT or
    REDIRECT rule that changes the destination port), and if the
    kernel and iptables include Extended Connection Match support, then
    invalid iptables-restore input is produced by Shorewall-perl.

6)  If iptables 1.4.1 or later was installed, Shorewall-perl generated
    incorrect iptables-restore input if exclusion was used in the
    ORIGINAL DEST field of a DNAT or REDIRECT rule.

7)  On kernels earlier than 2.6.20, the 'shorewall show connections'
    command fails.

New Feature in Shorewall 4.2.6

1)  A BitTorrent32 macro has been added. This macro matches the
    extended TCP port range used by BitTorrent 3.2 and later.

2)  A new COUNT action has been added to Shorewall-perl. This action
    creates an iptables (ip6tables) rule with no target. Connections
    matching such a rule are simply counted and the packet is passed on
    to the next rule.

    Shorewall-shell ignores COUNT in actions and macros, thus allowing
    the standard actions (action.Drop and action.Reject) to have a
    COUNT rule as their first entry.

3)  A new RESTORE_DEFAULT_ROUTE option has been added to
    shorewall.conf. It is used to determine whether to restore the
    default route saved when there are 'balance' providers defined but
    all of them are down.

    The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
    pre-4.2.6 behavior. 

    RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
    default route in the main table (USE_DEFAULT_RT=No) or in the
    default table (USE_DEFAULT_RT=Yes) when there are no balance
    providers available. In that case, RESTORE_DEFAULT_ROUTE=No
    will cause any default route in the relevant table to be deleted.

4)  IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
    database when trying to detect the gateway for an interface
    ("detect" in the GATEAWAY column in /etc/shorewall/interfaces).

    As part of this change, it is now permitted to specify 'detect'
    when USE_DEFAULT_RT=Yes; in that case, the script will only detect
    gateways for point-to-point devices and for devices configured by
    dhcpcd.

5)  Shorewall-perl now supports port inversion. A port number or list
    of port numbers may be preceded by '!" which will cause the rule to
    match all ports EXCEPT those listed:

    Example: To blacklist 206.124.146.176 for all tcp ports except 80:

             ADDRESS/SUBNET       PROTO           PORT(S)
             206.124.146.177      tcp             !80

6)  Shorewall-perl now supports protocol inversion. A protocol name or
    number may be preceded by '!' to specify all protocols except the
    one following '!'.

    Example: To blacklist 206.124.146.176 for all protocols except 
             UDP:

             ADDRESS/SUBNET       PROTO           PORT(S)
             206.124.146.177      !udp

    Note that ports may not be specified when protocol inversion
    is used.

7)  When using Shorewall-perl, neither the 'start' nor 'started'
    extension script is run during processing of the 'restore'
    command. To allow extension of that command, we have added a
    'restored' extension script that runs at the successful completion
    of 'restore'. This script is only available with Shorewall-perl.

    With Shorewall-shell, both scripts are run during 'restore' but in
    that case, the run_iptables() function does nothing. So any
    run_iptables() calls in the 'start' script are effectively ignored.

8)  Shorewall-perl now correctly handles 'here documents' quoting
    (<<EOF .... EOF) in run-time extension scripts.

2009-01-22 Shorewall 4.2.5