diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index be8feb608..83173b54e 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt @@ -1,45 +1,4 @@ -Changes since 1.4.9 +Changes since 1.4.10g -1) Implement destination list in masq file. - -2) Appled Frédéric LESPEZ's patch for packet marking by user/group id. - -3) Correct column headings in action.template - -4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or - ADD_SNAT_ALIASES=Yes. - -5) Implement "detectnets" option. - -6) Correct the CONTINUE target and fix a couple of bugs in rate - limiting (with an assist from Steven Jan Springl). - -7) Silently drop smurfs and broadcasts in the 'reject' chain. - -8) Add multicast to 'detectnets' zones. - -9) Don't add broadcasts to /0 groups. - -10) Fix "-" in PROTO column of an action file. - -11) Fix the enhancement in 1) above to avoid startup errors. - -12) Allow maclist with Atheros cards - -13) Fix masq file problem with exclusion in the source column. - -14) Fix silly tcrules file problem. - -15) Fix multiple excluded zones in DNAT/REDIRECT rules. - -16) Correct reporting of POLICY rules. - -17) Implement Sean Mathews's fix for Proxy ARP/IPSEC. - -18) Update rfc1918. - -19) Fix local exploit vulnerability. - -20) Hack security fix so that it works under Slackware. - -21) Fix mktempfile() where there is no mktemp utility. +1) Fix installer to not give zones and shorewall.conf execute + permission. diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index 038272ea7..35ba77abf 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.4.10g +VERSION=1.4.11 usage() # $1 = exit status { diff --git a/STABLE/install.sh b/STABLE/install.sh index 93655596d..1e3c7ecda 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh 
@@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.4.10g +VERSION=1.4.11 usage() # $1 = exit status { @@ -284,7 +284,7 @@ mkdir -p ${PREFIX}/var/lib/shorewall if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then backup_file /etc/shorewall/shorewall.conf else - run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf + run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf echo echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf" fi @@ -294,7 +294,7 @@ fi if [ -f ${PREFIX}/etc/shorewall/zones ]; then backup_file /etc/shorewall/zones else - run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones + run_install -o $OWNER -g $GROUP -m 0600 zones ${PREFIX}/etc/shorewall/zones echo echo "Zones file installed as ${PREFIX}/etc/shorewall/zones" fi diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index 3b12691d3..47ea0a9e1 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt 
@@ -1,98 +1,7 @@ -This is a minor release of Shorewall. +Shorewall 1.4.11 -Problems Corrected since version 1.4.9: +Problems Corrected since version 1.4.10g -1. The column descriptions in the action.template file did not match - the column headings. That has been corrected. +1) The shorewall.conf and zones file are no longer given execute + permission by the installer. -2. The presence of IPV6 addresses on devices generates error messages - during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are - specified in /etc/shorewall/shorewall.conf. - -3. The CONTINUE action in /etc/shorewall/rules now works correctly. A - couple of problems involving rate limiting have been - corrected. These bug fixes courtesy of Steven Jan Springl. - -4. Shorewall now tries to avoid sending an ICMP response to broadcasts - and smurfs. - -5. Specifying "-" or "all" in the PROTO column of an action no longer - causes a startup error. - -6. Fixed a problem in which the firewall would encounter an error - during startup while processing the /etc/shorewall/masq file. - -7. Atheros WiFi cards were previously excluded from use with the - "maclist" interface option. - -8. (Fix from Steven Jan Springl) In the /etc/shorewall/masq entry - - eth0:!10.1.1.150  0.0.0.0/0!10.1.0.0/16     10.1.2.16 - - the !10.1.0.0/16 is ignored. - -9. A startup error occurs if the USER/GROUP column of the tcrules file - is empty. - -10. The following syntax previously produced a startup error: - - DNAT z1!z2,z3 z4:... - - That has been corrected so that multiple excluded zones may now be - listed in a DNAT or REDIRECT rule. - -11. Use of user-defined actions frequently resulted in a WARNING that - the rule was a policy. - -12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and - IPSEC has been corrected!! - -13. The rfc1918 file has been updated. - -14. An exploitable vulnerability that allows local non-root users to - cause arbitrary files to be overwritten has been eliminated. 
- -15) The security vulnerability fix failed under Slackware 9.1. - -16) The security vulnerability fix failed if mktemp was not installed. - -Migration Issues: - -None. - -New Features: - -1) The INTERFACE column in the /etc/shorewall/masq file may now - specify a destination list. - - Example: - - #INTERFACE SUBNET ADDRESS - eth0:192.0.2.3,192.0.2.16/28 eth1 - - If the list begins with "!" then SNAT will occur only if the - destination IP address is NOT included in the list. - -2) Output traffic control rules (those with the firewall as the source) - may now be qualified by the effective userid and/or effective group - id of the program generating the output. This feature is courtesy of - Frédéric LESPEZ. - - A new USER column has been added to /etc/shorewall/tcrules. - - It may contain : - - []:[] - - The colon is optionnal when specifying only a user. - - Examples : john: / john / :users / john:users - -3) A "detectnets" interface option has been added for entries in - /etc/shorewall/interfaces. This option automatically taylors the - definition of the zone named in the ZONE column to include just - those hosts that have routes through the interface named in the - INTERFACE column. The named interface must be UP when - Shorewall is [re]started. - - WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index 7ac050b7a..ec2f0dbfe 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.4.10g +%define version 1.4.11 %define release 1 %define prefix /usr @@ -110,6 +110,8 @@ fi %changelog * Wed Jun 30 2004 Tom Eastep +- Changed version to 1.4.11 +* Wed Jun 30 2004 Tom Eastep - Changed version to 1.4.10g-1 * Mon Jun 28 2004 Tom Eastep - Changed version to 1.4.10f-1 diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index f10d7eca3..ec75afe12 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.4.10g +VERSION=1.4.11 usage() # $1 = exit status {
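Review bot: the changelog hunk's new entry `1) Fix installer to not give zones and shorewall.conf execute permission.` understates what the install.sh hunks actually do: the mode goes from 0744 to 0600, which drops read access for group and other as well as the execute bit, so these files become readable only by the owner. Suggest wording it as "shorewall.conf and zones are now installed with mode 0600 (owner read/write only)" so that anyone relying on group or world read access knows the change affects them.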
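Review bot: in the install.sh hunk at `@@ -284,7 +284,7 @@`, the tightened `run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ...` line is only reached on a fresh install; on the `if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]` branch the existing file is backed up and left with whatever mode an earlier installer gave it (0744), so users upgrading from 1.4.10g never get the fix. Suggest adding `chmod 0600 ${PREFIX}/etc/shorewall/shorewall.conf` in that branch after `backup_file`.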
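Review bot: the same upgrade gap applies to the install.sh hunk at `@@ -294,7 +294,7 @@`: `run_install -o $OWNER -g $GROUP -m 0600 zones ...` only runs when `${PREFIX}/etc/shorewall/zones` does not already exist, so an existing zones file keeps its old 0744 mode. Suggest a `chmod 0600 ${PREFIX}/etc/shorewall/zones` alongside the `backup_file /etc/shorewall/zones` call so both branches end with the same permissions.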
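Review bot: the releasenotes.txt hunk has the same wording problem as the changelog: `+1) The shorewall.conf and zones file are no longer given execute` describes only the execute bit, while the installer change is 0744 to 0600 and also removes group/other read. It should say the files are installed mode 0600 (and "zones file are" should read "zones files are"). Minor style point: the new entry uses `1)` where the previous release notes in this file numbered items `1.`, `2.`, so the two formats now differ between releases.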