forked from extern/shorewall_code
Update News
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9230 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
697cd0a757
commit
62daa5c90c
@ -26,9 +26,12 @@ license is included in the section entitled <span
href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>".
</p>
<p>November 20, 2008<br>
<p>December 31, 2008<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><strong>2008-12-31 Shorewall 4.2.4</strong></p>
<p><strong></strong></p>
<pre>1) In 4.2.4, two new packages are included:<br><br> a) Shorewall6 - analagous to Shorewall-common but handles IPv6<br> rather than IPv4.<br><br> b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6<br> rather than IPv4.<br><br> The packages store their configurations in /etc/shorewall6/ and<br> /etc/shorewall6-lite/ respectively. <br><br> The fact that the packages are separate from their IPv4 counterparts<br> means that you control IPv4 and IPv6 traffic separately (the same<br> way that Netfilter does). Starting/Stopping the firewall for one<br> address family has no effect on the other address family.<br><br> For additional information, see<br> http://www.shorewall.net/IPV6Support.html.<br><br> Other features of Shorewall6 are:<br><br> a) There is no NAT of any kind (most people see this as a giant step<br> forward). When an ISP assigns you a public IPv6 address, you are<br> actually assigned an IPv6 'prefix' which is like an IPv4<br> subnet. A 64-bit prefix allows 4 billion squared individual hosts<br> (the size of the current IPv4 address space squared).<br><br> b) The default zone type is ipv6.<br><br> c) The currently-supported interface options in Shorewall6 are:<br><br> blacklist<br> bridge<br> dhcp<br> nosmurfs (traps multicast and Subnet-router anycast addresses<br> used as the packet source address).<br> optional<br> routeback<br> sourceroute<br> tcpflags<br><br> Other features of Shorewall6 are:<br><br> a) There is no NAT of any kind (most people see this as a giant step<br> forward). When an ISP assigns you a public IPv6 address, you are<br> actually assigned an IPv6 'prefix' which is like an IPv4<br> subnet. 
A 64-bit prefix allows 4 billion squared individual hosts<br> (the size of the current IPv4 address space squared).<br><br> b) The default zone type is ipv6.<br><br> c) The currently-supported interface options in Shorewall6 are:<br><br> blacklist<br> bridge<br> dhcp<br> nosmurfs (traps multicast and Subnet-router anycast addresses<br> used as the packet source address).<br> optional<br> routeback<br> sourceroute<br> tcpflags<br> mss<br> forward (setting it to 0 makes the router behave like a host<br> on that interface rather than like a router).<br><br> d) The currently-supported host options in Shorewall6 are:<br><br> blacklist<br> routeback<br> tcpflags<br><br> e) Traffic Shaping is disabled by default. The tcdevices and<br> tcclasses files are address-family independent so<br> to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal<br> should be specified in Shorewall or in Shorewall6 but not in<br> both. In the configuration where the internal traffic shaper is<br> not enabled, CLEAR_TC=No should be specified.<br><br> tcfilters are not available in Shorewall6.<br><br> f) When both an interface and an address or address list need to<br> be specified in a rule, the address or list must be enclosed in<br> angle brackets. Example:<br><br> #ACTION SOURCE DEST<br> ACCEPT net:eth0:<2001:19f0:feee::dead:beef:cafe> dmz<br><br> Note that this includes MAC addresses as well as IPv6 addresses.<br><br> The HOSTS column in /etc/shorewall6/hosts also uses this<br> convention:<br><br> #ZONE HOSTS OPTIONS<br> chat6 eth0:<2001:19f0:feee::dead:beef:cafe><br><br> Even when an interface is not specified, it is permitted to<br> enclose addresses in <> to improve readability. Example:<br><br> #ACTION SOURCE DEST<br> ACCEPT net:<2001:1::1> $FW<br><br> g) The options available in shorewall6.conf are a subset of those<br> available in shorewall.conf.<br><br> h) The Socket6.pm Perl module is required if you include DNS names<br> in your Shorewall6 configuration. 
Note that it is loaded the<br> first time that a DNS name is encountered so if it is missing,<br> you get a message similar to this one:<br><br> ...<br> Checking /etc/shorewall6/rules...<br> Can't locate Socket6.pm in @INC (@INC contains: /root ...<br> teastep@ursa:~/Configs/standalone6$ <br></pre>
<p><strong>2008-11-20 Shorewall 4.2.2</strong></p>
<p><strong></strong></p>
<pre>Problems corrected in Shorewall 4.2.2<br><br>1) Shorewall-perl now insures that each line copied from a<br> configuration file or user exit is terminated with a newline<br> character.<br><br>2) When ipranges were used to define zones, Shorewall-perl could<br> generate invalid iptables-restore input if 'Repeat Match' was not<br> available. Repeat Match is not a true match -- it rather is a<br> feature of recent iptables releases that allows a match to be<br> repeated within a rule.<br><br>3) With Shorewall-perl, if a destination port list had exactly 16<br> ports, where a port-range counts as two ports, then Shorewall-perl<br> would fail to split the rule into multiple rules and an<br> iptables-restore error would result.<br><br>4) The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1<br> compatibility contained a typo that prevented it from working<br> correctly.<br><br>5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP<br> address and no zone name in the DEST column, Shorewall-perl would<br> reject the rule. If a zone name was specified, Shorewall-perl <br> would issue a Warning message.<br><br>6) Previously, if Extended conntrack match support was available, a<br> DNAT rule that specified a server port but no destination port <br> would generate invalid iptables-restore input. <br><br>Other changes in Shorewall 4.2.2<br><br>1) A macro supporting JAP (anonymization protocol) has been added.<br> It can be used as any other macro (e.g., JAP/ACCEPT) in the rules<br> file.<br><br>2) A macro supporting DAAP (Digital Audio Access Protocol) has been added.<br> It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules<br> file.<br><br>3) A macro supporting DCC (Distributed Checksum Clearinghouse) has been<br> added. It can be used as any other macro (e.g., DCCP/ACCEPT) in the<br> rules file.<br><br>4) A macro supporting GNUnet (secure peer-to-peer networking) has been<br> added. 
It can be used as any other macro (e.g., GNUnet/ACCEPT) in the<br> rules file.<br><br>5) In 4.2.1, a single capability ("Extended conntrack match support")<br> was used both to control the use of --ctorigport and to trigger use<br> of the new syntax for inversion of --ctorigdst (e.g., "!<br> --ctorigdst ..."). In 4.2.2, these are controlled by two separate<br> capabilities. If you use a capabilities file when compiling your<br> configuration, be sure to generate a new one after installing<br> 4.2.2.<br></pre>
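Review bot: The added 4.2.4 `<pre>` block contains the "Other features of Shorewall6 are:" section twice: the first copy stops after item c) with the interface-option list ending at `tcpflags`, while the second copy is the complete one (adds `mss` and `forward` under c) and continues with items d) through h)). The first, truncated copy should be deleted so that readers do not see two different interface-option lists for the same release. Two smaller points in the same block: "analagous" (twice in item 1) should read "analogous", and the DCC macro entry in the 4.2.2 notes gives the usage example as "DCCP/ACCEPT" while describing a macro named DCC, so the example and the macro name should be made consistent with the macro file that actually ships. The empty `<p><strong></strong></p>` inserted after the 4.2.4 heading carries no content, although it mirrors the existing 4.2.2 entry, so it is a style point only.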