From 87882e15ea136d606b4a6121cff6276455732a3c Mon Sep 17 00:00:00 2001
From: Tom Eastep
2009-04-16 Shorewall 4.2.8
Problems Corrected in Shorewall 4.2.8
1) Previously, when the 'make' utility was not installed, the 'start -f'
command skipped the compilation step unconditionally, so an out-of-date
compiled script could be used. Now the compilation step is run
unconditionally in that case.
2) When ADD_IP_ALIASES=Yes in shorewall.conf, entries in
/etc/shorewall/nat produce this failure at compile time when
using Shorewall-perl:
ERROR: Internal Error in emit : /etc/shorewall/nat (line 12)
3) When LOG_MARTIANS=Yes with Shorewall-perl, setting logmartians=0 in
an entry in /etc/shorewall/interfaces failed to suppress martian
logging on the interface.
4) Shorewall-perl now generates rules with inversion that are
compatible with iptables 1.4.3.
5) When a network address was specified in the SOURCE or DEST column of
/etc/shorewall/tcfilters, Shorewall-perl was generating an incorrect
netmask.
New Features in 4.2.8
1) The /usr/share/shorewall/modules and /usr/share/shorewall6/modules
files have been updated for iptables 1.4.3/kernel 2.6.29.
2009-03-19 Shorewall 4.2.7
Problems corrected in 4.2.7
1) Previously, the 'start' command set the permission flags on
/var/lib/shorewall*/state so that the file could be read by
non-root users, while the 'stop' command set the permissions such
that the file could not be read by those users.
Beginning with 4.2.7, both commands secure the file for
root-only access. If you want the file to be world-readable, then
add
chmod 744 <file name>
to your /etc/shorewall/started, /etc/shorewall/stopped and
/etc/shorewall/restored files (the file is only read, never executed,
so chmod 644 gives the same world access without the execute bit).
2) The 'shorewall6 dump' command now correctly displays the installed
version of Shorewall-perl. It also displays the IPv6 neighbor table
contents rather than the ARP table contents.
3) Under some circumstances, interface options like nosmurfs and
tcpflags would not be applied to forwarded traffic when using
Shorewall-perl.
4) The following rule was badly mis-handled:
DNAT- loc net:1.2.3.4:2525 tcp 25
The result:
WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
Can't call method "inet_htoa" without a package or object reference at
/usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
<$currentfile> line 459.
5) Previously, OPTIONS were not allowed with a bridge port in
/etc/shorewall/interfaces. That oversight has been corrected and
now the following OPTIONS are allowed:
blacklist
maclist
norfc1918
nosmurfs
routeback
tcpflags
6) Tuomo Soini provided a workaround patch for a problem seen in some
kernels (see FAQ 82) that caused 'shorewall start' to fail when
USE_DEFAULT_RT=Yes.
New Features in Shorewall 4.2.7
1) Prior to Shorewall version 3.0.0, rules generated by
/etc/shorewall/tunnels were traversed before those generated by
/etc/shorewall/rules. When SECTIONs were added to the rules file in
3.0.0, traversal of the tunnel rules was deferred until after those
generated by the NEW section of the rules file.
Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
where they started -- right before the first rule generated by the
NEW section of /etc/shorewall/rules.
2) To allow bypassing of connection tracking for certain traffic,
/etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.
Columns in the file are:
SOURCE - <zone>[:<interface>][:<address list>]
DEST - [<address list>]
PROTO - <protocol name or number>
DEST PORT(S) - <port number list>
SOURCE PORT(S) - <port number list>
USER/GROUP - [<user>][:<group>] (may only be specified if the
SOURCE <zone> is $FW)
Traffic that matches all given criteria will not be subject to
connection tracking. For such traffic, your policies and/or rules
must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.
Example:
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY
6to4 net
/etc/shorewall/notrack
#SOURCE            DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   USER/GROUP
net:!192.88.99.1   -      41
Because 192.88.99.1 is an anycast address, replies to outbound traffic
sent to it can come from many different hosts. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.
As part of this change, the 'show' command is enhanced to support a
'show raw' command that is an alias for 'show -t raw'. The raw
table is where NOTRACK rules are created. The dump command is also
enhanced to display the contents of the raw table.
3) Shorewall-perl supports three additional columns in the
/etc/shorewall/routestopped file:
PROTO -- Protocol name or number
DEST PORT(S) -- comma-separated list of service names and/or port
numbers
SOURCE PORT(S) -- comma-separated list of service names and/or port
numbers.
These columns are only meaningful when the "-f" option to
'shorewall stop' is used.
As part of this change, the "-f" option to the 'stop' and 'clear'
commands is now the default when FAST_STOP=Yes in shorewall.conf.
To override this default, use the "-s" option:
shorewall stop -s
Note that if you have entries with one or more of the new columns,
the -s option will result in warning messages.
gateway:~ # shorewall stop -s
Stopping Shorewall...
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
done.
gateway:~ #
4) Shorewall-perl now handles SOURCE PORT lists of more than 15
entries (the limit of the iptables multiport match) by breaking the
containing rule into multiple rules.
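The script below is an added illustration, not Shorewall code, of what the
/etc/shorewall/notrack entries described in item 2 amount to at the iptables
level, and of the port-list splitting item 4 describes: it prints the raw-table
rules corresponding to notrack entries, breaking a SOURCE PORT list that exceeds
the multiport limit of 15 into several rules. The zone-to-interface mapping in
zone_iface(), the function names and the sample entries other than the page's
6to4 line are invented for the demo, only IPv4 addresses are handled, and the
USER/GROUP column is ignored. Nothing is executed; the commands are only printed.

```shell
#!/bin/bash
# Added example, not Shorewall's own code: print the iptables raw-table rules
# that /etc/shorewall/notrack entries stand for, so the effect of bypassing
# connection tracking can be inspected before anything is applied.  Nothing
# is executed; the commands are only printed.  Source-port lists longer than
# the multiport match allows (15 ports, a range a:b counting as two) are split
# into several rules, as item 4 above describes for Shorewall-perl.
#
# Assumptions not taken from the page: the zone->interface mapping in
# zone_iface() is invented for the demo, address lists are IPv4 only, and the
# USER/GROUP column is ignored.

zone_iface() {
    # Hypothetical mapping; a real firewall takes it from /etc/shorewall/interfaces.
    case "$1" in
        net) echo eth0 ;;
        loc) echo eth1 ;;
        *)   return 1 ;;
    esac
}

# split_ports LIST [LIMIT]: print comma-separated groups whose multiport
# weight (1 per port, 2 per range) does not exceed LIMIT (default 15).
split_ports() {
    local list=$1 limit=${2:-15} group= weight=0 p w
    local IFS=,
    for p in $list; do
        case "$p" in *:*) w=2 ;; *) w=1 ;; esac
        if [ $((weight + w)) -gt "$limit" ]; then
            printf '%s\n' "$group"
            group= weight=0
        fi
        group=${group:+$group,}$p
        weight=$((weight + w))
    done
    if [ -n "$group" ]; then printf '%s\n' "$group"; fi
}

# port_match dport|sport LIST: plain --dport/--sport for a single port,
# the multiport match for a list.
port_match() {
    case "$2" in
        *,*) printf '%s' "-m multiport --${1}s $2" ;;
        *)   printf '%s' "--$1 $2" ;;
    esac
}

# notrack_rule SOURCE DEST PROTO DPORTS SPORTS: columns as in the notrack
# file, "-" meaning "any".  Prints one rule per source-port chunk.
notrack_rule() {
    local src=$1 dst=${2:--} proto=${3:--} dport=${4:--} sport=${5:--}
    local zone=${src%%:*} rest= iface= addr= chain base chunk
    [ "$src" != "$zone" ] && rest=${src#*:}
    case "$rest" in
        '')      ;;
        *:*)     iface=${rest%%:*}; addr=${rest#*:} ;;   # zone:iface:addr
        [0-9!]*) addr=$rest ;;                           # zone:addr
        *)       iface=$rest ;;                          # zone:iface
    esac
    if [ "$zone" = '$FW' ]; then
        chain=OUTPUT            # locally generated packets
    else
        chain=PREROUTING        # inbound packets, before conntrack sees them
        if [ -z "$iface" ]; then iface=$(zone_iface "$zone") || return 1; fi
    fi
    base="iptables -t raw -A $chain"
    [ -n "$iface" ] && base="$base -i $iface"
    case "$addr" in
        '') ;;
        !*) base="$base ! -s ${addr#!}" ;;   # leading "!" in the address list = exclusion
        *)  base="$base -s $addr" ;;
    esac
    [ "$dst" != - ] && base="$base -d $dst"
    [ "$proto" != - ] && base="$base -p $proto"
    [ "$dport" != - ] && base="$base $(port_match dport "$dport")"
    if [ "$sport" = - ]; then
        printf '%s -j NOTRACK\n' "$base"
    else
        split_ports "$sport" | while read -r chunk; do
            printf '%s %s -j NOTRACK\n' "$base" "$(port_match sport "$chunk")"
        done
    fi
}

# notrack_file: translate a whole file read on stdin (comments and blank lines skipped).
notrack_file() {
    local src dst proto dport sport rest
    while read -r src dst proto dport sport rest; do
        case "$src" in ''|'#'*) continue ;; esac
        notrack_rule "$src" "$dst" "$proto" "$dport" "$sport"
    done
}

# Constructed sample: the page's 6to4 entry plus two invented ones, the last
# with 17 source ports so the multiport split is visible.
notrack_file <<'EOF'
#SOURCE             DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  USER/GROUP
net:!192.88.99.1    -     41
loc:192.168.1.0/24  -     udp    53
$FW                 -     tcp    -             8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8010,8011,8012,8013,8014,8015,8016
EOF
```

The rules land in the raw table's PREROUTING chain (inbound) or OUTPUT chain
(traffic from $FW), which is why 'show raw' is the place to look at them: those
chains are traversed before connection tracking, and a packet marked NOTRACK
there never gets a conntrack entry. The practical consequence is the one the
text warns about: no ESTABLISHED or RELATED match will ever fire for such
traffic, so the reply direction needs its own explicit rule (or tunnels entry)
and every packet is evaluated by the NEW section of the rules file.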