forked from extern/shorewall_code
Update web site for 4.2.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9442 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a0c2371a5d
commit
8b75a2d996
@ -24,10 +24,13 @@ license is included in the section entitled <span
|
||||
href="GnuCopyright.htm" target="_self">GNU Free Documentation
|
||||
License</a></span>".
|
||||
</p>
|
||||
<p>January 22, 2009<br>
|
||||
<p>February 15, 2009<br>
|
||||
</p>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p><strong>2009-01-22 Shorewall 4.2.5</strong></p>
|
||||
<p><strong>2009-02-15 Shorewall 4.2.6</strong></p>
|
||||
<pre>Problems corrected in 4.2.6<br><br>1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample<br> configurations was incorrect with the result that this error<br> occurred on 'shorewall6 check' or 'shorewall6 start'.<br><br> ERROR: No IP zones defined<br><br>2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell<br> and Shorewall-perl to create invalid iptables commands. This has<br> been corrected but we still strongly recommend against that<br> setting; TCP_FLAGS_DISPOSITION=DROP is preferred.<br><br>3) Shorewall-perl was generating code that checked for state match<br> before kernel modules were loaded. This caused start/restart to<br> fail on systems without kernel module loading. <br><br>4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect.<br><br>5) If a service name is used in a port-mapping rule (a DNAT or<br> REDIRECT rule that changes the destination port), and if the<br> kernel and iptables include Extended Connection Match support, then<br> invalid iptables-restore input is produced by Shorewall-perl.<br><br>6) If iptables 1.4.1 or later was installed, Shorewall-perl generated<br> incorrect iptables-restore input if exclusion was used in the<br> ORIGINAL DEST field of a DNAT or REDIRECT rule.<br><br>7) On kernels earlier than 2.6.20, the 'shorewall show connections'<br> command fails.<br><br>New Feature in Shorewall 4.2.6<br><br>1) A BitTorrent32 macro has been added. This macro matches the<br> extended TCP port range used by BitTorrent 3.2 and later.<br><br>2) A new COUNT action has been added to Shorewall-perl. This action<br> creates an iptables (ip6tables) rule with no target. 
Connections<br> matching such a rule are simply counted and the packet is passed on<br> to the next rule.<br><br> Shorewall-shell ignores COUNT in actions and macros, thus allowing<br> the standard actions (action.Drop and action.Reject) to have a<br> COUNT rule as their first entry.<br><br>3) A new RESTORE_DEFAULT_ROUTE option has been added to<br> shorewall.conf. It is used to determine whether to restore the<br> default route saved when there are 'balance' providers defined but<br> all of them are down.<br><br> The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the<br> pre-4.2.6 behavior. <br><br> RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a<br> default route in the main table (USE_DEFAULT_RT=No) or in the<br> default table (USE_DEFAULT_RT=Yes) when there are no balance<br> providers available. In that case, RESTORE_DEFAULT_ROUTE=No<br> will cause any default route in the relevant table to be deleted.<br><br>4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's<br> database when trying to detect the gateway for an interface<br> ("detect" in the GATEAWAY column in /etc/shorewall/interfaces).<br><br> As part of this change, it is now permitted to specify 'detect'<br> when USE_DEFAULT_RT=Yes; in that case, the script will only detect<br> gateways for point-to-point devices and for devices configured by<br> dhcpcd.<br><br>5) Shorewall-perl now supports port inversion. A port number or list<br> of port numbers may be preceded by '!" which will cause the rule to<br> match all ports EXCEPT those listed:<br><br> Example: To blacklist 206.124.146.176 for all tcp ports except 80:<br><br> ADDRESS/SUBNET PROTO PORT(S)<br> 206.124.146.177 tcp !80<br><br>6) Shorewall-perl now supports protocol inversion. A protocol name or<br> number may be preceded by '!' 
to specify all protocols except the<br> one following '!'.<br><br> Example: To blacklist 206.124.146.176 for all protocols except <br> UDP:<br><br> ADDRESS/SUBNET PROTO PORT(S)<br> 206.124.146.177 !udp<br><br> Note that ports may not be specified when protocol inversion<br> is used.<br><br>7) When using Shorewall-perl, neither the 'start' nor 'started'<br> extension script is run during processing of the 'restore'<br> command. To allow extension of that command, we have added a<br> 'restored' extension script that runs at the successful completion<br> of 'restore'. This script is only available with Shorewall-perl.<br><br> With Shorewall-shell, both scripts are run during 'restore' but in<br> that case, the run_iptables() function does nothing. So any<br> run_iptables() calls in the 'start' script are effectively ignored.<br><br>8) Shorewall-perl now correctly handles 'here documents' quoting<br> (<<EOF .... EOF) in run-time extension scripts.<br><strong></strong></pre>
|
||||
<p><strong></strong><strong>2009-01-22 Shorewall 4.2.5</strong><br>
|
||||
</p>
|
||||
<p><strong></strong></p>
|
||||
<pre>Problems corrected in 4.2.5<br><br>1) If exclusion is used to define a zone in /etc/shorewall/hosts and<br> that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,<br> then Shorewall-perl can generate invalid iptables-restore input.<br><br>2) A bug in the Perl Cwd module (see<br> <a
|
||||
class="moz-txt-link-freetext"
|
||||
|
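Review bot: In the added 4.2.6 notes, the examples for new features 5 and 6 say they blacklist 206.124.146.176, but the sample rows under ADDRESS/SUBNET list 206.124.146.177; make the prose and the row agree so that a reader copying the blacklist entry blocks the intended host. In the same block, "GATEAWAY column" should read "GATEWAY", the quoting in '!" is mismatched (it should be '!' as in item 6), and the here-document text (<<EOF .... EOF) in item 8 puts a raw "<" inside the <pre>, which should be written as &lt;&lt;EOF so that browsers do not parse it as markup. The empty <strong></strong> pairs visible around the 4.2.5 heading and at the end of the 4.2.6 <pre> can be dropped.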
@ -48,7 +48,7 @@
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-02-02<br>
|
||||
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-02-15<br>
|
||||
</span>
|
||||
<h3><img alt="LFNW Logo" src="images/TotemCompletePlain.png"
|
||||
style="border: 0px solid ; width: 76px; height: 114px;">Plan to Attend
|
||||
@ -65,13 +65,13 @@ Shorewall team members Tom and Roberto will be there!<br>
|
||||
Stable Release</span><br>
|
||||
</div>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><span style="font-weight: bold;">4.2.5</span>
|
||||
<td style="vertical-align: top;"><span style="font-weight: bold;">4.2.6</span>
|
||||
(includes <a href="IPv6Support.html">IPv6 support.</a>)</td>
|
||||
<td style="vertical-align: top;"><a
|
||||
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.5/releasenotes.txt">Release
|
||||
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.6/releasenotes.txt">Release
|
||||
notes</a> </td>
|
||||
<td style="vertical-align: top;"><a
|
||||
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.5/known_problems.txt">Known
|
||||
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.6/known_problems.txt">Known
|
||||
Problems</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
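Review bot: The release number is hard-coded three times in this hunk (the bold 4.2.6 cell and the shorewall-4.2.6 path segment in both the releasenotes.txt and known_problems.txt hrefs), so every release needs three hand edits that can drift apart; consider generating this row from a single version value, or at least check that both links resolve before publishing. Both hrefs also use plain http:// to www1.shorewall.net; if that host serves HTTPS, link to it so the release notes and known-problems list cannot be altered in transit.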