diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 58d9f623d..e5a4b084a 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,11 @@ +Changes in 4.1.3 + +1) Fix NFLOG/ULOG upcasing problem. + +2) Fix STARTUP_LOG without LOG_VERBOSITY. + +3) Fix LOG_VERBOSITY without STARTUP_LOG. + Changes in 4.1.2 1) Enhanced Operational Logging diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index 97acd2ec1..dc342cc8a 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index a0e25669e..092149c35 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 36990d8f6..0b0212a93 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.1 Patch Release 2. +Shorewall 4.1 Patch Release 3. ---------------------------------------------------------------------------- R E L E A S E 4 . 1 H I G H L I G H T S 
@@ -10,217 +10,21 @@ Shorewall 4.1 Patch Release 2. 3) Enhanced operational logging -Problems corrected in Shorewall 4.1.2. +Problems corrected in Shorewall 4.1.3. -1) If any of the following files was missing, a harmless Perl warning - was issued: +1) If NFLOG or ULOG was specified with parameters, the resulting + iptables-restore input contained elements that were incorrectly + up-cased. - accounting - maclist - masq - nat - netmap - rfc1918 - routestopped - tunnels +2) If STARTUP_LOG is specified without LOG_VERBOSITY, /sbin/shorewall + produces an error. - This problem was experienced mostly by Debian users and users of - Debian derivatives such as Ubuntu. +3) If LOG_VERBOSITY is specified without STARTUP_LOG, run-time error + messages are produced. -2) The iptables utility doesn't retry operations that fail due to - resource shortage. Beginning with this release, Shorewall reruns - iptables when such a failure occurs. +Other changes in Shorewall 4.1.3. -3) Previously, Shorewall-perl did not accept log levels in upper case - (e.g., INFO). Log levels are treated in a case-insensitive manner - by Shorewall-perl. - -4) The column headers in macro files were not aligned. This has been - corrected, along with some inaccuracies in the macro.template file. - -5) The shorewall.conf files in the Samples did not contain some - recently-defined options. They are now up to date. - -6) The names of the Jabber macros were shuffled. They are now named - correctly. - -Other changes in Shorewall 4.1.2. - -1) Shorewall 4.1.2 contains enhanced operational logging capabilities - through a set of related enhancements to Shorewall-common and - Shorewall-perl. The enhancements are not supported by - Shorewall-shell nor are they supported by Shorewall-lite except - when the script is compiled using Shorewall-perl. - - a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives - the name of the Shorewall operational log. The log will be - created if it does not exist. 
- - b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives - the verbosity at which logging will occur. It uses the same - value range as VERBOSITY: - - -1 Do not log - 0 Almost quiet - 1 Only major steps - 2 Verbose - - c) An absolute VERBOSITY may be specified on the command line - using the -v option followed by -1,0,1 or 2. - - Example: - - shorewall -v2 check - - d) The /etc/init.d/shorewall script supplied with the - shorewall.net packages sets '-v0' as the default. This may be - overridden with the OPTIONS setting in /etc/defaults/shorewall or - /etc/sysconfig/shorewall. - - Logging occurs on both Shorewall-perl and the generated script when - the following commands are issued: - - start - restart - refresh - - Messages in the log are always timestamped. - - This change implemented two new options to the Shorewall-perl - compiler (/usr/share/shorewall-perl/compiler.pl). - - --log= - --log_verbosity={-1|0-2} - - The --log option is ignored when --log_verbosity is not supplied or - is supplied with value -1. - - To avoid a proliferation of parameters to - Shorewall::Compiler::compile(), that function has been changed to - use named parameters. Parameter names are: - - object Object file. If omitted or '', the - configuration is syntax checked. - directory Directory. If omitted or '', configuration - files are located using - CONFIG_PATH. Otherwise, the directory named by - this parameter is searched first. - verbosity Verbosity; range -1 to 2 - timestamp 0|1 -- timestamp messages. - debug 0|1 -- include stack trace in warning/error - messages. - export 0|1 -- compile for export. - chains List of chains to be reloaded by 'refresh'. - log File to log compiler messages to. - log_verbosity Log Verbosity; range -1 to 2. - - Those parameters that are supplied must have defined values. 
- - Defaults are: - - object '' ('check' command) - directory '' - verbosity 1 - timestamp 0 - debug 0 - export 0 - chains '' - log '' - log_verbosity -1 - - - Example: - - use lib '/usr/share/shorewall-perl/'; - use Shorewall::Compiler; - - compiler( object => '/root/firewall', - log => '/root/compile.log', - log_verbosity => 2 ); - -2) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero - mark values < 256 to be assigned in the OUTPUT chain. This has been - changed so that only high mark values may be assigned - there. Packet marking rules for traffic shaping of packets - originating on the firewall must be coded in the POSTROUTING table. - -3) Previously, Shorewall did not range-check the value of the - VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1.2: - - a) A VERBOSITY setting outside the range -1 through 2 is rejected. - b) After the -v and -q options are applied, the resulting value is - adjusted to fall within the range -1 through 2. - -4) The tcdevices file has been extended to include an OPTIONS - column. Currently only a single option is defined. - - classify When specified, you must use explicit CLASSIFY tcrules - to classify traffic by class. Shorewall will not create - any CLASSIFY rules to classify traffic by mark value. - - The 'classify' option should be specified when you want to do all - classification using CLASSIFY tcrules. Because CLASSIFY is not a - terminating target, every packet passes through all CLASSIFY - rules. 'classify' can prevent packets from having to pass through - useless additional rules. 
- - Example: - - /etc/shorewall/tcdevices - - #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS - $EXT_IF 1300kbit 384kbit classify - - /etc/shorewall/tcclasses - - #INTERFACE MARK RATE CEIL PRIORITY OPTIONS - $EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay - $EXT_IF 20 2*full/10 6*full/10 2 default - $EXT_IF 30 2*full/10 6*full/10 3 - - /etc/shorewall/tcrules - - #MARK SOURCE DEST PROTO PORT(S) SOURCE - # PORT(S) - 1:110 192.168.0.0/22 $EXT_IF - 1:130 206.124.146.177 $EXT_IF tcp - 873 - - This example shows my own simple traffic shaping configuration. I - have three classes; one for traffic from our local network, one for - rsync from the master shorewall.net server, and one for all other - DMZ traffic. I use CLASSIFY rules to assign traffic to the first - and third class and let the rest default to the second class. - -5) COMMENT lines are now supported in macro bodies by Shorewall-perl - and are ignored by the Shorewall-shell compiler. The standard - macros (with the exception of macro.Drop and macro.Reject) have - been modified to include a COMMENT line describing the macro. - - COMMENT lines in macros work slightly differently from COMMENT - lines in other files. COMMENT lines in macros are ignored if - COMMENT support is not available or if there was a COMMENT in use - when the top-level macro was invoked. This allows the - following: - - /usr/share/shorewall/macro.SSH: - - #ACTION SOURCE PROTO DEST SOURCE RATE USER/ - # PORT(S) PORT(S) LIMIT GROUP - COMMENT SSH - PARAM - - tcp 22 - - /etc/shorewall/rules: - - COMMENT Allow SSH from home - SSH/ALLOW net:$MYIP $FW - COMMENT - - The comment line in macro.SSH will not override the - COMMENT line in the rules file and the generated rule will show - - /* Allow SSH from home */ - - when displayed through the Shorewall show and dump commands. +None. Migration Issues. 
@@ -334,7 +138,7 @@ New Features in Shorewall 4.1. ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 -5) Shorewall-perl 4.1.0 implements an alternative syntax for macro +5) Shorewall-perl 4.1 implements an alternative syntax for macro parameters and for the NFQUEUE queue number. Rather than following the macro name (or NFQUEUE) with a slash ("/") and the parameter, the parameter may be enclosed in parentheses. 
@@ -346,3 +150,179 @@ New Features in Shorewall 4.1. The old syntax will still be accepted but will cease to be documented in some future Shorewall release. + +6) Shorewall 4.1 contains enhanced operational logging capabilities + through a set of related enhancements to Shorewall-common and + Shorewall-perl. The enhancements are not supported by + Shorewall-shell nor are they supported by Shorewall-lite except + when the script is compiled using Shorewall-perl. + + a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives + the name of the Shorewall operational log. The log will be + created if it does not exist. + + b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives + the verbosity at which logging will occur. It uses the same + value range as VERBOSITY: + + -1 Do not log + 0 Almost quiet + 1 Only major steps + 2 Verbose + + c) An absolute VERBOSITY may be specified on the command line + using the -v option followed by -1,0,1 or 2. + + Example: + + shorewall -v2 check + + d) The /etc/init.d/shorewall script supplied with the + shorewall.net packages sets '-v0' as the default. This may be + overridden with the OPTIONS setting in /etc/defaults/shorewall or + /etc/sysconfig/shorewall. + + Logging occurs on both Shorewall-perl and the generated script when + the following commands are issued: + + start + restart + refresh + + Messages in the log are always timestamped. + + This change implemented two new options to the Shorewall-perl + compiler (/usr/share/shorewall-perl/compiler.pl). + + --log= + --log_verbosity={-1|0-2} + + The --log option is ignored when --log_verbosity is not supplied or + is supplied with value -1. + + To avoid a proliferation of parameters to + Shorewall::Compiler::compile(), that function has been changed to + use named parameters. Parameter names are: + + object Object file. If omitted or '', the + configuration is syntax checked. + directory Directory. 
If omitted or '', configuration + files are located using + CONFIG_PATH. Otherwise, the directory named by + this parameter is searched first. + verbosity Verbosity; range -1 to 2 + timestamp 0|1 -- timestamp messages. + debug 0|1 -- include stack trace in warning/error + messages. + export 0|1 -- compile for export. + chains List of chains to be reloaded by 'refresh'. + log File to log compiler messages to. + log_verbosity Log Verbosity; range -1 to 2. + + Those parameters that are supplied must have defined values. + + Defaults are: + + object '' ('check' command) + directory '' + verbosity 1 + timestamp 0 + debug 0 + export 0 + chains '' + log '' + log_verbosity -1 + + + Example: + + use lib '/usr/share/shorewall-perl/'; + use Shorewall::Compiler; + + compiler( object => '/root/firewall', + log => '/root/compile.log', + log_verbosity => 2 ); + +7) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero + mark values < 256 to be assigned in the OUTPUT chain. This has been + changed so that only high mark values may be assigned + there. Packet marking rules for traffic shaping of packets + originating on the firewall must be coded in the POSTROUTING table. + +8) Previously, Shorewall did not range-check the value of the + VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1: + + a) A VERBOSITY setting outside the range -1 through 2 is rejected. + b) After the -v and -q options are applied, the resulting value is + adjusted to fall within the range -1 through 2. + +9) The tcdevices file has been extended to include an OPTIONS + column. Currently only a single option is defined. + + classify When specified, you must use explicit CLASSIFY tcrules + to classify traffic by class. Shorewall will not create + any CLASSIFY rules to classify traffic by mark value. + + The 'classify' option should be specified when you want to do all + classification using CLASSIFY tcrules. 
Because CLASSIFY is not a + terminating target, every packet passes through all CLASSIFY + rules. 'classify' can prevent packets from having to pass through + useless additional rules. + + Example: + + /etc/shorewall/tcdevices + + #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS + $EXT_IF 1300kbit 384kbit classify + + /etc/shorewall/tcclasses + + #INTERFACE MARK RATE CEIL PRIORITY OPTIONS + $EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay + $EXT_IF 20 2*full/10 6*full/10 2 default + $EXT_IF 30 2*full/10 6*full/10 3 + + /etc/shorewall/tcrules + + #MARK SOURCE DEST PROTO PORT(S) SOURCE + # PORT(S) + 1:110 192.168.0.0/22 $EXT_IF + 1:130 206.124.146.177 $EXT_IF tcp - 873 + + This example shows my own simple traffic shaping configuration. I + have three classes; one for traffic from our local network, one for + rsync from the master shorewall.net server, and one for all other + DMZ traffic. I use CLASSIFY rules to assign traffic to the first + and third class and let the rest default to the second class. + +10) COMMENT lines are now supported in macro bodies by Shorewall-perl + and are ignored by the Shorewall-shell compiler. The standard + macros (with the exception of macro.Drop and macro.Reject) have + been modified to include a COMMENT line describing the macro. + + COMMENT lines in macros work slightly differently from COMMENT + lines in other files. COMMENT lines in macros are ignored if + COMMENT support is not available or if there was a COMMENT in use + when the top-level macro was invoked. 
This allows the + following: + + /usr/share/shorewall/macro.SSH: + + #ACTION SOURCE PROTO DEST SOURCE RATE USER/ + # PORT(S) PORT(S) LIMIT GROUP + COMMENT SSH + PARAM - - tcp 22 + + /etc/shorewall/rules: + + COMMENT Allow SSH from home + SSH/ALLOW net:$MYIP $FW + COMMENT + + The comment line in macro.SSH will not override the + COMMENT line in the rules file and the generated rule will show + + /* Allow SSH from home */ + + when displayed through the Shorewall show and dump commands. diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index 17cca0357..b17e6d3a4 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.1.2 +%define version 4.1.3 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -243,6 +243,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Fri Dec 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.3-1 * Tue Nov 27 2007 Tom Eastep tom@shorewall.net - Updated to 4.1.2-1 * Wed Nov 21 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index b7276ae8b..07a388dab 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 9842ac3a7..4c41876f1 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { 
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 7911d85a9..109713524 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index baa5780b7..cfd23fd2a 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.1.2 +%define version 4.1.3 %define release 1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -98,6 +98,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Dec 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.3-1 * Tue Nov 27 2007 Tom Eastep tom@shorewall.net - Updated to 4.1.2-1 * Wed Nov 21 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index 0d63c0105..127842014 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index ff9622f82..0317dd91c 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm 
@@ -82,7 +82,11 @@ sub generate_script_1() { my $date = localtime; - emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#"; + if ( $config{COMPILER_TEST} ) { + emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#"; + } else { + emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#"; + } copy $globals{SHAREDIRPL} . 'prog.header'; @@ -138,9 +142,11 @@ sub generate_script_1() { emit ( '[ -n "${COMMAND:=restart}" ]', '[ -n "${VERBOSE:=0}" ]', qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]), - '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"', - qq(VERSION="$globals{VERSION}") , - qq(PATH="$config{PATH}") , + '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' ); + + emit ( qq(VERSION="$globals{VERSION}") ) unless $config{COMPILER_TEST}; + + emit ( qq(PATH="$config{PATH}") , 'TERMINATOR=fatal_error' , qq(DONT_LOAD="@dont_load") , qq(STARTUP_LOG="$config{STARTUP_LOG}") , diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 3a95ee2dd..255d1ff96 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -105,7 +105,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object Exporter::export_ok_tags('internal'); -our $VERSION = 4.1.2; +our $VERSION = 4.1.3; # # describe the current command, it's present progressive, and it's completion. @@ -253,14 +253,15 @@ sub initialize() { ORIGINAL_POLICY_MATCH => '', LOGPARMS => '', TC_SCRIPT => '', - VERSION => '4.1.2', + VERSION => '4.1.3', CAPVERSION => 40100 , ); # # From shorewall.conf file # %config = - ( STARTUP_ENABLED => undef, + ( COMPILER_TEST => undef, + STARTUP_ENABLED => undef, VERBOSITY => undef, # # Logging 
@@ -1799,6 +1800,7 @@ sub get_configuration( $ ) { $config{LOG_VERBOSITY} = -1; } + default_yes_no 'COMPILER_TEST' , ''; default_yes_no 'ADD_IP_ALIASES' , 'Yes'; default_yes_no 'ADD_SNAT_ALIASES' , ''; default_yes_no 'DETECT_DNAT_IPADDRS' , ''; diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh index d15a174a7..2ebf3cea8 100755 --- a/Shorewall-perl/install.sh +++ b/Shorewall-perl/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec index aa60edec6..fc9de2a71 100644 --- a/Shorewall-perl/shorewall-perl.spec +++ b/Shorewall-perl/shorewall-perl.spec @@ -1,5 +1,5 @@ %define name shorewall-perl -%define version 4.1.2 +%define version 4.1.3 %define release 1 Summary: Shoreline Firewall Perl-based compiler. @@ -64,6 +64,8 @@ rm -rf $RPM_BUILD_ROOT %doc COPYING releasenotes.txt %changelog +* Fri Dec 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.3-1 * Tue Nov 27 2007 Tom Eastep tom@shorewall.net - Updated to 4.1.2-1 * Wed Nov 21 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh index aab78cdfb..9fd0e9a2f 100755 --- a/Shorewall-shell/install.sh +++ b/Shorewall-shell/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.1.2 +VERSION=4.1.3 usage() # $1 = exit status { diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec index 64a90962a..da2f95810 100644 --- a/Shorewall-shell/shorewall-shell.spec +++ b/Shorewall-shell/shorewall-shell.spec @@ -1,5 +1,5 @@ %define name shorewall-shell -%define version 4.1.2 +%define version 4.1.3 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -81,6 +81,8 @@ fi %doc COPYING INSTALL %changelog +* Fri Dec 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.3-1 * Tue Nov 27 2007 Tom Eastep tom@shorewall.net - Updated to 4.1.2-1 * Wed Nov 21 2007 Tom Eastep tom@shorewall.net diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 3366d60b7..c2710ed39 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2007-12-05

+

2007-12-06


Table of Contents

@@ -141,15 +141,15 @@ is 3.4.7
href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/">updates. The current Development Release is -4.1.1. +4.1.2.
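Review bot: In Shorewall-common/releasenotes.txt, items 2 and 3 under "Problems corrected in Shorewall 4.1.3" are written in the present tense ("/sbin/shorewall produces an error", "run-time error messages are produced"), so they read as open problems rather than corrected ones. Item 1 uses the past tense ("contained elements that were incorrectly up-cased"). Suggest "produced an error" and "were produced" to match.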
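Review bot: In the text moved into "New Features in Shorewall 4.1" in Shorewall-common/releasenotes.txt, the example under item 6 calls compiler( object => '/root/firewall', ... ) while the paragraph above it names the function as Shorewall::Compiler::compile(). Since the block is being relocated anyway, make the example and the description agree. The same move carries over the IN-BANDWITH spelling in the tcdevices sample header (item 9) and "the POSTROUTING table" in item 7, where POSTROUTING is a chain.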
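Review bot: COMPILER_TEST, added to generate_script_1() in Shorewall-perl/Shorewall/Compiler.pm, has no comment and no entry in changelog.txt or releasenotes.txt, where "Other changes in Shorewall 4.1.3" reads "None." With the option set, the generated script gets neither the version and date in its header nor a VERSION= assignment, so it cannot be traced back to the compiler release that produced it. Please document what the option is for at the point of use or in the release notes. The if/else in the first hunk also repeats the whole header string. Appending the " $globals{VERSION} - $date" part conditionally would leave a single emit.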
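Review bot: In Shorewall-perl/Shorewall/Config.pm, our $VERSION = 4.1.3; is an unquoted literal with two dots, which Perl parses as a v-string rather than the text "4.1.3", while the %globals entry in initialize() is the quoted string VERSION => '4.1.3'. Quote the package version (our $VERSION = '4.1.3';) so both hold the same value, and consider setting one from the other so a release bump touches one line in this file. The new COMPILER_TEST => undef entry in %config and its default_yes_no 'COMPILER_TEST' , '' line in get_configuration() would also benefit from a one-line comment saying what the option does, since the surrounding entries sit under descriptive comment headers.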