diff --git a/Shorewall-common/diff-3.4-shorewall b/Shorewall-common/diff-3.4-shorewall index 8c20cc9a5..9b45171b7 100644 --- a/Shorewall-common/diff-3.4-shorewall +++ b/Shorewall-common/diff-3.4-shorewall @@ -1,5 +1,5 @@ --- /home/teastep/shorewall/branches/3.4/Shorewall/shorewall 2007-06-18 11:32:15.000000000 -0700 -+++ shorewall 2007-06-18 11:31:44.000000000 -0700 ++++ shorewall 2007-06-19 06:36:20.000000000 -0700 @@ -1305,7 +1305,7 @@ echo " stop" echo " status" @@ -20,3 +20,11 @@ if [ -f /usr/share/shorewall-perl/version ]; then echo "Shorewall-perl $(cat /usr/share/shorewall-perl/version)" fi +@@ -1534,6 +1538,7 @@ + [ $# -ne 1 ] && usage 1 + get_config + export NOROUTES ++ [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND + ;; + compile) diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall index 5e14f484c..c63e542ed 100755 --- a/Shorewall-common/shorewall +++ b/Shorewall-common/shorewall @@ -1538,6 +1538,7 @@ case "$COMMAND" in [ $# -ne 1 ] && usage 1 get_config export NOROUTES + [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND ;; compile) diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index a7582e906..5ccf4f362 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -905,11 +905,11 @@ sub ensure_config_path() { @config_path = split /:/, $config{CONFIG_PATH}; for ( @config_path ) { - $_ .= '/' unless m|//$|; + $_ .= '/' unless m|/$|; } if ( $shorewall_dir ) { - $shorewall_dir .= '/' unless $shorewall_dir =~ m|//$|; + $shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|; unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0]; } } diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 8e4825137..a73b7ee65 100644 --- a/Shorewall-perl/Shorewall/Rules.pm 
+++ b/Shorewall-perl/Shorewall/Rules.pm @@ -383,6 +383,8 @@ sub process_criticalhosts() { my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; + fatal_error "Unknown interface ($interface)" unless known_interface $interface; + $hosts = ALLIPv4 unless $hosts ne '-'; my @hosts; @@ -426,6 +428,8 @@ sub process_routestopped() { my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; + fatal_error "Unknown interface ($interface)" unless known_interface $interface; + $hosts = ALLIPv4 unless $hosts && $hosts ne '-'; my @hosts; diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 2155b4e1d..bc1fbb3e8 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -1789,6 +1789,15 @@ iptables: Invalid argument /lib/iptables/libipt_policy.so. + + + Beginning with Shorewall 3.4.0, Shorewall no longer attempts to + use policy match if you have no IPSEC zones and you have not specified + the option on any entry in + /etc/shorewall/hosts. The subject message will + still appear in your kernel log each time that Shorewall determines + the capabilities of your kernel/iptables. +
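Review bot: The Shorewall-common/diff-3.4-shorewall hunk hand-edits a stored diff (its `---`/`+++` headers point at the 3.4 branch checkout) to add a nested `@@ -1534,6 +1538,7 @@` hunk that mirrors the `.restore` change made directly in Shorewall-common/shorewall; regenerate this file from the two scripts instead of patching it by hand, so the timestamp header (`+++ shorewall 2007-06-19 06:36:20.000000000 -0700`) and the line offsets are guaranteed to match the real script rather than being maintained in two places.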
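Review bot: In the Shorewall-common/shorewall hunk, `[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore` leaves both expansions unquoted, so a VARDIR containing whitespace breaks the test and the assignment; write `[ -x "${VARDIR}/.restore" ] && FIREWALL="${VARDIR}/.restore"` (the unquoted `$FIREWALL` on the following `exec $SHOREWALL_SHELL $FIREWALL ...` line has the same problem). Because this branch then execs whatever that file contains, the line silently changes which script is run for this command whenever an executable `.restore` exists; a short comment saying why the saved script takes precedence over $FIREWALL here, and a check that VARDIR is root-owned and not writable by others before executing from it, would make the intent and the trust boundary explicit.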
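Review bot: The Config.pm fix is correct: `m|//$|` only matched a trailing double slash, so an entry that already ended in a single `/` received a second one, and `m|/$|` is what the `unless` was meant to test. One gap remains in the same loop: `split /:/, $config{CONFIG_PATH}` yields an empty string for an empty component (a leading, trailing or doubled colon), and `$_ .= '/'` then turns that into `/`, so the filesystem root quietly joins the configuration search path; drop empty elements (for example `grep { length } split /:/, $config{CONFIG_PATH}`) or report them with fatal_error.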
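Review bot: The line `fatal_error "Unknown interface ($interface)" unless known_interface $interface;` is added verbatim to both process_criticalhosts() and process_routestopped(), which parse the same routestopped file; a shared validation helper would keep the two from drifting. More importantly, confirm that known_interface accepts every interface spelling the routestopped file previously tolerated, including wildcard names such as `tun+` (one appears in the zone listing added to News.htm in this same commit); otherwise a configuration that compiled before this change will now abort with the new error.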
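Review bot: The new docs/FAQ.xml paragraph says "you have not specified the option on any entry in /etc/shorewall/hosts" without naming the option; check that the option name is present in the XML source (it may sit in inline markup that does not show here), because the sentence is meaningless without it. "The subject message" also relies on the reader seeing the FAQ heading; quoting the kernel log message inside the answer would let it stand alone.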
diff --git a/web/News.htm b/web/News.htm index d31dd02a9..d4eaddda5 100644 --- a/web/News.htm +++ b/web/News.htm @@ -24,10 +24,151 @@ href="GnuCopyright.htm" target="_self">GNU Free Documentation License”.

-

June 12, 2007
+

June 17, 2007


+

2006-06-17 Shorewall 3.4.4

+
Problems corrected in 3.4.4:
+
+1)  The commands "shorewall add <interface> <zone>" and "shorewall
+    delete <interface> <zone>" no longer produce spurious error
+    messages.
+
+2)  The command "shorewall delete <interface> <zone>" now actually deletes
+    entries when it successfully completes.  Previously, it would appear
+    to remove an entry, even when removing that entry should fail. 
+
+3)  Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.
+
+4)  When run as root, the 'shorewall load' and 'shorewall reload'
+    commands would fail if the LOGFILE setting in
+    /etc/shorewall/shorewall.conf specified a non-existant file.
+
+5)  Entries in /etc/shorewall/tcrules that specify both a source and
+    destination port fail with the following diagnostic:
+
+    iptables v1.3.3: multiport can only have one option
+
+6)  Previously, Shorewall-lite did not allow DHCP traffic through an
+    interface when the interface was a bridge with 'dhcp' specified
+    unless there was a bridge on the administrative system with the
+    same name.
+
+7)  SOURCE and DEST are now flagged as invalid zone name to avoid
+    problems with macros that use those names as keywords.
+
+8)  Previously, Shorewall could *increase* the MSS under some
+    circumstances. This possibility is now eliminated, provided that
+    the system has TCPMSS match support (be sure to update your
+    capabilities files!).
+
+9)  Firewall zone names other than 'fw' no longer cause a error when
+    IPSECFILE is not set or is set to 'ipsec'.
+
+10) The 'proxyarp' option on an interface was previously ignored when
+    the /etc/shorewall/proxyarp file was empty.
+
+11) Previously, if action 'a' was defined then the following 
+    rule generated an error:
+
+         a:        z1   z2      ...
+
+    The trailing ":" is now ignored.
+
+12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
+    generated error messages referred to the rule as a DROP rule.
+
+13) The 'nolock' keyword was previously ignored on several
+    /sbin/shorewall[-lite] commands. 
+
+Other changes in 3.4.4:
+
+1)  The accounting, masq, rules and tos files now have a 'MARK' column
+    similar to the column of the same name in the tcrules file. This
+    column allows filtering by MARK value.
+
+2)  The "shorewall show zones" command now flags zone members that have
+    been added using "shorewall add" by preceding them with a plus sign
+    ("+").
+
+    Example:
+
+    Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
+
+    fw (firewall)
+    net (ipv4)
+        eth0:0.0.0.0/0
+    loc (ipv4)
+        br0:0.0.0.0/0
+        eth4:0.0.0.0/0
+        eth5:0.0.0.0/0
+        +eth1:0.0.0.0/0
+    dmz (ipv4)
+        eth3:0.0.0.0/0
+    vpn (ipv4)
+        tun+:0.0.0.0/0
+
+    In the above output, "eth1:0.0.0.0/0" was dynamically added to the
+    'loc' zone. As part of this change, "shorewall delete" will only
+    delete entries that have been added dynamically. In earlier
+    versions, any entry could be deleted although the ruleset was only
+    changed by deleting entries that had been added dynamically.
+
+3)  Eariler generations of Shorewall Lite required that remote root
+    login via ssh be enabled in order to use the 'load' and 'reload'
+    commands.
+
+    Beginning with this release, you may define an alternative means
+    for accessing the remote firewall system.
+
+    Two new options have been added to shorewall.conf:
+
+        RSH_COMMAND
+        RCP_COMMAND
+
+    The default values for these are as follows:
+
+        RSH_COMMAND: ssh ${root}@${system} ${command}
+        RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
+
+    Shell variables that will be set when the commands are envoked are
+    as follows:
+
+       root  - root user. Normally 'root' but may be overridden using
+               the '-r' option.
+
+       system - The name/IP address of the remote firewall system.
+
+       command - For RSH_COMMAND, the command to be executed on the 
+                 firewall system.
+
+       files   - For RCP_COMMAND, a space-separated list of files to
+                 be copied to the remote firewall system.
+
+       destination - The directory on the remote system that the files 
+                     are to be copied into. 
+
+4)  You may now select the compiler to use on the command line using
+    the '-C' option. This option is available on the following
+    commands:
+
+        check
+        compile
+        export
+        load
+        reload
+        restart
+        start
+        try
+        safe-start
+        save-restart
+
+     Example:
+
+        shorewall try -C perl .
+
+

2006-06-12 New Host for www.shorewall.net and ftp.shorewall.net

I'm pleased to announce that Ty Christiansen and the folks at Master Mind
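Review bot: The new entry heading "2006-06-17 Shorewall 3.4.4" carries the wrong year: the sidebar line added just above reads "June 17, 2007", so it should be "2007-06-17" (the existing "2006-06-12" heading below has the same slip). Spelling in the added text: "non-existant" should be "non-existent", "Eariler" should be "Earlier", "envoked" should be "invoked", "a error" should be "an error", and "invalid zone name" should be "invalid zone names". The sample output under "Other changes" item 2 is headed "Shorewall 3.9.4 Zones", which will confuse readers of 3.4.4 release notes; re-capture or edit it to the released version. For the new RSH_COMMAND and RCP_COMMAND options, a sentence stating that `${command}` and `${files}` are expanded by the local shell before ssh/scp run would help administrators who substitute their own commands.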
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm
index 8e8f8a0a4..12fc93fed 100644
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
 license is included in the section entitled “GNU Free Documentation License”.

-

2007-06-15

+

2007-06-17


Table of Contents

@@ -103,17 +103,17 @@ Features page.

Current Shorewall Releases

The current -Stable Release version is  3.4.3
+Stable Release version is  3.4.4