This is a minor release of Shorewall.

Problems Corrected since version 1.4.9:

1. The column descriptions in the action.template file did not match the column headings. That has been corrected.

2. The presence of IPV6 addresses on devices generates error messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf.

3. The CONTINUE action in /etc/shorewall/rules now works correctly. A couple of problems involving rate limiting have been corrected. These bug fixes courtesy of Steven Jan Springl.

4. Shorewall now tries to avoid sending an ICMP response to broadcasts and smurfs.

5. Specifying "-" or "all" in the PROTO column of an action no longer causes a startup error.

6. Fixed a problem in which the firewall would encounter an error during startup while processing the /etc/shorewall/masq file.

7. Atheros WiFi cards were previously excluded from use with the "maclist" interface option.

8. (Fix from Steven Jan Springl) In the /etc/shorewall/masq entry

    eth0:!10.1.1.150  0.0.0.0/0!10.1.0.0/16     10.1.2.16

   the !10.1.0.0/16 is ignored.

9. A startup error occurs if the USER/GROUP column of the tcrules file is empty.

10. The following syntax previously produced a startup error:

    DNAT z1!z2,z3 z4:...

    That has been corrected so that multiple excluded zones may now be listed in a DNAT or REDIRECT rule.

11. Use of user-defined actions frequently resulted in a WARNING that the rule was a policy.

12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and IPSEC has been corrected!!

13. The rfc1918 file has been updated.

14. An exploitable vulnerability that allows local non-root users to cause arbitrary files to be overwritten has been eliminated.

15. The security vulnerability fix failed under Slackware 9.1.

Migration Issues:

None.

New Features:

1) The INTERFACE column in the /etc/shorewall/masq file may now specify a destination list.

   Example:

    #INTERFACE                      SUBNET   ADDRESS
    eth0:192.0.2.3,192.0.2.16/28    eth1

   If the list begins with "!" then SNAT will occur only if the destination IP address is NOT included in the list.

2) Output traffic control rules (those with the firewall as the source) may now be qualified by the effective userid and/or effective group id of the program generating the output. This feature is courtesy of Frédéric LESPEZ.

   A new USER column has been added to /etc/shorewall/tcrules. It may contain: []:[]

   The colon is optional when specifying only a user.

   Examples: john: / john / :users / john:users

3) A "detectnets" interface option has been added for entries in /etc/shorewall/interfaces. This option automatically tailors the definition of the zone named in the ZONE column to include just those hosts that have routes through the interface named in the INTERFACE column. The named interface must be UP when Shorewall is [re]started.

   WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
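
For the USER column described in new feature 2, the following is an added illustration and not Shorewall's own code: a hypothetical helper, user_column_to_owner_match, that splits the four example forms into user and group and prints the iptables owner-match options that express the same restriction. It assumes the column maps to "-m owner --uid-owner/--gid-owner", treats "-" as an empty column, and rejects names containing characters outside a conservative set so a tcrules entry cannot smuggle extra arguments into the generated command.

```shell
#!/bin/sh
# Added example, not part of Shorewall. The function name is hypothetical.
# Input:  one USER column value ("john:", "john", ":users", "john:users").
# Output: iptables owner-match options on stdout; non-zero status if invalid.
user_column_to_owner_match() {
    spec=$1

    # An empty column (or the "-" placeholder, an assumption here) means
    # the rule is not qualified by user or group at all.
    case $spec in
        ''|-) return 0 ;;
    esac

    # Split on the first colon; the colon is optional for a user alone.
    case $spec in
        *:*) user=${spec%%:*}; group=${spec#*:} ;;
        *)   user=$spec;       group= ;;
    esac

    # Reject anything that is not a plain name or number. This also
    # catches a second colon, whitespace and shell metacharacters.
    case $user$group in
        ''|*[!A-Za-z0-9._-]*)
            echo "invalid USER column: $spec" >&2
            return 1 ;;
    esac

    opts="-m owner"
    if [ -n "$user" ]; then opts="$opts --uid-owner $user"; fi
    if [ -n "$group" ]; then opts="$opts --gid-owner $group"; fi
    echo "$opts"
}

# Constructed sample values taken from the examples in the release notes.
for sample in 'john:' 'john' ':users' 'john:users'; do
    printf '%-12s -> %s\n' "$sample" "$(user_column_to_owner_match "$sample")"
done
```

The owner match is only meaningful for locally generated packets, which is consistent with the feature being limited to rules that have the firewall as the source.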