Shorewall 3.1.8 Note to users upgrading from Shorewall 2.x or 3.0 Most problems associated with upgrades come from two causes: - The user didn't read and follow the migration considerations in these release notes. - The user mis-handled the /etc/shorewall/shorewall.conf file during upgrade. Shorewall is designed to allow the default behavior of the product to evolve over time. To make this possible, the design assumes that you will not replace your current shorewall.conf file during upgrades. If you feel absolutely compelled to have the latest comments and options in your shorewall.conf then you must proceed carefully. While you are at it, if you have a file named /etc/shorewall/rfc1918 then please check that file. If it has addresses listed that are NOT in one of these three ranges, then please rename the file to /etc/shorewall/rfc1918.old. 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Please see the "Migration Considerations" below for additional upgrade information. Problems Corrected in 3.1.8 1) Previously, startup errors occurred if the user had configured a network interface named 'inet'. 2) SUBSYSLOCK functionality has been restored. Other changes in 3.1.8 1) The sillyness having to do with running certain extension scripts at compile time has been eliminated. When a configuration is compiled, the scripts are copied unmodified (except for indentation) into the compiled program. Note: The /etc/shorewall/params file is still processed at compile-time. Migration Considerations: 1) A number of macros have been split into two. The macros affected are: IMAP LDAP NNTP POP3 SMTP Each of these macros now handles only traffic on the native (plaintext) port. There is a corresponding macro with S added to the end of the name for the SSL version of the same protocol. Thus each macro results in the insertion of only one port per invocation. The Web macro has not been split, but two new macros, HTTP and HTTPS have been created. The Web macro is deprecated in favour of these new macros, and may be removed from future Shorewall releases. These changes have been made to ensure no unexpected ports are opened due to the use of macros. 2) In previous Shorewall releases, DNAT and REDIRECT rules supported a special syntax for exclusion of a subnet from the effect of the rule. Example: Z2 is a subzone of Z1: DNAT Z1!Z2 loc:192.168.1.4 ... That syntax has never worked correctly when Z2 is a dynamic zone. Furthermore, now that Shorewall supports exclusion lists, the capability is redundant since the above rule can now be written in the form: DNAT Z1:! loc:192.168.1.4 ... Beginning with Shorewall 3.2.0, the special exclusion syntax will no longer be supported. 3) Important if you use the QUEUE target. In the /etc/shorewall/rules file and in actions, you may now specify 'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also requires that the SYN flag is set and the RST, FIN and ACK flags be off ("--syn" is added to the iptables rule). As part of this change, Shorewall no longer adds the "--syn" option to TCP rules that specify QUEUE as their target. New Features: 1) A new 'shorewall compile' command has been added. shorewall compile [ -e ] [ -d ] [ ]