Shorewall 2.0.3

----------------------------------------------------------------------

Problems Corrected since 2.0.2

1)  The 'firewall' script was not purging temporary restore files in
    /var/lib/shorewall. These files have names of the form
    "restore-nnnnn".

2)  The /var/lib/shorewall/restore script did not load the kernel
    modules specified in /etc/shorewall/modules.

3)  Specifying a null common action in /etc/shorewall/actions (e.g.,
    ":REJECT") resulted in a startup error.

4)  If /var/lib/shorewall did not exist, "shorewall start" failed.

5)  DNAT rules with a dynamic source zone did not work properly. When
    used, such a rule was checked against ALL input, not just input
    from the designated zone.

6)  The install.sh script reported installing some files in
    /etc/shorewall when the files were actually installed in
    /usr/share/shorewall.

7)  Shorewall checked netfilter capabilities before loading kernel
    modules, so if kernel module autoloading was not enabled the
    capabilities were misdetected.

8)  The 'newnotsyn' option in /etc/shorewall/hosts had no effect.

9)  The file /etc/init.d/shorewall now gets proper ownership when the
    RPM is built by a non-root user.

10) Rules that specify bridge ports in both the SOURCE and DEST columns
    no longer cause "shorewall start" to fail.

11) Comments in the rules file have been added to advise users that
    "all" in the SOURCE or DEST column does not affect intra-zone
    traffic.

12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
    passed through the blacklisting chains. Without this change, it was
    not possible to blacklist hosts that are mounting certain types of
    ICMP-based DoS attacks.

Problems corrected since 2.0.3:

1)  Non-empty entries in the /etc/shorewall/tcrules DEST column
    generated an error message and Shorewall failed to start.
----------------------------------------------------------------------

Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:

1)  The 'dropNonSyn' standard builtin action has been replaced with the
    'dropNotSyn' standard builtin action. The old name can still be
    used but will generate a warning.

----------------------------------------------------------------------

New Features:

1)  Shorewall now supports multiple saved configurations.

    a) The default saved configuration (restore script) in
       /var/lib/shorewall is now specified using the RESTOREFILE option
       in shorewall.conf. If this variable isn't set then, to maintain
       backward compatibility, 'restore' is assumed. The value of
       RESTOREFILE must be a simple file name; no slashes ("/") may be
       included.

    b) The "save" command has been extended to be able to specify the
       name of a saved configuration:

           shorewall save [ <file name> ]

       The current state is saved to /var/lib/shorewall/<file name>. If
       no <file name> is given, the configuration is saved to the file
       determined by the RESTOREFILE setting.

    c) The "restore" command has been extended to be able to specify
       the name of a saved configuration:

           shorewall restore [ <file name> ]

       The firewall state is restored from
       /var/lib/shorewall/<file name>. If no <file name> is given, the
       firewall state is restored from the file determined by the
       RESTOREFILE setting.

    d) The "forget" command has changed. Previously, the command
       unconditionally removed the /var/lib/shorewall/save file, which
       records the current dynamic blacklist. The "forget" command now
       leaves that file alone. Also, the "forget" command has been
       extended to be able to specify the name of a saved
       configuration:

           shorewall forget [ <file name> ]

       The file /var/lib/shorewall/<file name> is removed. If no
       <file name> is given, the file determined by the RESTOREFILE
       setting is removed.

    e) The "shorewall -f start" command restores the state from the
       file determined by the RESTOREFILE setting.

2)  "!" is now allowed in accounting rules.

3)  Interface names appearing within the configuration are now
    verified.
    Interface names must match the name of an entry in
    /etc/shorewall/interfaces (or, if bridging is enabled, they must
    match the name of an entry in /etc/shorewall/interfaces or the
    name of a bridge port appearing in /etc/shorewall/hosts).

4)  A new 'rejNotSyn' built-in standard action has been added. This
    action responds to "New not SYN" packets with an RST.

    The 'dropNonSyn' action has been superseded by the new 'dropNotSyn'
    action. The old name will be accepted until the next major release
    of Shorewall but will generate a warning.

    Several new logging actions involving "New not SYN" packets have
    been added:

        logNewNotSyn   -- logs the packet with disposition = LOG
        dLogNewNotSyn  -- logs the packet with disposition = DROP
        rLogNewNotSyn  -- logs the packet with disposition = REJECT

    The packets are logged at the log level specified in the
    LOGNEWNOTSYN option in shorewall.conf. If that option is empty or
    not specified, then 'info' is assumed.

    Examples (in all cases, set NEWNOTSYN=Yes in shorewall.conf):

    A: To simulate the behavior of NEWNOTSYN=No:

       a) Add 'NoNewNotSyn' to /etc/shorewall/actions.

       b) Create /etc/shorewall/action.NoNewNotSyn containing:

              dLogNotSyn
              dropNotSyn

       c) Early in your rules file, place:

              NoNewNotSyn   all   all   tcp

    B: Drop 'New not SYN' packets from the net only. Don't log them.

       a) Early in your rules file, place:

              dropNotSyn   net   all   tcp

5)  Slackware users no longer have to modify the install.sh script
    before installation. Tuomo Soini has provided a change that allows
    the INIT and FIREWALL variables to be specified outside the script,
    as in:

        DEST=/etc/rc.d INIT=rc.firewall ./install.sh
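The RESTOREFILE rule in the "multiple saved configurations" feature above (a simple file name, no "/" allowed) is what keeps "shorewall save", "shorewall restore" and "shorewall forget" operating on files inside /var/lib/shorewall rather than on an arbitrary path. As an added example that is not part of Shorewall's own scripts, the POSIX sh helper below resolves the file such a command would act on, applying the documented fallback (the name on the command line, else RESTOREFILE, else 'restore') and rejecting names that would escape the directory. The variable SHOREWALL_STATE_DIR and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Shorewall code: resolve the saved-configuration file
# that "shorewall save|restore|forget [ <file name> ]" would operate on.
# SHOREWALL_STATE_DIR is an assumed name; Shorewall 2.0.x uses
# /var/lib/shorewall for this directory.

SHOREWALL_STATE_DIR="${SHOREWALL_STATE_DIR:-/var/lib/shorewall}"

# valid_config_name NAME
# Succeeds when NAME is acceptable as a saved-configuration name:
# non-empty, containing no "/" (the RESTOREFILE rule from the release
# notes), and not "." or "..", which would name the state directory
# itself or its parent instead of a file inside it.
valid_config_name() {
    name=$1
    [ -n "$name" ] || return 1
    case "$name" in
        */* | . | ..) return 1 ;;
    esac
    return 0
}

# saved_config_path [NAME]
# Prints the absolute path of the saved configuration. With no NAME,
# falls back to $RESTOREFILE (the shorewall.conf setting), then to
# "restore" for backward compatibility, exactly as the notes describe.
# Fails with a message on stderr if the resolved name is invalid, so a
# caller never constructs a path outside SHOREWALL_STATE_DIR.
saved_config_path() {
    cfg=${1:-${RESTOREFILE:-restore}}
    if ! valid_config_name "$cfg"; then
        echo "ERROR: invalid saved configuration name: '$cfg'" >&2
        return 1
    fi
    printf '%s/%s\n' "$SHOREWALL_STATE_DIR" "$cfg"
}

# Example usage (the dynamic-blacklist file "save" is a name the notes
# say "forget" must now leave alone, so a caller would still special-case it):
#   saved_config_path            -> /var/lib/shorewall/restore
#   saved_config_path standard   -> /var/lib/shorewall/standard
#   saved_config_path ../foo     -> error, exit status 1
```

The two rejection cases matter because the resolved path is later executed ("restore") or deleted ("forget"): a name such as "../../etc/rc.d/rc.firewall" would otherwise let a mistyped or scripted argument act on a file outside the state directory.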