Shorewall 3.1.5 Note to users upgrading from Shorewall 2.x or 3.0 Most problems associated with upgrades come from two causes: - The user didn't read and follow the migration considerations in these release notes. - The user mis-handled the /etc/shorewall/shorewall.conf file during upgrade. Shorewall is designed to allow the default behavior of the product to evolve over time. To make this possible, the design assumes that you will not replace your current shorewall.conf file during upgrades. If you feel absolutely compelled to have the latest comments and options in your shorewall.conf then you must proceed carefully. While you are at it, if you have a file named /etc/shorewall/rfc1918 then please check that file. If it has addresses listed that are NOT in one of these three ranges, then please rename the file to /etc/shorewall/rfc1918.old. 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Please see the "Migration Considerations" below for additional upgrade information. Problems Corrected in 3.1.5 1) Compilation has been speeded up by 10-15%. 2) Specifying a GATEWAY IP address in /etc/shorewall/providers no longer causes "shorewall [re]start to fail". Other changes in 3.1.5 1) Synonyms have been removed from the /sbin/shorewall command set. The 'generate' and 'reload' command have been removed. The 'reload' command has also been removed from the program generated by 'compile'. 2) Scripts compiled without the -e option are now more forgiving when run on systems with a different Shorewall version installed. If the installed version meets minimum version requirements, the script will run -- it no longer requires an exact match. That having been said, the minimum version required for scripts compiled with 3.1.5 is 3.1.5. I plan to add new features to the library (/usr/share/shorewall/functions) in advance of using them in compiled scripts so that scripts compiled on one version of Shorewall should be able to run on the next several newer minor releases. Migration Considerations: 1) A number of macros have been split into two. The macros affected are: IMAP LDAP NNTP POP3 SMTP Each of these macros now handles only traffic on the native (plaintext) port. There is a corresponding macro with S added to the end of the name for the SSL version of the same protocol. Thus each macro results in the insertion of only one port per invocation. The Web macro has not been split, but two new macros, HTTP and HTTPS have been created. The Web macro is deprecated in favour of these new macros, and may be removed from future Shorewall releases. These changes have been made to ensure no unexpected ports are opened due to the use of macros. 2) In previous Shorewall releases, DNAT and REDIRECT rules supported a special syntax for exclusion of a subnet from the effect of the rule. Example: Z2 is a subzone of Z1: DNAT Z1!Z2 loc:192.168.1.4 ... That syntax has never worked correctly when Z2 is a dynamic zone. Furthermore, now that Shorewall supports exclusion lists, the capability is redundant since the above rule can now be written in the form: DNAT Z1:! loc:192.168.1.4 ... Beginning with Shorewall 3.2.0, the special exclusion syntax will no longer be supported. New Features: 1) A new 'shorewall compile' command has been added. shorewall compile [ -e ] [ -d ] [ ]