Shorewall 2.0.10 ---------------------------------------------------------------------- Problems Corrected in version 2.0.4 1) A DNAT rule with 'fw' as the source that specified logging caused "shorewall start" to fail. ---------------------------------------------------------------------- Problems Corrected in version 2.0.5 1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during "shorewll stop" in the case where DISABLE_IPV6=Yes in shorewall.conf. 2) An anachronistic reference to the mangle option was removed from shorewall.conf. ---------------------------------------------------------------------- Problems Corrected in version 2.0.6 1) Some users have reported the pkttype match option in iptables/ Netfilter failing to match certain broadcast packets. The result is that the firewall log shows a lot of broadcast packets. Other users have complained of the following message when starting Shorewall: modprobe: cant locate module ipt_pkttype Users experiencing either of these problems can use PKTTYPE=No in shorewall.conf to cause Shorewall to use IP address filtering of broadcasts rather than packet type. 2) The shorewall.conf and zones file are no longer given execute permission by the installer script. 3) ICMP packets that are in the INVALID state are now dropped by the Reject and Drop default actions. They do so using the new 'dropInvalid' builtin action. ----------------------------------------------------------------------- Problems Corrected in version 2.0.7 1) The PKTTYPE option introduced in version 2.0.6 is now used when generating rules to REJECT packets. Broadcast packets are silently dropped rather than being rejected with an ICMP (which is a protocol violation) and users whose kernels have broken packet type match support are likely to see messages reporting this violation. Setting PKTTYPE=No should cause these messages to cease. 2) Multiple interfaces with the 'blacklist' option no longer result in an error message at startup. 3) The following has been added to /etc/shorewall/bogons: 0.0.0.0 RETURN This prevents the 'nobogons' option from logging DHCP 'DISCOVER' broadcasts. ----------------------------------------------------------------------- New Features in version 2.0.7 1) To improve supportability, the "shorewall status" command now includes IP and Route configuration information. Example: IP Configuration 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo inet6 ::1/128 scope host 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff inet6 fe80::2a0:c9ff:fe15:3978/64 scope link 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link 5: sit0@NONE: mtu 1480 qdisc noop link/sit 0.0.0.0 brd 0.0.0.0 6: eth2: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff inet6 fe80::240:d0ff:fe07:3a1b/64 scope link 7: br0: mtu 1500 qdisc noqueue link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff inet 192.168.1.3/24 brd 192.168.1.255 scope global br0 inet6 fe80::240:d0ff:fe07:3a1b/64 scope link Routing Rules 0: from all lookup local 32765: from all fwmark ca lookup www.out 32766: from all lookup main 32767: from all lookup default Table local: broadcast 192.168.1.0 dev br0 proto kernel scope link src 192.168.1.3 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 local 192.168.1.3 dev br0 proto kernel scope host src 192.168.1.3 broadcast 192.168.1.255 dev br0 proto kernel scope link src 192.168.1.3 broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 Table www.out: default via 192.168.1.3 dev br0 Table main: 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3 default via 192.168.1.254 dev br0 Table default: ----------------------------------------------------------------------- Problems Corrected in version 2.0.8 1) User/group restricted rules now work in actions. ----------------------------------------------------------------------- Problems Corrected in version 2.0.9 1) Previously, an empty PROTO column or a value of "all" in that column would cause errors when processing the /etc/shorewall/tcrules file. New Fewatures in version 2.0.9 1) The "shorewall status" command now includes the output of "brctl show" if the bridge tools are installed. ----------------------------------------------------------------------- Problems corrected in version 2.0.10 1) The GATEWAY column was previously ignored in 'pptpserver' entries in /etc/shorewall/tunnels. 2) When log rule numbers are included in the LOGFORMAT, duplicate rule numbers could previously be generated. 3) The /etc/shorewall/tcrules file now includes a note to the effect that rule evaluation continues after a match. 4) The error message produced if Shorewall couldn't obtain the routes through an interface named in the SUBNET column of /etc/shorewall/masq was less than helpful since it didn't include the interface name.