Shorewall 3.2.0 Beta 2. Note to users upgrading from Shorewall 2.x or 3.0 Most problems associated with upgrades come from two causes: - The user didn't read and follow the migration considerations in these release notes. - The user mis-handled the /etc/shorewall/shorewall.conf file during upgrade. Shorewall is designed to allow the default behavior of the product to evolve over time. To make this possible, the design assumes that you will not replace your current shorewall.conf file during upgrades. If you feel absolutely compelled to have the latest comments and options in your shorewall.conf then you must proceed carefully. While you are at it, if you have a file named /etc/shorewall/rfc1918 then please check that file. If it has addresses listed that are NOT in one of these three ranges, then please rename the file to /etc/shorewall/rfc1918.old. 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Please see the "Migration Considerations" below for additional upgrade information. Problems Corrected in 3.2.0 Beta 2 1) The Makefile is now sensitive to the RESTOREFILE variable if that variable is defined at make time. The /sbin/shorewall script has been updated to define RESTOREFILE when it invokes 'make' during processing of the "shorewall start -f" command. 2) Code involving SUBSYSLOCK has been removed from the default and Debian program footers. SUBSYSLOCK only applies to programs installed in /etc/init.d/. Other changes in 3.2.0 Beta 2 1) A 'refreshed' extension script has been added -- it is executed after "shorewall refresh" has finished. 2) Two new dynamic blacklisting commands have been added: logdrop -- like 'drop' but causes the dropped packets to be logged. logreject -- like 'reject' but causes the rejected packets to be logged. Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the last "shorewall [re]start"; otherwise, they are logged at the 'info' log level. Migration Considerations: 1) A number of macros have been split into two. The macros affected are: IMAP LDAP NNTP POP3 SMTP Each of these macros now handles only traffic on the native (plaintext) port. There is a corresponding macro with S added to the end of the name for the SSL version of the same protocol. Thus each macro results in the insertion of only one port per invocation. The Web macro has not been split, but two new macros, HTTP and HTTPS have been created. The Web macro is deprecated in favour of these new macros, and may be removed from future Shorewall releases. These changes have been made to ensure no unexpected ports are opened due to the use of macros. 2) In previous Shorewall releases, DNAT and REDIRECT rules supported a special syntax for exclusion of a subnet from the effect of the rule. Example: Z2 is a subzone of Z1: DNAT Z1!Z2 loc:192.168.1.4 ... That feature has never worked correctly when Z2 is a dynamic zone. Furthermore, now that Shorewall supports exclusion lists, the capability is redundant since the above rule can now be written in the form: DNAT Z1:! loc:192.168.1.4 ... Beginning with Shorewall 3.2.0, the special exclusion syntax will no longer be supported. 3) Important if you use the QUEUE target. In the /etc/shorewall/rules file and in actions, you may now specify 'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also requires that the SYN flag is set and the RST, FIN and ACK flags be off ("--syn" is added to the iptables rule). As part of this change, Shorewall no longer adds the "--syn" option to TCP rules that specify QUEUE as their target. New Features: 1) Shorewall has always been very noisy (lots of messages). No longer. You set the default level of verbosity using the VERBOSITY option in shorewall.conf. If you don't set it (as would be the case of you use your old shorewall.conf file) then VERBOSITY defaults to a value of 2 which is the old default. A value of 1 suppresses some of the output (like the old -q option did) while a value of 0 makes Shorewall almost silent. A value of -1 suppresses all output except warning and error messages. The value specified in the 3.2 shorewall.conf is 1. So you can make Shorewall as verbose as previously using a single -v and you can make it silent by using a single -q. If the default is set at 2, you can still make a command silent by using two "q"s (e.g., shorewall -qq restart). In summary, each "q" subtracts one from VERBOSITY while each "v" adds one to VERBOSITY. The "shorewall show log", "shorewall logwatch" and "shorewall dump" commands require VERBOSITY to be greater than or equal to 3 to display MAC addresses.This is consistent with the previous implementation which required a single -v to enable MAC display but means that if you set VERBOSITY=0 in shorewall.conf, then you will need to include -vvv in commands that display log records in order to have MACs displayed. 2) A new 'shorewall compile' command has been added. shorewall compile [ -e ] [ -d ] [ ]