Shorewall 2.3.0

-----------------------------------------------------------------------
Problems corrected in version 2.3.0

None.

-----------------------------------------------------------------------
New Features in version 2.3.0

1) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
   facility in Netfilter. Like all owner match options, 'cmd-owner' may
   only be applied to traffic that originates on the firewall.

   The syntax of the USER/GROUP column in the following files has been
   extended:

	/etc/shorewall/accounting
	/etc/shorewall/rules
	/etc/shorewall/tcrules
	/usr/share/shorewall/action.template

   To specify a command, prefix the command name with "+".

   Examples:

	+mozilla-bin		#The program is named "mozilla-bin"
	joe+mozilla-bin		#The program is named "mozilla-bin" and
				#is being run by user "joe"
	joe:users+mozilla-bin	#The program is named "mozilla-bin" and
				#is being run by user "joe" with 
				#effective group "users".

   Note that this is not a particularly robust feature and I would
   never advertise it as a "Personal Firewall" equivalent. The owner
   match compares only the command name that the kernel recorded when
   the program was executed (the last component of the path it was run
   as), not the program itself, so using symbolic links it's easy to
   alias command names to be anything you want.
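   The following shell script is an added illustration of that caveat;
   it is not part of Shorewall or of these release notes. It assumes a
   Linux host with /proc mounted, uses 'sleep' as a stand-in for any
   network client, and borrows the command name "mozilla-bin" from the
   examples above.

```shell
# Added example (not Shorewall's code): show why 'cmd-owner' is easy to evade.
# The owner match compares the command name the kernel recorded at exec time,
# which is the last component of the path the program was run as, not the
# real binary. Any program can therefore be renamed with a symbolic link.
comm_name_via_symlink() {
    dir=$(mktemp -d) || return 1
    # 'sleep' stands in for any network client; the link name is arbitrary.
    ln -s "$(command -v sleep)" "$dir/mozilla-bin" || { rm -rf "$dir"; return 1; }
    "$dir/mozilla-bin" 30 &
    pid=$!
    sleep 1   # give the child time to exec before reading its command name
    # /proc/PID/comm is the kernel's recorded command name for the process
    name=$(cat "/proc/$pid/comm" 2>/dev/null)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    printf '%s\n' "$name"
}

# A rule written for "+mozilla-bin" would match this process even though the
# binary behind it is sleep (or, in practice, whatever the user chose to run).
echo "command name seen by the owner match: $(comm_name_via_symlink)"
```

   The script prints "mozilla-bin", the name a USER/GROUP entry of
   "+mozilla-bin" would accept, although nothing about the process is
   actually Mozilla. Treat 'cmd-owner' as a convenience for well-behaved
   local software, not as a control against a user who wants around it.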

2) Support has been added for ipsets
   (see http://people.netfilter.org/kadlec/ipset/).

   In most places where a host or network address may be used, you may
   also use the name of an ipset prefaced by "+". 

	Example: "+Mirrors"

   The name of the set may be optionally followed by: 
   
   a) a number from 1 to 6 enclosed in square brackets ([]) -- this
   number indicates the maximum number of ipset binding levels that 
   are to be matched. Depending on the context where the ipset name 
   is used, either all "src" or all "dst" matches will be used.
   
	Example: "+Mirrors[4]"

   b) a series of "src" and "dst" options separated by commas and
   enclosed in square brackets ([]). These will be passed directly
   to iptables in the generated --set clause. See the ipset
   documentation for details. 

	Example: "+Mirrors[src,dst,src]"
   
   Note that "+Mirrors[4]" used in the SOURCE column of the rules 
   file is equivalent to "+Mirrors[src,src,src,src]".

   To generate a negative match, prefix the "+" with "!" as in
   "!+Mirrors".
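   The shell function below is an added example, not Shorewall's own
   code, that carries the rules above through to the iptables clause
   they produce: a bare name becomes a single "src" or "dst" match for
   the column it appears in, "[n]" repeats that direction n times,
   "[src,dst,...]" is passed through after checking each token, and a
   leading "!" negates the match. The exact "-m set ! --set" spelling
   of the negated form is an assumption about the iptables of the day;
   the set names are the ones from the examples.

```shell
# Added example (not Shorewall's code): translate a Shorewall ipset
# specification such as "+Mirrors[4]" or "!+Mirrors[src,dst]" into the
# iptables set-match clause it stands for.
#   $1  the specification from a SOURCE/DEST/ADDRESS column
#   $2  the direction that column implies: "src" or "dst"
shorewall_set_match() {
    spec=$1; dir=$2; neg=''
    case $spec in
        '!'*) neg='! '; spec=${spec#!} ;;      # negated match
    esac
    case $spec in
        +*) spec=${spec#+} ;;
        *)  echo "not an ipset specification: $1" >&2; return 1 ;;
    esac
    name=${spec%%\[*}                         # set name before any "["
    opts=''
    case $spec in
        *\[*\]) opts=${spec#*\[}; opts=${opts%\]} ;;   # text inside "[...]"
    esac
    case $opts in
        '')    flags=$dir ;;                  # "+Mirrors" -> one level
        [1-6]) flags=$dir; i=1                # "+Mirrors[4]" -> src,src,src,src
               while [ "$i" -lt "$opts" ]; do
                   flags="$flags,$dir"; i=$((i + 1))
               done ;;
        *)     # explicit list: only src/dst are legal, anything else is an error
               for t in $(printf '%s' "$opts" | tr ',' ' '); do
                   case $t in
                       src|dst) ;;
                       *) echo "bad ipset option '$t' in $1" >&2; return 1 ;;
                   esac
               done
               flags=$opts ;;
    esac
    # Assumed negation syntax: "-m set ! --set NAME FLAGS"
    printf '%s set %s--set %s %s\n' '-m' "$neg" "$name" "$flags"
}

# Usage: the SOURCE column implies "src", the DEST column "dst".
shorewall_set_match '+Mirrors[4]' src          # -m set --set Mirrors src,src,src,src
shorewall_set_match '+Mirrors[src,dst,src]' dst
shorewall_set_match '!+Mirrors' dst             # -m set ! --set Mirrors dst
shorewall_set_match '+Blacklist[src,dst]' src   # as used in the blacklist example
```

   Note that an explicit list such as "[src,dst,src]" is used verbatim
   whichever column it appears in, while a count such as "[4]" takes
   its direction from the column, which is why "+Mirrors[4]" in SOURCE
   equals "+Mirrors[src,src,src,src]".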

   Example 1: Blacklist all hosts in an ipset named "blacklist"

	   /etc/shorewall/blacklist

	   #ADDRESS/SUBNET         PROTOCOL        PORT
	   +blacklist

   Example 2: Allow SSH from all hosts in an ipset named "sshok"

	   /etc/shorewall/rules

	   #ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
	   ACCEPT       +sshok      fw       tcp      22

   Shorewall can automatically manage the contents of your ipsets for
   you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
   then "shorewall save" will save the contents of your ipsets. The file
   where the sets are saved is formed by taking the name where the
   Shorewall configuration is stored and appending "-ipsets". So if you
   enter the command "shorewall save standard" then your Shorewall
   configuration will be saved in /var/lib/shorewall/standard and your
   ipset contents will be saved in /var/lib/shorewall/standard-ipsets.

   Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
   and "shorewall restore" commands will restore the ipset contents
   corresponding to the Shorewall configuration restored provided that
   the saved Shorewall configuration specified exists.

   For example, "shorewall restore standard" would restore the ipset
   contents from /var/lib/shorewall/standard-ipsets provided that
   /var/lib/shorewall/standard exists and is executable and that
   /var/lib/shorewall/standard-ipsets exists and is executable.

   Also regardless of the setting of SAVE_IPSETS, the "shorewall forget"
   command will purge the saved ipset information (if any) associated
   with the saved shorewall configuration being removed.

   You can also associate ipset contents with Shorewall configuration
   directories using the following command:

       ipset -S > <config directory>/ipsets

   Example:

       ipset -S > /etc/shorewall/ipsets

   When you start or restart Shorewall (including using the 'try'
   command) from the configuration directory, your ipsets will be
   configured from the saved ipsets file. Once again, this behavior is
   independent of the setting of SAVE_IPSETS.

   Ipsets are well suited for large blacklists. You can maintain your
   blacklist using the 'ipset' utility without ever having to restart
   or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
   sure to "shorewall save" after altering the blacklist ipset(s). 

   Example /etc/shorewall/blacklist:

   #ADDRESS/SUBNET         PROTOCOL        PORT
   +Blacklist[src,dst]
   +Blacklistnets[src,dst]

   Create the blacklist ipsets using:

	  ipset -N Blacklist iphash
	  ipset -N Blacklistnets nethash

   Add entries

       ipset -A Blacklist 206.124.146.177
       ipset -A Blacklistnets 206.124.146.0/24

   To block only individual ports for an address, bind the address to a
   port set (the "dst" binding level declared above is what makes the
   port bind effective):

       ipset -N SMTP portmap --from 1 --to 31
       ipset -A SMTP 25

       ipset -A Blacklist 206.124.146.177
       ipset -B Blacklist 206.124.146.177 -b SMTP

   Now only port 25 will be blocked from 206.124.146.177.