shorewall_code/Shorewall2/releasenotes.txt

81 lines
2.7 KiB
Plaintext
Executable File

Shorewall 2.1.0
----------------------------------------------------------------------
Problems Corrected since 2.0.3
1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
error and Shorewall fails to start.
2) A potential security vulnerablilty in the way that Shorewall
handles temporary files and directories has been corrected.
3) Two problems with logging NAT rules (DNAT and REDIRECT) could cause
startup failures.
4) Some users have reported the pkttype match option in iptables/
Netfilter failing to match certain broadcast packets. The result
is that the firewall log shows a lot of broadcast packets.
Users experiencing this problem can use PKTTYPE=No in
shorewall.conf to cause Shorewall to use IP address filtering of
broadcasts rather than packet type.
Problems Corrected since 2.1.0
1) The "check" command fails with the following message:
iptables: No chain/target/match by that name
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
1) Shorewall configuration files except shorewall.conf are now empty
(they contain only comments). If you wish to retain the defaults
in any of the following files, you should copy these files before
upgrading them then restore them after the upgrade:
/etc/shorewall/zones
/etc/shorewall/policy
/etc/shorewall/tos
-----------------------------------------------------------------------
New Features:
1) ICMP packets that are in the INVALID state are now dropped by the
Reject and Drop default actions. They do so using the new
'dropInvalid' builtin action.
2) The /etc/shorewall/masq file INTERFACE column now allows additional
options.
Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT
rules defined in the /etc/shorewall/nat file. If you preceed the
interface name with a plus sign ("+") then the rule will be
evaluated before one-to-one NAT.
Examples:
+eth0
+eth1:192.0.2.32/27
Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an
entry by following the interface name by ":" but no digit.
Examples:
eth0:
eth1::192.0.2.32/27
+eth3:
3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
you to override the setting of ADD_IP_ALIASES=Yes by following the
interface name with ":" but no digit.
4) All configuration files in the Shorewall distribution are now
empty. In particular, the /etc/shorewall/zones,
/etc/shorewall/policy and /etc/shorewall/tos files now have no
active entries. Hopefully this will stop the questions on the
support and development lists regarding why the default entries
are the way they are.