shorewall_code/Shorewall/releasenotes.txt
2009-03-02 03:25:16 +00:00

163 lines
6.0 KiB
Plaintext

Shorewall 4.3.7
Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
released late in 2009.
----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S
----------------------------------------------------------------------------
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
has been combined with Shorewall-common to produce a single
Shorewall package.
2) The interfaces file OPTIONs have been extended to largely remove the
need for the hosts file.
3) It is now possible to define PREROUTING and OUTPUT marking rules
that cause new connections to use the same provider as an existing
connection of the same kind.
----------------------------------------------------------------------------
M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
1) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
'shorewall6 clear' commands no longer read the 'routestopped'
file. The 'routestopped' file used is the one that was present at
the last 'start', 'restart' or 'restore' command.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 7
----------------------------------------------------------------------------
1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
and 4.3 versions.
The problem:
a) Only occurs when there are more than one non-firewall zone.
b) Results in the following interface options not being applied to
forwarded traffic.
blacklist
dhcp
maclist (when MACLIST_TABLE=filter)
norfc1918
nosmurfs
tcpflags
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 3 . 6
----------------------------------------------------------------------------
1) The file /var/lib/shorewall/.restore has been renamed to
/var/lib/shorewall/firewall. A similar change has been made in
Shorewall6.
When a successful start or restart is completed, the script that
executed the command copies itself to to /var/lib/shorewall[6/firewall.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
----------------------------------------------------------------------------
1) The Shorewall packaging has been completely revamped in Shorewall
4.3.
The new packages are:
- Shorewall. Includes the former Shorewall-common and
Shorewall-perl packages. Includes everything needed
to create an IPv4 firewall.
- Shorewall6. Requires Shorewall. Adds the components necessary to
create an IPv6 firewall.
- Shorewall-lite
May be installed on a firewall system to run
IPv4 firewall scripts generated by Shorewall.
- Shorewall6-lite
May be installed on a firewall system to run
IPv6 firewall scripts generated by Shorewall.
2) The interfaces file supports a new 'nets=' option. This option
allows users to restrict a zone's definition to particular networks
through an interface without having to use the hosts file.
Example interfaces file:
#ZONE INTERFACE BROADCAST OPTIONS
loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
loc tun+ detect nets=172.20.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Note that when more than one network address is listed, the list
must be enclosed in parentheses. Notice also that exclusion may be
used.
The first entry in the above interfaces file is equivalent to the
following:
interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect dhcp,logmartians=1,routefilter=1
hosts:
#ZONE HOST(S) OPTIONS
loc $INT_IF:192.20.1.0/24 broadcast
Note that the 'broadcast' option is automatically assumed and need
not be explicitly specified.
3) Some websites run applications that require multiple connections
from a client browser. Where multiple 'balanced' providers are
configured, this can lead to problems when some of the connections
are routed through one provider and some through another.
To work around this issue, the SAME target has been added to
/etc/shorewall/tcrules. SAME may be used in the PREROUTING and
OUTPUT chains. When used in PREROUTING, it causes matching
connections from an individual local system to all use the same
provider.
For example:
SAME:P 192.168.1.0/24 - tcp 80,443
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
443 and it has sent a packet on either of those ports in the last
five minutes then the new connection will use the same provider as
the connection over which that last packet was sent.
When used in the OUTPUT chain, it causes all matching connections
to an individual remote system to all use the same provider.
For example:
SAME $FW - tcp 80,443
If the firewall attempts a connection on TCP port 80 or
443 and it has sent a packet on either of those ports in the last
five minutes to the same remote system then the new connection will
use the same provider as the connection over which that last packet
was sent.
Important note: SAME only works with providers that have the
'track' option specified in /etc/shorewall/providers.