Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-01-20 12:34:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
 and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-01-14 11:45:00.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-01-20 12:37:07.000000000 +0100 @@ -1,0 +2,13 @@ +Sat Jan 17 12:07:10 UTC 2015 - tog...@opensuse.org + +- Update to version 4.6.6 For more details see changlelog.txt and + releasenotes.txt As there are many new features with this release + please consult the mentioned files. + + * Previously, a line beginning with 'shell' was interpreted as a + shell script. Now, the line must begin with 'SHELL' + (case-sensitive). + + Note that ?SHELL and BEGIN SHELL are still case-insensitive. + +------------------------------------------------------------------- Old: ---- shorewall-4.6.5.5.tar.bz2 shorewall-core-4.6.5.5.tar.bz2 shorewall-docs-html-4.6.5.5.tar.bz2 shorewall-init-4.6.5.5.tar.bz2 shorewall-lite-4.6.5.5.tar.bz2 shorewall6-4.6.5.5.tar.bz2 shorewall6-lite-4.6.5.5.tar.bz2 New: ---- shorewall-4.6.6.tar.bz2 shorewall-core-4.6.6.tar.bz2 shorewall-docs-html-4.6.6.tar.bz2 shorewall-init-4.6.6.tar.bz2 shorewall-lite-4.6.6.tar.bz2 shorewall6-4.6.6.tar.bz2 shorewall6-lite-4.6.6.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.GA5q2i/_old 2015-01-20 12:37:13.000000000 +0100 +++ /var/tmp/diff_new_pack.GA5q2i/_new 2015-01-20 12:37:13.000000000 +0100 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.5.5 +Version: 4.6.6 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.5/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM tog...@opensuse.org Shorewall-lite init.suse.sh Required Stop ++++++ shorewall-4.6.5.5.tar.bz2 -> shorewall-4.6.6.tar.bz2 ++++++ ++++ 3072 lines of diff (skipped) ++++++ shorewall-core-4.6.5.5.tar.bz2 -> shorewall-core-4.6.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/changelog.txt new/shorewall-core-4.6.6/changelog.txt --- old/shorewall-core-4.6.5.5/changelog.txt 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/changelog.txt 2015-01-15 16:45:36.000000000 +0100 @@ -1,19 +1,48 @@ -Changes in 4.6.5.5 +Changes in 4.6.6 Final 1) Update release documents. -2) Fix Shorewall-init VARDIR => VARLIB in the ifupdown scripts. +2) Apply Tuomo Soini's fix for Shorewall-init. -Changes in 4.6.5.4 +3) Make leading 'SHELL' case sensitive. + +Changes in 4.6.6 RC 1 + +1) Update release documents. + +2) Add 'primary' provider option. + +3) Correct ipset names in port columns. + +Changes in 4.6.6 Beta 3 1) Update release documents. -2) Correct handling of ipset names in PORT columns. +2) Add the 'loopback' interface option. + +3) Use 'Iface match' for loopback interfaces where practical. + +Changes in 4.6.6 Beta 2 + +1) Update release documents. -3) Document the -c option in the show and dump commands. +2) Document the -c option to the 'dump' and 'show routing' commands. -4) Correct handling of the DIGEST environmental variable in the - Shorewall installer. +3) Implement the 'TARPIT' target. + +Changes in 4.6.6 Beta 1 + +1) Update release documents. + +2) Minor reorganization of Shorewall::Compiler::compiler() + +3) Cosmetic/commentary changes to Shorewall::Config + +4) Start firewall after network-online target has been reached + +Changes in 4.6.5.3 + +1) Update release documents. 2) Correct shorewall-init scripts to use VARLIB rather than VARDIR (Roberto Sanchez) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/configure new/shorewall-core-4.6.6/configure --- old/shorewall-core-4.6.5.5/configure 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/configure 2015-01-15 16:45:36.000000000 +0100 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.5.5 +VERSION=4.6.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/configure.pl new/shorewall-core-4.6.6/configure.pl --- old/shorewall-core-4.6.5.5/configure.pl 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/configure.pl 2015-01-15 16:45:36.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.5.5' + VERSION => '4.6.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/install.sh new/shorewall-core-4.6.6/install.sh --- old/shorewall-core-4.6.5.5/install.sh 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/install.sh 2015-01-15 16:45:36.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.5.5 +VERSION=4.6.6 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/known_problems.txt new/shorewall-core-4.6.6/known_problems.txt --- old/shorewall-core-4.6.5.5/known_problems.txt 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/known_problems.txt 2015-01-15 16:45:36.000000000 +0100 
@@ -1,65 +1,2 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. - -2) The generated firewall cannot detect the gateway added by recent - versions of dhclient. - - Corrected in 4.6.5.1. - -3) In 4.6.5, the bash-based configure script would issue the following - diagnostic if SERVICEDIR was not specified in the shorewallrc - file. - - ./configure: line 199: [SERVICEDIR]=: command not found - - This is compounded by the fact that all of the released - shorewallrc files still specify SYSTEMDDIR rather than SERVICEDIR - (Evangelos Foutras) - - Corrected in 4.6.5.1. - -4) LOG_BACKEND=LOG is broken in Shorewall6 on all but the most recent - kernel versions. - - Corrected in 4.6.5.2. - -5) The Shorewall-init scripts are currently using the incorrect - variable to set the state directory. - - Corrected in 4.6.5.3 - -6) For normal dynamic zones, the 'add' command fails with a - diagnostic such as: - - ERROR: Zone ast, interface net0 does not have a dynamic host list - - Corrected in 4.6.5.3 - -7) When a mark range is used in the marks (tcrules) file, a run-time - error occurs while attempting to load the generated ruleset. - - Corrected in 4.6.5.3 - - -8) The '-c' option of the 'dump' and 'show routing' commands is - currently undocumented. It causes the routing cache to be displayed - along with the other routing information. - - Corrected in 4.6.5.4. - -9) The handling of the 'DIGEST' environmental variable is incorrect - in the Shorewall installer. Specifying that option does not - correctly update the Chains module which leads to a Perl - compilation failure. - - Corrected in 4.6.5.4. - -10) Handling of ipset names on PORT columns is incorrect. Such usage - results in an invalid iptables rule being generated. - - Corrected in 4.6.5.4. - -11) The Shorewall-init ifupdown scripts currently look in the wrong - directory for the firewall script. - - Corrected in 4.6.5.5. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/lib.cli new/shorewall-core-4.6.6/lib.cli --- old/shorewall-core-4.6.5.5/lib.cli 2015-01-11 17:24:10.000000000 +0100 +++ new/shorewall-core-4.6.6/lib.cli 2015-01-13 16:05:15.000000000 +0100 @@ -25,7 +25,7 @@ # loaded after this one and replaces some of the functions declared here. # -SHOREWALL_CAPVERSION=40600 +SHOREWALL_CAPVERSION=40606 [ -n "${g_program:=shorewall}" ] @@ -2392,6 +2392,8 @@ MASQUERADE_TGT= UDPLITEREDIRECT= NEW_TOS_MATCH= + TARPIT_TARGET= + IFACE_MATCH= AMANDA_HELPER= FTP_HELPER= @@ -2545,6 +2547,10 @@ qt $NFACCT del $chain fi + qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes + + qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes + if [ -n "$MANGLE_ENABLED" ]; then qt $g_tool -t mangle -N $chain @@ -2822,6 +2828,8 @@ report_capability "MASQUERADE Target" $MASQUERADE_TGT report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT report_capability "New tos Match" $NEW_TOS_MATCH + report_capability "TARPIT Target" $TARPIT_TARGET + report_capability "Iface Match" $IFACE_MATCH report_capability "Amanda Helper" $AMANDA_HELPER report_capability "FTP Helper" $FTP_HELPER @@ -2949,6 +2957,8 @@ report_capability1 MASQUERADE_TGT report_capability1 UDPLITEREDIRECT report_capability1 NEW_TOS_MATCH + report_capability1 TARPIT_TARGET + report_capability1 IFACE_MATCH report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER @@ -3390,11 +3400,6 @@ g_hostname=$(hostname 2> /dev/null) - IP=$(mywhich ip 2> /dev/null) - if [ -z "$IP" ] ; then - fatal_error "Can't find ip executable" - fi - if [ -n "$IPSET" ]; then case "$IPSET" in */*) @@ -3416,6 +3421,10 @@ TC=tc + IP=$(mywhich ip 2> /dev/null) + + g_loopback=$(find_loopback_interfaces) + } # 
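Review bot: the lib.cli hunk at @@ -3390 deletes the `fatal_error "Can't find ip executable"` check and the @@ -3416 hunk reassigns `IP=$(mywhich ip 2> /dev/null)` later with no check at all, so a missing `ip` binary is now silent at startup. `find_loopback_interfaces` guards itself with `[ -x "$IP" ]`, but the other callers of `$IP` in these libraries do not, and the failure will surface later as a confusing "link: command not found" instead of a clear diagnostic. Suggest keeping at least a warning after the new assignment, e.g. `[ -n "$IP" ] || echo "WARNING: Can't find ip executable" >&2`, and noting in the release notes that `ip` is no longer mandatory if that is the intent of the move.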
@@ -3719,6 +3728,7 @@ g_inline= g_tcrules= g_counters= + g_loopback= VERBOSE= VERBOSITY=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/lib.common new/shorewall-core-4.6.6/lib.common --- old/shorewall-core-4.6.5.5/lib.common 2015-01-11 17:24:10.000000000 +0100 +++ new/shorewall-core-4.6.6/lib.common 2015-01-13 16:05:15.000000000 +0100 @@ -646,6 +646,24 @@ } # +#Determines if the passed interface is a loopback interface +# +loopback_interface() { #$1 = Interface name + [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK +} + +# +# Find Loopback Interfaces +# +find_loopback_interfaces() { + local interfaces + + [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2) + + [ -n "$interfaces" ] && echo $interfaces || echo lo +} + +# # Internal version of 'which' # mywhich() { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/releasenotes.txt new/shorewall-core-4.6.6/releasenotes.txt --- old/shorewall-core-4.6.5.5/releasenotes.txt 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/releasenotes.txt 2015-01-15 16:45:36.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 5 . 5 + S H O R E W A L L 4 . 6 . 6 ------------------------------------ - J a n u a r y 1 1 , 2 0 1 5 + J a n u a r y 1 7 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
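Review bot: in the lib.common hunk, `loopback_interface()` runs `$IP link show $1 | fgrep -q LOOPBACK` with neither `$IP` nor `$1` checked or quoted; if `$IP` is empty (the `mywhich` lookup in lib.cli no longer aborts on failure) the shell tries to execute `link`, and stderr from a failing `ip` is not redirected in either new function. Suggest `[ -x "$IP" ] && "$IP" link show "$1" 2> /dev/null | fgrep -q LOOPBACK` and a `2> /dev/null` on the `$IP link show` in `find_loopback_interfaces` so the fallback to `lo` stays quiet. Cosmetic: the new comment `#Determines if the passed interface is a loopback interface` lacks the space after `#` that the surrounding comment blocks use.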
@@ -14,79 +14,17 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.5.5 - -1) The Shorewall-init ifupdown scripts were looking for the firewall - script in the wrong directory. Correction was provider by Tuomo - Soini. - -4.6.5.4 - -1) The '-c' option of the 'dump' and 'show routing' commands is now - documented. - -2) The handling of the 'DIGEST' environmental variable has been - corrected in the Shorewall installer. Previously, specifying that - option would not correctly update the Chains module which led to a - Perl compilation failure. - -3) Handling of ipset names on PORT columns has been - corrected. Previously, such usage resulted in an invalid iptables - rule being generated. - -4.6.5.3 - -1) The Shorewall-init scripts were using the incorrect - variable to set the state directory. - -2) For normal dynamic zones, the 'add' command failed with a - diagnostic such as: - - ERROR: Zone ast, interface net0 does not have a dynamic host list - -3) When a mark range was used in the marks (tcrules) file, a run-time - error occured while attempting to load the generated ruleset. - -4.6.5.2 - -1) LOG_BACKEND=LOG failed at run-time for all but the most recent - kernels. - -4.6.5.1 - -1) The generated script can now detect an gateway address assigned by - later versions of that program (Alan Barrett). - -2) In 4.6.5, the bash-based configure script would issue the following - diagnostic if SERVICEDIR was not specified in the shorewallrc - file: - - ./configure: line 199: [SERVICEDIR]=: command not found - - This was compounded by the fact that all of the released - shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR - (Evangelos Foutras) - -3) The shorewallrc.archlinux file now reflects a change in SBINDIR - that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - -4.6.5 - -1) This release includes defect repair through release 4.6.4.3. 
- -2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the - diagnostics: - - Setting up log backend - /var/lib/shorewall/.restart: line 2075: echo: write error: - No such file or directory - WARNING: Unable to set log backend to ipt_LOG - -3) A number of corrections have been made to the manpages (Thomas D). - -4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, - then servicd failed to start/stop Shorewall-init. +1) This release includes defect repair from Shorewall 4.6.5.4 and + earlier releases. +2) The 'ifupdown' scripts have been corrected. Previously, they were + looking in the wrong directory for the firewall script. Thanks go + to Tuomo Soini. + +3) Previously, a line beginning with 'shell' was interpreted as a + shell script. Now, the line must begin with 'SHELL' + (case-sensitive). + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -98,83 +36,87 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The configure scripts and installers now support SERVICEDIR as an - alternative to SYSTEMD. For compatability, SERVICED is an alias - for SERVICEDIR. - -2) The installers now offer a choice of .service files, selected by - the SERVICEFILE option. The default remains $PRODUCT.service. Each - product supplying a .service file now supplies a .service.214. The - differences between the standard .service files and the service.214 - files are: - - a) They specify 'after=network-online.target' rather than - 'after=network.target'. - - b) The file shorewall-init.service.214 specifies - 'before=network-pre.target' rather than - 'before=network.target'. That file requires serviced 214 or - later, hence the names of the new files. - - Regardless of which file is selected, it is installed in - $SERVICEDIR/$PRODUCT.service. - -3) The RATE LIMIT column of the rules files now allows specification - of both a per-source and per-destination limit. See - shorewall[6]-rules(5) for details. - -4) Previously, /bin/sh was used unconditionally to process the helper - script 'getparams'. That shell script reads the params file and - passes back the (variable,value) pairs to the compiler. Beginning - with this release, $SHOREWALL_SHELL is used to process that script, - unless the compilation is for export, in which case /bin/sh is - still used. - - Note that the default value of $SHOREWALL_SHELL is /bin/sh, so - unless your configuration sets that variable, this enhancement will - have no effect. Similarly, on an administrative system, this - enhancement has no effect on the processing of the 'compile -e', - 'load', 'reload' and 'export' commands. - -5) A -C option has been added to several commands to allow the - ip[6]tables packet and byte counters to be preserved. 
- - - save command - - Causes the packet and byte counters to be saved along with the - chains and rules. - - - restore command - - Causes the packet and byte counters (if saved) to be restored - along with the chains and rules. - - - start command - - With Shorewall and Shorewall6, the -C option only has an effect - if the -f option is also specified. If a previously-saved - configuration is restored, then the packet and byte counters (if - saved) will be restored along with the chains and rules. - - - restart command - - If an existing compiled script is used (no recompilation - required) and if that script generated the current running - configuration, then the current netfilter configuration is - reloaded as is so as to preserve the current packet and byte - counters. +1) Previously, the firewall products (Shorewall, Shorewall6 and + *-lite) specified "After=network.target" in their .service files. - If you wish to (approximately) preserve the counters over a - possibly unexpected reboot, then: - - - Create a cron job that periodically does 'shorewall save -C' - - - Specify the -C and -f option in the STARTOPTIONS variable in - either /etc/default/shorewall[6][-lite] or - /etc/sysconfig/shorewall[6][-lite], whichever is supported by your - distribution. Note that some distributions do not distribute these - files so you may have to create the one(s) you need (such as - /etc/sysconfig/shorewall). + Beginning with this release, those products specify + "After=network-online.target" like the service.214 files. This + change is intended to delay firewall startup until after network + initialization is complete. + +2) The 'TARPIT' target is now supported in the rules file. Using this + target requires the appropriate support in your kernel and + iptables. This feature implements a new "TARPIT Target" capability, + so if you use a capabilities file, then you need to regenerate the + file after installing this release. 
+ + TARPIT captures and holds incoming TCP connections using no local + per-connection resources. + + + TARPIT only works with the PROTO column set to tcp (6), and is + totally application agnostic. This module will answer a TCP request + and play along like a listening server, but aside from sending an + ACK or RST, no data is sent. Incoming packets are ignored and + dropped. The attacker will terminate the session eventually. This + module allows the initial packets of an attack to be captured by + other software for inspection. In most cases this is sufficient to + determine the nature of the attack. + + + This offers similar functionality to LaBrea + <http://www.hackbusters.net/LaBrea/> but does not require dedicated + hardware or IPs. Any TCP port that you would normally DROP or + REJECT can instead become a tarpit. + + The target accepts a single optional parameter: + + tarpit (default) + + This mode completes a connection with the attacker but limits + the window size to 0, thus keeping the attacker waiting long + periods of time. While he is maintaining state of the + connection and trying to continue every 60-240 seconds, we + keep none, so it is very lightweight. Attempts to close the + connection are ignored, forcing the remote side to time out + the connection in 12-24 minutes. + + honeypot + + This mode completes a connection with the attacker, but + signals a normal window size, so that the remote side will + attempt to send data, often with some very nasty exploit + attempts. We can capture these packets for decoding and + further analysis. The module does not send any data, so if + the remote expects an application level response, the game + is up. + + reset + + This mode is handy because we can send an inline RST + (reset). It has no other function. + +3) A 'loopback' option has been added to the interfaces files to + designate the interface as the loopback device. This option is + assumed if the device's physical name is 'lo'. 
Only one + interface may specify 'loopback'. + + If no interface has physical name 'lo' and no interface specifies + the 'loopback' option, then the compiler implicitly defines an + interface as follows: + + #ZONE INTERFACE OPTIONS + - lo ignore,loopback + +4) The compiler now takes advantage of the iptables 'iface' match + capability for identifying loopback traffic. + +5) The 'primary' provider option has been added as a synonym for + 'balance=1'. The rationale for this addition is that 'balance' + seems inappropriate when only a single provider specifies that + option. For example, if there are two providers and one specifies + 'fallback', then the other would specify 'primary' rather than + 'balance'. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -469,6 +411,145 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 +---------------------------------------------------------------------------- + +4.6.5.3 + +1) The Shorewall-init scripts were using the incorrect + variable to set the state directory. + +2) For normal dynamic zones, the 'add' command failed with a + diagnostic such as: + + ERROR: Zone ast, interface net0 does not have a dynamic host list + +3) When a mark range was used in the marks (tcrules) file, a run-time + error occured while attempting to load the generated ruleset. + +4.6.5.2 + +1) LOG_BACKEND=LOG failed at run-time for all but the most recent + kernels. + +4.6.5.1 + +1) The generated script can now detect an gateway address assigned by + later versions of that program (Alan Barrett). + +2) In 4.6.5, the bash-based configure script would issue the following + diagnostic if SERVICEDIR was not specified in the shorewallrc + file: + + ./configure: line 199: [SERVICEDIR]=: command not found + + This was compounded by the fact that all of the released + shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR + (Evangelos Foutras) + +3) The shorewallrc.archlinux file now reflects a change in SBINDIR + that occurred in Arch Linux in mid 2013 (Evangelos Foutras). + +4.6.5 + +1) This release includes defect repair through release 4.6.4.3. + +2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the + diagnostics: + + Setting up log backend + /var/lib/shorewall/.restart: line 2075: echo: write error: + No such file or directory + WARNING: Unable to set log backend to ipt_LOG + +3) A number of corrections have been made to the manpages (Thomas D). + +4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, + then servicd failed to start/stop Shorewall-init. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +1) The configure scripts and installers now support SERVICEDIR as an + alternative to SYSTEMD. For compatability, SERVICED is an alias + for SERVICEDIR. + +2) The installers now offer a choice of .service files, selected by + the SERVICEFILE option. The default remains $PRODUCT.service. Each + product supplying a .service file now supplies a .service.214. The + differences between the standard .service files and the service.214 + files are: + + a) They specify 'after=network-online.target' rather than + 'after=network.target'. + + b) The file shorewall-init.service.214 specifies + 'before=network-pre.target' rather than + 'before=network.target'. That file requires serviced 214 or + later, hence the names of the new files. + + Regardless of which file is selected, it is installed in + $SERVICEDIR/$PRODUCT.service. + +3) The RATE LIMIT column of the rules files now allows specification + of both a per-source and per-destination limit. See + shorewall[6]-rules(5) for details. + +4) Previously, /bin/sh was used unconditionally to process the helper + script 'getparams'. That shell script reads the params file and + passes back the (variable,value) pairs to the compiler. Beginning + with this release, $SHOREWALL_SHELL is used to process that script, + unless the compilation is for export, in which case /bin/sh is + still used. + + Note that the default value of $SHOREWALL_SHELL is /bin/sh, so + unless your configuration sets that variable, this enhancement will + have no effect. Similarly, on an administrative system, this + enhancement has no effect on the processing of the 'compile -e', + 'load', 'reload' and 'export' commands. + +5) A -C option has been added to several commands to allow the + ip[6]tables packet and byte counters to be preserved. 
+ + - save command + + Causes the packet and byte counters to be saved along with the + chains and rules. + + - restore command + + Causes the packet and byte counters (if saved) to be restored + along with the chains and rules. + + - start command + + With Shorewall and Shorewall6, the -C option only has an effect + if the -f option is also specified. If a previously-saved + configuration is restored, then the packet and byte counters (if + saved) will be restored along with the chains and rules. + + - restart command + + If an existing compiled script is used (no recompilation + required) and if that script generated the current running + configuration, then the current netfilter configuration is + reloaded as is so as to preserve the current packet and byte + counters. + + If you wish to (approximately) preserve the counters over a + possibly unexpected reboot, then: + + - Create a cron job that periodically does 'shorewall save -C' + + - Specify the -C and -f option in the STARTOPTIONS variable in + either /etc/default/shorewall[6][-lite] or + /etc/sysconfig/shorewall[6][-lite], whichever is supported by your + distribution. Note that some distributions do not distribute these + files so you may have to create the one(s) you need (such as + /etc/sysconfig/shorewall). + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/shorewall-core.spec new/shorewall-core-4.6.6/shorewall-core.spec --- old/shorewall-core-4.6.5.5/shorewall-core.spec 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/shorewall-core.spec 2015-01-15 16:45:36.000000000 +0100 
@@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.5 -%define release 5 +%define version 4.6.6 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -63,10 +63,16 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Sun Jan 11 2015 Tom Eastep t...@shorewall.net -- Updated to 4.6.5-5 -* Fri Jan 09 2015 Tom Eastep t...@shorewall.net -- Updated to 4.6.5-4 +* Sat Jan 10 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0base +* Tue Jan 06 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0RC1 +* Fri Jan 02 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta3 +* Fri Dec 26 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta2 +* Fri Dec 19 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta1 * Mon Dec 15 2014 Tom Eastep t...@shorewall.net - Updated to 4.6.5-3 * Sat Nov 15 2014 Tom Eastep t...@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.5.5/uninstall.sh new/shorewall-core-4.6.6/uninstall.sh --- old/shorewall-core-4.6.5.5/uninstall.sh 2015-01-11 17:38:54.000000000 +0100 +++ new/shorewall-core-4.6.6/uninstall.sh 2015-01-15 16:45:36.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.5.5 +VERSION=4.6.6 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.5.5.tar.bz2 -> shorewall-docs-html-4.6.6.tar.bz2 ++++++ ++++ 6979 lines of diff (skipped) ++++++ shorewall-init-4.6.5.5.tar.bz2 -> shorewall-init-4.6.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.5.5/changelog.txt new/shorewall-init-4.6.6/changelog.txt --- old/shorewall-init-4.6.5.5/changelog.txt 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-init-4.6.6/changelog.txt 2015-01-15 16:45:37.000000000 +0100 
@@ -1,19 +1,48 @@ -Changes in 4.6.5.5 +Changes in 4.6.6 Final 1) Update release documents. -2) Fix Shorewall-init VARDIR => VARLIB in the ifupdown scripts. +2) Apply Tuomo Soini's fix for Shorewall-init. -Changes in 4.6.5.4 +3) Make leading 'SHELL' case sensitive. + +Changes in 4.6.6 RC 1 + +1) Update release documents. + +2) Add 'primary' provider option. + +3) Correct ipset names in port columns. + +Changes in 4.6.6 Beta 3 1) Update release documents. -2) Correct handling of ipset names in PORT columns. +2) Add the 'loopback' interface option. + +3) Use 'Iface match' for loopback interfaces where practical. + +Changes in 4.6.6 Beta 2 + +1) Update release documents. -3) Document the -c option in the show and dump commands. +2) Document the -c option to the 'dump' and 'show routing' commands. -4) Correct handling of the DIGEST environmental variable in the - Shorewall installer. +3) Implement the 'TARPIT' target. + +Changes in 4.6.6 Beta 1 + +1) Update release documents. + +2) Minor reorganization of Shorewall::Compiler::compiler() + +3) Cosmetic/commentary changes to Shorewall::Config + +4) Start firewall after network-online target has been reached + +Changes in 4.6.5.3 + +1) Update release documents. 2) Correct shorewall-init scripts to use VARLIB rather than VARDIR (Roberto Sanchez) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.5.5/configure new/shorewall-init-4.6.6/configure --- old/shorewall-init-4.6.5.5/configure 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-init-4.6.6/configure 2015-01-15 16:45:37.000000000 +0100 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.5.5 +VERSION=4.6.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.5.5/configure.pl new/shorewall-init-4.6.6/configure.pl --- old/shorewall-init-4.6.5.5/configure.pl 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-init-4.6.6/configure.pl 2015-01-15 16:45:37.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.5.5' + VERSION => '4.6.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.5.5/install.sh new/shorewall-init-4.6.6/install.sh --- old/shorewall-init-4.6.5.5/install.sh 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-init-4.6.6/install.sh 2015-01-15 16:45:37.000000000 +0100 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.5.5 +VERSION=4.6.6 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.5.5/releasenotes.txt new/shorewall-init-4.6.6/releasenotes.txt --- old/shorewall-init-4.6.5.5/releasenotes.txt 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-init-4.6.6/releasenotes.txt 2015-01-15 16:45:37.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 5 . 5 + S H O R E W A L L 4 . 6 . 6 ------------------------------------ - J a n u a r y 1 1 , 2 0 1 5 + J a n u a r y 1 7 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,79 +14,17 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.5.5 - -1) The Shorewall-init ifupdown scripts were looking for the firewall - script in the wrong directory. Correction was provider by Tuomo - Soini. - -4.6.5.4 - -1) The '-c' option of the 'dump' and 'show routing' commands is now - documented. - -2) The handling of the 'DIGEST' environmental variable has been - corrected in the Shorewall installer. Previously, specifying that - option would not correctly update the Chains module which led to a - Perl compilation failure. - -3) Handling of ipset names on PORT columns has been - corrected. Previously, such usage resulted in an invalid iptables - rule being generated. - -4.6.5.3 - -1) The Shorewall-init scripts were using the incorrect - variable to set the state directory. - -2) For normal dynamic zones, the 'add' command failed with a - diagnostic such as: - - ERROR: Zone ast, interface net0 does not have a dynamic host list - -3) When a mark range was used in the marks (tcrules) file, a run-time - error occured while attempting to load the generated ruleset. - -4.6.5.2 - -1) LOG_BACKEND=LOG failed at run-time for all but the most recent - kernels. - -4.6.5.1 - -1) The generated script can now detect an gateway address assigned by - later versions of that program (Alan Barrett). - -2) In 4.6.5, the bash-based configure script would issue the following - diagnostic if SERVICEDIR was not specified in the shorewallrc - file: - - ./configure: line 199: [SERVICEDIR]=: command not found - - This was compounded by the fact that all of the released - shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR - (Evangelos Foutras) - -3) The shorewallrc.archlinux file now reflects a change in SBINDIR - that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - -4.6.5 - -1) This release includes defect repair through release 4.6.4.3. 
- -2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the - diagnostics: - - Setting up log backend - /var/lib/shorewall/.restart: line 2075: echo: write error: - No such file or directory - WARNING: Unable to set log backend to ipt_LOG - -3) A number of corrections have been made to the manpages (Thomas D). - -4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, - then servicd failed to start/stop Shorewall-init. +1) This release includes defect repair from Shorewall 4.6.5.4 and + earlier releases. +2) The 'ifupdown' scripts have been corrected. Previously, they were + looking in the wrong directory for the firewall script. Thanks go + to Tuomo Soini. + +3) Previously, a line beginning with 'shell' was interpreted as a + shell script. Now, the line must begin with 'SHELL' + (case-sensitive). + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
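Review bot: item 3 announces a silent behaviour change without saying what now happens to a configuration line that still begins with lowercase 'shell': it used to be executed as shell, and the text does not say whether such a line is now rejected with an error or parsed as ordinary configuration. Either way a rule that was previously produced by shell code can simply go missing, and the user only finds out at compile time or when traffic is no longer filtered. Please state the new outcome here and repeat the change under section IV (Migration Issues) with a way to find affected files, for example `grep -rn '^[[:space:]]*shell' /etc/shorewall /etc/shorewall6` (a suggested check, not something this patch provides). The same applies to the identical hunk in the shorewall-lite releasenotes.txt.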
@@ -98,83 +36,87 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The configure scripts and installers now support SERVICEDIR as an - alternative to SYSTEMD. For compatability, SERVICED is an alias - for SERVICEDIR. - -2) The installers now offer a choice of .service files, selected by - the SERVICEFILE option. The default remains $PRODUCT.service. Each - product supplying a .service file now supplies a .service.214. The - differences between the standard .service files and the service.214 - files are: - - a) They specify 'after=network-online.target' rather than - 'after=network.target'. - - b) The file shorewall-init.service.214 specifies - 'before=network-pre.target' rather than - 'before=network.target'. That file requires serviced 214 or - later, hence the names of the new files. - - Regardless of which file is selected, it is installed in - $SERVICEDIR/$PRODUCT.service. - -3) The RATE LIMIT column of the rules files now allows specification - of both a per-source and per-destination limit. See - shorewall[6]-rules(5) for details. - -4) Previously, /bin/sh was used unconditionally to process the helper - script 'getparams'. That shell script reads the params file and - passes back the (variable,value) pairs to the compiler. Beginning - with this release, $SHOREWALL_SHELL is used to process that script, - unless the compilation is for export, in which case /bin/sh is - still used. - - Note that the default value of $SHOREWALL_SHELL is /bin/sh, so - unless your configuration sets that variable, this enhancement will - have no effect. Similarly, on an administrative system, this - enhancement has no effect on the processing of the 'compile -e', - 'load', 'reload' and 'export' commands. - -5) A -C option has been added to several commands to allow the - ip[6]tables packet and byte counters to be preserved. 
- - - save command - - Causes the packet and byte counters to be saved along with the - chains and rules. - - - restore command - - Causes the packet and byte counters (if saved) to be restored - along with the chains and rules. - - - start command - - With Shorewall and Shorewall6, the -C option only has an effect - if the -f option is also specified. If a previously-saved - configuration is restored, then the packet and byte counters (if - saved) will be restored along with the chains and rules. - - - restart command - - If an existing compiled script is used (no recompilation - required) and if that script generated the current running - configuration, then the current netfilter configuration is - reloaded as is so as to preserve the current packet and byte - counters. +1) Previously, the firewall products (Shorewall, Shorewall6 and + *-lite) specified "After=network.target" in their .service files. - If you wish to (approximately) preserve the counters over a - possibly unexpected reboot, then: - - - Create a cron job that periodically does 'shorewall save -C' - - - Specify the -C and -f option in the STARTOPTIONS variable in - either /etc/default/shorewall[6][-lite] or - /etc/sysconfig/shorewall[6][-lite], whichever is supported by your - distribution. Note that some distributions do not distribute these - files so you may have to create the one(s) you need (such as - /etc/sysconfig/shorewall). + Beginning with this release, those products specify + "After=network-online.target" like the service.214 files. This + change is intended to delay firewall startup until after network + initialization is complete. + +2) The 'TARPIT' target is now supported in the rules file. Using this + target requires the appropriate support in your kernel and + iptables. This feature implements a new "TARPIT Target" capability, + so if you use a capabilities file, then you need to regenerate the + file after installing this release. 
+ + TARPIT captures and holds incoming TCP connections using no local + per-connection resources. + + + TARPIT only works with the PROTO column set to tcp (6), and is + totally application agnostic. This module will answer a TCP request + and play along like a listening server, but aside from sending an + ACK or RST, no data is sent. Incoming packets are ignored and + dropped. The attacker will terminate the session eventually. This + module allows the initial packets of an attack to be captured by + other software for inspection. In most cases this is sufficient to + determine the nature of the attack. + + + This offers similar functionality to LaBrea + <http://www.hackbusters.net/LaBrea/> but does not require dedicated + hardware or IPs. Any TCP port that you would normally DROP or + REJECT can instead become a tarpit. + + The target accepts a single optional parameter: + + tarpit (default) + + This mode completes a connection with the attacker but limits + the window size to 0, thus keeping the attacker waiting long + periods of time. While he is maintaining state of the + connection and trying to continue every 60-240 seconds, we + keep none, so it is very lightweight. Attempts to close the + connection are ignored, forcing the remote side to time out + the connection in 12-24 minutes. + + honeypot + + This mode completes a connection with the attacker, but + signals a normal window size, so that the remote side will + attempt to send data, often with some very nasty exploit + attempts. We can capture these packets for decoding and + further analysis. The module does not send any data, so if + the remote expects an application level response, the game + is up. + + reset + + This mode is handy because we can send an inline RST + (reset). It has no other function. + +3) A 'loopback' option has been added to the interfaces files to + designate the interface as the loopback device. This option is + assumed if the device's physical name is 'lo'. 
Only one + interface may specify 'loopback'. + + If no interface has physical name 'lo' and no interface specifies + the 'loopback' option, then the compiler implicitly defines an + interface as follows: + + #ZONE INTERFACE OPTIONS + - lo ignore,loopback + +4) The compiler now takes advantage of the iptables 'iface' match + capability for identifying loopback traffic. + +5) The 'primary' provider option has been added as a synonym for + 'balance=1'. The rationale for this addition is that 'balance' + seems inappropriate when only a single provider specifies that + option. For example, if there are two providers and one specifies + 'fallback', then the other would specify 'primary' rather than + 'balance'. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
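Review bot: item 1 trades a documented startup hazard for a timing fix and should say so: with After=network-online.target the ruleset is not loaded until interfaces are up and addressed, so a host without Shorewall-init (whose .service.214 file, per the text this hunk deletes, orders itself Before=network-pre.target precisely to close the firewall first) runs unfiltered for the whole network bring-up. Add a sentence recommending Shorewall-init for that window, and check that the .service files also gained Wants=network-online.target, since After= only orders units and by itself does not pull network-online.target into the transaction. On item 2, the statement that TARPIT holds connections "using no local per-connection resources" is only true when the tarpitted ports are excluded from connection tracking (NOTRACK in the raw table, as the xtables-addons TARPIT documentation advises); otherwise every SYN still allocates a conntrack entry. That caveat belongs in the notes, together with the fact that the target ships in xtables-addons rather than stock iptables, so "appropriate support in your kernel and iptables" has a concrete meaning. Same for the shorewall-lite copy of this hunk.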
@@ -469,6 +411,145 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 +---------------------------------------------------------------------------- + +4.6.5.3 + +1) The Shorewall-init scripts were using the incorrect + variable to set the state directory. + +2) For normal dynamic zones, the 'add' command failed with a + diagnostic such as: + + ERROR: Zone ast, interface net0 does not have a dynamic host list + +3) When a mark range was used in the marks (tcrules) file, a run-time + error occured while attempting to load the generated ruleset. + +4.6.5.2 + +1) LOG_BACKEND=LOG failed at run-time for all but the most recent + kernels. + +4.6.5.1 + +1) The generated script can now detect an gateway address assigned by + later versions of that program (Alan Barrett). + +2) In 4.6.5, the bash-based configure script would issue the following + diagnostic if SERVICEDIR was not specified in the shorewallrc + file: + + ./configure: line 199: [SERVICEDIR]=: command not found + + This was compounded by the fact that all of the released + shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR + (Evangelos Foutras) + +3) The shorewallrc.archlinux file now reflects a change in SBINDIR + that occurred in Arch Linux in mid 2013 (Evangelos Foutras). + +4.6.5 + +1) This release includes defect repair through release 4.6.4.3. + +2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the + diagnostics: + + Setting up log backend + /var/lib/shorewall/.restart: line 2075: echo: write error: + No such file or directory + WARNING: Unable to set log backend to ipt_LOG + +3) A number of corrections have been made to the manpages (Thomas D). + +4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, + then servicd failed to start/stop Shorewall-init. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +1) The configure scripts and installers now support SERVICEDIR as an + alternative to SYSTEMD. For compatability, SERVICED is an alias + for SERVICEDIR. + +2) The installers now offer a choice of .service files, selected by + the SERVICEFILE option. The default remains $PRODUCT.service. Each + product supplying a .service file now supplies a .service.214. The + differences between the standard .service files and the service.214 + files are: + + a) They specify 'after=network-online.target' rather than + 'after=network.target'. + + b) The file shorewall-init.service.214 specifies + 'before=network-pre.target' rather than + 'before=network.target'. That file requires serviced 214 or + later, hence the names of the new files. + + Regardless of which file is selected, it is installed in + $SERVICEDIR/$PRODUCT.service. + +3) The RATE LIMIT column of the rules files now allows specification + of both a per-source and per-destination limit. See + shorewall[6]-rules(5) for details. + +4) Previously, /bin/sh was used unconditionally to process the helper + script 'getparams'. That shell script reads the params file and + passes back the (variable,value) pairs to the compiler. Beginning + with this release, $SHOREWALL_SHELL is used to process that script, + unless the compilation is for export, in which case /bin/sh is + still used. + + Note that the default value of $SHOREWALL_SHELL is /bin/sh, so + unless your configuration sets that variable, this enhancement will + have no effect. Similarly, on an administrative system, this + enhancement has no effect on the processing of the 'compile -e', + 'load', 'reload' and 'export' commands. + +5) A -C option has been added to several commands to allow the + ip[6]tables packet and byte counters to be preserved. 
+ + - save command + + Causes the packet and byte counters to be saved along with the + chains and rules. + + - restore command + + Causes the packet and byte counters (if saved) to be restored + along with the chains and rules. + + - start command + + With Shorewall and Shorewall6, the -C option only has an effect + if the -f option is also specified. If a previously-saved + configuration is restored, then the packet and byte counters (if + saved) will be restored along with the chains and rules. + + - restart command + + If an existing compiled script is used (no recompilation + required) and if that script generated the current running + configuration, then the current netfilter configuration is + reloaded as is so as to preserve the current packet and byte + counters. + + If you wish to (approximately) preserve the counters over a + possibly unexpected reboot, then: + + - Create a cron job that periodically does 'shorewall save -C' + + - Specify the -C and -f option in the STARTOPTIONS variable in + either /etc/default/shorewall[6][-lite] or + /etc/sysconfig/shorewall[6][-lite], whichever is supported by your + distribution. Note that some distributions do not distribute these + files so you may have to create the one(s) you need (such as + /etc/sysconfig/shorewall). + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.5.5/shorewall-init.spec new/shorewall-init-4.6.6/shorewall-init.spec --- old/shorewall-init-4.6.5.5/shorewall-init.spec 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-init-4.6.6/shorewall-init.spec 2015-01-15 16:45:37.000000000 +0100 
@@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.5 -%define release 5 +%define version 4.6.6 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -126,10 +126,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Jan 11 2015 Tom Eastep t...@shorewall.net -- Updated to 4.6.5-5 -* Fri Jan 09 2015 Tom Eastep t...@shorewall.net -- Updated to 4.6.5-4 +* Sat Jan 10 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0base +* Tue Jan 06 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0RC1 +* Fri Jan 02 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta3 +* Fri Dec 26 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta2 +* Fri Dec 19 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta1 * Mon Dec 15 2014 Tom Eastep t...@shorewall.net - Updated to 4.6.5-3 * Sat Nov 15 2014 Tom Eastep t...@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.5.5/uninstall.sh new/shorewall-init-4.6.6/uninstall.sh --- old/shorewall-init-4.6.5.5/uninstall.sh 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-init-4.6.6/uninstall.sh 2015-01-15 16:45:37.000000000 +0100 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.5.5 +VERSION=4.6.6 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.5.5.tar.bz2 -> shorewall-lite-4.6.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/changelog.txt new/shorewall-lite-4.6.6/changelog.txt --- old/shorewall-lite-4.6.5.5/changelog.txt 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-lite-4.6.6/changelog.txt 2015-01-15 16:45:37.000000000 +0100 
@@ -1,19 +1,48 @@ -Changes in 4.6.5.5 +Changes in 4.6.6 Final 1) Update release documents. -2) Fix Shorewall-init VARDIR => VARLIB in the ifupdown scripts. +2) Apply Tuomo Soini's fix for Shorewall-init. -Changes in 4.6.5.4 +3) Make leading 'SHELL' case sensitive. + +Changes in 4.6.6 RC 1 + +1) Update release documents. + +2) Add 'primary' provider option. + +3) Correct ipset names in port columns. + +Changes in 4.6.6 Beta 3 1) Update release documents. -2) Correct handling of ipset names in PORT columns. +2) Add the 'loopback' interface option. + +3) Use 'Iface match' for loopback interfaces where practical. + +Changes in 4.6.6 Beta 2 + +1) Update release documents. -3) Document the -c option in the show and dump commands. +2) Document the -c option to the 'dump' and 'show routing' commands. -4) Correct handling of the DIGEST environmental variable in the - Shorewall installer. +3) Implement the 'TARPIT' target. + +Changes in 4.6.6 Beta 1 + +1) Update release documents. + +2) Minor reorganization of Shorewall::Compiler::compiler() + +3) Cosmetic/commentary changes to Shorewall::Config + +4) Start firewall after network-online target has been reached + +Changes in 4.6.5.3 + +1) Update release documents. 2) Correct shorewall-init scripts to use VARLIB rather than VARDIR (Roberto Sanchez) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/configure new/shorewall-lite-4.6.6/configure --- old/shorewall-lite-4.6.5.5/configure 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-lite-4.6.6/configure 2015-01-15 16:45:37.000000000 +0100 
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.5.5 +VERSION=4.6.6 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/configure.pl new/shorewall-lite-4.6.6/configure.pl --- old/shorewall-lite-4.6.5.5/configure.pl 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-lite-4.6.6/configure.pl 2015-01-15 16:45:37.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.5.5' + VERSION => '4.6.6' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/install.sh new/shorewall-lite-4.6.6/install.sh --- old/shorewall-lite-4.6.5.5/install.sh 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-lite-4.6.6/install.sh 2015-01-15 16:45:37.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=4.6.5.5 +VERSION=4.6.6 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.6/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.5.5/manpages/shorewall-lite-vardir.5 2015-01-11 17:42:17.000000000 +0100 +++ new/shorewall-lite-4.6.6/manpages/shorewall-lite-vardir.5 2015-01-15 16:48:57.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 01/11/2015 +.\" Date: 01/15/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "01/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "01/15/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/manpages/shorewall-lite.8 new/shorewall-lite-4.6.6/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.5.5/manpages/shorewall-lite.8 2015-01-11 17:42:18.000000000 +0100 +++ new/shorewall-lite-4.6.6/manpages/shorewall-lite.8 2015-01-15 16:48:59.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 01/11/2015 +.\" Date: 01/15/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "01/11/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "01/15/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.6/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.5.5/manpages/shorewall-lite.conf.5 2015-01-11 17:42:15.000000000 +0100 +++ new/shorewall-lite-4.6.6/manpages/shorewall-lite.conf.5 2015-01-15 16:48:56.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 01/11/2015 +.\" Date: 01/15/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "01/11/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "01/15/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/releasenotes.txt new/shorewall-lite-4.6.6/releasenotes.txt --- old/shorewall-lite-4.6.5.5/releasenotes.txt 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-lite-4.6.6/releasenotes.txt 2015-01-15 16:45:37.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 5 . 5 + S H O R E W A L L 4 . 6 . 6 ------------------------------------ - J a n u a r y 1 1 , 2 0 1 5 + J a n u a r y 1 7 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,79 +14,17 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.5.5 - -1) The Shorewall-init ifupdown scripts were looking for the firewall - script in the wrong directory. Correction was provider by Tuomo - Soini. - -4.6.5.4 - -1) The '-c' option of the 'dump' and 'show routing' commands is now - documented. - -2) The handling of the 'DIGEST' environmental variable has been - corrected in the Shorewall installer. Previously, specifying that - option would not correctly update the Chains module which led to a - Perl compilation failure. - -3) Handling of ipset names on PORT columns has been - corrected. Previously, such usage resulted in an invalid iptables - rule being generated. - -4.6.5.3 - -1) The Shorewall-init scripts were using the incorrect - variable to set the state directory. - -2) For normal dynamic zones, the 'add' command failed with a - diagnostic such as: - - ERROR: Zone ast, interface net0 does not have a dynamic host list - -3) When a mark range was used in the marks (tcrules) file, a run-time - error occured while attempting to load the generated ruleset. - -4.6.5.2 - -1) LOG_BACKEND=LOG failed at run-time for all but the most recent - kernels. - -4.6.5.1 - -1) The generated script can now detect an gateway address assigned by - later versions of that program (Alan Barrett). - -2) In 4.6.5, the bash-based configure script would issue the following - diagnostic if SERVICEDIR was not specified in the shorewallrc - file: - - ./configure: line 199: [SERVICEDIR]=: command not found - - This was compounded by the fact that all of the released - shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR - (Evangelos Foutras) - -3) The shorewallrc.archlinux file now reflects a change in SBINDIR - that occurred in Arch Linux in mid 2013 (Evangelos Foutras). - -4.6.5 - -1) This release includes defect repair through release 4.6.4.3. 
- -2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the - diagnostics: - - Setting up log backend - /var/lib/shorewall/.restart: line 2075: echo: write error: - No such file or directory - WARNING: Unable to set log backend to ipt_LOG - -3) A number of corrections have been made to the manpages (Thomas D). - -4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, - then servicd failed to start/stop Shorewall-init. +1) This release includes defect repair from Shorewall 4.6.5.4 and + earlier releases. +2) The 'ifupdown' scripts have been corrected. Previously, they were + looking in the wrong directory for the firewall script. Thanks go + to Tuomo Soini. + +3) Previously, a line beginning with 'shell' was interpreted as a + shell script. Now, the line must begin with 'SHELL' + (case-sensitive). + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -98,83 +36,87 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The configure scripts and installers now support SERVICEDIR as an - alternative to SYSTEMD. For compatability, SERVICED is an alias - for SERVICEDIR. - -2) The installers now offer a choice of .service files, selected by - the SERVICEFILE option. The default remains $PRODUCT.service. Each - product supplying a .service file now supplies a .service.214. The - differences between the standard .service files and the service.214 - files are: - - a) They specify 'after=network-online.target' rather than - 'after=network.target'. - - b) The file shorewall-init.service.214 specifies - 'before=network-pre.target' rather than - 'before=network.target'. That file requires serviced 214 or - later, hence the names of the new files. - - Regardless of which file is selected, it is installed in - $SERVICEDIR/$PRODUCT.service. - -3) The RATE LIMIT column of the rules files now allows specification - of both a per-source and per-destination limit. See - shorewall[6]-rules(5) for details. - -4) Previously, /bin/sh was used unconditionally to process the helper - script 'getparams'. That shell script reads the params file and - passes back the (variable,value) pairs to the compiler. Beginning - with this release, $SHOREWALL_SHELL is used to process that script, - unless the compilation is for export, in which case /bin/sh is - still used. - - Note that the default value of $SHOREWALL_SHELL is /bin/sh, so - unless your configuration sets that variable, this enhancement will - have no effect. Similarly, on an administrative system, this - enhancement has no effect on the processing of the 'compile -e', - 'load', 'reload' and 'export' commands. - -5) A -C option has been added to several commands to allow the - ip[6]tables packet and byte counters to be preserved. 
- - - save command - - Causes the packet and byte counters to be saved along with the - chains and rules. - - - restore command - - Causes the packet and byte counters (if saved) to be restored - along with the chains and rules. - - - start command - - With Shorewall and Shorewall6, the -C option only has an effect - if the -f option is also specified. If a previously-saved - configuration is restored, then the packet and byte counters (if - saved) will be restored along with the chains and rules. - - - restart command - - If an existing compiled script is used (no recompilation - required) and if that script generated the current running - configuration, then the current netfilter configuration is - reloaded as is so as to preserve the current packet and byte - counters. +1) Previously, the firewall products (Shorewall, Shorewall6 and + *-lite) specified "After=network.target" in their .service files. - If you wish to (approximately) preserve the counters over a - possibly unexpected reboot, then: - - - Create a cron job that periodically does 'shorewall save -C' - - - Specify the -C and -f option in the STARTOPTIONS variable in - either /etc/default/shorewall[6][-lite] or - /etc/sysconfig/shorewall[6][-lite], whichever is supported by your - distribution. Note that some distributions do not distribute these - files so you may have to create the one(s) you need (such as - /etc/sysconfig/shorewall). + Beginning with this release, those products specify + "After=network-online.target" like the service.214 files. This + change is intended to delay firewall startup until after network + initialization is complete. + +2) The 'TARPIT' target is now supported in the rules file. Using this + target requires the appropriate support in your kernel and + iptables. This feature implements a new "TARPIT Target" capability, + so if you use a capabilities file, then you need to regenerate the + file after installing this release. 
+ + TARPIT captures and holds incoming TCP connections using no local + per-connection resources. + + + TARPIT only works with the PROTO column set to tcp (6), and is + totally application agnostic. This module will answer a TCP request + and play along like a listening server, but aside from sending an + ACK or RST, no data is sent. Incoming packets are ignored and + dropped. The attacker will terminate the session eventually. This + module allows the initial packets of an attack to be captured by + other software for inspection. In most cases this is sufficient to + determine the nature of the attack. + + + This offers similar functionality to LaBrea + <http://www.hackbusters.net/LaBrea/> but does not require dedicated + hardware or IPs. Any TCP port that you would normally DROP or + REJECT can instead become a tarpit. + + The target accepts a single optional parameter: + + tarpit (default) + + This mode completes a connection with the attacker but limits + the window size to 0, thus keeping the attacker waiting long + periods of time. While he is maintaining state of the + connection and trying to continue every 60-240 seconds, we + keep none, so it is very lightweight. Attempts to close the + connection are ignored, forcing the remote side to time out + the connection in 12-24 minutes. + + honeypot + + This mode completes a connection with the attacker, but + signals a normal window size, so that the remote side will + attempt to send data, often with some very nasty exploit + attempts. We can capture these packets for decoding and + further analysis. The module does not send any data, so if + the remote expects an application level response, the game + is up. + + reset + + This mode is handy because we can send an inline RST + (reset). It has no other function. + +3) A 'loopback' option has been added to the interfaces files to + designate the interface as the loopback device. This option is + assumed if the device's physical name is 'lo'. 
Only one + interface may specify 'loopback'. + + If no interface has physical name 'lo' and no interface specifies + the 'loopback' option, then the compiler implicitly defines an + interface as follows: + + #ZONE INTERFACE OPTIONS + - lo ignore,loopback + +4) The compiler now takes advantage of the iptables 'iface' match + capability for identifying loopback traffic. + +5) The 'primary' provider option has been added as a synonym for + 'balance=1'. The rationale for this addition is that 'balance' + seems inappropriate when only a single provider specifies that + option. For example, if there are two providers and one specifies + 'fallback', then the other would specify 'primary' rather than + 'balance'. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
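Review bot: the TARPIT section of this hunk states that the target holds connections "using no local per-connection resources", but nothing in the section says what happens when the tarpitted SYN has already been seen by connection tracking, which is the normal case on a Shorewall-managed box; the notes should either qualify that sentence or say whether tarpitted ports have to be excluded from tracking (for example via the conntrack file) for the "no resources" property to hold. The same section tells the reader that any port normally DROPped or REJECTed "can instead become a tarpit" and lists the three modes, yet it never shows how the target and its optional parameter are written in the rules file; one sample rules line per mode would make the feature usable from the release notes alone. Minor: item 1 refers to "the service.214 files" while the 4.6.4 notes later in the same patch call them ".service.214".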
@@ -469,6 +411,145 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 +---------------------------------------------------------------------------- + +4.6.5.3 + +1) The Shorewall-init scripts were using the incorrect + variable to set the state directory. + +2) For normal dynamic zones, the 'add' command failed with a + diagnostic such as: + + ERROR: Zone ast, interface net0 does not have a dynamic host list + +3) When a mark range was used in the marks (tcrules) file, a run-time + error occured while attempting to load the generated ruleset. + +4.6.5.2 + +1) LOG_BACKEND=LOG failed at run-time for all but the most recent + kernels. + +4.6.5.1 + +1) The generated script can now detect an gateway address assigned by + later versions of that program (Alan Barrett). + +2) In 4.6.5, the bash-based configure script would issue the following + diagnostic if SERVICEDIR was not specified in the shorewallrc + file: + + ./configure: line 199: [SERVICEDIR]=: command not found + + This was compounded by the fact that all of the released + shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR + (Evangelos Foutras) + +3) The shorewallrc.archlinux file now reflects a change in SBINDIR + that occurred in Arch Linux in mid 2013 (Evangelos Foutras). + +4.6.5 + +1) This release includes defect repair through release 4.6.4.3. + +2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the + diagnostics: + + Setting up log backend + /var/lib/shorewall/.restart: line 2075: echo: write error: + No such file or directory + WARNING: Unable to set log backend to ipt_LOG + +3) A number of corrections have been made to the manpages (Thomas D). + +4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, + then servicd failed to start/stop Shorewall-init. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 4 +---------------------------------------------------------------------------- + +1) The configure scripts and installers now support SERVICEDIR as an + alternative to SYSTEMD. For compatability, SERVICED is an alias + for SERVICEDIR. + +2) The installers now offer a choice of .service files, selected by + the SERVICEFILE option. The default remains $PRODUCT.service. Each + product supplying a .service file now supplies a .service.214. The + differences between the standard .service files and the service.214 + files are: + + a) They specify 'after=network-online.target' rather than + 'after=network.target'. + + b) The file shorewall-init.service.214 specifies + 'before=network-pre.target' rather than + 'before=network.target'. That file requires serviced 214 or + later, hence the names of the new files. + + Regardless of which file is selected, it is installed in + $SERVICEDIR/$PRODUCT.service. + +3) The RATE LIMIT column of the rules files now allows specification + of both a per-source and per-destination limit. See + shorewall[6]-rules(5) for details. + +4) Previously, /bin/sh was used unconditionally to process the helper + script 'getparams'. That shell script reads the params file and + passes back the (variable,value) pairs to the compiler. Beginning + with this release, $SHOREWALL_SHELL is used to process that script, + unless the compilation is for export, in which case /bin/sh is + still used. + + Note that the default value of $SHOREWALL_SHELL is /bin/sh, so + unless your configuration sets that variable, this enhancement will + have no effect. Similarly, on an administrative system, this + enhancement has no effect on the processing of the 'compile -e', + 'load', 'reload' and 'export' commands. + +5) A -C option has been added to several commands to allow the + ip[6]tables packet and byte counters to be preserved. 
+ + - save command + + Causes the packet and byte counters to be saved along with the + chains and rules. + + - restore command + + Causes the packet and byte counters (if saved) to be restored + along with the chains and rules. + + - start command + + With Shorewall and Shorewall6, the -C option only has an effect + if the -f option is also specified. If a previously-saved + configuration is restored, then the packet and byte counters (if + saved) will be restored along with the chains and rules. + + - restart command + + If an existing compiled script is used (no recompilation + required) and if that script generated the current running + configuration, then the current netfilter configuration is + reloaded as is so as to preserve the current packet and byte + counters. + + If you wish to (approximately) preserve the counters over a + possibly unexpected reboot, then: + + - Create a cron job that periodically does 'shorewall save -C' + + - Specify the -C and -f option in the STARTOPTIONS variable in + either /etc/default/shorewall[6][-lite] or + /etc/sysconfig/shorewall[6][-lite], whichever is supported by your + distribution. Note that some distributions do not distribute these + files so you may have to create the one(s) you need (such as + /etc/sysconfig/shorewall). + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/shorewall-lite.service new/shorewall-lite-4.6.6/shorewall-lite.service --- old/shorewall-lite-4.6.5.5/shorewall-lite.service 2015-01-11 17:24:10.000000000 +0100 +++ new/shorewall-lite-4.6.6/shorewall-lite.service 2015-01-13 16:05:15.000000000 +0100 
@@ -5,7 +5,7 @@ # [Unit] Description=Shorewall IPv4 firewall (lite) -After=network.target +After=network-online.target Conflicts=iptables.service firewalld.service [Service] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/shorewall-lite.spec new/shorewall-lite-4.6.6/shorewall-lite.spec --- old/shorewall-lite-4.6.5.5/shorewall-lite.spec 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-lite-4.6.6/shorewall-lite.spec 2015-01-15 16:45:37.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.5 -%define release 5 +%define version 4.6.6 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -106,10 +106,16 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Jan 11 2015 Tom Eastep t...@shorewall.net -- Updated to 4.6.5-5 -* Fri Jan 09 2015 Tom Eastep t...@shorewall.net -- Updated to 4.6.5-4 +* Sat Jan 10 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0base +* Tue Jan 06 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0RC1 +* Fri Jan 02 2015 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta3 +* Fri Dec 26 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta2 +* Fri Dec 19 2014 Tom Eastep t...@shorewall.net +- Updated to 4.6.6-0Beta1 * Mon Dec 15 2014 Tom Eastep t...@shorewall.net - Updated to 4.6.5-3 * Sat Nov 15 2014 Tom Eastep t...@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.5.5/uninstall.sh new/shorewall-lite-4.6.6/uninstall.sh --- old/shorewall-lite-4.6.5.5/uninstall.sh 2015-01-11 17:38:55.000000000 +0100 +++ new/shorewall-lite-4.6.6/uninstall.sh 2015-01-15 16:45:37.000000000 +0100 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.5.5 +VERSION=4.6.6 PRODUCT=shorewall-lite usage() # $1 = exit status ++++++ shorewall-4.6.5.5.tar.bz2 -> shorewall6-4.6.6.tar.bz2 ++++++ ++++ 127531 lines of diff (skipped) ++++++ shorewall-lite-4.6.5.5.tar.bz2 -> shorewall6-lite-4.6.6.tar.bz2 ++++++ ++++ 8386 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
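Review bot: in the releasenotes.txt hunk covering "P R O B L E M S C O R R E C T E D I N 4 . 6 . 5" and "N E W F E A T U R E S I N 4 . 6 . 4", the words "serviced", "servicd" and "SERVICED" appear where systemd is clearly meant ("For compatability, SERVICED is an alias for SERVICEDIR", "requires serviced 214 or later", "then servicd failed to start/stop Shorewall-init"); it looks like a global replace of the SYSTEMD variable name also ran over the prose, and since the point of 4.6.4 item 1 is that SYSTEMD remains an alias, the sentence as written is wrong, not just misspelled. In 4.6.4 item 2 the directives are written "after=network-online.target" and "before=network-pre.target"; systemd directive names are case-sensitive and the shorewall-lite.service hunk in this same patch spells them After= and Before=, so the notes should match. Also fix "compatability" and "occured", and in 4.6.5.1 item 1 "later versions of that program" has no antecedent; name the program.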
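Review bot: the After=network.target to After=network-online.target change in the shorewall-lite.service hunk moves firewall start later in boot, not earlier, and so widens the window in which interfaces are already configured but no ruleset is loaded; network-online.target is only delayed by whatever wait-online service is enabled, and adds no delay at all when none is. The release notes in this patch give the intent as delaying startup "until after network initialization is complete", which is fine for a unit that needs interface addresses at compile time, but the unit or the notes should say plainly that filtering before interfaces come up is the job of shorewall-init (described in the 4.6.4 notes as ordered before network-pre.target) and that this unit alone does not provide it.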