Beta 5 is now available for testing.

Problems Corrected:
1) Previously, when a device number was explicitly specified in
/etc/shorewall/tcdevices, all unused numbers less than the one
specified were unavailable for allocation to following entries that
did not specify a number. Now, the compiler selects the lowest
unallocated number when no device number is explicitly allocated.
2) Network developers have discovered an exploit that allows hosts to
poke holes in a firewall under some circumstances. The known ways
to protect against the exploit are:
a) rt_filter (Shorewall's routefilter). Only applicable to IPv4
and can't be used with some multi-ISP configurations.
b) Insert a DROP rule that prevents hairpinning (routeback). The
rule must be inserted before any ESTABLISHED,RELATED firewall
rules. This approach is not appropriate for bridges and other
cases where the 'routeback' option is specified or implied.
For non-routeback interfaces, Shorewall and Shorewall6 will insert
a hairpin rule, provided that the routefilter option is not
specified. The rule will dispose of hairpins according to the
setting of two new options in shorewall.conf and shorewall6.conf:
FILTER_LOG_LEVEL
Specifies the logging level; default is 'info'. To omit
logging, specify FILTER_LOG_LEVEL=none.
FILTER_DISPOSITION
Specifies the disposition. Default is DROP and the possible
values are DROP, A_DROP, REJECT and A_REJECT.
To deal with bridges and other routeback interfaces, there is now
a 'filter' option in /etc/shorewall/interfaces and
/etc/shorewall6/interfaces.
The value of the 'filter' option is a list of network addresses
enclosed in parentheses. Where only a single address is listed,
the parentheses may be omitted. When a packet from a filtered
address is received on the interface, it is disposed of based on
the new FILTER_ options described above.
For a bridge or other routeback interface, you should list all of
your other local networks (those networks not attached to the
bridge) in the bridge's filter list.
Example:
My DMZ is 2001:470:b:227::40/124
My local interface (br1) is a bridge.
In /etc/shorewall6/interfaces, I have:
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     br1         -           filter=2001:470:b:227::40/124
3) A defect introduced in Beta 3 that resulted in Internal Errors in
the compiler has been corrected.
New Features:
1) The new auditing actions and macros introduced in Beta 4 have been
renamed by adding an underscore ('_') after the leading A. For
example, ADrop is now A_Drop.
2) Shorewall and Shorewall6 no longer depend on 'make'.
3) A '-T' (trace) option has been added to the 'check' and 'compile'
commands. When a warning or error message is generated, a Perl
stack trace is included to aid in isolating the source of the
message.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
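Added example (not part of Tom's message and not Shorewall's own generated ruleset): a small shell script that prints the netfilter rules behind the two protections the announcement describes, the hairpin rule for non-routeback interfaces and the per-interface 'filter' list for bridges, honouring the FILTER_DISPOSITION and FILTER_LOG_LEVEL semantics. Several details are assumptions rather than facts from the page: the LOG prefix format, the use of the netfilter AUDIT target for the A_DROP/A_REJECT dispositions, INPUT and FORWARD as the chains affected by the 'filter' option, and "-i X -o X" as the match that identifies a hairpin.

```shell
#!/bin/sh
# Added example, not Shorewall's generated ruleset: emit the netfilter rules
# behind the two protections described in the announcement. Assumed details
# (not from the page): the LOG prefix format, the AUDIT target for the A_*
# dispositions, INPUT+FORWARD as the chains for the 'filter' option, and
# "-i X -o X" as the match for a hairpin on a non-routeback interface.

# emit_dispose IPTABLES CHAIN MATCH DISPOSITION LOGLEVEL
# Print the rules that dispose of packets matching MATCH in CHAIN according to
# FILTER_DISPOSITION / FILTER_LOG_LEVEL. Rules are inserted at the top of the
# chain (positions 1, 2, 3) so they run before any ESTABLISHED,RELATED accept
# rule, which is the ordering the announcement requires.
emit_dispose() {
    e_ipt=$1; e_chain=$2; e_match=$3; e_disp=$4; e_level=$5
    case $e_disp in
        DROP|A_DROP)     e_target=DROP;   e_audit=drop ;;
        REJECT|A_REJECT) e_target=REJECT; e_audit=reject ;;
        *) echo "unknown FILTER_DISPOSITION: $e_disp" >&2; return 1 ;;
    esac
    e_pos=1
    # FILTER_LOG_LEVEL=none suppresses the LOG rule entirely.
    if [ "$e_level" != none ]; then
        echo "$e_ipt -I $e_chain $e_pos $e_match -j LOG --log-level $e_level --log-prefix \"Shorewall:filter:$e_target:\""
        e_pos=$((e_pos + 1))
    fi
    # A_* dispositions additionally record the packet through the audit subsystem.
    case $e_disp in
        A_*) echo "$e_ipt -I $e_chain $e_pos $e_match -j AUDIT --type $e_audit"
             e_pos=$((e_pos + 1)) ;;
    esac
    echo "$e_ipt -I $e_chain $e_pos $e_match -j $e_target"
}

# hairpin_rule IPTABLES IFACE DISPOSITION LOGLEVEL
# Non-routeback interface: dispose of forwarded packets that would leave through
# the interface they arrived on (the hairpin the announcement warns about).
hairpin_rule() {
    emit_dispose "$1" FORWARD "-i $2 -o $2" "$3" "$4"
}

# filter_rules IPTABLES IFACE DISPOSITION LOGLEVEL NET...
# Bridge or other routeback interface: dispose of packets arriving on IFACE whose
# source address lies in one of the networks given in its filter=(...) list,
# i.e. the local networks that are NOT attached to the bridge.
filter_rules() {
    f_ipt=$1; f_iface=$2; f_disp=$3; f_level=$4; shift 4
    for f_net in "$@"; do
        for f_chain in INPUT FORWARD; do
            emit_dispose "$f_ipt" "$f_chain" "-i $f_iface -s $f_net" "$f_disp" "$f_level"
        done
    done
}

# The announcement's own example: DMZ 2001:470:b:227::40/124 listed in the
# filter option of the bridge br1, with the default FILTER_ settings.
filter_rules ip6tables br1 DROP info 2001:470:b:227::40/124
```

The script only prints the commands; review them and run them as root (or feed them to a shell) on the firewall. The point to check when adapting it is rule position: a hairpin or filter rule that lands after an ESTABLISHED,RELATED accept rule does nothing for the second and later packets of a flow, which is why every rule here is inserted at the head of its chain.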
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
