Beta 1 is now available for testing.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  On older distributions where 'shorewall show capabilities'
    indicates 'Connection Tracking Match: Not Available', harmless Perl
    diagnostics like the following could be issued:

        Use of uninitialized value $list in pattern match (m//) 
        at /usr/share/shorewall/Shorewall/Config.pm line 1273,
        <$currentfile> line 14.

        Use of uninitialized value $list in split 
        at /usr/share/shorewall/Shorewall/Config.pm line 1275,
        <$currentfile> line 14.

2)  On older distributions where 'shorewall show capabilities'
    indicates 'Mangle FORWARD Chain: Not Available', entries in the ecn
    file generated the following Perl Diagnostic:

        Use of uninitialized value in hash element 
        at /usr/share/shorewall/Shorewall/Chains.pm line 1119.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  When 'shorewall update' or 'shorewall6 update' results in no change
    to the .conf file, a message is issued, the .bak file is removed
    and the command terminates without error.

2)  Support has been added for 'stateless NAT'. Stateless NAT is very
    similar to NETMAP but differs from it in a couple of ways:

    a. It does not rely on connection tracking, but is rather
       implemented in the Netfilter raw table.

    b. Both the source and destination address can be rewritten in all
       three raw table chains: PREROUTING, OUTPUT and POSTROUTING.

    When used together with stateful NAT, it allows a single router to
    handle a duplicate network address situation.

    Suppose that a VPN using interface tun0 is used to connect to
    another organization, and that both intranets have network
    192.168.1.0/24.

    To allow the two organizations to communicate, they decide to use
    172.20.1.0/24 to address the other's 192.168.1.0/24.

    The following four entries are required in /etc/shorewall/netmap:

        #TYPE   NET1                INTERFACE        NET2
        SNAT    192.168.1.0/24      tun0             172.20.1.0/24
        DNAT    172.20.1.0/24       tun0             192.168.1.0/24
        DNAT:T  172.20.1.0/24       tun0             192.168.1.0/24
        SNAT:P  192.168.1.0/24      tun0             172.20.1.0/24

    Stateless NAT entries differ from NETMAP entries in the TYPE
    column. For stateless entries, both the type of address
    translation (DNAT or SNAT) and the chain (O for OUTPUT, P for
    PREROUTING and T for POSTROUTING) are given.

Note: The release notes in the packages are abbreviated for some reason. So 
please refer to this email or to the copy of the release notes on the web site.

Thank you for testing,

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
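
The TYPE column encoding described in the stateless NAT note above can be checked before a netmap file is deployed. The following is an added example, not part of the original email and not Shorewall's own code: it parses the four entries, rejects a malformed network, and shows the 1:1 address rewrite. The function names are hypothetical, and it assumes NET1 and NET2 are the same size with host bits preserved.

```python
import ipaddress

CHAINS = {"O": "OUTPUT", "P": "PREROUTING", "T": "POSTROUTING"}

# The four entries from the release note, with every network in CIDR form.
PAGE_NETMAP = """\
#TYPE   NET1                INTERFACE        NET2
SNAT    192.168.1.0/24      tun0             172.20.1.0/24
DNAT    172.20.1.0/24       tun0             192.168.1.0/24
DNAT:T  172.20.1.0/24       tun0             192.168.1.0/24
SNAT:P  192.168.1.0/24      tun0             172.20.1.0/24
"""

def parse_entry(line):
    """Parse one netmap line; raise ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 columns: {line!r}")
    type_col, net1, iface, net2 = fields
    kind, _, chain = type_col.partition(":")
    if kind not in ("SNAT", "DNAT"):
        raise ValueError(f"unknown translation type {kind!r}")
    if chain and chain not in CHAINS:
        raise ValueError(f"unknown chain letter {chain!r}")
    n1 = ipaddress.ip_network(net1)  # rejects typos such as 192.168.1.0.24
    n2 = ipaddress.ip_network(net2)
    if n1.prefixlen != n2.prefixlen:  # assumption: 1:1 mapping needs equal sizes
        raise ValueError("NET1 and NET2 differ in size")
    # A chain suffix marks a stateless entry; without one the entry is stateful.
    return {"kind": kind, "stateless": bool(chain), "chain": CHAINS.get(chain),
            "net1": n1, "iface": iface, "net2": n2}

def load(text):
    """Parse every non-blank, non-comment line of a netmap file."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def translate(entry, addr):
    """Map addr from NET1 into NET2, keeping the host bits."""
    ip = ipaddress.ip_address(addr)
    if ip not in entry["net1"]:
        return addr  # entry does not apply to this address
    host = int(ip) & int(entry["net1"].hostmask)
    return str(ipaddress.ip_address(int(entry["net2"].network_address) | host))

if __name__ == "__main__":
    for e in load(PAGE_NETMAP):
        where = f"raw/{e['chain']}" if e["stateless"] else "stateful (conntrack)"
        sample = "192.168.1.57" if e["kind"] == "SNAT" else "172.20.1.57"
        print(e["kind"], where, sample, "->", translate(e, sample))
```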


