RC 1 is now available for testing.
Problems corrected in RC 1:
1) If the configuration settings in the PACKET MARK LAYOUT section of
shorewall.conf (shorewall6.conf) had empty settings, the 'update'
command would previously set them to their default settings. It now
leaves them empty.
2) Previously, Shorewall used 'unreachable' routes to null-route the
RFC1918 subnets. This approach has two drawbacks:
- It can cause problems for IPSEC in that it can cause packets to
be rejected rather than encrypted and forwarded.
- It can return 'host unreachable' ICMPs to other systems that
attempt to route RFC1918 addresses through the firewall.
To eliminate these problems, Shorewall now uses 'blackhole' routes.
Such routes don't interfere with IPSEC and silently drop packets
rather than return an ICMP.
3) The 'default' routing table is now cleared if there are no
'fallback' providers.
4) The usage text for the 'compile' command has been corrected.
5) An error is now raised if a country-code list has more than 15
elements.
New Features in RC 1:
1) The compiler now uses the geoip database to validate country codes;
that database is normally installed in /usr/share/xt_geoip/. There
are two sub-directories at that location:
BE - The big-endian database.
LE - The little-endian database.
To accommodate both big-endian and little-endian machines and
to allow the database to be installed elsewhere, a GEOIPDIR option
has been added in shorewall.conf and shorewall6.conf. The default
setting is "/usr/share/xt_geoip/LE" since Shorewall is normally
installed on little-endian machines.
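As an added illustration of the two checks described above (the 15-element limit from correction 5 and the database lookup behind GEOIPDIR), here is a small Python validator. It is not Shorewall's own (Perl) compiler code. It assumes the xt_geoip database directory holds one <CC>.iv4 / <CC>.iv6 file per country code, which is how the xtables-addons build script lays it out; the sample directory it builds is constructed inline so the example runs offline.

```python
"""Validate a GeoIP country-code list against a GEOIPDIR directory.

Added example, not Shorewall's own code. Assumption: GEOIPDIR contains one
<CC>.iv4 and/or <CC>.iv6 file per supported country, e.g. US.iv4, DE.iv6.
"""
import os
import tempfile

MAX_COUNTRIES = 15  # limit stated in the release notes (correction 5)


def list_geoip_countries(geoipdir):
    """Return the set of upper-case country codes that have a database file."""
    codes = set()
    for name in os.listdir(geoipdir):
        stem, ext = os.path.splitext(name)
        if ext in (".iv4", ".iv6") and len(stem) == 2 and stem.isalpha():
            codes.add(stem.upper())
    return codes


def country_list_error(spec, geoipdir):
    """Return None if the comma-separated list is acceptable, else an error string.

    Checks, in order: the list is non-empty, it has at most MAX_COUNTRIES
    entries, and every code has a database file under geoipdir.
    """
    codes = [c.strip().upper() for c in spec.split(",") if c.strip()]
    if not codes:
        return "empty country-code list"
    if len(codes) > MAX_COUNTRIES:
        return "country-code list has %d elements; maximum is %d" % (
            len(codes), MAX_COUNTRIES)
    known = list_geoip_countries(geoipdir)
    unknown = [c for c in codes if c not in known]
    if unknown:
        return "unknown country code(s): " + ", ".join(unknown)
    return None


def validate_country_list(spec, geoipdir):
    """Return the normalised list of codes, or raise ValueError (compile error)."""
    err = country_list_error(spec, geoipdir)
    if err:
        raise ValueError(err)
    return [c.strip().upper() for c in spec.split(",") if c.strip()]


def make_sample_geoipdir(countries=("US", "DE", "FR", "GB", "NL")):
    """Build a throwaway GEOIPDIR holding constructed (empty) database files."""
    d = tempfile.mkdtemp(prefix="xt_geoip_LE_")
    for cc in countries:
        for ext in (".iv4", ".iv6"):
            open(os.path.join(d, cc + ext), "wb").close()
    return d


if __name__ == "__main__":
    geoipdir = make_sample_geoipdir()
    print(validate_country_list("us,de, fr", geoipdir))
    print(country_list_error("us,xx", geoipdir))
    print(country_list_error(",".join(["US"] * 16), geoipdir))
```

In a real deployment the directory passed in would be the GEOIPDIR setting (default /usr/share/xt_geoip/LE); pointing it at the BE directory on a big-endian host is the same lookup, since only the file contents differ.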
2) OPTIMIZE level 4 now performs an additional optimization. If the
last rule in a chain is an unqualified jump to a simple target,
then all immediately preceding rules with the same simple target
are omitted.
For example, consider this chain:
-A fw-net -p udp --dport 67:68 -j ACCEPT
-A fw-net -p udp --sport 1194 -j ACCEPT
-A fw-net -p 41 -j ACCEPT
-A fw-net -j ACCEPT
Since all of the rules are jumps to the simple target ACCEPT, this
chain is totally optimized away and jumps to 'fw-net' are replaced
with jumps to ACCEPT.
As part of this enhancement, when both OPTIMIZE level 1 and level 4
are selected, the level 1 optimization step is skipped because it
is now a limited subset of level 4.
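To make the level 4 rule concrete, the following Python is an added, stand-alone model of the optimization described above (it is not the Shorewall compiler's own Perl code). It parses iptables-save style rules, drops the rules immediately preceding an unqualified jump to the same simple target, and when a chain collapses to that single jump, deletes the chain and rewrites jumps to it. The set of "simple" targets and the sample rule set are assumptions chosen for the illustration; the sample reuses the fw-net chain from the text and adds a second chain to show the case where only some trailing rules are removed.

```python
"""Model of the OPTIMIZE level 4 trailing-jump optimization (added example)."""
import re
from collections import OrderedDict

# Assumption: these are the terminating targets treated as "simple".
SIMPLE_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# "-A <chain> [<match...>] -j <target>"
RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)\s*$")


def parse_rules(lines):
    """Group rules by chain; each rule is a (match-string, target) pair."""
    chains = OrderedDict()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        chain, match, target = m.groups()
        chains.setdefault(chain, []).append((match, target))
    return chains


def optimize_level4(chains):
    """Apply the trailing-jump optimization until nothing more changes.

    Returns (optimized chains, {removed chain: simple target it became}).
    """
    chains = OrderedDict((c, list(r)) for c, r in chains.items())
    replaced = {}
    changed = True
    while changed:
        changed = False
        for chain in list(chains):
            rules = chains[chain]
            if not rules:
                continue
            match, target = rules[-1]
            # Only an unqualified jump to a simple target qualifies.
            if match or target not in SIMPLE_TARGETS:
                continue
            # Walk back over the run of rules that jump to the same target;
            # a packet matching any of them would reach the final jump anyway.
            i = len(rules) - 1
            while i > 0 and rules[i - 1][1] == target:
                i -= 1
            if i < len(rules) - 1:
                del rules[i:-1]
                changed = True
            if len(rules) == 1:
                # Chain is now just "-j <target>": remove it and retarget
                # every jump to the chain at the simple target.
                replaced[chain] = target
                del chains[chain]
                for other in chains.values():
                    for k, (m, t) in enumerate(other):
                        if t == chain:
                            other[k] = (m, target)
                changed = True
    return chains, replaced


def emit(chains):
    """Render chains back into iptables-save style rule lines."""
    out = []
    for chain, rules in chains.items():
        for match, target in rules:
            out.append("-A %s %s -j %s" % (chain, match, target) if match
                       else "-A %s -j %s" % (chain, target))
    return out


def optimize_lines(lines):
    """Convenience wrapper: lines in, (optimized lines, replaced chains) out."""
    chains, replaced = optimize_level4(parse_rules(lines))
    return emit(chains), replaced


# Constructed sample: the fw-net chain from the release notes plus a caller
# and a second chain whose trailing run only partly collapses.
SAMPLE = [
    "-A fw-net -p udp --dport 67:68 -j ACCEPT",
    "-A fw-net -p udp --sport 1194 -j ACCEPT",
    "-A fw-net -p 41 -j ACCEPT",
    "-A fw-net -j ACCEPT",
    "-A OUTPUT -o eth0 -j fw-net",
    "-A net-fw -p tcp --dport 22 -j ACCEPT",
    "-A net-fw -p udp --dport 53 -j DROP",
    "-A net-fw -j DROP",
]

if __name__ == "__main__":
    for rule in optimize_lines(SAMPLE)[0]:
        print(rule)
```

The net-fw chain shows the limit of the rule: the scan stops at the first preceding rule with a different target, so the SSH ACCEPT survives while the redundant DNS DROP is removed. The loop reruns because retargeting a jump can itself leave another chain as a single unqualified simple jump.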
If you wish to test Shorewall6, you must apply the attached patch after
installing RC 1:
patch /usr/share/shorewall6/actions.std < GEOIP.patch
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 68785d2..3526f92 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -26,7 +26,6 @@ AllowICMPs # Accept needed ICMP6 types
Broadcast # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
DropSmurfs # Handles packets with a broadcast source address
-GeoIP # Match packets by ISO 3166 Country Code
Invalid # Handles packets in the INVALID conntrack state
NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy
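Review bot: the removal of the GeoIP line from Shorewall6/actions.std is not explained anywhere in the hunk or the announcement, which says the GEOIPDIR option was added to shorewall6.conf as well; either note in the commit why the IPv6 product drops the standard GeoIP action while still carrying the option, or keep the line so shorewall and shorewall6 declare the same set of standard actions.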
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel