Shorewall 4.5.8 Beta 1 is now available for testing.

----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repair from Shorewall 4.5.7.1.
2) The restriction that TTL and HL rules could only be placed in the
FORWARD chain prevented these rules from being used to hide a router
from traceroute[6]. It is now allowed to place these rules in the
PREROUTING chain by following the specification with ':P' (e.g.,
'TTL(+1):P').
3) Previously, the macro.SNMP macro opened both UDP ports 161 and 162
from SOURCE to DEST. This is against the usual practice of opening
these ports in the opposite direction. Beginning with this release,
port 162 is opened from SOURCE to DEST as before, while port 161
is opened from DEST to SOURCE.
4) Previously, when compiling for export, both
/etc/shorewall/shorewall[6].conf and the shorewall[6].conf in the
configuration directory were processed. Now, only the copy in the
configuration directory is processed.
5) Previously, when ADMINISABSENTMINDED=No in shorewall[6].conf, both
INPUT and OUTPUT rules were generated from entries in
/etc/shorewall[6]/routestopped that specified the 'source'
option. Now only the INPUT rule is generated.
6) The 'iptables_raw' module has been added to the modules.essential
file.
7) Previously, when SAVE_IPSETS=No in shorewall[6].conf, using an
ipset name in the HOSTS column of /etc/shorewall[6]/routestopped
generated this error:
ERROR: An ipset name (+test) is not allowed in this context
The error is no longer generated and the correct rule matching the
ipset is generated.
8) Several corrections have been made to the Fedora/Redhat init script
for Shorewall-init.
9) The <directory> parameter to the 'try' command is now documented in
the shorewall(8) and shorewall6(8) manpages.
10) Some redundant interface-option rules have been removed in
configurations with multiple zones configured on a single
interface.
11) Previously, when compiling for export, the compilation would fail
if the setting of SHAREDIR in the firewall's shorewallrc was
different from the setting on the admin system. Such compilations
now succeed.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release attempts to alleviate the confusion that results
from different usage of the VARDIR name.
Beginning with Shorewall 4.5.2, 'VARDIR' became a variable in the
shorewallrc file with the default value '/var/lib'. This was at
odds with the usage of VARDIR in /etc/$product/vardir, where the
variable VARDIR holds the state directory for a particular product
(e.g., /var/lib/shorewall).
To eliminate this issue going forward, a VARLIB variable has been
added to shorewallrc to assume the role previously filled by
VARDIR, while VARDIR now defaults to '${VARLIB}/${PRODUCT}'.
When a pre-4.5.8 shorewallrc file is present, VARLIB is set to
${VARDIR} and VARDIR is set to ${VARLIB}/${PRODUCT}. If VARLIB is
set in the shorewallrc file and VARDIR is not, then VARDIR also
defaults to ${VARLIB}/${PRODUCT}.
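The compatibility rules above can be expressed as a small shell function. The following is an added example written for this note, not Shorewall's own code: it assumes a shorewallrc-style file of NAME=value lines that can be sourced by the shell, and it assumes '/var/lib' as the fallback when neither VARLIB nor VARDIR is set (the old VARDIR default). The function name resolve_vardirs is hypothetical.

```shell
#!/bin/sh
# Added example: resolve the effective VARLIB and VARDIR for a product
# from a shorewallrc-style file, following the 4.5.8 compatibility rules.
# Not Shorewall's own code; resolve_vardirs is a hypothetical helper.

# resolve_vardirs PRODUCT RCFILE
# Prints "VARLIB=<dir> VARDIR=<dir>" for PRODUCT (e.g. shorewall, shorewall6).
# The body runs in a subshell so sourcing RCFILE cannot leak variables
# into the caller's environment.
resolve_vardirs() (
    product=$1
    rcfile=$2
    VARDIR=
    VARLIB=
    # shorewallrc is a shell fragment, so read it the same way the
    # Shorewall scripts do
    . "$rcfile"

    if [ -n "$VARLIB" ] && [ -n "$VARDIR" ]; then
        # 4.5.8+ style file with both set explicitly: use them as given
        :
    elif [ -n "$VARDIR" ]; then
        # pre-4.5.8 file: the old VARDIR was the /var/lib-style root, so it
        # becomes VARLIB and the per-product directory hangs below it
        VARLIB=$VARDIR
        VARDIR=$VARLIB/$product
    elif [ -n "$VARLIB" ]; then
        # VARLIB set, VARDIR not: VARDIR defaults to ${VARLIB}/${PRODUCT}
        VARDIR=$VARLIB/$product
    else
        # neither set: assumed fallback of /var/lib (the old VARDIR default)
        VARLIB=/var/lib
        VARDIR=$VARLIB/$product
    fi

    printf 'VARLIB=%s VARDIR=%s\n' "$VARLIB" "$VARDIR"
)

# Demonstration with a constructed pre-4.5.8 shorewallrc fragment.
demo_rc=$(mktemp)
printf 'HOST=linux\nVARDIR=/var/lib\n' > "$demo_rc"
# Expected: VARLIB=/var/lib VARDIR=/var/lib/shorewall
resolve_vardirs shorewall "$demo_rc"
rm -f "$demo_rc"
```

The state directory matters operationally: it is where each product keeps its compiled firewall script and saved state, so a configuration that resolves VARDIR to the wrong place will make commands such as 'restore' look in the wrong directory. Running the function against your own shorewallrc before upgrading shows which branch your file will take.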
2) A new 'stoppedrules' file has been added and the 'routestopped' file
is now deprecated. See stoppedrules(5) for details.
3) When the -e option is specified, the current working directory is
now included in the CONFIG_PATH.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
