RC 2 is now available for testing. Problems corrected since 4.5.17 RC 1:
1) Previously, conntrack helpers were enabled by the 'stop'
command. Now, these helpers are only enabled by the 'clear'
command.
2) Previously, a 'virtual' interface (e.g., dev:N) could be specified
as the 'physical' interface in /etc/shorewall/interfaces. This
is now disallowed.
New/Changed Features since 4.5.17 RC 1:
1) Traditionally, Shorewall has treated the loopback interface ('lo')
as follows:
- It deals with firewall-to-firewall, firewall-to-vserver,
vserver-to-firewall, and vserver-to-vserver traffic.
- All filtering is done in the OUTPUT flow; all traffic arriving on
'lo' is silently accepted.
- If no firewall-to-firewall policy or rules are defined, then
a simple ACCEPT rule is also included in the OUTPUT chain for
'lo' (after any vserver-oriented jumps).
Beginning with this release, the handling of firewall-to-firewall
traffic can be altered by adding a zone of type 'loopback'.
- 'loopback' zones must be associated with the loopback device in
the interfaces and/or hosts file.
/etc/shorewall/zones
#ZONE TYPE
loop loopback
/etc/shorewall/interfaces
?FORMAT 2
#ZONE INTERFACE OPTIONS
loop lo ...
When this is done, the ACCEPT jumps for 'lo' in the INPUT and
OUTPUT chains are omitted and replaced with jumps to the loop2fw
and fw2loop (loop-fw and fw-loop) chains respectively. This
provides a model similar to other zones for firewall-to-firewall
traffic.
2) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
rules and policies to/from a 'local' zone may only be to/from the
firewall zone, vserver zones or other 'local' zones.
3) Previously, expensive matches such as '-m set' and '-m geoip' could
appear near the front of a rule. Now they appear at the end, unless
'-m nfacct' matches are present in the rule.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
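Added example, not from Tom's announcement or the Shorewall project: a minimal configuration that uses the new 'loopback' zone type so that traffic arriving on 'lo' is filtered through the loop2fw chain instead of being silently accepted. The zone and interface names match the announcement; the 'net' zone on eth0, the policy choices and the port list are assumptions chosen for illustration.

```text
# /etc/shorewall/zones
# 'loop' is the new loopback zone type; 'net' is an ordinary ipv4 zone (assumed).
#ZONE   TYPE
fw      firewall
loop    loopback
net     ipv4

# /etc/shorewall/interfaces
# ?FORMAT 2 must be the first line. Associating 'loop' with 'lo' is what
# replaces the unconditional ACCEPT jumps with the loop2fw/fw2loop chains.
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
loop    lo          -
net     eth0        dhcp

# /etc/shorewall/policy
# Firewall-originated traffic on lo stays open; traffic arriving on lo
# (previously always accepted) is now dropped and logged by default.
#SOURCE DEST    POLICY  LOGLEVEL
$FW     loop    ACCEPT
loop    $FW     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Explicitly allow only the local services that should be reachable over lo
# (assumed example ports); everything else hits the loop->$FW DROP policy.
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  loop    $FW     tcp     22,3306
ACCEPT  loop    $FW     udp     53
```

After 'shorewall check' and 'shorewall restart', 'shorewall show loop2fw' lists the rules now applied to traffic arriving on 'lo', and 'shorewall show fw2loop' those applied to firewall-originated traffic.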
Shorewall-devel mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-devel
