Shorewall 4.2.1 is available from all Shorewall Mirrors.

Problems corrected in Shorewall 4.2.1

1) A description of the CONNBYTES column has been added to
   shorewall-tcrules(5).

2) Previously, Shorewall-perl would accept zero as the <max> value in the
   CONNBYTES column of tcrules even when the <min> field was non-zero. A
   value of zero for <max> was equivalent to omitting <max>.

3) iptables 1.4.1 discontinued support of syntax generated by Shorewall in
   some cases. Shorewall now detects when the new syntax is required and
   uses it instead.

4) The Shorewall-perl implementation of the LENGTH column in
   /etc/shorewall/tcrules was incomplete, with the result that all LENGTH
   rules matched. Thanks to Lennart Sorensen for the patch.

5) The 'export' command no longer fails with the error:

      /sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi")

Other changes in Shorewall 4.2.1

1) With the recent renewed interest in DOS attacks, it seems appropriate to
   have connection limiting support in Shorewall. To that end, a CONNLIMIT
   column has been added to both the policy and rules files. The content of
   these columns is of the format

      [!] <limit>[:<mask>]

   where <limit> is the limit on simultaneous TCP connections and <mask>
   specifies the size of the network to which the limit applies, given as a
   CIDR mask length. The default value for <mask> is 32, which means that
   each remote IP address can have <limit> TCP connections active at once.

   !   Not allowed in the policy file. In the rules file, it causes
       connections to match when the number of current connections
       exceeds <limit>.

   When specified in the policy file, the limit is enforced on all
   connections that are subject to the given policy (just like LIMIT:BURST).
   The limit is checked on new connections before the connection is passed
   through the rules in the NEW section of the rules file.

   It is important to note that while the limit is only checked for those
   destinations specified in the DEST column, the number of current
   connections is calculated over all destinations and not just the
   destination specified in the DEST column.

   Use of this feature requires the connlimit match capability in your
   kernel and iptables. If you use a capabilities file when compiling your
   Shorewall configuration(s), then you need to regenerate the file using
   Shorewall or Shorewall-lite 4.2.1.

2) Shorewall now supports time/date restrictions on entries in the rules
   file via a new TIME column. The contents of this column are a series of
   one or more "time elements" separated by ampersands ("&"). Possible time
   elements are:

      utc                   Times are expressed in Greenwich Mean Time.
      localtz               Times are expressed in local civil time (default).
      timestart=hh:mm[:ss]
      timestop=hh:mm[:ss]   Start and stop time of day for the rule.
      weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or Sun.
      monthdays=dd[,dd]...  where dd is an ordinal day of the month.
      datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
      datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
                            where yyyy = Year, first mm = Month, dd = Day,
                            hh = Hour, second mm = Minute, ss = Second.

   Examples:

      1) utc&timestart=10:00&timestop=12:00
         Between 10am and 12 noon each day, GMT.

      2) datestart=2008-11-01T12:00
         Beginning November 1, 2008 at noon LCT.

   Use of this feature requires the time match capability in your kernel
   and iptables. If you use a capabilities file when compiling your
   Shorewall configuration(s), then you need to regenerate the file using
   Shorewall or Shorewall-lite 4.2.1.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA    \ -Herbert Spencer
http://shorewall.net \________________________________________________
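As an added example, not part of this announcement and not Shorewall's own code, here is a small Python validator for the two new column grammars described above (CONNLIMIT `[!] <limit>[:<mask>]` and the `&`-separated TIME elements); it only checks syntax and value ranges so a rules file can be linted before `shorewall compile`, and does not emit iptables options.

```python
import re

# Vocabulary taken from the TIME column description in the announcement.
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
TIME_RE = re.compile(r"\d{2}:\d{2}(:\d{2})?")
DATE_RE = re.compile(r"\d{4}(-\d{2}(-\d{2}(T\d{2}(:\d{2}(:\d{2})?)?)?)?)?")

def parse_connlimit(value, in_policy=False):
    """Parse '[!] <limit>[:<mask>]' and return (negated, limit, mask).

    The leading '!' is only legal in the rules file, so in_policy=True
    rejects it.  <mask> defaults to 32, i.e. one limit per remote address.
    """
    m = re.fullmatch(r"(!)?\s*(\d+)(?::(\d+))?", value.strip())
    if not m:
        raise ValueError("bad CONNLIMIT value: %r" % value)
    negated = m.group(1) is not None
    if negated and in_policy:
        raise ValueError("'!' is not allowed in the policy file")
    limit, mask = int(m.group(2)), int(m.group(3) or 32)
    if limit < 1 or not 0 <= mask <= 32:
        raise ValueError("limit must be >= 1 and mask must be 0..32")
    return negated, limit, mask

def parse_time(value):
    """Split a TIME column on '&' and validate each time element."""
    elems = {}
    for el in value.split("&"):
        key, _, arg = el.partition("=")
        if key in ("utc", "localtz") and not arg:
            elems["tz"] = key                      # default is localtz
        elif key in ("timestart", "timestop") and TIME_RE.fullmatch(arg):
            elems[key] = arg
        elif key == "weekdays" and arg and set(arg.split(",")) <= WEEKDAYS:
            elems[key] = arg.split(",")
        elif key == "monthdays" and arg and all(
                d.isdigit() and 1 <= int(d) <= 31 for d in arg.split(",")):
            elems[key] = [int(d) for d in arg.split(",")]
        elif key in ("datestart", "datestop") and DATE_RE.fullmatch(arg):
            elems[key] = arg
        else:
            raise ValueError("bad time element: %r" % el)
    return elems

def rejects(parser, value, **kw):
    """True when the parser refuses the value; handy when linting a file."""
    try:
        parser(value, **kw)
    except ValueError:
        return True
    return False
```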
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users