-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Shorewall team is pleased to announce the availability of Shorewall 4.4.0.
The Shorewall packaging has been completely revamped in Shorewall 4.4. The new packages are: - Shorewall. Includes the former Shorewall-common and Shorewall-perl packages. Has everything needed to create an IPv4 firewall. Shorewall-shell is no longer available. - Shorewall6. Requires Shorewall. Adds the components necessary to create an IPv6 firewall. - Shorewall-lite May be installed on a firewall system to run IPv4 firewall scripts generated by Shorewall. - Shorewall6-lite May be installed on a firewall system to run IPv6 firewall scripts generated by Shorewall6. 4.4.0 is available at most mirrors now and all of the mirrors will be fully populated by tomorrow. - ---------------------------------------------------------------------------- R E L E A S E 4 . 4 H I G H L I G H T S - ---------------------------------------------------------------------------- 1) Support for Shorewall-shell has been discontinued. Shorewall-perl has been combined with Shorewall-common to produce a single Shorewall package. 2) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing discipline has been added. HFSC is superior to the "Hierarchical Token Bucket" queuing discipline where realtime traffic such as VOIP is being used. 3) Support for the "flow" traffic classifier has been added. This classifier can help prevent multi-connection applications such as BitTorrent from using an unfair amount of bandwidth. 4) The Shorewall documentation and man pages have been purged of information about earlier Shorewall releases. The documentation describes only the behavior of Shorewall 4.4 and later versions. 5) The interfaces file OPTIONs have been extended to largely remove the need for the hosts file. 6) It is now possible to define PREROUTING and OUTPUT marking rules that cause new connections to use the same provider as an existing connection of the same kind. 7) Dynamic Zone support is once again available for IPv4; ipset support is required in your kernel and in iptables. 8) A new AUTOMAKE option has been added to shorewall.conf and shorewall6.conf. Setting this option will allow Shorewall to skip the compilation phase during start/restart if no configuration changes have occurred since the last start/restart. 9) The LIMIT:BURST column in /etc/shorewall/policy (/etc/shorewall6/policy) and the RATE LIMIT column in /etc/shorewall/rules (/etc/shorewall6/rules) may now be used to limit on a per source IP or per destination IP basis. 10) Support for per-IP traffic shaping classes has been added. 11) Support for netfilter's TRACE facility has been added. TRACE allows you to trace selected packets through Netfilter, including marking by tcrules. - ---------------------------------------------------------------------------- M I G R A T I O N I S S U E S - ---------------------------------------------------------------------------- 1) If you are currently using Shorewall-shell: a) In shorewall.conf, if you have specified "SHOREWALL_COMPILER=shell" then you must either: - change that specification to "SHOREWALL_COMPILER=perl"; or - change that specification to "SHOREWALL_COMPILER="; or - delete the specification altogether. Failure to do so will result in the following warning: WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release. b) Review the incompatibilities between Shorewall-shell and Shorewall-perl at http://www.shorewall.net/Shorewall-perl.html#Incompatibilities and make changes to your configuration as necessary. We strongly recommend that you migrate to Shorewall-perl on your current Shorewall version before upgrading to Shorewall 4.4.0. That way, you can have both Shorewall-shell and Shorewall-perl available until you are certain that Shorewall-perl is working correctly for you. 2) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and 'shorewall6 clear' commands no longer read the 'routestopped' file. The 'routestopped' file used is the one that was present at the last 'start', 'restart' or 'restore' command. IMPORTANT: If you modify the routestopped file, you must refresh or restart Shorewall before the changes to that file take effect. 3) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4 documentation uses the new syntax exclusively, although the old syntax continues to be supported. The sample configurations also use the new syntax. 4) Support for the SAME target in /etc/shorewall/masq and /etc/shorewall/rules has been removed, following the removal of the underlying support in the Linux kernel. 5) Supplying an interface name in the SOURCE column of /etc/shorewall/masq is now deprecated. Entering the name of an interface there will result in a compile-time warning: WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts To avoid this warning, replace interface names by the corresponding network addresses (e.g., 192.168.144.0/24). 6) Previously, Shorewall has treated traffic shaping class IDs as decimal numbers (or pairs of decimal numbers). That worked fine until IPMARK was implemented. IPMARK requires Shorewall to generate class Ids in numeric sequence. In 4.3.9, that didn't work correctly because Shorewall was generating the sequence "..8,9,10,11..." when the correct sequence was "...8,9,a,b,...". Shorewall now treats class IDs as hex, as do 'tc' and 'iptables'. This should only be an issue if you have more than 9 interfaces defined in /etc/shorewall/tcdevices and if you use class IDs in /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need to renumber the class IDs for devices 10 and greater. 7) Support for the 'norfc1918' interface and host option has been removed. If 'norfc1918' is specified for an entry in either the interfaces or the hosts file, a warning is issued and the option is ignored. Simply remove the option to avoid the warning. Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL is given in shorewall.conf, a warning will be issued and the option will be ignored. You may simply delete the RFC1918-related options from your shorewall.conf file if you are seeing warnings regarding them. Users who currently use 'norfc1918' are encouraged to consider using NULL_ROUTE_RFC1918=Yes instead. 8) The install.sh scripts in the Shorewall and Shorewall6 packages no longer create a backup copy of the existing configuration. If you want your configuration backed up prior to upgrading, you will need to do that yourself. As part of this change, the fallback.sh scripts are no longer released. 9) In earlier releases, if an ipsec zone was defined as a sub-zone of an ipv4 or ipv6 zone using the special <child>:<parent>,... syntax, CONTINUE policies for the sub-zone did not work as expected. Traffic that was not matched by a sub-zone rule was not compared against the parent zone(s) rules. In 4.4.0, such traffic IS compared against the parent zone rules. 10) The name 'any' is now reserved and may not be used as a zone name. The full release notes are available at http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.0/releasenotes.txt - -The Shorewall Team - -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqF6y8ACgkQO/MAbZfjDLLEpACgmq8zA5nzPoU10R9IUS2FX85K bKkAn1d0caluoOoP9+x79+BULIctfnQX =vMsl -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users