
The Shorewall team is pleased to announce the availability of Shorewall
4.4.0.

The Shorewall packaging has been completely revamped in Shorewall 4.4.

The new packages are:

    - Shorewall.   Includes the former Shorewall-common and
                   Shorewall-perl packages. Has everything needed
                   to create an IPv4 firewall.

                   Shorewall-shell is no longer available.

    - Shorewall6.  Requires Shorewall. Adds the components necessary to
                   create an IPv6 firewall.

    - Shorewall-lite

                   May be installed on a firewall system to run
                   IPv4 firewall scripts generated by Shorewall.

    - Shorewall6-lite

                   May be installed on a firewall system to run
                   IPv6 firewall scripts generated by Shorewall6.

4.4.0 is available at most mirrors now and all of the mirrors will be
fully populated by tomorrow.

----------------------------------------------------------------------------
               R E L E A S E  4 . 4  H I G H L I G H T S
----------------------------------------------------------------------------

1)  Support for Shorewall-shell has been discontinued. Shorewall-perl
    has been combined with Shorewall-common to produce a single
    Shorewall package.

2)  Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
    discipline has been added. HFSC is superior to the "Hierarchical
    Token Bucket" queuing discipline where realtime traffic such as
    VOIP is being used.

3)  Support for the "flow" traffic classifier has been added. This
    classifier can help prevent multi-connection applications such as
    BitTorrent from using an unfair amount of bandwidth.

4)  The Shorewall documentation and man pages have been purged of
    information about earlier Shorewall releases. The documentation
    describes only the behavior of Shorewall 4.4 and later versions.

5)  The interfaces file OPTIONs have been extended to largely remove the
    need for the hosts file.

6)  It is now possible to define PREROUTING and OUTPUT marking rules
    that cause new connections to use the same provider as an existing
    connection of the same kind.

7)  Dynamic Zone support is once again available for IPv4; ipset
    support is required in your kernel and in iptables.

8)  A new AUTOMAKE option has been added to shorewall.conf and
    shorewall6.conf. Setting this option will allow Shorewall to skip
    the compilation phase during start/restart if no configuration
    changes have occurred since the last start/restart.

9)  The LIMIT:BURST column in /etc/shorewall/policy
    (/etc/shorewall6/policy) and the RATE LIMIT column in
    /etc/shorewall/rules (/etc/shorewall6/rules) may now be used to
    limit on a per source IP or per destination IP basis.

10) Support for per-IP traffic shaping classes has been added.

11) Support for netfilter's TRACE facility has been added. TRACE allows
    you to trace selected packets through Netfilter, including marking
    by tcrules.

----------------------------------------------------------------------------
                    M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------
1)  If you are currently using Shorewall-shell:

    a) In shorewall.conf, if you have specified
       "SHOREWALL_COMPILER=shell" then you must either:

       -  change that specification to "SHOREWALL_COMPILER=perl"; or
       -  change that specification to "SHOREWALL_COMPILER="; or
       -  delete the specification altogether.

       Failure to do so will result in the following warning:

       WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell
                support has been removed in this release.

    b) Review the incompatibilities between Shorewall-shell and
       Shorewall-perl at
       http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
       and make changes to your configuration as necessary.

    We strongly recommend that you migrate to Shorewall-perl on your
    current Shorewall version before upgrading to Shorewall 4.4.0. That
    way, you can have both Shorewall-shell and Shorewall-perl available
    until you are certain that Shorewall-perl is working correctly for
    you.

2)  The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
    'shorewall6 clear' commands no longer read the 'routestopped'
    file. The 'routestopped' file used is the one that was present at
    the last 'start', 'restart' or 'restore' command.

    IMPORTANT: If you modify the routestopped file, you must refresh or
    restart Shorewall before the changes to that file take effect.

3)  The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated
    in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4
    documentation uses the new syntax exclusively, although the old
    syntax continues to be supported.

    The sample configurations also use the new syntax.

4)  Support for the SAME target in /etc/shorewall/masq and
    /etc/shorewall/rules has been removed, following the removal of the
    underlying support in the Linux kernel.

5)  Supplying an interface name in the SOURCE column of
    /etc/shorewall/masq is now deprecated. Entering the name of an
    interface there will result in a compile-time warning:

    WARNING: Using an interface as the masq SOURCE requires the
             interface to be up and configured when Shorewall
             starts/restarts

    To avoid this warning, replace interface names by the corresponding
    network addresses (e.g., 192.168.144.0/24).

6)  Previously, Shorewall has treated traffic shaping class IDs as
    decimal numbers (or pairs of decimal numbers). That worked fine
    until IPMARK was implemented. IPMARK requires Shorewall to generate
    class Ids in numeric sequence. In 4.3.9, that didn't work correctly
    because Shorewall was generating the sequence "..8,9,10,11..." when
    the correct sequence was "...8,9,a,b,...". Shorewall now treats
    class IDs as hex, as do 'tc' and 'iptables'.

    This should only be an issue if you have more than 9 interfaces
    defined in /etc/shorewall/tcdevices and if you use class IDs in
    /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need
    to renumber the class IDs for devices 10 and greater.

7)  Support for the 'norfc1918' interface and host option has been
    removed. If 'norfc1918' is specified for an entry in either the
    interfaces or the hosts file, a warning is issued and the option is
    ignored. Simply remove the option to avoid the warning.

    Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL
    is given in shorewall.conf, a warning will be issued and the option
    will be ignored.

    You may simply delete the RFC1918-related options from your
    shorewall.conf file if you are seeing warnings regarding them.

    Users who currently use 'norfc1918' are encouraged to consider
    using NULL_ROUTE_RFC1918=Yes instead.

8)  The install.sh scripts in the Shorewall and Shorewall6 packages no
    longer create a backup copy of the existing configuration. If you
    want your configuration backed up prior to upgrading, you will
    need to do that yourself.

    As part of this change, the fallback.sh scripts are no longer
    released.

9)  In earlier releases, if an ipsec zone was defined as a sub-zone of
    an ipv4 or ipv6 zone using the special <child>:<parent>,... syntax,
    CONTINUE policies for the sub-zone did not work as
    expected. Traffic that was not matched by a sub-zone rule was not
    compared against the parent zone(s) rules.

    In 4.4.0, such traffic IS compared against the parent zone rules.

10) The name 'any' is now reserved and may not be used as a zone name.
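A pre-upgrade check for several of the migration issues above (items 1, 4, 5, 7 and 10), written here as an added example rather than anything shipped with Shorewall; it assumes the configuration files live together in one directory and runs itself against a constructed sample configuration:

```shell
#!/bin/sh
# Pre-upgrade lint for the 4.4 migration issues listed above (an added example,
# not a Shorewall project script). Assumes the classic layout: shorewall.conf,
# interfaces, hosts, masq, rules and zones in one directory. Prints one line per
# finding and always exits 0, so it is safe to call under set -e.

# Emit the non-comment, non-blank lines of a config file (missing file: nothing).
cfg_lines() { [ -f "$1" ] && sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; return 0; }

lint_shorewall_44() {
    dir=$1
    # Migration issue 1: SHOREWALL_COMPILER=shell is ignored with a warning in 4.4
    cfg_lines "$dir/shorewall.conf" | grep -q '^SHOREWALL_COMPILER=shell' &&
        echo "shorewall.conf: SHOREWALL_COMPILER=shell (set it to perl or delete it)"
    # Issue 7: RFC1918_* options and the norfc1918 interface/host option are ignored
    cfg_lines "$dir/shorewall.conf" | grep -Eq '^RFC1918_STRICT=Yes|^RFC1918_LOG_LEVEL=.' &&
        echo "shorewall.conf: RFC1918_STRICT/RFC1918_LOG_LEVEL are ignored (see NULL_ROUTE_RFC1918)"
    for f in interfaces hosts; do
        cfg_lines "$dir/$f" | grep -qw norfc1918 && echo "$f: 'norfc1918' is ignored; remove it"
    done
    # Issue 4: the SAME target has been removed from masq and rules
    for f in masq rules; do
        cfg_lines "$dir/$f" | grep -qw SAME && echo "$f: SAME target is no longer supported"
    done
    # Issue 5: a masq SOURCE (2nd column) starting with a letter is an interface name
    cfg_lines "$dir/masq" |
        awk '$2 ~ /^[A-Za-z]/ { print "masq: SOURCE " $2 " is an interface; use its network address" }'
    # Issue 10: 'any' is now a reserved zone name
    cfg_lines "$dir/zones" | awk '$1 == "any" { print "zones: zone name \"any\" is reserved" }'
    return 0
}

# Constructed sample configuration (not from a real site) that trips every check.
make_sample_config() {
    d=${TMPDIR:-/tmp}/shorewall-lint.$$
    mkdir -p "$d"
    printf 'SHOREWALL_COMPILER=shell\nRFC1918_STRICT=Yes\nAUTOMAKE=Yes\n' > "$d/shorewall.conf"
    printf '#ZONE INTERFACE BROADCAST OPTIONS\nnet eth0 detect dhcp,norfc1918\nloc eth1 detect\n' > "$d/interfaces"
    printf '#INTERFACE SOURCE ADDRESS\neth0 eth1\neth0 192.168.144.0/24\n' > "$d/masq"
    printf '#ACTION SOURCE DEST PROTO DEST\nSAME net loc:192.168.1.3,192.168.1.4 tcp 80\nSSH(ACCEPT) net $FW\n' > "$d/rules"
    printf '#ZONE TYPE\nfw firewall\nnet ipv4\nany ipv4\n' > "$d/zones"
    echo "$d"
}

lint_shorewall_44 "$(make_sample_config)"
```

Point `lint_shorewall_44` at /etc/shorewall on a real system to get the same one-line-per-finding report before running the 4.4 installer.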

The full release notes are available at
http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.0/releasenotes.txt

-The Shorewall Team
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users