The Shorewall team is pleased to announce the availability of Shorewall
4.4.7 RC1.

The release is available at:

http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.7-RC1

ftp://ftp.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.7-RC1

This release features a number of enhancements:

1)  The OPTIMIZE option value is now a bit-map with each bit
    controlling a separate set of optimizations.

    - The low-order bit (value 1) controls optimizations available in
      earlier releases. We refer to this optimization as "optimization
      1".

    - The next bit (value 2) suppresses superfluous ACCEPT rules in a
      policy chain that implements an ACCEPT policy. Any ACCEPT rules
      that immediately precede the final blanket ACCEPT rule in the
      chain are now omitted. We refer to this optimization as
      "optimization 2".

    - The next bit (value 4 or "optimization 4") enables the following
      additional optimizations:

      a) Empty chains are optimized away.
      b) Chains with one rule are optimized away.
      c) If a built-in chain has a single rule that branches to a
         second chain, then the rules from the second chain are moved
         to the built-in chain and the target chain is omitted.
      d) Chains with no references are deleted.
      e) Accounting chains are subject to optimization if the new
         OPTIMIZE_ACCOUNTING option is set to 'Yes' (default is 'No').
      f) If a chain ends with an unconditional branch to a second chain
         (other than to 'reject'), then the branch is deleted from the
         first chain and the rules from the second chain are appended
         to it. 

      The following chains are exempted from optimization 4:

          action chains (user-created).
          accounting chains (unless OPTIMIZE_ACCOUNTING=Yes)
          dynamic
          forwardUPnP
          logdrop
          logreject
          rules chains (those of the form zonea2zoneb or zonea-zoneb).
          UPnP (nat table).

    To enable all possible optimizations, set OPTIMIZE to 7 (1 + 2 +
    4).
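    As an added illustration (not Shorewall's own Perl compiler code), the
    following Python toy model applies the "optimization 2" and
    "optimization 4" steps above to a small constructed ruleset; the
    ruleset, the chain names other than those listed above, and the rule
    that exempt chains are neither rewritten nor inlined and that chains
    containing RETURN are left alone are assumptions of this model.

```python
# Toy model of the chain optimizations the OPTIMIZE bits 2 and 4 describe. Added
# illustration only, not Shorewall's Perl compiler. A ruleset is a dict mapping
# chain name -> list of (match, target) rules; match "" means unconditional.
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
EXEMPT = {"dynamic", "forwardUPnP", "logdrop", "logreject", "UPnP"}  # never rewritten

def optimize2(rules):  # drop ACCEPT rules right before a chain's final blanket ACCEPT
    out = {name: list(chain) for name, chain in rules.items()}
    for chain in out.values():
        while len(chain) > 1 and chain[-1] == ("", "ACCEPT") and chain[-2][1] == "ACCEPT":
            del chain[-2]
    return out

def optimize4(rules):  # steps a, b, c/f and d, repeated until nothing changes
    rules = {k: list(v) for k, v in rules.items()}
    changed = True
    while changed:
        changed = False
        for name, chain in list(rules.items()):
            # c/f: a trailing unconditional jump is replaced by the target chain's rules
            # (model assumption: a target containing RETURN is skipped, inlining would change meaning).
            target = chain[-1][1] if chain and chain[-1][0] == "" else None
            if name not in EXEMPT and target in rules and target not in EXEMPT | {"reject"} \
                    and all(t != "RETURN" for _, t in rules[target]):
                chain[-1:] = rules[target]
                changed = True
        for name in list(rules):
            chain = rules[name]
            callers = {c for c, ch in rules.items() if any(t == name for _, t in ch)}
            if name in BUILTIN or name in EXEMPT or callers & EXEMPT:
                continue
            if not callers:                                    # d: unreferenced chain is deleted
                del rules[name]; changed = True
            elif len(chain) <= 1 and all(t != "RETURN" for _, t in chain):  # a/b: inline into callers
                for ch in rules.values():  # an empty chain drops the jump, a one-rule chain folds it
                    ch[:] = [r for m1, t in ch for r in
                             ([((m1 + " " + m2).strip(), t2) for m2, t2 in chain] if t == name else [(m1, t)])]
                del rules[name]; changed = True
    return rules

def optimize(rules, level):  # OPTIMIZE bit-map: bit 4 -> optimize4, bit 2 -> optimize2
    rules = optimize4(rules) if level & 4 else rules
    return optimize2(rules) if level & 2 else rules

SAMPLE = {  # constructed ruleset, not Shorewall-generated
    "INPUT": [("", "net2fw")], "FORWARD": [("", "net2loc")], "noop": [], "unused": [("", "DROP")],
    "net2fw": [("-p tcp --dport 22", "ACCEPT"), ("", "Drop"), ("-p udp", "noop"), ("", "logdrop")],
    "net2loc": [("--dport 80", "ACCEPT"), ("--dport 443", "ACCEPT"), ("", "ACCEPT")],
    "Drop": [("-p tcp --dport 113", "reject")], "logdrop": [("", "LOG"), ("", "DROP")],
}
```

    With OPTIMIZE=7 the eight constructed chains collapse to INPUT,
    FORWARD and logdrop, and FORWARD's two port-specific ACCEPT rules
    disappear into its blanket ACCEPT.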

2)  Shorewall now combines identical logging chains. Previously, a
    separate chain was created for each logging rule.

3)  Beginning with Shorewall 4.4.7, accounting can be disabled by
    setting ACCOUNTING=No in shorewall.conf. This allows you to keep a
    set of accounting rules configured in /etc/shorewall/accounting and
    to then enable and disable them by simply toggling the setting of
    ACCOUNTING.

    Similarly, dynamic blacklisting can be disabled by setting
    DYNAMIC_BLACKLIST=No. This saves a jump rule in the INPUT
    and FORWARD filter chains.

4)  Shorewall can now automatically assign mark values to providers in
    cases where 'track' is specified (or TRACK_PROVIDERS=Yes) but
    packet marking is otherwise not used for directing connections to a
    particular provider. Simply specify '-' in the MARK column and
    Shorewall will automatically assign a mark value.

5)  Support for TPROXY has been added. See
    http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY.

6)  Traditionally, Shorewall has loaded all modules that could possibly
    be needed twice; once in the compiler, and once when the generated
    script is initialized. The latter can be a time-consuming process
    on slow hardware.

    Beginning with 4.4.7, there is a LOAD_HELPERS_ONLY option in
    shorewall.conf. For existing users, LOAD_HELPERS_ONLY=No is the
    default.

    For new users that employ the sample configurations,
    LOAD_HELPERS_ONLY=Yes will be the default. That setting causes only
    a small subset of modules to be loaded; it is assumed that the
    remaining modules will be autoloaded. Additionally, capability
    detection in the compiler is deferred until each capability is
    actually used. As a consequence, no modules are autoloaded
    unnecessarily.

    Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol helpers.
    These cannot be autoloaded.

    In addition, the nf_conntrack_sip module is loaded with
    sip_direct_media=0. This setting is slightly less secure than
    sip_direct_media=1, but it solves many VOIP problems that users
    routinely encounter.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
