The Shorewall Team is pleased to announce the availability of Shorewall 4.5.2.
Package maintainers should note the second Known Problem listed below. A
4.5.2.1 version will be released shortly to work around this limitation.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repairs from Shorewall 4.5.1.1 and
4.5.1.2 (see below).
2) The generated firewall script includes code to automatically create
ipsets that are referenced but that don't exist. That code was
broken in releases 4.4.22 and later. This defect has been
corrected. As part of the fix, the generated script will now
issue a warning message when it creates an ipset.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) The 'configure' script described below does not work on RHEL5 and
derivatives. The version of Bash on those systems does not support
features used by the script.
Failure message is:
./configure: line 28: declare: -A: invalid option
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) The 'mss' option is now supported in the /etc/shorewall[6]/hosts
files. See the manpages for details.
2) It is now possible to conditionally include or omit configuration
entries based on the settings of shell variables. See
http://www.shorewall.net/configuration_file_basics.htm#Conditional
for details.
3) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
renamed ACTION to reflect the expanded set of actions that can be
specified in the column.
4) Some users are finding these ipset warnings objectionable:
- Warning when a referenced ipset does not exist.
- Warning when using [src] in a destination column or [dst] in a
source column.
These warnings may now be suppressed by setting IPSET_WARNINGS=No
in shorewall.conf and/or shorewall6.conf.
5) The evolution of the Shorewall installation process
continues. Testers are invited to provide comments and suggestions
about the following.
Beginning with this release, the installers accept a configuration
file as a parameter. Options set in the configuration file are as
follows:
BUILD (optional) -- Platform on which the installation is being
performed. Possible values are:
apple - OS X
archlinux - ArchLinux
cygwin - Cygwin running under Windows
debian - Debian and derivatives
linux - Generic Linux system
redhat - Fedora, RHEL and derivatives
suse - SLES and OpenSuSE
If no value is assigned, then the installer
will detect the platform.
HOST (Optional) -- Allowed values are the same as for BUILD. If not
specified, the BUILD setting is used.
CONFDIR (Req'd) -- Directory where product configuration
directory is installed. Normally /etc.
SHAREDIR (Req'd) -- Directory where architecture-independent
product files are installed. Normally
/usr/share.
LIBEXECDIR (Req'd) -- Directory where product executables are
installed. Normally /usr/share or
/usr/libexec.
PERLLIBDIR (Req'd) -- Directory where Shorewall Perl modules are
to be installed. Traditionally
/usr/share/shorewall.
SBINDIR (Req'd) -- Directory where product CLI programs are
installed. Normally /sbin.
MANDIR (Req'd) -- Directory where manpages are
installed. Normally /usr/share/man.
INITFILE (Optional)
-- If given, specifies the installed
filename of the initscript. Normally
set to $PRODUCT which the installers expand
to the name of the product being installed.
If not specified, no init script will be
installed.
INITSOURCE (Optional)
-- Must be specified if INITFILE is specified.
Gives the name of the file to be installed
as the INITFILE.
INITDIR (Optional) -- Directory where SysV init scripts are
installed. Must be specified if INITFILE is
specified.
ANNOTATED (Optional)
-- If non-empty, indicates that the
configuration files are to be annotated with
manpage information. Normally empty.
SYSTEMD (Optional) -- Name of the directory where .service files
are to be installed. Should only be specified
on systems running systemd.
SYSCONFDIR (Optional)
-- Name of the directory where subsystem
init configuration information is stored.
On Debian and derivatives, this is
/etc/default. On other systems, it is
/etc/sysconfig.
SYSCONFFILE (Optional)
-- Name of the file to be installed in the
SYSCONFDIR. The installed name of the file
will always be the product name (shorewall,
shorewall-lite, etc.).
SPARSE (Optional) -- If non-empty, causes only the .conf file to
be installed in
${CONFDIR}/${PRODUCT}/. Otherwise, all of
the product's skeleton configuration files
will be installed.
TEMPDIR (Optional) -- If non-empty, the generated firewall script
will export the variable TMPDIR with
value $TEMPDIR.
VARDIR (Required) -- Directory where product state information
is stored. Normally /var/lib.
This setting was previously stored in the
optional vardir file in the product's
configuration directory.
Each of the product tarballs contains a set of configuration files
for the various HOSTS:
shorewallrc.apple
shorewallrc.archlinux
shorewallrc.cygwin
shorewallrc.debian
shorewallrc.default (for HOST 'linux')
shorewallrc.redhat
shorewallrc.suse
To aid distribution packagers, a configure script has been added.
The arguments to the script are the usual list of <option>=<value>
assignments. The supported options are the same as those above,
although they may be in lower case and may be optionally preceded
by '--'.
The configure script uses the setting of --host to select the
appropriate rc file. It reads that file to establish default
settings and then applies the values specified in the argument
list. To allow use with the %configure RPM macro, only the last
occurrence of a particular option setting is applied. The resulting
settings are written to a file named 'shorewallrc' in the current
working directory and are also written to standard out.
When Shorewall-core is installed on a system (with no DESTDIR), it
copies the specified configuration file into root's
~/.shorewallrc. The ~/.shorewallrc file is then used, by default,
when installing the other packages.
To further aid use with %configure, several aliases are supported:
alias option
----- ------
sharedstatedir vardir
datadir sharedir
sysconfdir confdir
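The following is an added example, written for this note and not Shorewall's own configure script, that models the option handling just described in POSIX sh: defaults are read from an rc file, each argument has an optional leading '--' stripped and its name folded to lower case, the three aliases above are mapped, and the last occurrence of an option wins. The defaults block and the option list are constructed from the text of this announcement, not copied from a real shorewallrc file. Because option values are stored through a variable reference rather than pasted into 'eval', and option names are checked against a fixed list, a value that looks like shell code is kept literally instead of being executed, which is the caveat to keep in mind when a configure-style script is driven by untrusted spec files.

```shell
#!/bin/sh
# Added example, not Shorewall's own configure script: a POSIX-sh model of the
# option handling described in the announcement. It (1) loads defaults from an
# rc file, (2) strips an optional leading '--' and lower-cases option names,
# (3) maps the %configure aliases, (4) lets the LAST occurrence of an option
# win, and (5) emits the merged result as KEY=VALUE lines.
# Values reach 'eval' only through a variable reference and names are
# validated, so a value such as '$(rm -rf /)' is stored literally, not run.

# Option names from the announcement's list (constructed, lower case).
KNOWN_OPTS="build host confdir sharedir libexecdir perllibdir sbindir mandir \
initfile initsource initdir annotated systemd sysconfdir sysconffile sparse \
tempdir vardir"

# Normalise an option name: drop '--', lower-case it, apply the alias table.
# The alias table maps 'sysconfdir' to 'confdir', so in this model the
# SYSCONFDIR option itself cannot be set from the argument list.
canon_opt() {
    name=$(printf '%s' "${1#--}" | tr 'A-Z' 'a-z')
    case "$name" in
        sharedstatedir) name=vardir ;;
        datadir)        name=sharedir ;;
        sysconfdir)     name=confdir ;;
    esac
    printf '%s' "$name"
}

# Store a value under a validated option name (shell variable opt_<name>).
set_opt() {
    key=$1 value=$2
    case " $KNOWN_OPTS " in
        *" $key "*) ;;
        *) printf 'configure: unknown option "%s"\n' "$key" >&2; return 1 ;;
    esac
    eval "opt_$key=\$value"   # value is referenced by name, never parsed as code
}

# Print the current value of a validated option name (empty if unset).
get_opt() {
    case " $KNOWN_OPTS " in *" $1 "*) ;; *) return 1 ;; esac
    eval "printf '%s' \"\$opt_$1\""
}

# Read KEY=VALUE lines from stdin; comments and blank lines are ignored.
load_rc() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set_opt "$(canon_opt "${line%%=*}")" "${line#*=}"
    done
}

# Apply argument assignments in order, so a later one overrides an earlier one.
apply_args() {
    for arg; do
        case "$arg" in
            *=*) set_opt "$(canon_opt "${arg%%=*}")" "${arg#*=}" || return 1 ;;
            *)   printf 'configure: expected option=value, got "%s"\n' "$arg" >&2
                 return 1 ;;
        esac
    done
}

# Emit the merged settings in upper case, in the shape of a shorewallrc file.
write_rc() {
    for k in $KNOWN_OPTS; do
        v=$(get_opt "$k")
        if [ -n "$v" ]; then
            printf '%s=%s\n' "$(printf '%s' "$k" | tr 'a-z' 'A-Z')" "$v"
        fi
    done
}

# Constructed stand-in for shorewallrc.default (not the real file's contents).
load_rc <<'EOF'
# sample defaults for HOST 'linux'
HOST=linux
CONFDIR=/etc
SHAREDIR=/usr/share
VARDIR=/var/lib
EOF

# Demo: sharedir is given three times; the last (via the datadir alias) wins.
apply_args --host=debian SHAREDIR=/usr/local/share sharedir=/opt/share datadir=/srv/share
write_rc
```

Run as-is, the script prints HOST=debian, CONFDIR=/etc, SHAREDIR=/srv/share and VARDIR=/var/lib; passing an unknown option name or an argument without '=' makes apply_args fail with a message on standard error, which is what an RPM spec driving the script would want to see rather than a silently ignored setting.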
The configuration file is also copied to
${SHAREDIR}/shorewall/shorewallrc where the CLI programs and init
scripts can find it. Those programs are modified by the installer
when ${SHAREDIR} is not /usr/share.
When using Shorewall-lite or Shorewall6-lite, if the remote
firewall's shorewallrc file differs from that on the firewall, then
a copy of the remote file should be placed in the firewall's
configuration directory on the administrative system.
Beginning with this release, using /etc/shorewall-lite/vardir
and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
favor of the VARDIR setting in shorewallrc.
NOTE: While the name of the variable remains VARDIR, the
meaning is slightly different. When set in shorewallrc,
each product (shorewall-lite, and shorewall6-lite) will
create a directory under the specified path name to
hold state information.
Example:
VARDIR=/opt/var/lib/
The state directory for shorewall-lite will be
/opt/var/lib/shorewall-lite/ and the directory for
shorewall6-lite will be /opt/var/lib/shorewall6-lite.
When VARDIR is set in /etc/shorewall[6]-lite/vardir, the
product will save its state in the specified directory.
Thank you for using Shorewall.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
