Shorewall 5.0.0 Beta 1 is now available for testing. You can read about
Shorewall 5 at http://www.shorewall.org/Shorewall-5.html.

Problems Corrected:

1)  This release includes defect repair up through Shorewall 4.6.13.

New Features:

1)  To make the command names more accurately reflect what they do,
    several changes have been included:

    a)  Beginning with this release, the 'restart' command now does a
        true restart and is equivalent to a 'stop' followed by a
        'start'.

    b)  The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c)  The pre-5.0.0 'reload' command has been renamed 'remote_reload'.

    d)  The 'reload' command now performs the same function as the
        pre-5.0.0 'restart' command.

    e)  A 'remote_restart' command has been added to Shorewall and
        Shorewall6 to allow a remote 'restart' after updating the
        remote firewall system's compiled script.

2)  For those that can't get used to the idea of using 'reload' in
    place of 'restart', a LEGACY_RESTART option has been added. The
    option defaults to No but if set to Yes, then the 'restart' command
    does what it has always done.

3)  It is now possible to limit connections by destination address in
    the rules file by prefixing the CONNLIMIT setting with 'd:'.

4)  While the WORKAROUNDS setting is still present in the
    shorewall[6].conf files:

    a)  Its default setting has been changed to No.

    b)  All workarounds for old distributions have been eliminated. See
        the Migration Issues for additional information.

5)  A number of configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*")
    appear in the .conf file -- run the 'shorewall[6] update' command
    to convert their settings to use supported options.

    A warning is issued if any of the rest appear in the .conf file.
    'shorewall[6] update' will drop them from the file.

6)  The -b, -D, -r, -s, -t and -n options have been removed from the
    'update' command. The command now behaves as if all of those
    options had been specified.

7)  Support has been removed for the 'blacklist', 'tcrules',
    'routestopped', 'notrack' and 'tos' files.

    The 'update' command will:

    - convert the 'tcrules' and 'tos' files to the equivalent 'mangle'
      file.

    - convert the 'blacklist' file into an equivalent 'blrules' file.

    - convert the 'routestopped' file into the equivalent 'stoppedrules'
      file.

    - convert a 'notrack' file to the equivalent 'conntrack' file.

8)  Beginning with this release, all macros and actions are assumed
    to be FORMAT-2. FORMAT-1 macros and actions are no longer supported
    and will be silently processed as if they were FORMAT-2. For most
    macros and actions, this change will be of no concern, but may cause
    compilation errors in rare cases.

9)  Beginning with this release, COMMENT, FORMAT and SECTION lines must
    begin with a question mark ("?"). The 'update' command makes these
    changes for you.

10) As an alternative to INLINE_MATCHES=Yes, you may now specify inline
    matches (raw ip[6]tables text) after a double semicolon (';;').

    Example from the 'masq' file to split SNAT between two public
    addresses on eth1:

      #INTERFACE SOURCE ADDRESS
      eth1       -      1.2.3.1 ;; -m statistic --mode random --probability 0.50
      eth1       -      1.2.3.2

11) Options in shorewall[6].conf that accept a log level now also allow
    specification of a log tag.

    Example:

      TCP_FLAGS_LOG_LEVEL=info:,tcpflags

12) A PROBABILITY column has been added to the masq file. One usage
    scenario is to balance SNAT between two or more IP addresses on a
    WAN interface:

        #INTERFACE      SOURCE          ADDRESS
        eth1            -               1.2.3.4 { probability=0.50 }
        eth2            -               1.2.3.5

Thank you for testing,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
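
A pre-upgrade audit for the removals listed in the announcement above, as an added example that is not part of the original message or of Shorewall itself. It reports removed .conf options (fatal or warning), legacy files that 'update' would convert, and COMMENT, FORMAT and SECTION lines that lack the "?" prefix. The /etc/shorewall path, the rule that a legacy file only counts when it has non-comment entries, and the sample contents are assumptions of the example.

```python
import re
from pathlib import Path

# Option and file lists are taken from the announcement above.
FATAL = {"LOGRATE", "LOGBURST", "WIDE_TC_MARKS", "HIGH_ROUTE_MARKS", "BLACKLISTNEWONLY"}
WARN = {"EXPORTPARAMS", "IPSECFILE", "LEGACY_FASTSTART"}
REMOVED_FILES = {"blacklist": "blrules", "tcrules": "mangle", "tos": "mangle",
                 "routestopped": "stoppedrules", "notrack": "conntrack"}
ASSIGN = re.compile(r"^\s*([A-Z0-9_]+)\s*=")
BARE_DIRECTIVE = re.compile(r"^\s*(COMMENT|FORMAT|SECTION)\b")

def has_entries(text):
    """True if the file has at least one line that is not blank or a comment."""
    return any(l.strip() and not l.lstrip().startswith("#") for l in text.splitlines())

def audit(files):
    """files maps file name -> content; returns sorted (severity, file, detail) tuples."""
    findings = []
    for name, text in files.items():
        if name in ("shorewall.conf", "shorewall6.conf"):
            for line in text.splitlines():
                m = ASSIGN.match(line)  # '#'-commented settings do not match
                if m and m.group(1) in FATAL:
                    findings.append(("fatal", name, m.group(1)))
                elif m and m.group(1) in WARN:
                    findings.append(("warning", name, m.group(1)))
            continue
        if name in REMOVED_FILES and has_entries(text):
            findings.append(("convert", name, "-> " + REMOVED_FILES[name]))
        for n, line in enumerate(text.splitlines(), 1):
            m = BARE_DIRECTIVE.match(line)  # '?COMMENT' etc. do not match
            if m:
                findings.append(("prefix", name, f"line {n}: {m.group(1)} needs '?'"))
    return sorted(findings)

def load_dir(path="/etc/shorewall"):
    """Read every regular file in a configuration directory (path is an assumption)."""
    return {p.name: p.read_text(errors="replace") for p in Path(path).iterdir() if p.is_file()}

# Constructed sample configuration, not taken from a real system.
SAMPLE = {
    "shorewall.conf": "STARTUP_ENABLED=Yes\nLOGRATE=10/minute\n#LOGBURST=5\nEXPORTPARAMS=No\n",
    "rules": "SECTION NEW\n?COMMENT ssh\nACCEPT net $FW tcp 22\n",
    "tcrules": "# empty\n",
    "blacklist": "192.0.2.7\n",
}

if __name__ == "__main__":
    for severity, name, detail in audit(SAMPLE):
        print(f"{severity:8} {name:15} {detail}")
```

To check a real configuration, call audit(load_dir()) before upgrading and resolve every "fatal" entry with 'shorewall[6] update'.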
