Shorewall 5.0.0 Beta 1 is now available for testing. You can read about Shorewall 5 at http://www.shorewall.org/Shorewall-5.html.

Problems Corrected:

1)  This release includes defect repair up through Shorewall 4.6.13.

New Features:

1)  To make the command names more accurately reflect what they do,
    several changes have been included:

    a) Beginning with this release, the 'restart' command now does a
       true restart and is equivalent to a 'stop' followed by a
       'start'.

    b) The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c) The pre-5.0.0 'reload' command has been renamed
       'remote_reload'.

    d) The 'reload' command now performs the same function as the
       pre-5.0.0 'restart' command.

    e) A 'remote_restart' command has been added to Shorewall and
       Shorewall6 to allow a remote 'restart' after updating the
       remote firewall system's compiled script.

2)  For those that can't get used to the idea of using 'reload' in
    place of 'restart', a LEGACY_RESTART option has been added. The
    option defaults to No but if set to Yes, then the 'restart'
    command does what it has always done.

3)  It is now possible to limit connections by destination address in
    the rules file by prefixing the CONNLIMIT setting with 'd:'.

4)  While the WORKAROUNDS setting is still present in the
    shorewall[6].conf files:

    a) Its default setting has been changed to No.

    b) All workarounds for old distributions have been eliminated.

    See the Migration Issues for additional information.

5)  A number of configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*")
    appear in the .conf file -- run the 'shorewall[6] update' command
    to convert their settings to use supported options. A warning is
    issued if any of the rest appear in the .conf file. 'shorewall[6]
    update' will drop them from the file.

6)  The -b, -D, -r, -s, -t and -n options have been removed from the
    'update' command. The command now behaves as if all of those
    options had been specified.

7)  Support has been removed for the 'blacklist', 'tcrules',
    'routestopped', 'notrack' and 'tos' files. The 'update' command
    will:

    - convert the 'tcrules' and 'tos' files to the equivalent 'mangle'
      file.
    - convert the 'blacklist' file into an equivalent 'blrules' file.
    - convert the 'routestopped' file into the equivalent
      'stoppedrules' file.
    - convert a 'notrack' file to the equivalent 'conntrack' file.

8)  Beginning with this release, all macros and actions are assumed to
    be FORMAT-2. FORMAT-1 macros and actions are no longer supported
    and will be silently processed as if they were FORMAT-2. For most
    macros and actions, this change will be of no concern, but may
    cause compilation errors in rare cases.

9)  Beginning with this release, COMMENT, FORMAT and SECTION lines
    must begin with a question mark ("?"). The 'update' command makes
    these changes for you.

10) As an alternative to INLINE_MATCHES=Yes, you may now specify
    inline matches (raw ip[6]tables text) after a double semicolon
    (';;').

    Example from the 'masq' file to split SNAT between two public
    addresses on eth1:

        #INTERFACE   SOURCE   ADDRESS
        eth1         -        1.2.3.1 ;; -m statistic --mode random --probability 0.50
        eth1         -        1.2.3.2

11) Options in shorewall[6].conf that accept a log level now also
    allow specification of a log tag.

    Example:

        TCP_FLAGS_LOG_LEVEL=info:,tcpflags

12) A PROBABILITY column has been added to the masq file. One usage
    scenario is to balance SNAT between two or more IP addresses on a
    WAN interface:

        #INTERFACE   SOURCE   ADDRESS
        eth1         -        1.2.3.4 { probability=0.50 }
        eth2         -        1.2.3.5

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
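
A pre-upgrade audit built from the removals listed in the announcement above, added here as an example (it is not part of the original message or of Shorewall itself). It assumes it is pointed at a copy of a 4.x configuration directory; the function names are hypothetical, and the COMMENT/FORMAT/SECTION check is a line-start heuristic rather than Shorewall's own parser.

```python
import re
import sys
from pathlib import Path

# Options removed in 5.0.0; the announcement flags these five with "*" (fatal).
FATAL = {"LOGRATE", "LOGBURST", "WIDE_TC_MARKS", "HIGH_ROUTE_MARKS", "BLACKLISTNEWONLY"}
WARN = {"EXPORTPARAMS", "IPSECFILE", "LEGACY_FASTSTART"}  # warning only
# Unsupported files and the file 'update' converts each one into.
REMOVED_FILES = {"tcrules": "mangle", "tos": "mangle", "blacklist": "blrules",
                 "routestopped": "stoppedrules", "notrack": "conntrack"}
ASSIGN = re.compile(r"^\s*([A-Z0-9_]+)\s*=")
BARE_DIRECTIVE = re.compile(r"^\s*(COMMENT|FORMAT|SECTION)(?:\s|$)")
# Constructed sample .conf fragment (not taken from a real system).
SAMPLE_CONF = "#LOGRATE=10/minute\nLOGBURST=5\nEXPORTPARAMS=No\nSTARTUP_ENABLED=Yes\n"


def audit_conf(text):
    """Return (severity, line number, option) for each removed option that is set."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)  # commented-out settings do not match
        if m and m.group(1) in FATAL | WARN:
            found.append(("fatal" if m.group(1) in FATAL else "warning", n, m.group(1)))
    return found


def audit_directives(text):
    """Return (line number, keyword) for COMMENT/FORMAT/SECTION lines lacking '?'."""
    return [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            if (m := BARE_DIRECTIVE.match(line))]


def audit_dir(confdir):
    """Audit each regular file directly inside confdir; return report lines."""
    msgs = []
    for path in sorted(p for p in Path(confdir).iterdir() if p.is_file()):
        text = path.read_text(errors="replace")
        if path.name in ("shorewall.conf", "shorewall6.conf"):
            msgs += [f"{path.name}:{n}: {sev}: {opt} was removed in 5.0.0"
                     for sev, n, opt in audit_conf(text)]
        elif path.name in REMOVED_FILES:
            msgs.append(f"{path.name}: no longer supported; 'update' converts it "
                        f"to '{REMOVED_FILES[path.name]}'")
        else:
            msgs += [f"{path.name}:{n}: {kw} must be written ?{kw}"
                     for n, kw in audit_directives(text)]
    return msgs


if __name__ == "__main__":
    # With no argument, audit the constructed sample instead of a directory.
    print(audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_conf(SAMPLE_CONF))
```

Run against a copy of the configuration directory before upgrading, a "fatal" line means 5.0.0 will refuse the .conf file until 'shorewall[6] update' has been run.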