Shorewall 5.1.11 is now available for download.

Problems Corrected:

1) This release contains defect repair from releases through 5.1.10.2.

2) Previously, if DYNAMIC_BLACKLIST=ipset,disconnect..., the CLI would verify the existence of the 'conntrack' utility on the local system when the command was 'remote-start', 'remote-reload' or 'remote-restart'. Now, that verification is only done for the blacklist-oriented commands ('blacklist', 'allow', 'drop', etc.).

3) Previously, when DYNAMIC_BLACKLIST=ipset..., the CLI required the firewall to be started in order to run the 'allow' command. Now, the command only requires that the dynamic blacklist ipset exists.

4) Previously, if an address variable was used in the stoppedrules file, the 'clear' command could fail in two different ways, depending on whether the related interface was optional or not.

   If the interface was optional, the failure message was similar to the following:

      $ shorewall clear
      Clearing Shorewall....
      Preparing iptables-restore input...
      /var/lib/shorewall/firewall: 3064: [: !=: unexpected operator
      Running /sbin/iptables-restore...
      IPv4 Forwarding Enabled
      done.

   If the interface was not optional, the result was similar to:

      $ shorewall debug clear
      Clearing Shorewall....
      Preparing iptables-restore input...
      Running debug_restore_input...
      Bad argument `6'
      Try `iptables -h' or 'iptables --help' for more information.
         ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s 172.17.211.254 -d  -p 6 --dport 22 -i enp2s0 -j ACCEPT" Failed
      Terminated

   This problem has been corrected.

5) Previously, the 'clear' command enabled forwarding unconditionally. Beginning with this release, 'clear' will conditionally enable/disable forwarding in the same manner as 'stop'.

6) In multi-ISP configurations, it is possible for an IPSEC-tunneled connection from the Internet to be forwarded back out to the Internet (for example, if all traffic from the remote endpoint is sent through the tunnel). If the provider handling the tunnel has the 'track' option (or if TRACK_PROVIDERS=Yes), then the outgoing tunneled connection is sent back out that interface by default (since the encapsulated initial packet arrived through that interface). Since this is not always desirable, Shorewall now clears the tracking mark on the connection while processing the first packet, so that the connection no longer matches routing rules that depend on the tracking mark.

New Features:

1) Previously, the 'show' command was not available to non-root users. Beginning with this release, non-root users may run the following 'show' commands:

      show action <action>
      show actions
      show ip
      show macro <macro>
      show macros
      show routing

2) When a RATE is specified on a policy, the rate is enforced in a chain whose name begins with '@' (e.g., @net-dmz). Previously, log messages in the chain omitted the '@', leading to possible confusion. Beginning with this release, the log message will reflect the chain's actual name (including the '@').

3) To improve efficiency, TCP CT entries in the conntrack file and TCP entries in the rules file that specify a HELPER will now assume that 'tcp:syn' had been specified. That way, the generated ip[6]tables rule will only match on the first packet of the three-way handshake.

4) Now that the route caches have been removed from the kernel, Multi-ISP really doesn't work without the 'track' provider option. As a consequence, TRACK_PROVIDERS=Yes is now the default. Note that the 'track' option may still be turned off using 'notrack' when TRACK_PROVIDERS=Yes.

Thank you for using Shorewall,

-Tom
--
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \    understand
                         \_______________________________________________
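The following conntrack file fragment is an added illustration of New Features item 3 (it is not part of the announcement and not Shorewall's shipped sample). It follows the documented conntrack file column layout; the ?FORMAT header, the zone name 'all' and the ip[6]tables rule quoted in the trailing comment are assumptions about what Shorewall accepts and generates, not taken from the announcement.

```text
# /etc/shorewall/conntrack  (added example; header and column layout assumed)
?FORMAT 3
#ACTION            SOURCE   DEST   PROTO    DPORT   SPORT   USER   SWITCH

# Before 5.1.11 this entry produced a CT rule that was evaluated for every
# packet of every TCP connection to port 21.  From 5.1.11 the entry is treated
# as if PROTO were 'tcp:syn', so only the first packet of the three-way
# handshake is matched and the helper is attached once per connection.
CT:helper:ftp      all      -      tcp      21

# Writing the SYN restriction explicitly gives the same result on releases
# before and after 5.1.11:
CT:helper:ftp      all      -      tcp:syn  21

# Equivalent ip[6]tables rule the entry is expected to yield (assumption; the
# chain is Shorewall-generated, CT is only valid in the raw table):
#   iptables -t raw -A PREROUTING -p tcp --dport 21 --syn -j CT --helper ftp
```

Restricting helper assignment to the SYN packet matters beyond efficiency: helpers such as ftp parse connection payload to open related expectations, so limiting the CT rule to the handshake's first packet keeps that parsing from being re-triggered by every later segment.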
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users