Shorewall 5.2.5 Beta 1 is now available for download. There isn't a lot
here, but the fixes require a change to the Debian released files, so I
thought that I shouldn't hide that change in a dot release.

Problems Corrected:

1)  Previously, Shorewall-init installed a 'shorewall' script in
    /etc/network/if-down.d on Debian and derivatives. This script was
    unnecessary and required Debian-specific code in the generated
    firewall script. The Shorewall-init script is no longer installed
    and the generated firewall script is now free of
    distribution-specific code.

2)  Also on Debian and derivatives, Shorewall-init installed
    /etc/NetworkManager/dispatcher.d/01-shorewall, which was also
    unnecessary. Beginning with this release, that file is no longer
    installed.

New Features:

1)  Prior to this release, when a 'timeout' value was specified in the
    DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was
    created with this default timeout. This had the unfortunate
    disadvantage that it was not possible to add permanent entries
    into the ipset. Even if 'timeout 0' was specified in a 'blacklist'
    command, the entry would still age out of the ipset after the
    default timeout had elapsed.

    Beginning with this release, the dynamic-blacklisting ipset is
    created with 'timeout 0'. When an address is added to the set,
    either by BLACKLIST policy enforcement or by the 'blacklist'
    command (where no 'timeout' is specified), the default timeout is
    applied to the new entry.

    Once you have updated to this version of Shorewall, you can convert
    your existing dynamic-blacklisting ipset to have a default timeout
    of zero as follows:

    a) If RESTART=restart in shorewall[6].conf, then simply
       'shorewall[6] restart'.

    b) Otherwise, 'shorewall[6] stop && shorewall[6] start'.
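    The following script is an added illustration, not part of this
    announcement or of Shorewall's own code. It models the per-entry
    timeout scheme described above (set created with 'timeout 0', each
    entry carrying its own timeout, a missing timeout falling back to the
    configured default) as the ipset commands that would build such a set,
    and it picks the rebuild command from the RESTART setting in a
    shorewall.conf as in steps a) and b). The set name NET_BL and the
    7200-second timeout come from the announcement; the 'hash:ip' set
    type, the addresses and the temporary config file are assumptions.

```sh
#!/bin/sh
# Added example, not Shorewall's code. Emits ipset commands rather than
# running them, so it can be read and tested without root or ipset.

# Print the commands that build a blacklist set whose default timeout is 0,
# then add entries given as "addr" (gets the default timeout) or
# "addr:SECONDS" (explicit timeout; 0 means permanent).
# Arguments: set name, default entry timeout in seconds, entry specs...
blacklist_cmds() {
    set_name=$1
    default_to=$2
    shift 2
    # 'timeout 0' on the set enables per-entry timeouts with no default expiry
    echo "ipset create $set_name hash:ip timeout 0"
    for spec in "$@"; do
        case $spec in
            *:*) addr=${spec%%:*}; to=${spec#*:} ;;   # explicit timeout
            *)   addr=$spec;       to=$default_to ;;  # apply the default
        esac
        echo "ipset add $set_name $addr timeout $to"
    done
}

# Decide how to rebuild the set after upgrading: 'restart' only when the
# configuration sets RESTART=restart, otherwise 'stop && start'.
# Arguments: path to shorewall.conf, product name (shorewall or shorewall6).
convert_cmd() {
    conf=$1
    product=$2
    # match an uncommented RESTART= line, strip quotes and spaces, last one wins
    restart=$(sed -n 's/^[[:space:]]*RESTART=\(.*\)$/\1/p' "$conf" \
              | tr -d '" ' | tail -n 1)
    if [ "$restart" = "restart" ]; then
        echo "$product restart"
    else
        echo "$product stop && $product start"
    fi
}

# Demo with a constructed config file (a real upgrade reads
# /etc/shorewall/shorewall.conf); 192.0.2.20 is made permanent with ':0'.
tmpconf=$(mktemp)
printf 'RESTART=restart\n' > "$tmpconf"
blacklist_cmds NET_BL 7200 192.0.2.10 192.0.2.20:0
convert_cmd "$tmpconf" shorewall
rm -f "$tmpconf"
```

    The entry without a suffix receives the 7200-second default, while
    the ':0' entry never ages out, which is exactly what a set created
    with a default timeout could not express.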

2)  Previously, when an ADD or DEL rule specified logging, the entire
    action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log
    message. This could easily lead to a "Log prefix shortened..."
    warning during compilation.

    Beginning with this release, such log messages will contain only
    the basic action ('ADD' or 'DEL') and the set name (e.g.,
    'ADD(NET_BL)') to reduce the likelihood of producing the warning.

Thank you for testing,

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users