
[Shorewall-announce] Shorewall 4.5.0

From: Tom Eastep <teastep_at_nospam>
Date: Sun Feb 12 2012 - 20:38:30 GMT
To: Shorewall Announcements <shorewall-announce@lists.sourceforge.net>, Shorewall Users <shorewall-users@lists.sourceforge.net>

The Shorewall Team is pleased to announce the availability of Shorewall
4.5.0.

----------------------------------------------------------------------------
     P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) This release includes all defect repair included in
    4.4.27.1-4.4.27.3.

2) The start and restart commands in Shorewall Lite and Shorewall6
    Lite now correctly handle the 'trace' and 'debug'
    keywords. Previously, those keywords were ignored.

3) The 'ip route list' command on recent Linux systems (Ubuntu 11.10,
    for example) displays the IPv4 routing table in a seemingly random
    order. In the 'show routing' and 'dump' commands, Shorewall and
    Shorewall-lite now sort the output into the traditional
    'Most-specific to most-general' order.

4) Previously, specifying 'No' in the HAVEROUTE column of
    /etc/shorewall6/proxyndp resulted in a run-time error. The code has
    been corrected so that no error occurs.

----------------------------------------------------------------------------
            K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
          N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) The rules generated by the following interface options are now
    traversed after those generated by the blrules file.

    dhcp
    maclist
    nosmurfs
    sfilter
    tcpflags

    As part of this change, the BLACKLIST section in the rules file has
    been eliminated. If you have rules in that section, you must move
    them to the blrules file prior to installing this Shorewall
    version.

2) The timeout interval after which the previous state is restored
    may now be specified in the safe-start and safe-restart commands.

3) The packaging of the Shorewall products has been changed. Beginning
    with this release, the packages are:

    - Shorewall Core -- Core libraries installed in
                        /usr/share/shorewall/

    - Shorewall -- Requires Shorewall Core. Together with
                   Shorewall Core, provides IPv4 firewalling.

    - Shorewall6 -- Requires Shorewall. Provides IPv6 firewalling.

    - Shorewall Lite -- Requires Shorewall Core. As before.

    - Shorewall6 Lite -- Requires Shorewall Core. As before.

    - Shorewall Init -- As before.

4) Shorewall and Shorewall6 now share a single install.sh file as do
    Shorewall Lite and Shorewall6 Lite.

5) Functions common to both /usr/share/shorewall/prog.header and
    /usr/share/shorewall/prog.header6 are now in a new library -
    lib.core. The file /usr/share/shorewall/prog.footer is now used
    for both IPv4 and IPv6.

6) Run-time address variables (e.g., &eth0) may now be used in the
    SOURCE column of the rtrules files.

7) The route_rules file has been renamed to 'rtrules'. The Shorewall
    and Shorewall6 installers will perform the rename on an existing
    file.

    If both files exist, route_rules will be processed and rtrules
    will be ignored with a warning.

8) A 'PROBABILITY' column has been added to the tcrules files. It
    causes the rule to match randomly with the probability specified in
    the column. See shorewall-tcrules(5) and shorewall6-tcrules(5) for
    details.

9) An alternative to the balance=<weight> option in the providers file
    is now available. This alternative works when there are multiple
    links to the same ISP where both links use an ethernet interface (as
    opposed to PPPoE) and have the same default gateway.

    As part of this change, the generated firewall script now
    automatically maintains the
    /var/lib/shorewall[6][-lite]/interface.status files used by SWPING
    and by LSM.

    See http://www.shorewall.net/MultiISP.html#load for additional
    information.

    Example that sends 1/3 of the connections to the ComcastC provider
    and the rest to ComcastB:

    /etc/shorewall/shorewall.conf

    MARK_IN_FORWARD_CHAIN=No
    ...
    USE_DEFAULT_RT=Yes

    /etc/shorewall/providers:

    #NAME     NUMBER  MARK  DUP  INTERFACE  GATEWAY        OPTIONS
    ComcastB  1       -     -    eth1       70.90.191.126  loose,balance,load=0.66666667
    ComcastC  2       -     -    eth0       67.170.120.1   loose,fallback,load=0.33333333

    Note: The 'loose' option is specified so that the compiler will not
          generate any rules based on interface IP addresses. That way
          we have complete control over the priority of such rules
          through entries in the rtrules file.

    /etc/shorewall/rtrules

    #SOURCE           DEST  PROVIDER  PRIORITY
    70.90.191.120/29  -     ComcastB  1000
    &eth0             -     ComcastC  1000

    Note: eth0 has a dynamic address, so &eth0 is used in the SOURCE
          column.

    Note: Priority = 1000 means that these rules will come before rules
          that select a provider based on marks.

10) The Shorewall files in /etc/default and /etc/sysconfig now support
    two new options that affect how '/etc/init.d/shorewall start'
    and '/etc/init.d/shorewall restart' behave:

    STARTOPTIONS -- options to the start command.
    RESTARTOPTIONS -- options to the restart command.

    For example, if you always want 'start' to flush the conntrack
    table, then you would have:

           STARTOPTIONS="-p"

11) The Git repository has been reorganized to place the samples and
    manpages under their corresponding product directories. For
    example, trunk/manpage6 was moved to trunk/Shorewall6/manpages.

----------------------------------------------------------------------------
                      M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1) If you are migrating from Shorewall 4.2.x or earlier, please see

    http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt

2) The BLACKLIST section of the rules file has been eliminated.
    If you have entries in that file section, you must move them to the
    blrules file.

3) This version of Shorewall requires the Digest::SHA1 Perl module.

        Debian: libdigest-sha1-perl
        Fedora: perl-Digest-SHA1
        OpenSuSE: perl-Digest-SHA1

4) The generated firewall script now maintains the
    /var/lib/shorewall[6][-lite]/interface.status files used by SWPING
    and by LSM.

Thank you for using Shorewall.
-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________