shorewall-announce April 2012 archive

[Shorewall-announce] Shorewall 4.5.2

From: Tom Eastep <teastep_at_nospam>
Date: Tue Apr 10 2012 - 17:52:22 GMT
To: Shorewall Users, Shorewall Announcements

The Shorewall Team is pleased to announce the availability of Shorewall
4.5.2.

Package maintainers should note the second Known Problem listed below. A version will be released shortly to work around this limitation.

  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E

1) This release includes the defect repairs from Shorewall and (see below).

2) The generated firewall script includes code to automatically create
    ipsets that are referenced but that don't exist. That code was
    broken in releases 4.4.22 and later. This defect has been
    corrected. As part of the fix, the generated script will now
    issue a warning message when it creates an ipset.

           I I.  K N O W N   P R O B L E M S   R E M A I N I N G

1) On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2) The 'configure' script described below does not work on RHEL5 and
    derivatives. The version of Bash on those systems does not support
    features used by the script.

    Failure message is:

        ./configure: line 28: declare: -A: invalid option

      I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E

1) The 'mss' option is now supported in the /etc/shorewall[6]/hosts
    files. See the manpages for details.

2) It is now possible to conditionally include or omit configuration
    entries based on the settings of shell variables. See
    for details.

3) The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
    renamed ACTION to reflect the expanded set of actions that can be
    specified in the column.

4) Some users are finding these ipset warnings objectionable:

    - Warning when a referenced ipset does not exist.
    - Warning when using [src] in a destination column or [dst] in a
      source column.

    These warnings may now be suppressed by setting IPSET_WARNINGS=No
    in shorewall.conf and/or shorewall6.conf.

5) The evolution of the Shorewall installation process
    continues. Testers are invited to provide comments and suggestions
    about the following.

    Beginning with this release, the installers accept a configuration
    file as a parameter. Options set in the configuration file are as
    follows:

    BUILD (Optional)      -- Platform on which the installation is being
                             performed. Possible values are:

                               apple     - OS X
                               archlinux - ArchLinux
                               cygwin    - Cygwin running under Windows
                               debian    - Debian and derivatives
                               linux     - Generic Linux system
                               redhat    - Fedora, RHEL and derivatives
                               suse      - SLES and OpenSuSE

                             If no value is assigned, then the installer
                             will detect the platform.

    HOST (Optional)       -- Allowed values are the same as for BUILD. If
                             not specified, the BUILD setting is used.

    CONFDIR (Req'd)       -- Directory where the product configuration
                             directory is installed. Normally /etc.

    SHAREDIR (Req'd)      -- Directory where architecture-independent
                             product files are installed. Normally

    LIBEXECDIR (Req'd)    -- Directory where product executables are
                             installed. Normally /usr/share or

    PERLLIBDIR (Req'd)    -- Directory where Shorewall Perl modules are
                             to be installed. Traditionally

    SBINDIR (Req'd)       -- Directory where product CLI programs are
                             installed. Normally /sbin.

    MANDIR (Req'd)        -- Directory where manpages are installed.
                             Normally /usr/share/man.

    INITFILE (Optional)   -- If given, specifies the installed filename
                             of the initscript. Normally set to $PRODUCT,
                             which the installers expand to the name of
                             the product being installed. If not
                             specified, no init script will be installed.

    INITSOURCE (Optional) -- Must be specified if INITFILE is specified.
                             Gives the name of the file to be installed
                             as the INITFILE.

    INITDIR (Optional)    -- Directory where SysV init scripts are
                             installed. Must be specified if INITFILE is
                             specified.

    ANNOTATED (Optional)  -- If non-empty, indicates that the
                             configuration files are to be annotated with
                             manpage information. Normally empty.

    SYSTEMD (Optional)    -- Name of the directory where .service files
                             are to be installed. Should only be specified
                             on systems running systemd.

    SYSCONFDIR (Optional) -- Name of the directory where subsystem
                             init configuration information is stored.
                             On Debian and derivatives, this is
                             /etc/default. On other systems, it is

    SYSCONFFILE (Optional) -- Name of the file to be installed in the
                             SYSCONFDIR. The installed name of the file
                             will always be the product name (shorewall,
                             shorewall-lite, etc.).

    SPARSE (Optional)     -- If non-empty, causes only the .conf file to
                             be installed in ${CONFDIR}/${PRODUCT}/.
                             Otherwise, all of the product's skeleton
                             configuration files will be installed.

    TEMPDIR (Optional)    -- If non-empty, the generated firewall script
                             will export the variable TMPDIR with the
                             value $TEMPDIR.

    VARDIR (Req'd)        -- Directory where product state information
                             is stored. Normally /var/lib.

                             This setting was previously stored in the
                             optional vardir file in the product's
                             configuration directory.

    Each of the product tarballs contains a set of configuration files
    for the various HOSTS:

            shorewallrc.default (for HOST 'linux')

    To aid distribution packagers, a configure script has been added.
    The arguments to the script are the usual list of <option>=<value>
    assignments. The supported options are the same as those above,
    although they may be in lower case and may be optionally preceded
    by '--'.

    The configure script uses the setting of --host to select the
    appropriate rc file. It reads that file to establish default
    settings and then applies the values specified in the argument
    list. To allow use with the %configure RPM macro, only the last
    occurrence of a particular option setting is applied. The resulting
    settings are written to a file named 'shorewallrc' in the current
    working directory and are also written to standard out.

    When Shorewall-core is installed on a system (with no DESTDIR), it
    copies the specified configuration file into root's
    ~/.shorewallrc. The ~/.shorewallrc file is then used, by default,
    when installing the other packages.

    To further aid use with %configure, several aliases are supported:

       alias           option
       -----           ------
       sharedstatedir  vardir
       datadir         sharedir
       sysconfdir      confdir

    The configuration file is also copied to
    ${SHAREDIR}/shorewall/shorewallrc where the CLI programs and init
    scripts can find it. Those programs are modified by the installer
    when ${SHAREDIR} is not /usr/share.

    When using Shorewall-lite or Shorewall6-lite, if the remote
    firewall's shorewallrc file differs from that on the administrative
    system, then a copy of the remote file should be placed in the
    firewall's configuration directory on the administrative system.

    Beginning with this release, using /etc/shorewall-lite/vardir
    and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
    favor of the VARDIR setting in shorewallrc.

        NOTE: While the name of the variable remains VARDIR, the
              meaning is slightly different. When set in shorewallrc,
              each product (shorewall-lite and shorewall6-lite) will
              create a directory under the specified path name to
              hold state information. For example, with
              VARDIR=/opt/var/lib in shorewallrc, the state directory
              for shorewall-lite will be /opt/var/lib/shorewall-lite/
              and the directory for shorewall6-lite will be
              /opt/var/lib/shorewall6-lite.

              When VARDIR is set in /etc/shorewall[6]-lite/vardir, the
              product will save its state in the specified directory.
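    The following is an added example and is not the 'configure' script
    shipped in the Shorewall tarballs nor any other project code. It is a
    small POSIX-shell sketch of the option handling described in item 5
    above: lower-cased option names with an optional leading '--', the
    three %configure aliases from the alias table, defaults read from the
    host's rc file, last occurrence of an option winning, and the result
    written to a shorewallrc file and echoed to standard out. It
    deliberately uses no 'declare -A' or other bash 4 features, which is
    what breaks the real script on RHEL5 (Known Problem 2). The sample rc
    file contents, the choice to parse NAME=value lines instead of
    sourcing the file, and the handling of unknown options are this
    example's assumptions, not statements from the announcement.

```shell
#!/bin/sh
# Added example, NOT Shorewall's own configure script. Re-implements the
# option handling described in the 4.5.2 announcement on a POSIX shell,
# avoiding the bash-4 'declare -A' that fails on RHEL5 (Known Problem 2).

# Option names listed in the announcement, lower-cased as 'configure' accepts them.
RC_OPTIONS="build host confdir sharedir libexecdir perllibdir sbindir mandir \
initfile initsource initdir annotated systemd sysconfdir sysconffile sparse tempdir vardir"

rc_lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

rc_known() {
    for o in $RC_OPTIONS; do [ "$o" = "$1" ] && return 0; done
    return 1
}

# %configure aliases from the announcement's alias table. 'sysconfdir' is both
# an alias for confdir and an option name; the alias wins for command-line
# arguments, so SYSCONFDIR itself can only be set from the rc file here.
rc_alias() {
    case "$1" in
        sharedstatedir) echo vardir ;;
        datadir)        echo sharedir ;;
        sysconfdir)     echo confdir ;;
        *)              echo "$1" ;;
    esac
}

# Store a setting as shell variable RC_<name>. Without associative arrays this
# needs eval, so the name is validated against the fixed list first and the
# value is passed through a variable instead of being interpolated into eval.
rc_set() {
    n=$(rc_lower "$1")
    if ! rc_known "$n"; then
        printf 'configure: unknown option %s\n' "$1" >&2
        return 1
    fi
    v=$2
    eval "RC_$n=\$v"
}

rc_get() { eval "printf '%s\n' \"\$RC_$1\""; }

# Read NAME=value lines from the rc file without sourcing it (sourcing would
# execute anything the file contains). Drops a trailing '#comment' and one
# layer of quotes; ${OTHER} references are kept literally, not expanded.
rc_load_defaults() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [A-Z]*=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$value" in
            \"*) value=${value#\"}; value=${value%%\"*} ;;
            \'*) value=${value#\'}; value=${value%%\'*} ;;
            *)   value=${value%%#*} ;;
        esac
        value=$(printf '%s' "$value" | sed 's/[[:space:]]*$//')
        rc_set "$name" "$value" || return 1
    done < "$1"
}

# Usage: rc_configure RCFILE OUTFILE [--]option=value ...
# Arguments are applied in order, so the last occurrence of an option wins,
# which lets %configure's fixed argument list be followed by overrides.
rc_configure() {
    rcfile=$1; outfile=$2; shift 2
    for o in $RC_OPTIONS; do eval "RC_$o="; done
    rc_load_defaults "$rcfile" || return 1
    for arg in "$@"; do
        case "$arg" in
            *=*) name=${arg%%=*}; name=${name#--}
                 rc_set "$(rc_alias "$(rc_lower "$name")")" "${arg#*=}" || return 1 ;;
            *)   printf 'configure: expected option=value, got %s\n' "$arg" >&2; return 1 ;;
        esac
    done
    # Write the settings to OUTFILE and echo them to stdout.
    {
        for o in $RC_OPTIONS; do
            printf '%s=%s\n' "$(printf '%s' "$o" | tr 'a-z' 'A-Z')" "$(rc_get "$o")"
        done
    } | tee "$outfile"
}

# Constructed stand-in for shorewallrc.default (HOST 'linux'); not the real file.
rc_write_sample() {
    cat > "$1" <<'EOF'
# constructed sample rc file, not the one shipped with Shorewall
HOST=linux
CONFDIR=/etc
SHAREDIR=/usr/share
LIBEXECDIR=/usr/share
PERLLIBDIR=/usr/share/shorewall
SBINDIR=/sbin
MANDIR=/usr/share/man          # trailing comment is dropped
INITDIR=/etc/init.d
VARDIR="/var/lib"
EOF
}
```

    Run as, for example, 'rc_configure shorewallrc.default shorewallrc
    --sharedstatedir=/opt/var/lib --vardir=/var/lib'; the later --vardir
    overrides the aliased --sharedstatedir, as the announcement's
    last-occurrence rule requires. Parsing the rc file instead of
    sourcing it is a hardening choice of this example: a packager's rc
    file is trusted input, but a file copied from a remote firewall (the
    Shorewall-lite case above) need not be.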

Thank you for using Shorewall.

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
\________________________________________________
