
[Shorewall-announce] Shorewall 4.5.5

From: Tom Eastep <teastep_at_nospam>
Date: Sat Jun 09 2012 - 18:11:33 GMT
To: Shorewall Announcements <shorewall-announce@lists.sourceforge.net>, Shorewall Users <shorewall-users@lists.sourceforge.net>

The Shorewall team is pleased to announce the availability of Shorewall
4.5.5.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) This release includes all defect repair from Shorewall 4.5.4.1 and
    4.5.4.2.

2) The Shorewall compiler sometimes must defer generating a rule until
    runtime. This is done by placing shell commands in its internal
    representation of a chain. These commands are then executed at run
    time to create the final rule.

    If all of the following were true, then an incorrect ruleset could
    be generated:

    a) Optimization level 4 was set.
    b) A chain (chain A) containing shell commands had three or fewer
        rules and commands.
    c) The last rule in a second chain was a conditional jump to
        chain A.

    Under these conditions, the rules and commands in Chain A replaced
    the conditional jump and the conditional part was lost.

    Example (Lines are folded to fit the release note format):

        Chain A:

           if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then
               echo "-A net_dnat -d $SW_ETH0_ADDRESS\
                   -j DNAT --to-destination 1.2.3.4" >&3
           fi

        Chain B:

           ...
           -A dnat -i eth0 -j

        Result:

           if [ $SW_ETH0_ADDRESS != 0.0.0.0 ]; then
               echo "-A dnat -d $SW_ETH0_ADDRESS\
                   -j DNAT --to-destination 1.2.3.4" >&3
           fi

        Notice that the '-i eth0' match has been lost.
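    To make the failure mode concrete, here is a small Python model of the
    inlining step. It is an added illustration for these notes, not Shorewall's
    code (the compiler is written in Perl and its data structures differ); the
    Rule/ShellCommand classes, the 'fixed' switch and the assumed jump target
    net_dnat are constructions that reproduce the example above.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    matches: list   # iptables match clauses, e.g. ["-i eth0"]
    target: str     # e.g. "-j DNAT --to-destination 1.2.3.4"

@dataclass
class ShellCommand:
    # Rule generation deferred to run time: the shell 'if' emits the rule
    # on fd 3 only if the condition holds when the compiled script runs.
    condition: str  # e.g. "[ $SW_ETH0_ADDRESS != 0.0.0.0 ]"
    rule: Rule

def inline_jump(tail, jump_matches, target, fixed):
    """Replace a trailing conditional jump (matches: jump_matches) with the
    entries of the jumped-to chain. Plain rules always inherit the jump's
    matches; shell commands only do when fixed is True. fixed=False
    reproduces the 4.5.4 behaviour described in the release note."""
    merged = list(tail)
    for e in target:
        if isinstance(e, Rule):
            merged.append(Rule(jump_matches + e.matches, e.target))
        elif fixed:
            r = e.rule
            merged.append(ShellCommand(e.condition,
                                       Rule(jump_matches + r.matches, r.target)))
        else:
            merged.append(e)  # bug: the conditional part of the jump is lost
    return merged

def render(chain, entries):
    """Text the compiled script feeds to iptables-restore for this chain."""
    lines = []
    for e in entries:
        r = e if isinstance(e, Rule) else e.rule
        rule = " ".join(["-A", chain, *r.matches, r.target])
        lines.append(rule if isinstance(e, Rule)
                     else f'if {e.condition}; then echo "{rule}" >&3; fi')
    return lines

# Constructed reproduction of the release note's example: chain net_dnat
# holds one deferred command, and chain dnat ends with '-i eth0 -j net_dnat'.
NET_DNAT = [ShellCommand("[ $SW_ETH0_ADDRESS != 0.0.0.0 ]",
                         Rule(["-d $SW_ETH0_ADDRESS"],
                              "-j DNAT --to-destination 1.2.3.4"))]

def compile_dnat(fixed):
    """Lines generated for chain dnat once net_dnat has been inlined into it."""
    return render("dnat", inline_jump([], ["-i eth0"], NET_DNAT, fixed))
```

    With fixed=False the emitted DNAT rule no longer carries '-i eth0', so it
    applies to traffic arriving on every interface; with fixed=True the match
    is carried into the deferred command.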

3) The Shorewall-core configure and configure.pl scripts were treating
    SYSCONFDIR as a synonym for CONFDIR, which made it impossible to set
    SYSCONFDIR independently.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) It is now possible to include additional information in netfilter
     messages when using plain log levels (debug, info, ...). This is
     done by following the level with a parenthesized comma-separated
     list of "log options".

     Valid log options are:

     ip_options

       Log messages will include the option settings from the IP
       header.

     macdecode

       Decode the MAC address and protocol.

     tcp_sequence

       Include TCP sequence numbers.

     tcp_options

       Include options from the TCP header.

     uid

       Include the UID of the sending program; only effective for
       packets originating on the firewall itself.

     Example: info(tcp_options,tcp_sequence)

2) The Shorewall-init configuration file (/etc/default/shorewall-init
     or /etc/sysconfig/shorewall-init) now contains a LOGFILE setting.
     When specified, all messages generated by interface updown events
     are logged there. The sample configuration file and the logrotate
     file configure this log as /var/log/shorewall-ifupdown.log.

3) Previously, the 'ignore' interface option could only be specified
     by itself and could not be specified unless the ZONE column was
     empty (i.e., contained '-'). Now, 'ignore=1' may be specified
     without these restrictions.

     With 'ignore=1', the generated script will still ignore
     Shorewall-init 'up' and 'down' events but the interface will still
     be subject to hairpin filtering unless it has the 'routefilter' or
     'routeback' option.

4) Embedded shell and Perl directives may now optionally be preceded
     by a question mark ('?').

     Example:

         ?BEGIN PERL
         use strict;
         ...
         ?END PERL

5) To aid package maintainers for distributions that don't include the
    Digest::SHA Perl module, the Shorewall install.sh script looks for
    the DIGEST environment variable; if the setting is not 'SHA', the
    Shorewall::Chains module is modified to use $DIGEST as the module
    name.

    To specify SHA1:

               DIGEST=SHA1 ./install.sh

Thank you for using Shorewall.
-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

