[Shorewall-users] Shorewall 5.0.10
Tom Eastep
2016-07-02 15:34:16 UTC
Shorewall 5.0.10 is now available for download. Please pay particular
attention to New Feature 3 below.

Problems Corrected:

1) This release includes defect repair through Shorewall 5.0.9.2.

2) Previously, the 'update' command could result in updated files
having the user's default permissions rather than the permissions
of the original file. That has been corrected.

3) A number of update and update-compatibility issues have been
corrected:

a) <user>: (e.g., "fred:") is once again accepted in USER columns.
b) The USER column in the mangle file can once again be specified
when :T is the chain designator.
c) The 'notrack' file is now correctly appended to the 'mangle'
file during update.
d) IPMARK entries in 'tcrules' are now correctly converted into
the 'mangle' file.

4) When multiple zones are configured on an interface, the 'tcpflags',
'nosmurfs' and 'maclist' options could previously result in silly
duplicate rules. That problem has been corrected.

New Features:

1) The 'allow' command can now remove entries from the ipset-based
dynamic blacklists.

allow <address> ...

2) A new 'dbl' (Dynamic Blacklist) option is now available in the
'interfaces' file. Possible settings are:

   none    - equivalent to specifying 'nodbl'.
   src     - packets entering the firewall on the interface have their
             source IP address checked against the ipset-based
             blacklist.
   dst     - packets entering the firewall on the interface have their
             destination IP address checked against the ipset-based
             blacklist.
   src-dst - packets entering the firewall on the interface have their
             source IP address checked against the ipset-based
             blacklist. Packets originating on the firewall and
             leaving through the interface have their destination IP
             address checked against the ipset-based blacklist.

The normal setting for an internet-facing interface will be either
'src' or 'src-dst'. The normal setting for an internal interface
will be either 'none' or 'dst'.

3) The RPMs from shorewall.net are now created to assume that systemd
is being used. They are targeted specifically at OpenSuSE and have
been verified on OpenSuSE 42.1. They will not work on Redhat or
Fedora systems.

Thank you for using Shorewall,

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
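
Added example, not part of the announcement or of Shorewall itself: a small audit of an 'interfaces' file against the 'dbl' settings that New Feature 2 calls normal. It assumes the three-column layout (ZONE INTERFACE OPTIONS), that the zone named 'net' is the internet-facing one, and a constructed sample file.

```python
# Values listed for the 'dbl' option in the announcement.
VALID = {"none", "src", "dst", "src-dst"}
# Settings the announcement calls normal: True = internet-facing, False = internal.
NORMAL = {True: {"src", "src-dst"}, False: {"none", "dst"}}

# Constructed sample 'interfaces' file (assumed ZONE INTERFACE OPTIONS layout).
SAMPLE = """\
?FORMAT 2
#ZONE  INTERFACE  OPTIONS
net    eth0       tcpflags,nosmurfs,dbl=src-dst
loc    eth1       tcpflags,dbl=src
dmz    eth2       nodbl
net    ppp0       dhcp,dbl=none
loc    eth3       -
"""

def dbl_setting(options):
    """Return the dbl value found in an OPTIONS column, or None if absent."""
    for opt in options.split(","):
        if opt == "nodbl":          # the announcement equates 'nodbl' with dbl=none
            return "none"
        if opt.startswith("dbl="):
            return opt[len("dbl="):]
    return None

def audit(text, external_zones=("net",)):
    """List (interface, setting, problem) for entries outside the normal settings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("?"):     # skip blanks and ?FORMAT lines
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        zone, iface = fields[0], fields[1]
        setting = dbl_setting(fields[2] if len(fields) > 2 else "")
        external = zone in external_zones        # assumption: zone name marks exposure
        if setting is None:
            findings.append((iface, None, "dbl not set explicitly"))
        elif setting not in VALID:
            findings.append((iface, setting, "not a listed dbl value"))
        elif setting not in NORMAL[external]:
            kind = "internet-facing" if external else "internal"
            findings.append((iface, setting, f"unusual for {kind} interface"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
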