Tom Eastep
2016-10-18 16:02:00 UTC
Shorewall 5.0.13 is now available for download.
Problems Corrected:
1) This release contains defect repair from 5.0.12.1.
2) The compiler now detects shell metacharacters in interface names
defined in /etc/shorewall[6]/interfaces. Previously, such
characters could cause runtime failures in the generated script.
3) Previously, the compiler ignored DEST column entries in inline
mangle action bodies. That value is now used unless it is '-', in
which case the DEST column value in the action invocation is used.
New Features:
1) A 'disconnect' option has been added to the DYNAMIC_BLACKLIST
setting. The option is only accepted for ipset-based dynamic
blacklisting and requires that the 'conntrack' utility be
installed. See shorewall[6].conf(5) for details.
With this option, when an address is blacklisted using the
'blacklist' command, the conntrack utility is used to break all
connections from that address. If the 'src-dst' option is also
specified in the BLACKLIST setting, then all connections to the
address are also broken. If the effective VERBOSITY is greater than
0, then a message is displayed that indicates the number of flows
deleted by the command. If the effective VERBOSITY is 2, the
conntrack entries deleted by the command are also displayed.
This option is more efficient for packet processing than including
the ESTABLISHED state in the BLACKLIST setting.
2) A 'timeout' option has been added to the DYNAMIC_BLACKLIST setting.
The option is only accepted for ipset-based dynamic blacklisting
and causes entries in the blacklist ipset to be automatically
deleted if they are not matched within a specified time. See
shorewall[6].conf(5) for details.
3) A new FIREWALL option has been added to shorewall[6].conf. This
option is intended to be used on an administrative system in
configurations of remote firewalls. It defines the DNS name or IP
address of the remote system so that the system name does not have
to be given in the remote-start, remote-reload and remote-restart
commands. See shorewall[6](8) for details.
4) Shorewall6 now allows more than one provider to specify the
'balance' or 'fallback' options.
5) When using port numbers (as opposed to service names), the hyphen
("-") is now accepted as the separator in port ranges. When service
names are used, the colon (":") must still be used.
Thank you for using Shorewall,
-Tom and the rest of the Shorewall Team
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
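As an added illustration of the check described in item 2 under Problems Corrected (example code written for this note, not Shorewall's own compiler; the metacharacter set and the minimal column parsing are assumptions), the following scans an interfaces file in the ZONE INTERFACE OPTIONS layout and reports any interface name that could not be safely interpolated into a generated shell script:

```python
# Characters the shell treats specially; an interface name containing any of
# these cannot be safely embedded in a generated shell script.
# (Assumed set for this example, not Shorewall's own list.)
SHELL_METACHARS = set("`$;&|<>(){}[]*?!~'\"\\ \t\n")


def find_shell_metachars(name: str) -> set:
    """Return the shell metacharacters present in an interface name."""
    return {c for c in name if c in SHELL_METACHARS}


def interface_column(line: str):
    """Return the INTERFACE column of one interfaces-file entry, or None for
    blank lines, comments and ?-directives such as ?FORMAT 2 (assumed layout)."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#?":
        return None
    cols = stripped.split()
    return cols[1] if len(cols) > 1 else None


def check_interfaces(text: str) -> list:
    """Scan an interfaces file and return (line_number, name, metachars) for
    every interface name that would be unsafe in the generated script.
    The '+' wildcard suffix is legitimate in Shorewall and is not flagged."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        name = interface_column(line)
        if name is None:
            continue
        bad = find_shell_metachars(name)
        if bad:
            problems.append((lineno, name, "".join(sorted(bad))))
    return problems


# Constructed sample interfaces file (not a real configuration).
SAMPLE = """\
?FORMAT 2
#ZONE   INTERFACE       OPTIONS
net     eth0            tcpflags,nosmurfs
loc     eth1|tee        routeback
dmz     br$(uname)      bridge
vpn     ppp+            -
"""

if __name__ == "__main__":
    for lineno, name, bad in check_interfaces(SAMPLE):
        print(f"line {lineno}: interface {name!r} contains shell metacharacter(s) {bad!r}")
```

Rejecting such names at compile time, as the release does, turns a runtime failure in the generated script into an error reported before the firewall is ever started.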