[Shorewall-users] Shorewall 5.0.12
Tom Eastep
2016-10-02 19:04:24 UTC
Shorewall 5.0.12 is now available for download.

1) Minor cleanup, mostly commentary, in the Rules.pm module.

2) In Shorewall 5.0.7, the assumed 'use Shorewall::Config(shorewall)'
statement in ?PERL and ?BEGIN PERL...?END PERL handling was
inadvertently removed. This results in Perl compilation errors if
the 'shorewall' function is invoked. The statement has now been
restored.

3) Previously, the firewall would fail to start if the configuration
contained a CHECKSUM rule without a chain designator and
MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
the POSTROUTING chain and forbids them in the PREROUTING chain.

4) Recently, a case was observed where certain incoming packets had a
non-zero packet mark in the raw PREROUTING chain, causing them to
be misrouted. To guard against this issue, packet marks are now
cleared at the top of the PREROUTING and OUTPUT mangle chains when
the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
can break IPSEC in multi-ISP configurations.

5) Two distinct problems have been corrected in the 'disable'
command logic:

a) If a balanced or fallback interface was down or had been
deleted, then the 'disable' command could fail.

b) If a persistent optional interface was down, then the
generated script would fail when it attempted to add routes out
of the interface.

6) Previously, the generated script would attempt to reenable a
disabled persistent provider at each 'start', 'reload' or
'restart'. Now, disabled persistent providers are handled the same
as other providers and require the 'enable' or 'reenable' command
to enable them.

7) Previously, the generated script assumed that all
probability-balanced providers (those with the 'load' option
specified) were optional. That assumption has been removed.

8) Previously, the permissions of files created by the 'save' command
were more relaxed than necessary. This has been corrected.

New Features:

1) You may now place comma-separated zone lists in the SOURCE and DEST
columns in /etc/shorewall[6]/policy.

Example:

#SOURCE DEST POLICY ...
loc,dmz net REJECT

That line is equivalent to:

#SOURCE DEST POLICY ...
loc net REJECT
dmz net REJECT

If the same zone appears in both columns, the default ACCEPT
intrazone policy is not overridden unless the list is followed
immediately by '+'.

Example:

#SOURCE DEST POLICY ...
dmz,loc loc,dmz+ REJECT

That line is equivalent to:

#SOURCE DEST POLICY ...
dmz loc REJECT
dmz dmz REJECT
loc loc REJECT
loc dmz REJECT

Without the plus sign, it would be equivalent to:

#SOURCE DEST POLICY ...
dmz loc REJECT
loc dmz REJECT
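
The following Python function is an added illustration of the expansion
described above; it is not Shorewall's own compiler code. It reproduces the
cross-product and intrazone rules from the examples; honouring a '+' on the
SOURCE column as well as the DEST column is an assumption not stated above.

```python
import itertools


def expand_policy_line(line):
    """Expand one /etc/shorewall/policy line whose SOURCE and/or DEST column
    holds a comma-separated zone list into the equivalent single-zone lines.

    Rules as described in the 5.0.12 release notes:
      * the line expands to every SOURCE/DEST pair (cross product);
      * a pair naming the same zone in both columns (intrazone) is dropped,
        so the default ACCEPT intrazone policy stays in force, unless the
        zone list is immediately followed by '+'.
    Assumption (not stated in the notes): a '+' is honoured on either column
    and is stripped before the zone names are compared.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected at least SOURCE DEST POLICY: %r" % line)
    source, dest, rest = fields[0], fields[1], fields[2:]
    keep_intrazone = source.endswith('+') or dest.endswith('+')
    sources = source.rstrip('+').split(',')
    dests = dest.rstrip('+').split(',')
    expanded = []
    for src, dst in itertools.product(sources, dests):
        if src == dst and not keep_intrazone:
            continue  # leave the implicit intrazone ACCEPT alone
        expanded.append(' '.join([src, dst] + rest))
    return expanded


def expand_policy_file(text):
    """Expand every non-comment, non-blank line of a policy file body."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        out.extend(expand_policy_line(line))
    return out


if __name__ == '__main__':
    # Constructed sample mirroring the examples in the announcement.
    sample = """#SOURCE DEST POLICY ...
loc,dmz net REJECT
dmz,loc loc,dmz+ REJECT
dmz,loc loc,dmz REJECT
"""
    for expanded in expand_policy_file(sample):
        print(expanded)
```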

2) Distribution maintainers may now set a default pager via the
configure and configure.pl programs in Shorewall-core to set
DEFAULT_PAGER in the generated shorewallrc file. The
Shorewall-provided shorewallrc files for Debian currently specify
'less' for DEFAULT_PAGER. The other shorewallrc files do not
specify DEFAULT_PAGER.

If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
setting is used.

3) The 'contiguous' option is now supported in TIME columns. When the
'timestop' value is smaller than the 'timestart' value, match this
as a single time period instead of distinct intervals.

Example:

weekdays=Mo&timestart=23:00&timestop=01:00

Will match Monday, for one hour from midnight to 1 a.m., and
then again for another hour from 23:00 onwards. If this is
unwanted, e.g. if you would like 'match for two hours from
Monday 23:00 onwards' you need to also specify the 'contiguous'
option in the example above.

See http://www.shorewall.org/configuration_file_basics.htm#TIME for
additional TIME column examples.

Thank you for using Shorewall,

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________