Discussion:
[Shorewall-users] Shorewall 5.0.13 Beta 1
Tom Eastep
2016-10-04 19:00:53 UTC
5.0.13 Beta 1 is now available for testing.

Problems Corrected:

1) The wording in the description of DYNAMIC_BLACKLISTING in
shorewall[6].conf(5) has been corrected.

2) Typos in shorewall[6]-mangle(5) have been corrected (Roberto
C. Sánchez).

3) The options in shorewall[6].conf have been reordered to put them
in ASCII collating sequence within the FIREWALL OPTIONS section.

New Feature:

1) A 'disconnect' option has been added to the DYNAMIC_BLACKLIST
setting. The option is only accepted for ipset-based dynamic
blacklisting and requires that the 'conntrack' utility be
installed. See shorewall[6].conf(5) for details.

With this option, when an address is blacklisted using the
'blacklist' command, the conntrack utility is used to disconnect
all connections from that address. If the 'src-dst' option is also
specified in the BLACKLIST setting, then all connections to the
address are also disconnected.

This option is more efficient for packet processing than including
the ESTABLISHED state in the BLACKLIST setting.

Thank you for testing,

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________