[Shorewall-announce] Shorewall 2.0.8 (Stable Release)

Tom Eastep teastep at shorewall.net
Sun Aug 22 17:41:21 PDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://shorewall.net/pub/shorewall/2.0/shorewall-2.0.8
ftp://shorewall.net/pub/shorewall/2.0/shorewall-2.0.8

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBKT0xO/MAbZfjDLIRAsPFAJ45J0iKsAeKbxmkDn5EoGMnUfTkiACcDgjE
RaxCB00zNv49l0Is8f+g3xk=
=OFue
-----END PGP SIGNATURE-----
-------------- next part --------------
Shorewall 2.0.8

----------------------------------------------------------------------
Problems Corrected in version 2.0.4

1)  A DNAT rule with 'fw' as the source that specified logging caused
    "shorewall start" to fail.

----------------------------------------------------------------------
Problems Corrected in version 2.0.5

1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during 
   "shorewll stop" in the case where DISABLE_IPV6=Yes in 
   shorewall.conf.

2) An anachronistic reference to the mangle option was removed from
   shorewall.conf.

----------------------------------------------------------------------
Problems Corrected in version 2.0.6

1) Some users have reported the pkttype match option in iptables/
   Netfilter failing to match certain broadcast packets. The result 
   is that the firewall log shows a lot of broadcast packets.

   Other users have complained of the following message when 
   starting Shorewall:

	    modprobe: cant locate module ipt_pkttype

   Users experiencing either of these problems can use PKTTYPE=No in
   shorewall.conf to cause Shorewall to use IP address filtering of 
   broadcasts rather than packet type.

2) The shorewall.conf and zones file are no longer given execute
   permission by the installer script.

3) ICMP packets that are in the INVALID state are now dropped by the
   Reject and Drop default actions. They do so using the new 
   'dropInvalid' builtin action.
-----------------------------------------------------------------------
Problems Corrected in version 2.0.7

1) The PKTTYPE option introduced in version 2.0.6 is now used when
   generating rules to REJECT packets. Broadcast packets are silently
   dropped rather than being rejected with an ICMP (which is a protocol
   violation) and users whose kernels have broken packet type match
   support are likely to see messages reporting this violation.
   Setting PKTTYPE=No should cause these messages to cease. 

2) Multiple interfaces with the 'blacklist' option no longer result in
   an error message at startup.

3) The following has been added to /etc/shorewall/bogons:

       0.0.0.0	 RETURN

   This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
   broadcasts. 
-----------------------------------------------------------------------
New Features in version 2.0.7

1) To improve supportability, the "shorewall status" command now
   includes IP and Route configuration information.

   Example:

   IP Configuration

   1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
      inet6 ::1/128 scope host
   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
      inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
      inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
   5: sit0 at NONE: <NOARP> mtu 1480 qdisc noop
      link/sit 0.0.0.0 brd 0.0.0.0
   6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
      inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
   7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
      link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
      inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
      inet6 fe80::240:d0ff:fe07:3a1b/64 scope link

   Routing Rules

   0:      from all lookup local	
   32765:  from all fwmark       ca lookup www.out
   32766:  from all lookup main
   32767:  from all lookup default

   Table local:

   broadcast 192.168.1.0 dev br0  proto kernel  scope link  src 192.168.1.3
   broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
   local 192.168.1.3 dev br0  proto kernel  scope host  src 192.168.1.3
   broadcast 192.168.1.255 dev br0  proto kernel  scope link  src 192.168.1.3
   broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
   local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
   local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

   Table www.out:

   default via 192.168.1.3 dev br0

   Table main:

   192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.3
   default via 192.168.1.254 dev br0

   Table default:
-----------------------------------------------------------------------
Problems Corrected in version 2.0.8

1) User/group restricted rules now work in actions.






More information about the Shorewall-announce mailing list