[Shorewall-newbies] Shorewall 1.4.10

Tom Eastep teastep at shorewall.net
Fri Jan 30 16:06:17 PST 2004


1.4.10 is available now at:

http://shorewall.net/pub/shorewall/shorewall-1.4.10
ftp://shorewall.net/pub/shorewall/shorewall-1.4.10

Coming soon to a mirror near you.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net

-------------- next part --------------
This is a minor release of Shorewall.

Problems Corrected since version 1.4.9:

1. The column descriptions in the action.template file did not match
   the column headings. That has been corrected.

2. The presence of IPv6 addresses on devices generated error messages
   during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes was
   specified in /etc/shorewall/shorewall.conf. That has been corrected.

3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
   couple of problems involving rate limiting have been
   corrected. These bug fixes courtesy of Steven Jan Springl.

4. Shorewall now tries to avoid sending an ICMP response to broadcasts
   and smurfs.

5. Specifying "-" or "all" in the PROTO column of an action no longer
   causes a startup error. 

Migration Issues:

None.

New Features:

1) The INTERFACE column in the /etc/shorewall/masq file may now
   specify a destination list. 

   Example:

	#INTERFACE			SUBNET		ADDRESS
	eth0:192.0.2.3,192.0.2.16/28	eth1

   If the list begins with "!" then SNAT will occur only if the
   destination IP address is NOT included in the list.

2) Output traffic control rules (those with the firewall as the source)
   may now be qualified by the effective userid and/or effective group
   id of the program generating the output. This feature is courtesy of 
   Frédéric LESPEZ.

   A new USER column has been added to /etc/shorewall/tcrules.

   It may contain:

      [<user name or number>]:[<group name or number>]

   The colon is optional when specifying only a user.

       Examples: john: / john / :users / john:users

3) A "detectnets" interface option has been added for entries in
   /etc/shorewall/interfaces. This option automatically tailors the
   definition of the zone named in the ZONE column to include just
   those hosts that have routes through the interface named in the
   INTERFACE column. The named interface must be UP when
   Shorewall is [re]started.

   WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
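
The USER column syntax from new feature 2, worked through as an added example (not part of the original release notes and not Shorewall's own code): a shell function that turns a column value into iptables "owner" match arguments. The function name owner_match, the treatment of "-" or an empty value as "no restriction", and the allowed character set are assumptions of this sketch.

```shell
#!/bin/sh
# Illustration only: parse a tcrules USER column value of the form
#   [<user name or number>]:[<group name or number>]
# and print the matching iptables owner-match arguments.

# owner_match USER_COLUMN  (hypothetical helper name)
# Prints the arguments on stdout; returns 1 on a malformed value.
owner_match() {
    spec=$1
    user=
    group=
    case $spec in
        ''|-)        # assumption: empty or "-" means no user/group filter
            return 0 ;;
        *:*:*)       # more than one colon is not a user:group pair
            echo "invalid USER column: $spec" >&2
            return 1 ;;
        *:*)
            user=${spec%%:*}
            group=${spec#*:} ;;
        *)           # colon omitted: user only
            user=$spec ;;
    esac
    # A lone ":" names neither a user nor a group.
    if [ -z "$user" ] && [ -z "$group" ]; then
        echo "invalid USER column: $spec" >&2
        return 1
    fi
    # Assumed conservative character set, so a column value can never be
    # read as an extra iptables option (leading "-") or shell syntax.
    for id in "$user" "$group"; do
        case $id in
            '') ;;
            -*|*[!A-Za-z0-9_.-]*)
                echo "invalid user or group: $id" >&2
                return 1 ;;
        esac
    done
    out="-m owner"
    if [ -n "$user" ]; then out="$out --uid-owner $user"; fi
    if [ -n "$group" ]; then out="$out --gid-owner $group"; fi
    echo "$out"
}
```

The owner match only sees packets generated by local processes, which is why the USER column applies only to rules with the firewall as the source.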

