[Shorewall-announce] Shorewall 3.2.0 Beta 3

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I realize that this is hot on the heels of Beta 2 but it fixes a couple of=
=20
annoying bugs and provides a nice new feature.

http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Bet=
a3
ftp://ftp1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta3

Problems Corrected in 3.2.0 Beta 3

1)  The 'try' command with an effective verbosity of zero resulted in an
    error message and the command failed.

2)  /etc/shorwall/Makefile was incorrectly described as %config(noreplace)
    in the RPM .spec file. This prevented updated versions of the file
    from being installed properly.

3)  If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/m=
asq
    and if you set ADD_SNAT_ALIASES=3DYes in shorewall.conf, then "shorewall
    start" will fail with the error 'Error: an inet prefix is expected rath=
er
    than "SAME".'.

Other changes in 3.2.0 Beta 2

2)  A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
    this option is set to "Yes", it causes subzones to be treated different=
ly
    with respect to policies.

    Subzones are defined by following their name with ":" and a list of par=
ent
    zones (in /etc/shorewall/zones). Normally, you want to have a set of
    special rules for the subzone and if a connection doesn't match any of
    those subzone-specific rules then you want the parent zone rules to be
    applied. With IMPLICIT_CONTINUE=3DYes, that happens automatically.

    If IMPLICIT_CONTINUE=3DNo or if IMPLICIT_CONTINUE is not set, then
    subzones are not subject to this special treatment.

    With IMPLICIT_CONTINUE=3DYes, an implicit CONTINUE policy may be overri=
dden
    by including an explicit policy (one that does not specify "all" in eit=
her
    the SOURCE or the DEST columns).

    Example:

    /etc/shorewall/zones:

        par        ipv4
        chld:par   ipv4

    Traffic to/from the 'chld' zone will first pass through the applicable
    'chld' rules and if none of those rules match then it will be passed=20
through
    the appropriate 'par' rules. If the connection request does not match
    any of the 'par' rules then the relevant 'par' policy is applied.

    If you want the fw->chld policy to be ACCEPT, simply add this entry to
    /etc/shorewall/policy:

        $FW      chld        ACCEPT

    Traffic from all other zones to 'chld' will be subject to the implicit
    CONTINUE policy.

=2DTom
=2D-=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key