From: Tom E. <te...@sh...> - 2009-02-15 16:21:49
Shorewall 4.2.6 is now available for download.

Problems corrected in 4.2.6

1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample
   configurations was incorrect with the result that this error occurred
   on 'shorewall6 check' or 'shorewall6 start'.

      ERROR: No IP zones defined

2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell and
   Shorewall-perl to create invalid iptables commands. This has been
   corrected but we still strongly recommend against that setting;
   TCP_FLAGS_DISPOSITION=DROP is preferred.

3) Shorewall-perl was generating code that checked for state match before
   kernel modules were loaded. This caused start/restart to fail on
   systems without kernel module loading.

4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect.

5) If a service name is used in a port-mapping rule (a DNAT or REDIRECT
   rule that changes the destination port), and if the kernel and
   iptables include Extended Connection Match support, then invalid
   iptables-restore input is produced by Shorewall-perl.

6) If iptables 1.4.1 or later was installed, Shorewall-perl generated
   incorrect iptables-restore input if exclusion was used in the
   ORIGINAL DEST field of a DNAT or REDIRECT rule.

7) On kernels earlier than 2.6.20, the 'shorewall show connections'
   command fails.

New Features in Shorewall 4.2.6

1) A BitTorrent32 macro has been added. This macro matches the extended
   TCP port range used by BitTorrent 3.2 and later.

2) A new COUNT action has been added to Shorewall-perl. This action
   creates an iptables (ip6tables) rule with no target. Connections
   matching such a rule are simply counted and the packet is passed on to
   the next rule.

   Shorewall-shell ignores COUNT in actions and macros, thus allowing the
   standard actions (action.Drop and action.Reject) to have a COUNT rule
   as their first entry.

3) A new RESTORE_DEFAULT_ROUTE option has been added to shorewall.conf.
   It is used to determine whether to restore the default route saved
   when there are 'balance' providers defined but all of them are down.

   The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the pre-4.2.6
   behavior.

   RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a default
   route in the main table (USE_DEFAULT_RT=No) or in the default table
   (USE_DEFAULT_RT=Yes) when there are no balance providers available. In
   that case, RESTORE_DEFAULT_ROUTE=No will cause any default route in
   the relevant table to be deleted.

4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
   database when trying to detect the gateway for an interface ("detect"
   in the GATEWAY column in /etc/shorewall/interfaces).

   As part of this change, it is now permitted to specify 'detect' when
   USE_DEFAULT_RT=Yes; in that case, the script will only detect gateways
   for point-to-point devices and for devices configured by dhcpcd.

5) Shorewall-perl now supports port inversion. A port number or list of
   port numbers may be preceded by '!' which will cause the rule to match
   all ports EXCEPT those listed.

   Example: To blacklist 206.124.146.176 for all tcp ports except 80:

      ADDRESS/SUBNET      PROTO    PORT(S)
      206.124.146.177     tcp      !80

6) Shorewall-perl now supports protocol inversion. A protocol name or
   number may be preceded by '!' to specify all protocols except the one
   following '!'.

   Example: To blacklist 206.124.146.176 for all protocols except UDP:

      ADDRESS/SUBNET      PROTO    PORT(S)
      206.124.146.177     !udp

   Note that ports may not be specified when protocol inversion is used.

7) When using Shorewall-perl, neither the 'start' nor 'started' extension
   script is run during processing of the 'restore' command. To allow
   extension of that command, we have added a 'restored' extension script
   that runs at the successful completion of 'restore'. This script is
   only available with Shorewall-perl.

   With Shorewall-shell, both scripts are run during 'restore' but in
   that case, the run_iptables() function does nothing. So any
   run_iptables() calls in the 'start' script are effectively ignored.

8) Shorewall-perl now correctly handles 'here documents' quoting
   (<<EOF .... EOF) in run-time extension scripts.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
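The COUNT action from new feature 2 placed at the top of action.Drop, as an added illustration that is not part of the announcement; the column layout assumes the standard Shorewall 4.2 action-file format, and the stock entries of action.Drop are assumed to follow unchanged below the new line:

```text
# /etc/shorewall/action.Drop -- Shorewall-perl 4.2.6 or later
#
# COUNT is a rule with no target: every packet that enters this action is
# counted and then falls through to the entries that follow, so the chain's
# first counter shows how much traffic the Drop action is handling in total.
# Shorewall-shell ignores COUNT in actions and macros, so the same file
# still compiles there (the line is simply left out of the generated rules).
#
#TARGET         SOURCE          DEST            PROTO   DEST            SOURCE
#                                                       PORT(S)         PORT(S)
COUNT
#
# ... the stock action.Drop entries follow here unchanged (assumed, not shown);
# the new line only adds an up-front packet/byte counter.
```

After 'shorewall start', `shorewall show Drop` (or `iptables -vnL Drop`) lists the Drop chain with the COUNT rule as its first entry and its packet and byte counters beside it.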