[Shorewall-devel] Shorewall 2.5.3

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

http://www.shorewall.net/pub/shorewall/2.5/shorewall-2.5.3/
ftp://ftp.shorewall.net/pub/shorewall/2.5/shorewall-2.5.3/

Shorewall 2.5.3

Problems Corrected in 2.5.3:

1)  The Netfilter 'raw' table is now cleared during "shorewall stop",
    "shorewall [re]start" and "shorewall clear".

New Features in Shorewall 2.5.3

1)  You may now specify "!" followed by a list of addresses in the
    SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
    in action files and Shorewall will generate the rule that you
    expect.

2)  Tunnel types "openvpnserver" and "openvpnclient" have been added
    to reflect the introduction of client and server OpenVPN
    configurations in OpenVPN 2.0.

3)  The COMMAND variable is now set to 'restore' in restore
    scripts. The value of this variable is sometimes of interest to
    programmers providing custom /etc/shorewall/tcstart scripts.

4)  Previously, if you defined any intra-zone rule(s) then any traffic
    not matching the rule(s) was subject to normal policies (which
    usually turned out to involve the all->all REJECT policy). Now, the
    intra-zone ACCEPT policy will still be in effect in the presense of
    intra-zone rules. That policy can still be overridden by an
    explicit policy in your /etc/shorewall/policy file.

    Example:

    /etc/shorewall/rules:

    DNAT        loc:!192.168.1.4  loc:192.168.1.4:3128  tcp     80

    Any other loc->loc traffic will still be accepted. If you want to
    also log that other loc->loc traffic at the info log level then
    insert this into /etc/shorewall/policy:

    #SOURCE     DEST    POLICY  LOG LEVEL
    loc         loc     ACCEPT  info

5)  Prior to Shorewall 2.5.3, the rules file only controlled packets in
    the Netfilter states NEW and INVALID. Beginning with this release,
    the rules file can also deal with packets in the ESTABLISHED and
    RELATED states.

    The /etc/shorewall/rules file may now be divided into
    "sections". Each section is introduced by a line that begins with
    the keyword SECTION which is followed by the section name. Sections
    are as listed below and must appear in the order shown.

    ESTABLISHED

        Rules in this section apply to packets in the ESTABLISHED
        state.

    RELATED

        Rules in this section apply to packets in the RELATED state.

    NEW

        Rules in this section apply to packets in the NEW and INVALID
        states.

    Rules in the ESTABLISHED and RELATED sections are limited to the
    following ACTIONs:

        ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.

    Macros may be used in these sections provided that they expand to
    only these ACTIONs.

    At the end of the ESTABLISHED and RELATED sections, there is an
    implicit "ALLOW   all         all all" rule.

    RESTRICTION: If you specify FASTACCEPT=Yes in
    /etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
    sections must be empty.

6)  The value 'ipp2p' is once again allowed in the PROTO column of
    the rules file. It is recommended that rules specifying 'ipp2p'
    only be included in the ESTABLISHED section of the file.

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key