(The Shoreline Firewall) is an iptables based firewall (a light-weight version that will run compiled firewall scripts generated on a system with Shorewall installed).
| releasenotes.txt (shorewall-lite-5.2.7.tar.bz2) | : | releasenotes.txt (shorewall-lite-5.2.8.tar.bz2) |
|---|
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
|
| S H O R E W A L L 5 . 2 . 7 | | S H O R E W A L L 5 . 2 . 8 |
| ------------------------------- | | ------------------------------- |
|
| J U L Y 3 1 , 2 0 2 0 | | S E P T E M B E R 2 4 , 2 0 2 0 |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| | |
| I. PROBLEMS CORRECTED IN THIS RELEASE | | I. PROBLEMS CORRECTED IN THIS RELEASE |
| II. KNOWN PROBLEMS REMAINING | | II. KNOWN PROBLEMS REMAINING |
| III. NEW FEATURES IN THIS RELEASE | | III. NEW FEATURES IN THIS RELEASE |
| IV. MIGRATION ISSUES | | IV. MIGRATION ISSUES |
| V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES | | V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES |
| | |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E | | I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| | |
|
| 1) This release contains defect repair up through Shorewall 5.2.6.1. | | 1) Certain restrictions that apply to wildcard interfaces (interface |
| | name ends in '+') were previously not enforced when the logical |
| | interface name did not end in '+' but the physical interface name |
| | did end in '+'. That has been corrected. |
| | |
| | 2) To ensure that error messages appear in the correct place in the |
| | output stream, stderr is now redirected to stdout when the |
| | configured PAGER is used by a command. |
| | |
| | 3) Since Shorewall 5.1.0, the Shorewall uninstall.sh script has |
| | incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core |
| | uninstall.sh script has failed to remove that file. Both scripts |
| | have been corrected. |
| | |
| | 4) Previously, the Shorewall CLI included a spurious hyphen ('-') |
| | between the product name (e.g., 'Shorewall6') and the version when |
| | printing a command output banner. |
| | |
| | Example: |
| | |
| | Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ... |
| | |
| | That has been corrected. |
| | |
| | 5) The shorewall-snat(5) manpage previously stated that a |
| | comma-separated list of IP address could be specified for |
| | SNAT. That statement was in error and has been removed. As part of |
| | this change, IPv4 Example 6 has been updated to use the |
| | PROBABILITY column. |
| | |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| I I. K N O W N P R O B L E M S R E M A I N I N G | | I I. K N O W N P R O B L E M S R E M A I N I N G |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| | |
| 1) On systems running Upstart, shorewall-init cannot reliably secure | | 1) On systems running Upstart, shorewall-init cannot reliably secure |
| the firewall before interfaces are brought up. | | the firewall before interfaces are brought up. |
| | |
| 2) The 'enable', 'reenable' and 'disable' commands do not work | | 2) The 'enable', 'reenable' and 'disable' commands do not work |
| correctly in configurations with USE_DEFAULT_RT=No and optional | | correctly in configurations with USE_DEFAULT_RT=No and optional |
| | |
| skipping to change at line 61 | | skipping to change at line 89 |
|---|
| # reset ExecStop | | # reset ExecStop |
| ExecStop= | | ExecStop= |
| # set ExecStop to "stop" instead of "clear" | | # set ExecStop to "stop" instead of "clear" |
| ExecStop=/sbin/shorewall $OPTIONS stop | | ExecStop=/sbin/shorewall $OPTIONS stop |
| | |
| Then type `systemctl daemon-reload` to activate the changes. This | | Then type `systemctl daemon-reload` to activate the changes. This |
| change will survive future updates of the shorewall package from apt | | change will survive future updates of the shorewall package from apt |
| repositories. The override file itself will be saved to | | repositories. The override file itself will be saved to |
| `/etc/systemd/system/shorewall.service.d/`. | | `/etc/systemd/system/shorewall.service.d/`. |
| | |
|
| | 5) RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a |
| | distinction between subnets with "IPv6 address types required to |
| | have 64-bit interface identifiers in EUI-64 format" and all other |
| | subnets. When generating these anycast addresses, the Shorewall |
| | compiler does not make this distinction and unconditionally |
| | assumes that the last 128 addresses in the subnet are reserved as |
| | anycast addresses. |
| | |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| I I I. N E W F E A T U R E S I N T H I S R E L E A S E | | I I I. N E W F E A T U R E S I N T H I S R E L E A S E |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| | |
|
| 1) Previously, it was not possible to classify traffic by destination | | 1) The 'show tc' command now shows the classifiers associated with |
| IP address when using an Intermediate Functional Block (IFB) for | | each interface (as displayed by the 'show classifiers' |
| traffic shaping. This is because such classification takes place | | command). This integrated qdisc/filter information is also included |
| before the traffic passes through the mangle PREROUTING chain. | | in the output of the 'dump' command. This change deprecates the |
| | 'show classifiers' ('show filters') command, as that command's |
| | output is now included in the 'show tc' output. |
| | |
|
| Such filtering is now possible by setting the 'connmark' option in | | 2) Shorewall6 has traditionally generated rules for IPv6 anycast |
| the tcdevices file. This option causes the current connection mark | | addresses. These rules include: |
| to be copied to the packet mark prior to filtering, thus allowing | | |
| the packet mark to be used for classification. | | |
| | |
|
| This change adds a new CONNMARK_ACTION capability which is | | a) Packets with these destination IP addresses are dropped by |
| required to be able to specify the 'connmark' option. | | REJECT rules. |
| | |
|
| Rodrigo Araujo provided the bulk of the code for this enhancement. | | b) Packets with these source IP addresses are dropped by the |
| | 'nosmurfs' interface option and by the 'dropSmurfs' action. |
| | |
|
| 2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT | | c) Packets with these destination IP addresses are not logged |
| column directly to the right of the PORT column. As part of this | | during policy enforcement. |
| change, the PORT column is renamed to DPORT while allowing both | | |
| 'port' and 'dport' to be used in the alternate input format. See | | |
| shorewall-tcpri(5) and | | |
| http://shorewall.org/simple_traffic_shaping.html for additional | | |
| information. | | |
| | |
|
| 3) The Simple TC document is now linked to FAQs 97 and 97a. | | d) Packets with these destination IP addresses are processes by |
| | the 'Broadcast' action. |
| | |
| | Beginning with this release, individual network interfaces can be |
| | excluded from this treatment through use of the 'omitanycast' |
| | option in /etc/shorewall6/interfaces. |
| | |
| | Note: This option was named 'noanycast' in earlier Beta releases. |
| | |
| | 3) Duplicate function names have been eliminated between the |
| | Shorewall-core lib.cli shell library and the Shorewall lib.cli-std |
| | library. |
| | |
| | 4) The 'status' command in Shorewall[6]-lite now precedes the |
| | configuration directory name with the administrative host name |
| | separated with a colon (":"). |
| | |
| | Example (Firewall script generated on host 'debianvm'): |
| | |
| | root@gateway:~# shorewall-lite status |
| | Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT |
| | |
| | Shorewall Lite is running |
| | State:Started Tue 15 Sep 2020 03:08:33 PM PDT from |
| | debianvm:/home/teastep/shorewall/gateway/shorewall/ |
| | (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020 |
| | 03:08:28 PM PDT by Shorewall version 5.2.8) |
| | |
| | root@gateway:~# |
| | |
| | 5) Tuomo Soini has contributed a macro that handles NFS v1.4 (no |
| | dynamic ports). |
| | |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| I V. M I G R A T I O N I S S U E S | | I V. M I G R A T I O N I S S U E S |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| | |
| If you are migrating from Shorewall 4.6.x or earlier, please see | | If you are migrating from Shorewall 4.6.x or earlier, please see |
| http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt | | http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt |
| | |
| Immediately after installing Shorewall 5.2.x, we recommend that you run | | Immediately after installing Shorewall 5.2.x, we recommend that you run |
| 'shorewall[6] update'. This command will handle many of the migration | | 'shorewall[6] update'. This command will handle many of the migration |
| | |
| skipping to change at line 488 | | skipping to change at line 551 |
|---|
| message, if used. | | message, if used. |
| | |
| 9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in | | 9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in |
| shorewall[6].conf has been removed, and the behavior is as if | | shorewall[6].conf has been removed, and the behavior is as if |
| LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update' | | LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update' |
| will remove the option from shorewall[6].conf. | | will remove the option from shorewall[6].conf. |
| | |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S | | V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
|
| | N E W F E A T U R E S I N 5 . 2 . 7 |
| | ---------------------------------------------------------------------------- |
| | |
| | 1) Previously, it was not possible to classify traffic by destination |
| | IP address when using an Intermediate Functional Block (IFB) for |
| | traffic shaping. This is because such classification takes place |
| | before the traffic passes through the mangle PREROUTING chain. |
| | |
| | Such filtering is now possible by setting the 'connmark' option in |
| | the tcdevices file. This option causes the current connection mark |
| | to be copied to the packet mark prior to filtering, thus allowing |
| | the packet mark to be used for classification. |
| | |
| | This change adds a new CONNMARK_ACTION capability which is |
| | required to be able to specify the 'connmark' option. |
| | |
| | Rodrigo Araujo provided the bulk of the code for this enhancement. |
| | |
| | 2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT |
| | column directly to the right of the PORT column. As part of this |
| | change, the PORT column is renamed to DPORT while allowing both |
| | 'port' and 'dport' to be used in the alternate input format. See |
| | shorewall-tcpri(5) and |
| | http://shorewall.org/simple_traffic_shaping.html for additional |
| | information. |
| | |
| | 3) The Simple TC document is now linked to FAQs 97 and 97a. |
| | |
| | ---------------------------------------------------------------------------- |
| N E W F E A T U R E S I N 5 . 2 . 6 | | N E W F E A T U R E S I N 5 . 2 . 6 |
| ---------------------------------------------------------------------------- | | ---------------------------------------------------------------------------- |
| | |
| 1) The 'actions' file now supports a 'dport' option to go along with | | 1) The 'actions' file now supports a 'dport' option to go along with |
| the 'proto' option. Using these two options can now restrict an | | the 'proto' option. Using these two options can now restrict an |
| action to a particular service. See shorewall-actions(5) for | | action to a particular service. See shorewall-actions(5) for |
| details. | | details. |
| | |
| Example limiting net->all SSH connections to 3/min per source IP: | | Example limiting net->all SSH connections to 3/min per source IP: |
| | |
| | | |
| End of changes. 11 change blocks. |
|---|
| 22 lines changed or deleted | | 114 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 