[Shorewall-devel] Shorewall-2.1.9

Tom Eastep teastep at shorewall.net
Thu Sep 16 11:40:21 PDT 2004

Problems Corrected:

1)  IP ranges in the routestopped and tunnels files now work.

2)  Rules where an IP range appears in both the source and destination
    now work correctly.

3)  With complex proxy arp configurations involving two or more
    ordered pairs of interfaces, the /proc/sys/net/ipv4/conf/*/proxy_arp
    flags were sometimes set incorrectly. This has been fixed.

    Users looking at their restore file (generated by "shorewall save")
    may see that one of these flags might be first reset then set in
    rapid succession. This is expected and is harmless since the correct
    value (1) results.

New Features:

1)  To improve interoperability, tunnels of type 'OpenVPN'
    no longer enforce use of the specified port as the
    source port as well as the destination port.

2)  During "shorewall start", IP addresses to be added as a consequence
    of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
    when /etc/shorewall/nat and /etc/shorewall/masq are processed, then
    they are re-added later. This is done to help ensure that the
    addresses can be added with the specified labels but can have
    the undesirable side effect of causing routes to be quietly
    deleted. A new RETAIN_ALIASES option has been added to
    shorewall.conf; when this option is set to Yes, existing addresses
    will not be deleted. Regardless of the setting of RETAIN_ALIASES,
    addresses added during "shorewall start" are still deleted at a
    subsequent "shorewall stop" or "shorewall restart".

3)  Users with a large black list (from /etc/shorewall/blacklist) may
    want to set the new DELAYBLACKLISTLOAD option in
    shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
    enable new connections before loading the blacklist rules. While
    this may allow connections from blacklisted hosts to slip by during
    the loading of the blacklist, it can substantially reduce the time
    that all new connections are disabled during "shorewall [re]start".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key