Fedora 7 Update: shorewall-3.4.4-1.fc7
updates at fedoraproject.org
updates at fedoraproject.org
Mon Jun 18 16:43:09 UTC 2007
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-0509
2007-06-18 09:43:07.047425
--------------------------------------------------------------------------------
Name : shorewall
Product : Fedora 7
Version : 3.4.4
Release : 1.fc7
Summary : Iptables-based firewall for Linux systems
Description :
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux system.
--------------------------------------------------------------------------------
Update Information:
Problems corrected in 3.4.4:
1) The commands "shorewall add <interface> <zone>" and "shorewall
delete <interface> <zone>" no longer produce spurious error
messages.
2) The command "shorewall delete <interface> <zone>" now actually deletes
entries when it successfully completes. Previously, it would appear
to remove an entry, even when removing that entry should fail. See
"Other Changes" item 2) for additional information.
3) Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.
4) When run as root, the 'shorewall load' and 'shorewall reload'
commands would fail if the LOGFILE setting in
/etc/shorewall/shorewall.conf specified a non-existant file.
5) Entries in /etc/shorewall/tcrules that specify both a source and
destination port fail with the following diagnostic:
iptables v1.3.3: multiport can only have one option
6) Previously, Shorewall-lite did not allow DHCP traffic through an
interface when the interface was a bridge with 'dhcp' specified
unless there was a bridge on the administrative system with the
same name.
7) SOURCE and DEST are now flagged as invalid zone name to avoid
problems with macros that use those names as keywords.
8) Previously, Shorewall could *increase* the MSS under some
circumstances. This possibility is now eliminated, provided that
the system has TCPMSS match support (be sure to update your
capabilities files!).
9) Firewall zone names other than 'fw' no longer cause a error when
IPSECFILE is not set or is set to 'ipsec'.
10) The 'proxyarp' option on an interface was previously ignored when
the /etc/shorewall/proxyarp file was empty.
11) Previously, if action 'a' was defined then the following
rule generated an error:
a: z1 z2 ...
The trailing ":" is now ignored.
12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
generated error messages referred to the rule as a DROP rule.
13) The 'nolock' keyword was previously ignored on several
/sbin/shorewall[-lite] commands.
Other changes in 3.4.4:
1) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK value.
2) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").
Example:
Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
loc (ipv4)
br0:0.0.0.0/0
eth4:0.0.0.0/0
eth5:0.0.0.0/0
+eth1:0.0.0.0/0
dmz (ipv4)
eth3:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0
In the above output, "eth1:0.0.0.0/0" was dynamically added to the
'loc' zone. As part of this change, "shorewall delete" will only
delete entries that have been added dynamically. In earlier
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.
3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.
Beginning with this release, you may define an alternative means
for accessing the remote firewall system.
Two new options have been added to shorewall.conf:
RSH_COMMAND
RCP_COMMAND
The default values for these are as follows:
RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
Shell variables that will be set when the commands are envoked are
as follows:
root - root user. Normally 'root' but may be overridden using
the '-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the
firewall system.
files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.
destination - The directory on the remote system that the files
are to be copied into.
4) You may now select the compiler to use on the command line using
the '-C' option. This option is available on the following
commands:
check
compile
export
load
reload
restart
start
try
safe-start
save-restart
Example:
shorewall try -C perl .
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jun 18 2007 Robert Marcano <robert at marcanoonline.com> - 3.4.4-1
- Update to upstream 3.4.4
--------------------------------------------------------------------------------
Updated packages:
83f1e483c5fc72b44e1f8ac09a390b55362eedde shorewall-3.4.4-1.fc7.noarch.rpm
f2f234e2e8accc39cf56e9e81133a74968b6b824 shorewall-3.4.4-1.fc7.src.rpm
This update can be installed with the 'yum' update program. Use 'yum update
package-name' at the command line. For more information, refer to 'Managing
Software with yum,' available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------
More information about the Fedora-package-announce
mailing list