Fedora 7 Update: shorewall-3.4.4-1.fc7

updates at fedoraproject.org
Mon Jun 18 16:43:09 UTC 2007


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-0509
2007-06-18 09:43:07.047425
--------------------------------------------------------------------------------

Name        : shorewall
Product     : Fedora 7
Version     : 3.4.4
Release     : 1.fc7
Summary     : Iptables-based firewall for Linux systems
Description :

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux system.

--------------------------------------------------------------------------------
Update Information:

Problems corrected in 3.4.4:

1)  The commands "shorewall add <interface> <zone>" and "shorewall
    delete <interface> <zone>" no longer produce spurious error
    messages.

2)  The command "shorewall delete <interface> <zone>" now actually deletes
    entries when it successfully completes.  Previously, it would appear
    to remove an entry, even when removing that entry should fail.  See
    "Other Changes" item 2) for additional information.

3)  Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.

4)  When run as root, the 'shorewall load' and 'shorewall reload'
    commands would fail if the LOGFILE setting in
    /etc/shorewall/shorewall.conf specified a nonexistent file.

5)  Entries in /etc/shorewall/tcrules that specify both a source and
    destination port fail with the following diagnostic:

    iptables v1.3.3: multiport can only have one option

6)  Previously, Shorewall-lite did not allow DHCP traffic through an
    interface when the interface was a bridge with 'dhcp' specified
    unless there was a bridge on the administrative system with the
    same name.

7)  SOURCE and DEST are now flagged as invalid zone names to avoid
    problems with macros that use those names as keywords.

8)  Previously, Shorewall could *increase* the MSS under some
    circumstances. This possibility is now eliminated, provided that
    the system has TCPMSS match support (be sure to update your
    capabilities files!).

9)  Firewall zone names other than 'fw' no longer cause an error when
    IPSECFILE is not set or is set to 'ipsec'.

10) The 'proxyarp' option on an interface was previously ignored when
    the /etc/shorewall/proxyarp file was empty.

11) Previously, if action 'a' was defined then the following
    rule generated an error:

         a:        z1   z2      ...

    The trailing ":" is now ignored.

12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
    generated error messages referred to the rule as a DROP rule.

13) The 'nolock' keyword was previously ignored on several
    /sbin/shorewall[-lite] commands.

Other changes in 3.4.4:

1)  The accounting, masq, rules and tos files now have a 'MARK' column
    similar to the column of the same name in the tcrules file. This
    column allows filtering by MARK value.

2)  The "shorewall show zones" command now flags zone members that have
    been added using "shorewall add" by preceding them with a plus sign
    ("+").

    Example:

    Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007

    fw (firewall)
    net (ipv4)
        eth0:0.0.0.0/0
    loc (ipv4)
        br0:0.0.0.0/0
        eth4:0.0.0.0/0
        eth5:0.0.0.0/0
        +eth1:0.0.0.0/0
    dmz (ipv4)
        eth3:0.0.0.0/0
    vpn (ipv4)
        tun+:0.0.0.0/0

    In the above output, "eth1:0.0.0.0/0" was dynamically added to the
    'loc' zone. As part of this change, "shorewall delete" will only
    delete entries that have been added dynamically. In earlier
    versions, any entry could be deleted although the ruleset was only
    changed by deleting entries that had been added dynamically.

3)  Earlier generations of Shorewall Lite required that remote root
    login via ssh be enabled in order to use the 'load' and 'reload'
    commands.

    Beginning with this release, you may define an alternative means
    for accessing the remote firewall system.

    Two new options have been added to shorewall.conf:

        RSH_COMMAND
        RCP_COMMAND

    The default values for these are as follows:

        RSH_COMMAND: ssh ${root}@${system} ${command}
        RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

    Shell variables that will be set when the commands are invoked are
    as follows:

       root  - root user. Normally 'root' but may be overridden using
               the '-r' option.

       system - The name/IP address of the remote firewall system.

       command - For RSH_COMMAND, the command to be executed on the
                 firewall system.

       files   - For RCP_COMMAND, a space-separated list of files to
                 be copied to the remote firewall system.

       destination - The directory on the remote system that the files
                     are to be copied into.

4)  You may now select the compiler to use on the command line using
    the '-C' option. This option is available on the following
    commands:

        check
        compile
        export
        load
        reload
        restart
        start
        try
        safe-start
        safe-restart

    Example:

        shorewall try -C perl .
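
Added example, not part of the original announcement or of Shorewall's own code: a dry run that renders the default RSH_COMMAND and RCP_COMMAND templates from "Other changes" item 3 next to a constructed override that avoids a remote root login. It assumes the templates are expanded as ordinary shell variables; the key path, the 'fwadmin' account, the remote sudo setup and the sample host, files and destination are all assumptions.

```shell
#!/bin/sh
# Dry-run rendering of the RSH_COMMAND / RCP_COMMAND templates from item 3.
# Nothing here contacts a remote system; it only prints command lines.

# Defaults exactly as listed in the release notes.
DEFAULT_RSH='ssh ${root}@${system} ${command}'
DEFAULT_RCP='scp ${files} ${root}@${system}:${destination}'

# Constructed overrides (assumptions): a dedicated key at a hypothetical path,
# no interactive prompts, and sudo on the remote side instead of a root login.
KEY_OPTS='-i /root/.ssh/fw_deploy_key -o BatchMode=yes'
CUSTOM_RSH="ssh $KEY_OPTS "'${root}@${system} sudo ${command}'
CUSTOM_RCP="scp $KEY_OPTS "'${files} ${root}@${system}:${destination}'

# render TEMPLATE ROOT SYSTEM COMMAND FILES DESTINATION
# Sets the five variables named in the notes, then lets the shell expand the
# template. Assumes the template contains no double quotes or backticks.
render() (
    root=$2 system=$3 command=$4 files=$5 destination=$6
    eval "printf '%s\n' \"$1\""
)

# True when the rendered command would log in to the remote side as root.
logs_in_as_root() {
    case " $1 " in
        *" root@"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values.
FW=fw1.example.com
CMD='/sbin/shorewall-lite restart'
FILES='firewall firewall.conf'
DEST=/var/lib/shorewall-lite

# report USER RSH_TEMPLATE RCP_TEMPLATE: print both rendered commands.
report() {
    rsh=$(render "$2" "$1" "$FW" "$CMD" "" "")
    rcp=$(render "$3" "$1" "$FW" "" "$FILES" "$DEST")
    if logs_in_as_root "$rsh"; then note='remote root login'
    else note='non-root login'; fi
    printf '%s\n%s\n  -> %s\n' "$rsh" "$rcp" "$note"
}

report root    "$DEFAULT_RSH" "$DEFAULT_RCP"   # default: root, no -r override
report fwadmin "$CUSTOM_RSH"  "$CUSTOM_RCP"    # hypothetical account via -r
```

Rendering the templates this way before putting an override into shorewall.conf shows exactly which account and options the 'load' and 'reload' commands would use against the remote firewall.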
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 18 2007 Robert Marcano <robert at marcanoonline.com> - 3.4.4-1
- Update to upstream 3.4.4
--------------------------------------------------------------------------------
Updated packages:

83f1e483c5fc72b44e1f8ac09a390b55362eedde shorewall-3.4.4-1.fc7.noarch.rpm
f2f234e2e8accc39cf56e9e81133a74968b6b824 shorewall-3.4.4-1.fc7.src.rpm

This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------



