Portage has version 4.5.4.2 in ~arch. The latest stable version is (this list is truncated for the comment character limit)

                  S H O R E W A L L  4 . 5 . 6 . 2
                     A u g u s t  0 8 ,  2 0 1 2

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   RELEASE 4.4 HIGHLIGHTS
V.    MIGRATION ISSUES
VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E

4.5.6.2

1)  The compiler now generates an error when a SOURCE interface is
    specified in a rule where the SOURCE zone is the firewall itself.

2)  Previously, entries in /etc/shorewall/notrack that specified a
    Vserver zone in the SOURCE column were omitted from the generated
    ruleset.

3)  The set of helpers available in the notrack file and in the HELPER
    column of the tcrules file was incorrect:

    - The Amanda helper requires a UDP port -- Shorewall was requiring
      TCP.
    - The H323 module supplies two helpers: 'RAW' and 'Q.931';
      Shorewall only accepted 'h323'.
    - The Netbios NS module supplies the 'netbios-ns' helper; Shorewall
      only accepted 'netbios_ns'.

4)  The conditional directive '?IF 0' generated an error from the
    compiler. It now causes following lines to be omitted.

4.5.6.1

1)  The 'systemctl' command in the Shorewall[6], Shorewall[6] Lite and
    Shorewall Init installers was incorrect with the result that the
    product was not started automatically on boot.

4.5.6

1)  This release includes the defect repairs from Shorewall 4.5.5.1
    through 4.5.5.4.

2)  Previously, the tcrules file was not processed when TC_ENABLED=No.
    That meant that to use features like TPROXY, it was necessary to
    set TC_ENABLED=Yes and create a dummy /etc/shorewall/tcstart file.
    Now, only MANGLE_ENABLED=Yes is required.

----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E

1)  Support for size tables has been added in complex TC. The OPTIONS
    column of /etc/shorewall/tcdevices now allows a 'linklayer' option
    whose value may be 'ethernet', 'atm' or 'adsl'; the last two are
    synonyms. When 'linklayer' is specified, it may be followed by
    additional options:

        mtu=<mtu>                - The device MTU; default 2048 (will be
                                   rounded up to a power of two)
        mpu=<mpubytes>           - Minimum packet size used in
                                   calculations. Smaller packets will be
                                   rounded up to this size
        tsize=<tablesize>        - Size table entries; default is 512
        overhead=<overheadbytes> - Number of overhead bytes per packet.

    See tc-stab (8) for details about these options.

2)  It is now possible to specify the LS (linksharing) rate for an HFSC
    class in /etc/shorewall/tcclasses. See shorewall-tcclasses (5) for
    details.

3)  It is now possible to specify that a leaf class will use the RED
    (Random Early Detection) queuing discipline rather than SFQ or
    pfifo. A new class OPTION is defined:

        red=(<red option>=<value>, ...)

    When specified on a leaf class, causes the class to use the RED
    (Random Early Detection) queuing discipline rather than SFQ. See
    tc-red (8) for additional information.

    Allowable <red option>s are:

        min <min>
            Average queue size in bytes at which marking becomes a
            possibility.

        max <max>
            At this average queue size, the marking probability is
            maximal. Must be at least twice <min> to prevent synchronous
            retransmits, higher for low <min>.

        probability <probability>
            Maximum probability for marking, specified as a floating
            point number from 0.0 to 1.0. Suggested values are 0.01 or
            0.02 (1 or 2%, respectively).

        limit <limit>
            Hard limit on the real (not average) queue size in bytes.
            Further packets are dropped. Should be set higher than
            <max>+<burst>. It is advised to set this a few times higher
            than <max>. Shorewall requires that <limit> be at least
            twice <min>.

        burst <burst>
            Used for determining how fast the average queue size is
            influenced by the real queue size. Larger values make the
            calculation more sluggish, allowing longer bursts of traffic
            before marking starts. Real life experiments support the
            following guideline: (<min>+<min>+<max>)/(3*<avpkt>).

        avpkt <avpkt>
            Optional. Specified in bytes. Used with burst to determine
            the time constant for average queue size calculations. 1000
            is a good value and is the Shorewall default.

        bandwidth <bandwidth>
            Optional. This rate is used for calculating the average
            queue size after some idle time. Should be set to the
            bandwidth of your interface. Does not mean that RED will
            shape for you!

        ecn
            RED can either 'mark' or 'drop'. Explicit Congestion
            Notification (ECN) allows RED to notify remote hosts that
            their rate exceeds the amount of bandwidth available.
            Non-ECN capable hosts can only be notified by dropping a
            packet. If this parameter is specified, packets which
            indicate that their hosts honor ECN will only be marked and
            not dropped, unless the queue size hits limit bytes. Needs a
            tc binary with RED support compiled in. Recommended.

4)  The handling of the USER/GROUP column of the rules file has been
    rewritten. As part of this rewrite:

    a)  The ability to specify a program name (e.g., +prog) has been
        eliminated. The kernel feature which that ability depended on
        was removed in kernel version 2.6.14.

    b)  It is now possible to specify UID and/or GID ranges of the form
        'low-high' where 'low' and 'high' are integers and low <= high.

5)  It is now possible to use Perl-compatible expressions in ?IF
    directives. As before, variables must be environmental variables,
    options from shorewall.conf, shell variables set in the params file
    or capabilities. As previously, capabilities may be entered with
    leading '__' rather than '$'.

    Example:

        ?IF $BLACKLIST_LOGLEVEL && ! __LOG_OPTIONS

6)  The ?ELSIF directive has been added allowing more convenient
    expression of complex include scenarios.

    Example (column headings abbreviated to fit release notes format):

        #NAME     NUM  MARK     DUP  INTERFACE  GWAY    OPTIONS
        ?IF $FALLBACK
        ComcastB  1    0x10000  -    COMB_IF    detect  fallback
        ComcastC  2    0x20000  -    COMC_IF    detect  fallback
        ?ELSIF $STATISTICAL
        ComcastB  1    0x10000  -    COMB_IF    detect  load=0.66666667
        ComcastC  2    0x20000  -    COMC_IF    detect  load=0.33333333
        ?ELSE
        ComcastB  1    0x10000  -    COMB_IF    detect  balance=2
        ComcastC  2    0x20000  -    COMC_IF    detect  loose,balance
        ?ENDIF

7)  An ORIGINAL DEST column has been added to the masq file, allowing
    SNAT rules to match only DNAT traffic to a particular original
    source address.

V.  M I G R A T I O N   I S S U E S

1)  If you are migrating from Shorewall 4.2.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt

2)  The BLACKLIST section of the rules file has been eliminated. If you
    have entries in that file section, you must move them to the
    blrules file.

3)  This version of Shorewall requires either the Digest::SHA1 or
    Digest::SHA Perl module.

        Debian:   libdigest-sha1-perl or libdigest-sha-perl
        Fedora:   perl-Digest-SHA1 or perl-Digest-SHA
        OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA

4)  The generated firewall script now maintains the
    /var/lib/shorewall[6][-lite]/interface.status files used by SWPING
    and by LSM. If you have optional providers and do not run a link
    monitor like SWPING or LSM that updates these files, then you should
    remove /etc/shorewall[6]/isusable if it is installed.

Reproducible: Always
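The RED leaf-class option introduced in III.3 above comes with several numeric rules (max at least twice min, limit at least twice min and above max+burst, probability in 0.0..1.0, and the burst guideline). The following validator is an added example, not Shorewall's own compiler code: it parses a `red=(...)` option string as the notes describe it and reports which of those rules a given configuration breaks. It assumes that min, max and limit are mandatory (the notes mark only avpkt and bandwidth as optional) and that `ecn` is a bare flag with no value.

```python
import re
# Constraints the Shorewall 4.5.6 release notes state for the tcclasses leaf-class
# option red=(<option>=<value>, ...). Added example, not Shorewall's own code.
RED_DEFAULT_AVPKT = 1000  # Shorewall default named in the notes
RED_OPTIONS = {"min", "max", "probability", "limit", "burst",
               "avpkt", "bandwidth", "ecn"}

def parse_red_option(spec):
    """Parse 'red=(min=30000,max=90000,...)' into a dict; 'ecn' is a bare flag."""
    m = re.fullmatch(r"red=\((.*)\)", spec.strip())
    if not m:
        raise ValueError("expected red=(...)")
    opts = {}
    for item in filter(None, (s.strip() for s in m.group(1).split(","))):
        key, _, value = item.partition("=")
        if key not in RED_OPTIONS:
            raise ValueError(f"unknown RED option {key!r}")
        if key == "ecn":  # flag only: no value allowed
            if value:
                raise ValueError("ecn takes no value")
            opts[key] = True
        elif key == "probability":
            opts[key] = float(value)
        else:
            opts[key] = int(value)  # byte counts and rates are integers
    return opts

def check_red_options(opts):
    """Return the list of rule violations (an empty list means the spec is sane)."""
    # Assumption: min, max and limit are mandatory (notes mark only avpkt/bandwidth optional).
    missing = [k for k in ("min", "max", "limit") if k not in opts]
    if missing:
        return [f"missing required option(s): {', '.join(missing)}"]
    mn, mx, limit = opts["min"], opts["max"], opts["limit"]
    problems = []
    if mx < 2 * mn:
        problems.append("max must be at least twice min")
    if limit < 2 * mn:
        problems.append("Shorewall requires limit to be at least twice min")
    if "burst" in opts and limit <= mx + opts["burst"]:
        problems.append("limit should be set higher than max+burst")
    if "probability" in opts and not 0.0 <= opts["probability"] <= 1.0:
        problems.append("probability must lie between 0.0 and 1.0")
    return problems

def suggested_burst(opts):
    """Burst guideline from the notes, (min+min+max)/(3*avpkt), rounded up."""
    avpkt = opts.get("avpkt", RED_DEFAULT_AVPKT)
    return -(-(2 * opts["min"] + opts["max"]) // (3 * avpkt))
```

Running `check_red_options` on a tcclasses entry before committing it catches the limit/min and max/min violations that would otherwise only surface when tc rejects the qdisc at `shorewall start`.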
Done :).