Shorewall Development Release 2.1.9 Available
Contributed by Chad Brandt
Thursday, 16 September 2004
The latest development release of Shorewall is available for download. This release fixes a few bugs from 2.1.8 and adds a couple of new features.

Problems corrected since 2.1.8
1) IP ranges in the routestopped and tunnels files now work.
2) Rules where an IP range appears in both the source and destination now work correctly.
3) With complex proxy arp configurations involving two or more ordered pairs of interfaces, the /proc/sys/net/ipv4/conf/*/proxy_arp flags were sometimes set incorrectly. This has been fixed.
Users looking at their restore file (generated by "shorewall save") may see one of these flags first reset and then set in rapid succession. This is expected and is harmless since the correct value (1) results.

New features since 2.1.8
1) During "shorewall start", IP addresses to be added as a consequence of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted when /etc/shorewall/nat and /etc/shorewall/masq are processed, and then they are re-added later. This is done to help ensure that the addresses can be added with the specified labels, but it can have the undesirable side effect of causing routes to be quietly deleted. A new RETAIN_ALIASES option has been added to shorewall.conf; when this option is set to Yes, existing addresses will not be deleted. Regardless of the setting of RETAIN_ALIASES, addresses added during "shorewall start" are still deleted at a subsequent "shorewall stop" or "shorewall restart".
2) Users with a large blacklist (from /etc/shorewall/blacklist) may want to set the new DELAYBLACKLISTLOAD option in shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before loading the blacklist rules. While this may allow connections from blacklisted hosts to slip by during construction of the blacklist, it can substantially reduce the time that all new connections are disabled during "shorewall [re]start".

Visit Shorewall's web site for more details.