releasenotes.txt

    case where your ISP is using RFC 1918 addresses on their DHCP
    servers.

    NULL_ROUTE_RFC1918 defaults to 'No' and is only supported by
    Shorewall-perl; Shorewall-shell ignores the option.

34) There is now a macro.SANE which supports network-attached
    scanners. Shorewall now automatically loads the sane connection
    tracking helper module.

    Thanks for this feature go to Tuomo Soini.

35) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall
    would enable ip forwarding before instantiating the rules. This
    could lead to incorrect connection tracking entries being created
    between the time that forwarding was enabled and when the nat table
    rules were instantiated.

    Beginning with Shorewall 4.0.11 and 4.1.7, enabling of forwarding
    is deferred until after the rules are in place.

36) When using Shorewall-perl, the CEIL and RATE columns must now
    contain arithmetic expressions consisting of:

    a) Numeric digits (Hex numbers not allowed).
    b) Parentheses.
    c) The arithmetic operators +-* and /.
    d) The word 'full'.

37) The installers (install.sh) now auto-detect a Cygwin environment
    and install under the current user's ID if OWNER and GROUP are not
    given.

38) The 'start' and 'restart' commands now support a '-p' (purge)
    option which causes all entries to be removed from the Netfilter
    conntrack table. In order to use this option, the 'conntrack'
    utility must be installed on your system. Although it is generally
    not installed by default, most distributions have this utility in
    their repositories.

39) A 'save' extension script is added. The script is run after
    iptables-save has completed successfully.

    The 'load' and 'reload' commands copy the save script (if any) to
    /etc/shorewall-lite/ on the remote firewall system. The 'export'
    command copies the file to the same directory as the 'firewall' and
    'firewall.conf' scripts.
    I have the following commands in my 'save' script:

        [ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup
        ipset -S > /root/ipsets.save

    These commands complement my 'init' script:

        qt modprobe ifb numifbs=1
        qt ip link set dev ifb0 up

        if [ "$COMMAND" = start ]; then
            ipset -U :all: :all:
            ipset -U :all: :default:
            ipset -F
            ipset -X
            ipset -R < /root/ipsets.save
        fi

    Those two scripts allow me to save and restore the contents of my
    ipsets automatically under Shorewall-perl/Shorewall-lite (my
    routestopped file does not use ipsets).

40) A HELPER column is included in the tcrules file. The value in this
    column names one of the Netfilter protocol 'helper' module sets
    (ftp, sip, amanda, etc).

    See http://www.shorewall.net/traffic_shaping.htm for an example.

41) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.

42) Farkas Levante has contributed a macro.Mail macro that covers SMTP,
    SMTPS and submission.

43) Beginning with Shorewall 4.0.0, the -f option was no longer the
    default for '/etc/init.d/shorewall start'. Beginning with 4.0.13
    and 4.2.0-Beta3, this is also true for Shorewall-lite.

44) A new USE_DEFAULT_RT option has been added to shorewall.conf. When
    set to 'Yes', it causes the Shorewall multi-ISP feature to create
    a different set of routing rules which are resilient to changes in
    the main routing table. Such changes can occur for a number of
    reasons, VPNs going up and down being an example.

    The idea is to send packets through the main table prior to
    applying any of the Shorewall-generated routing rules. So changes
    to the main table will affect the routing of packets by default.

    When USE_DEFAULT_RT=Yes:

    a) Both the DUPLICATE and the COPY columns in the providers file
       must remain empty (or contain "-").

    b) The default route is added to the 'default' table rather
       than to the main table.
    c) 'balance' is assumed unless 'loose' is specified.

    d) Packets are sent through the main routing table by a rule with
       priority 999. In /etc/shorewall/routing_rules, the range 1-998
       may be used for inserting rules that bypass the main table.

    e) All provider gateways must be specified explicitly in the
       GATEWAY column. 'detect' may not be specified.

    f) You should disable all default route management outside of
       Shorewall. If a default route is added to the main table while
       Shorewall is started, then all policy routing will stop working
       (except for those routing rules in the priority range 1-998).

45) The 'shorewall restart' command now supports an -f option. When
    this option is specified, no compilation occurs; rather, the script
    which last started or restarted Shorewall is used.

46) A macro supporting RNDC (BIND remote management protocol) traffic
    has been added.  It can be used as any other macro (e.g., RNDC/ACCEPT)
    in the rules file.

47) If 'NONAT' is specified in the ADDRESS column of an entry in
    /etc/shorewall/masq, then traffic matching that entry is not
    passed to the entries that follow.

New Features added in Shorewall 4.2.1

1)  With the recent renewed interest in DoS attacks, it seems
    appropriate to have connection limiting support in Shorewall. To
    that end, a CONNLIMIT column has been added to both the policy and
    rules files.

    The content of these columns is of the format

        [!] <limit>[:<mask>]

    where   <limit> is the limit on simultaneous TCP connections.

            <mask>  specifies the size of the network to which
                    the limit applies and is specified as a
                    CIDR mask length. The default value for
                    <mask> is 32 which means that each remote
                    IP address can have <limit> TCP connections
                    active at once.

            !       Not allowed in the policy file. In the rules file, it
                    causes connections to match when the number of
                    current connections exceeds <limit>.
    When specified in the policy file, the limit is enforced on all
    connections that are subject to the given policy (just like
    LIMIT:BURST). The limit is checked on new connections before the
    connection is passed through the rules in the NEW section of the
    rules file.

    It is important to note that while the limit is only checked for
    those destinations specified in the DEST column, the number of
    current connections is calculated over all destinations and not
    just the destination specified in the DEST column.

    Use of this feature requires the connlimit match capability in your
    kernel and iptables. If you use a capabilities file when compiling
    your Shorewall configuration(s), then you need to regenerate the
    file using Shorewall or Shorewall-lite 4.2.1.

2)  Shorewall now supports time/date restrictions on entries in the
    rules file via a new TIME column.

    The content of this column is a series of one or more "time
    elements" separated by ampersands ("&"). Possible time elements are:

    utc                   Times are expressed in Greenwich Mean Time.

    localtz               Times are expressed in local civil time (default).

    timestart=hh:mm[:ss]
    timestop=hh:mm[:ss]   Start and stop time of day for the rule.

    weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or
                          Sun.

    monthdays=dd[,dd]...  where dd is an ordinal day of the month.

    datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
    datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]

                          where       yyyy = Year
                                first mm   = Month
                                      dd   = Day
                                      hh   = Hour
                                  2nd mm   = Minute
                                      ss   = Second

    Examples:

    1)  utc&timestart=10:00&timestop=12:00

        Between 10am and 12 noon each day, GMT.

    2)  datestart=2008-11-01T12:00

        Beginning November 1, 2008 at noon LCT.
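    The CONNLIMIT and TIME column formats described in items 1) and 2)
    above, as an added example that is not Shorewall's own compiler
    code: a small Python translator from the column text to the
    iptables '-m connlimit' and '-m time' arguments it stands for. The
    validation follows the syntax given in the notes; the mapping onto
    iptables options (a CONNLIMIT value without '!' becoming the
    inverted '! --connlimit-above' so that the rule matches only while
    the count is at or below <limit>, and '--localtz' as the option
    name of the iptables 1.4.x releases of that era) is this example's
    own reading of the text and is an assumption, not something the
    page states.

```python
"""Translate Shorewall 4.2.1 CONNLIMIT and TIME column values into the
iptables match arguments they describe.

Added example, not Shorewall's code.  The column syntax is taken from the
release notes; the option mapping below is this example's assumption.
"""
import re

# [!]<limit>[:<mask>]; a space after '!' is tolerated as the notes show it
CONNLIMIT_RE = re.compile(r"^(!)?\s*(\d+)(?::(\d+))?$")

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
CLOCK_RE = re.compile(r"^\d{2}:\d{2}(:\d{2})?$")
# yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
DATE_RE = re.compile(r"^\d{4}(-\d{2}(-\d{2}(T\d{2}(:\d{2}(:\d{2})?)?)?)?)?$")


def connlimit_args(value, policy=False):
    """Return the iptables arguments for one CONNLIMIT column value.

    value  -- "[!]<limit>[:<mask>]" as written in the rules or policy file
    policy -- True for a policy-file value, where '!' is not allowed

    Without '!' the rule should match while the source network (<mask>
    bits wide, default /32) has at most <limit> connections, which is the
    inverted form of --connlimit-above.  With '!' it matches once the
    count exceeds <limit>.  (Mapping assumed, see module docstring.)
    """
    m = CONNLIMIT_RE.match(value.strip())
    if not m:
        raise ValueError("bad CONNLIMIT value: %r" % value)
    invert, limit, mask = m.groups()
    if invert and policy:
        raise ValueError("'!' is not allowed in the policy file: %r" % value)
    mask = 32 if mask is None else int(mask)
    if not 0 <= mask <= 32:
        raise ValueError("CONNLIMIT mask must be 0-32: %r" % value)
    args = ["-m", "connlimit"]
    if not invert:
        args.append("!")
    args += ["--connlimit-above", str(int(limit)), "--connlimit-mask", str(mask)]
    return args


def time_args(value):
    """Return the iptables arguments for one TIME column value.

    value -- time elements joined by '&', e.g. "utc&timestart=10:00&timestop=12:00"
    """
    args = ["-m", "time"]
    seen = set()
    for element in value.strip().split("&"):
        name, has_arg, arg = element.partition("=")
        if name in seen:
            raise ValueError("duplicate time element: %r" % name)
        seen.add(name)
        if name in ("utc", "localtz"):
            if has_arg:
                raise ValueError("%s takes no value" % name)
            args.append("--" + name)
        elif name in ("timestart", "timestop"):
            if not CLOCK_RE.match(arg):
                raise ValueError("%s must be hh:mm[:ss]: %r" % (name, arg))
            args += ["--" + name, arg]
        elif name == "weekdays":
            if not arg or any(d not in WEEKDAYS for d in arg.split(",")):
                raise ValueError("bad weekdays list: %r" % arg)
            args += ["--weekdays", arg]
        elif name == "monthdays":
            days = arg.split(",")
            if not all(d.isdigit() and 1 <= int(d) <= 31 for d in days):
                raise ValueError("bad monthdays list: %r" % arg)
            args += ["--monthdays", arg]
        elif name in ("datestart", "datestop"):
            if not DATE_RE.match(arg):
                raise ValueError("%s must be yyyy[-mm[-dd[Thh[:mm[:ss]]]]]: %r"
                                 % (name, arg))
            args += ["--" + name, arg]
        else:
            raise ValueError("unknown time element: %r" % name)
    if {"utc", "localtz"} <= seen:
        raise ValueError("utc and localtz are mutually exclusive")
    return args


def rejected(fn, *args, **kwargs):
    """True when fn(*args, **kwargs) raises ValueError (used by the checks)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # the two TIME examples from the notes plus a CONNLIMIT pair
    for col, fn in (("10", connlimit_args), ("!10:24", connlimit_args),
                    ("utc&timestart=10:00&timestop=12:00", time_args),
                    ("datestart=2008-11-01T12:00", time_args)):
        print("%-40s -> %s" % (col, " ".join(fn(col))))
```

    Run it directly to see the four translations; the policy-file
    check in connlimit_args() is the one that rejects '!', mirroring
    the "Not allowed in the policy file" note above.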
    Use of this feature requires the time match capability in your
    kernel and iptables. If you use a capabilities file when compiling
    your Shorewall configuration(s), then you need to regenerate the
    file using Shorewall or Shorewall-lite 4.2.1.

3)  If your kernel and iptables support "-m conntrack --ctorigdstport"
    then Shorewall will utilize that capability to ensure that when you
    do port mapping (change the destination port but not the
    destination IP address), the final destination port is not opened
    as a side effect.

    Example:

    DNAT net loc:206.124.146.177:22 tcp 2222 - 206.124.146.177

    That rule maps port 2222 -> 22 but without this new feature, it
    also opens port 22 directly.

    To use this feature, you must be running Shorewall-perl and the
    output of 'shorewall show capabilities' must show:

       Extended Connection Tracking Match Support: Available

New Features in Shorewall 4.2.2

1)  A macro supporting JAP (anonymization protocol) has been added.
    It can be used as any other macro (e.g., JAP/ACCEPT) in the rules
    file.

2)  A macro supporting DAAP (Digital Audio Access Protocol) has been added.
    It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules
    file.

3)  A macro supporting DCC (Distributed Checksum Clearinghouse) has been
    added.  It can be used as any other macro (e.g., DCC/ACCEPT) in the
    rules file.

4)  A macro supporting GNUnet (secure peer-to-peer networking) has been
    added.  It can be used as any other macro (e.g., GNUnet/ACCEPT) in the
    rules file.

5)  In 4.2.1, a single capability ("Extended conntrack match support")
    was used both to control the use of --ctorigdstport and to trigger
    use of the new syntax for inversion of --ctorigdst (e.g., "!
    --ctorigdst ..."). In 4.2.2, these are controlled by two separate
    capabilities.
    If you use a capabilities file when compiling your
    configuration, be sure to generate a new one after installing
    4.2.2.

Problems corrected in Shorewall 4.2.1

1)  A description of the CONNBYTES column has been added to
    shorewall-tcrules(5).

2)  Previously, Shorewall-perl would accept zero as the <max> value in
    the CONNBYTES column of tcrules even when the <min> field was
    non-zero. A value of zero for <max> was equivalent to omitting
    <max>.

3)  iptables 1.4.1 discontinued support of syntax generated by
    Shorewall in some cases. Shorewall now detects when the new syntax
    is required and uses it instead.

4)  The Shorewall-perl implementation of the LENGTH column in
    /etc/shorewall/tcrules was incomplete with the result that
    all LENGTH rules matched. Thanks to Lennart Sorensen for the patch.

5)  The 'export' command no longer fails with the error:

    /sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi")

Problems corrected in Shorewall 4.2.2

1)  Shorewall-perl now ensures that each line copied from a
    configuration file or user exit is terminated with a newline
    character.

2)  When ipranges were used to define zones, Shorewall-perl could
    generate invalid iptables-restore input if 'Repeat Match' was not
    available. Repeat Match is not a true match -- it rather is a
    feature of recent iptables releases that allows a match to be
    repeated within a rule.

3)  With Shorewall-perl, if a destination port list had exactly 16
    ports, where a port-range counts as two ports, then Shorewall-perl
    would fail to split the rule into multiple rules and an
    iptables-restore error would result.

4)  The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1
    compatibility contained a typo that prevented it from working
    correctly.

5)  If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP
    address and no zone name in the DEST column, Shorewall-perl would
    reject the rule.
    If a zone name was specified, Shorewall-perl would issue a Warning
    message.

Problems corrected in Shorewall 4.2.3

1)  Previously, Shorewall would allow compilation for export of a
    script named 'shorewall' with the unfortunate side effect that
    the 'shorewall.conf' file was overwritten. Scripts named
    'shorewall' now cause a fatal error to be raised.

2)  Previously, Shorewall-perl attempted to do Shell variable
    substitution on the first line in /etc/shorewall/compile.

3)  Following the Netfilter tradition, the IPP2P maintainer has made an
    incompatible syntax change (the --ipp2p option has been
    removed). Shorewall has always used "-m ipp2p --ipp2p" when
    detecting the presence of IPP2P support.

    Shorewall-common and Shorewall-perl have been modified to use
    "-m ipp2p --edk" instead.

4)  When Extended Conntrack Match support was available, Shorewall-perl
    would create invalid iptables-restore input for certain DNAT rules.

5)  An optimization in all Shorewall-perl 4.2 versions could cause
    undesirable side effects. The optimization deleted the
