Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-03-18 13:05:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shorewall" Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-02-08 11:42:31.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-03-18 13:05:33.000000000 +0100 
@@ -1,0 +2,20 @@ +Fri Mar 13 07:52:35 UTC 2015 - toganm@opensuse.org + +- Update to version 4.6.7 For more details see changelog.txt and + releasenotes.txt + + * This release includes defect repair from Shorewall 4.6.6.2 and + earlier releases. + * The 'tunnels' file now supports 'tinc' tunnels. + * Previously, the SAME action in the mangle file had a fixed + timeout of 300 seconds (5 minutes). That action now allows + specification of a different timeout. + * It is now possible to add or delete addresses from an ipset + with entries in the mangle file. The ADD and DEL actions have + the same behavior in the mangle file as they do in the rules + file. + +- Added systemd_version macro in anticipation of detecting the + correct service file when systemd version is >= 214 + +------------------------------------------------------------------- Old: ---- shorewall-4.6.6.2.tar.bz2 shorewall-core-4.6.6.2.tar.bz2 shorewall-docs-html-4.6.6.2.tar.bz2 shorewall-init-4.6.6.2.tar.bz2 shorewall-lite-4.6.6.2.tar.bz2 shorewall6-4.6.6.2.tar.bz2 shorewall6-lite-4.6.6.2.tar.bz2 New: ---- shorewall-4.6.7.tar.bz2 shorewall-core-4.6.7.tar.bz2 shorewall-docs-html-4.6.7.tar.bz2 shorewall-init-4.6.7.tar.bz2 shorewall-lite-4.6.7.tar.bz2 shorewall6-4.6.7.tar.bz2 shorewall6-lite-4.6.7.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.PJNDnX/_old 2015-03-18 13:05:35.000000000 +0100 +++ /var/tmp/diff_new_pack.PJNDnX/_new 2015-03-18 13:05:35.000000000 +0100 
@@ -20,19 +20,19 @@ %define have_systemd 1 Name: shorewall -Version: 4.6.6.2 +Version: 4.6.7 Release: 0 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems License: GPL-2.0 Group: Productivity/Networking/Security Url: http://www.shorewall.net/ -Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-%version.tar.bz2 -Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-core-%version.tar.bz2 -Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-lite-%version.tar.bz2 -Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-init-%version.tar.bz2 -Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}6-lite-%version.tar.bz2 -Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}6-%version.tar.bz2 -Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.6/%{name}-docs-html-%version.tar.bz2 +Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-%version.tar.bz2 +Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-core-%version.tar.bz2 +Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-lite-%version.tar.bz2 +Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-init-%version.tar.bz2 +Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}6-lite-%version.tar.bz2 +Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}6-%version.tar.bz2 +Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.7/%{name}-docs-html-%version.tar.bz2 Source7: %{name}-4.4.22.rpmlintrc Source8: README.openSUSE # PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop 
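Review bot: none of Source through Source6 has a companion detached-signature or keyring Source line, so the build pulls all seven upstream tarballs from plain http://www.shorewall.net with no integrity check of its own beyond what OBS stores; if upstream publishes .asc files for these archives, add them as further Source lines and verify them in %prep (openSUSE packages of this era do that with gpg-offline's %gpg_verify), and switch the URLs to https if the server offers it. Separately, the release directory `shorewall-4.6.7/` is hard-coded in all seven lines, so every version bump edits every one of them; deriving the directory from the first three components of %version would make the next update a single-line change.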
@@ -346,6 +346,10 @@ %install +# find the systemd version inorder to install correct service files +%define systemd_version \ +systemd --version |grep systemd|cut -d" " -f 2 + # NOTE For REVIEWERS # # configure is used to set the installation parameters to shorewall. @@ -373,9 +377,11 @@ %if 0%{?have_systemd} servicedir=%_unitdir \ %endif -# %%if 0%%{?suse_version} >= 1210 -# systemd=%%_unitdir \ -# %%endif +# ensure correct service files are installed + %if 0%{?systemd_version} >= 214 + servicefile=${i}.service.214 \ + %endif + sharedir=%_datadir if [ $i != shorewall-init ];then ++++++ shorewall-4.6.6.2.tar.bz2 -> shorewall-4.6.7.tar.bz2 ++++++ ++++ 1622 lines of diff (skipped) ++++++ shorewall-core-4.6.6.2.tar.bz2 -> shorewall-core-4.6.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/changelog.txt new/shorewall-core-4.6.7/changelog.txt --- old/shorewall-core-4.6.6.2/changelog.txt 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-core-4.6.7/changelog.txt 2015-03-11 19:41:43.000000000 +0100 @@ -1,3 +1,21 @@ +Changes in 4.6.7 Final + +1) Update release documents. + +Changes in 4.6.7 RC 1 + +1) Update release documents. + +Changes in 4.6.7 Beta 1 + +1) Update release documents. + +2) Add 'tinc' tunnel support. + +3) Add <timeout> parameter to SAME. + +4) Implement ADD and DEL in the mangle file. + Changes in 4.6.6.2 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/configure new/shorewall-core-4.6.7/configure --- old/shorewall-core-4.6.6.2/configure 2015-02-06 23:28:16.000000000 +0100 +++ new/shorewall-core-4.6.7/configure 2015-03-11 19:41:43.000000000 +0100 
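Review bot: in the %install hunk, `%define systemd_version \ systemd --version |grep systemd|cut -d" " -f 2` stores the command text as the macro body rather than its output, so the later `%if 0%{?systemd_version} >= 214` expands to `%if 0systemd --version |grep systemd|cut -d" " -f 2 >= 214`, which is not a valid rpm expression; the `servicefile=${i}.service.214` branch can therefore never be selected, and the .changes entry's "in anticipation of detecting" confirms this is known to be inert. To evaluate the command at spec-parse time use shell expansion, e.g. `%define systemd_version %(systemd --version | head -n1 | cut -d' ' -f2)`, move it up next to `%define have_systemd 1` so it is defined before the %if, and add systemd to BuildRequires so the binary is present in the build chroot (with the `0%{?…}` guard the comparison falls back to 0 >= 214 when it is not). Note that this decides at build time, from the build host's systemd, which unit file is shipped; that is fine for a distribution build but worth stating in the comment, which should also read "in order" rather than "inorder". Also confirm that `servicefile=` is a parameter the 4.6.7 configure script accepts; an unrecognised key would be ignored without error.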
@@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.6.2 +VERSION=4.6.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/configure.pl new/shorewall-core-4.6.7/configure.pl --- old/shorewall-core-4.6.6.2/configure.pl 2015-02-06 23:28:16.000000000 +0100 +++ new/shorewall-core-4.6.7/configure.pl 2015-03-11 19:41:43.000000000 +0100 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.6.2' + VERSION => '4.6.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/install.sh new/shorewall-core-4.6.7/install.sh --- old/shorewall-core-4.6.6.2/install.sh 2015-02-06 23:28:16.000000000 +0100 +++ new/shorewall-core-4.6.7/install.sh 2015-03-11 19:41:43.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see http://www.gnu.org/licenses/. # -VERSION=4.6.6.2 +VERSION=4.6.7 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/known_problems.txt new/shorewall-core-4.6.7/known_problems.txt --- old/shorewall-core-4.6.6.2/known_problems.txt 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-core-4.6.7/known_problems.txt 2015-03-11 19:41:43.000000000 +0100 
@@ -1,36 +1,2 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. - -2) The SAVE and RESTORE actions are erroneously disallowed in the - INPUT chain within the mangle file. - - Corrected in 4.6.6.1 - -3) The manpage descriptions of the mangle SAVE and RESTORE actions - incorrectly require a slash (/) prior to the mask value. - - Corrected in 4.6.6.1 - -4) Race conditions can currently occur between the 'start' command and - the 'enable' and 'disable' commands. - - Corrected in 4.6.6.1 - -5) The 'update' command incorrectly adds the INLINE_MATCHES option - to shorewall.conf with a default value of 'Yes'. This causes - 'start' to fail with invalid iptables rules when the alternate - input format using ';' is used. - - Corrected in 4.6.6.1 - -6) The LOCKFILE setting is not propagated to the generated script. So - when the script is run directly, the script unconditionally uses - ${VARDIR}/lock. - - Corrected in 4.6.6.1 - -7) The compiler fails to parse the construct +<ipset>[n] where n is an - integer (e.g., +bad[2]). - - Corrected in 4.6.6.2 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/releasenotes.txt new/shorewall-core-4.6.7/releasenotes.txt --- old/shorewall-core-4.6.6.2/releasenotes.txt 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-core-4.6.7/releasenotes.txt 2015-03-11 19:41:43.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 6 . 2 + S H O R E W A L L 4 . 6 . 7 ------------------------------------ - F e b r u a r y 0 6 , 2 0 1 5 + M a r c h 0 8 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,49 +14,9 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.6.2 - -1) The compiler failed to parse the construct +<ipset>[n] where n is an - integer (e.g., +bad[2]). - -2) Orion Paplawski has provided a patch that adds 'ko.xz' to the - default MODULE_SUFFIX setting. This change deals with recent Fedora - releases where the module names now end with ".ko.xz". - - In addition to Orion's patch, the sample configurations have been - modified to specify MODULE_SUFFIX="ko ko.xz". - -4.6.6.1 - -1) Previously the SAVE and RESTORE actions were erroneously disallowed - in the INPUT chain within the mangle file. - -2) The manpage descriptions of the mangle SAVE and RESTORE actions - incorrectly required a slash (/) prior to the mask value. - -3) Race conditions could previously occur between the 'start' command - and the 'enable' and 'disable' commands. - -4) The 'update' command incorrectly added the INLINE_MATCHES option - to shorewall.conf with a default value of 'Yes'. This caused - 'start' to fail with invalid iptables rules when the alternate - input format using ';' is used. - -6) Previously the LOCKFILE setting was not propagated to the generated - script. So when the script was run directly, the script - unconditionally used ${VARDIR}/lock. - -4.6.6 - -1) This release includes defect repair from Shorewall 4.6.5.5 and +1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. -2) Previously, a line beginning with 'shell' was interpreted as a - shell script. Now, the line must begin with 'SHELL' - (case-sensitive). - - Note that ?SHELL and BEGIN SHELL are still case-insensitive. - ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -68,92 +28,15 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, the firewall products (Shorewall, Shorewall6 and - *-lite) specified "After=network.target" in their .service files. - - Beginning with this release, those products specify - "After=network-online.target" like the service.214 files. This - change is intended to delay firewall startup until after network - initialization is complete. - -2) The 'TARPIT' target is now supported in the rules file. Using this - target requires the appropriate support in your kernel and - iptables. This feature implements a new "TARPIT Target" capability, - so if you use a capabilities file, then you need to regenerate the - file after installing this release. - - TARPIT captures and holds incoming TCP connections using no local - per-connection resources. - - - TARPIT only works with the PROTO column set to tcp (6), and is - totally application agnostic. This module will answer a TCP request - and play along like a listening server, but aside from sending an - ACK or RST, no data is sent. Incoming packets are ignored and - dropped. The attacker will terminate the session eventually. This - module allows the initial packets of an attack to be captured by - other software for inspection. In most cases this is sufficient to - determine the nature of the attack. - - - This offers similar functionality to LaBrea - http://www.hackbusters.net/LaBrea/ but does not require dedicated - hardware or IPs. Any TCP port that you would normally DROP or - REJECT can instead become a tarpit. - - The target accepts a single optional parameter: +1) The 'tunnels' file now supports 'tinc' tunnels. - tarpit (default) - - This mode completes a connection with the attacker but limits - the window size to 0, thus keeping the attacker waiting long - periods of time. 
While he is maintaining state of the - connection and trying to continue every 60-240 seconds, we - keep none, so it is very lightweight. Attempts to close the - connection are ignored, forcing the remote side to time out - the connection in 12-24 minutes. - - honeypot - - This mode completes a connection with the attacker, but - signals a normal window size, so that the remote side will - attempt to send data, often with some very nasty exploit - attempts. We can capture these packets for decoding and - further analysis. The module does not send any data, so if - the remote expects an application level response, the game - is up. - - reset - - This mode is handy because we can send an inline RST - (reset). It has no other function. - -3) A 'loopback' option has been added to the interfaces files to - designate the interface as the loopback device. This option is - assumed if the device's physical name is 'lo'. Only one - interface may specify 'loopback'. - - If no interface has physical name 'lo' and no interface specifies - the 'loopback' option, then the compiler implicitly defines an - interface as follows: - - #ZONE INTERFACE OPTIONS - - lo ignore,loopback - -4) The compiler now takes advantage of the iptables 'iface' match - capability for identifying loopback traffic. - -5) The 'primary' provider option has been added as a synonym for - 'balance=1'. The rationale for this addition is that 'balance' - seems inappropriate when only a single provider specifies that - option. For example, if there are two providers and one specifies - 'fallback', then the other would specify 'primary' rather than - 'balance'. - -6) Two new Macros have been contributed: - - Zabbix - Tuomo Soini - Tinc - Răzvan Sandu +2) Previously, the SAME action in the mangle file had a fixed timeout + of 300 seconds (5 minutes). That action now allows specification of + a different timeout. + +3) It is now possible to add or delete addresses from an ipset with + entries in the mangle file. 
The ADD and DEL actions have the same + behavior in the mangle file as they do in the rules file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -448,6 +331,142 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 +---------------------------------------------------------------------------- + +1) This release includes defect repair from Shorewall 4.6.5.5 and + earlier releases. + +2) Previously, a line beginning with 'shell' was interpreted as a + shell script. Now, the line must begin with 'SHELL' + (case-sensitive). + + Note that ?SHELL and BEGIN SHELL are still case-insensitive. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 6 +---------------------------------------------------------------------------- + +4.6.6.2 + +1) The compiler failed to parse the construct +<ipset>[n] where n is an + integer (e.g., +bad[2]). + +2) Orion Paplawski has provided a patch that adds 'ko.xz' to the + default MODULE_SUFFIX setting. This change deals with recent Fedora + releases where the module names now end with ".ko.xz". + + In addition to Orion's patch, the sample configurations have been + modified to specify MODULE_SUFFIX="ko ko.xz". + +4.6.6.1 + +1) Previously the SAVE and RESTORE actions were erroneously disallowed + in the INPUT chain within the mangle file. + +2) The manpage descriptions of the mangle SAVE and RESTORE actions + incorrectly required a slash (/) prior to the mask value. + +3) Race conditions could previously occur between the 'start' command + and the 'enable' and 'disable' commands. + +4) The 'update' command incorrectly added the INLINE_MATCHES option + to shorewall.conf with a default value of 'Yes'. This caused + 'start' to fail with invalid iptables rules when the alternate + input format using ';' is used. + +6) Previously the LOCKFILE setting was not propagated to the generated + script. 
So when the script was run directly, the script + unconditionally used ${VARDIR}/lock. + +1) Previously, the firewall products (Shorewall, Shorewall6 and + *-lite) specified "After=network.target" in their .service files. + + Beginning with this release, those products specify + "After=network-online.target" like the service.214 files. This + change is intended to delay firewall startup until after network + initialization is complete. + +2) The 'TARPIT' target is now supported in the rules file. Using this + target requires the appropriate support in your kernel and + iptables. This feature implements a new "TARPIT Target" capability, + so if you use a capabilities file, then you need to regenerate the + file after installing this release. + + TARPIT captures and holds incoming TCP connections using no local + per-connection resources. + + + TARPIT only works with the PROTO column set to tcp (6), and is + totally application agnostic. This module will answer a TCP request + and play along like a listening server, but aside from sending an + ACK or RST, no data is sent. Incoming packets are ignored and + dropped. The attacker will terminate the session eventually. This + module allows the initial packets of an attack to be captured by + other software for inspection. In most cases this is sufficient to + determine the nature of the attack. + + + This offers similar functionality to LaBrea + http://www.hackbusters.net/LaBrea/ but does not require dedicated + hardware or IPs. Any TCP port that you would normally DROP or + REJECT can instead become a tarpit. + + The target accepts a single optional parameter: + + tarpit (default) + + This mode completes a connection with the attacker but limits + the window size to 0, thus keeping the attacker waiting long + periods of time. While he is maintaining state of the + connection and trying to continue every 60-240 seconds, we + keep none, so it is very lightweight. 
Attempts to close the + connection are ignored, forcing the remote side to time out + the connection in 12-24 minutes. + + honeypot + + This mode completes a connection with the attacker, but + signals a normal window size, so that the remote side will + attempt to send data, often with some very nasty exploit + attempts. We can capture these packets for decoding and + further analysis. The module does not send any data, so if + the remote expects an application level response, the game + is up. + + reset + + This mode is handy because we can send an inline RST + (reset). It has no other function. + +3) A 'loopback' option has been added to the interfaces files to + designate the interface as the loopback device. This option is + assumed if the device's physical name is 'lo'. Only one + interface may specify 'loopback'. + + If no interface has physical name 'lo' and no interface specifies + the 'loopback' option, then the compiler implicitly defines an + interface as follows: + + #ZONE INTERFACE OPTIONS + - lo ignore,loopback + +4) The compiler now takes advantage of the iptables 'iface' match + capability for identifying loopback traffic. + +5) The 'primary' provider option has been added as a synonym for + 'balance=1'. The rationale for this addition is that 'balance' + seems inappropriate when only a single provider specifies that + option. For example, if there are two providers and one specifies + 'fallback', then the other would specify 'primary' rather than + 'balance'. + +6) Two new Macros have been contributed: + + Zabbix - Tuomo Soini + Tinc - Răzvan Sandu + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 ---------------------------------------------------------------------------- 
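Review bot: this upstream releasenotes.txt hunk files the 4.6.6.2 and 4.6.6.1 bug-fix lists under the "N E W F E A T U R E S I N 4 . 6 . 6" heading, then restarts numbering at "1) Previously, the firewall products …" for the actual features, and the 4.6.6.1 list jumps from 4) to 6); the fixes belong under the preceding "P R O B L E M S C O R R E C T E D I N 4 . 6 . 6" heading (or their own 4.6.6.2 / 4.6.6.1 sub-headings there), with the feature list renumbered from 1) to 6) as the only content under "N E W F E A T U R E S". This is an upstream document shipped in the tarball, so it is a note to forward to shorewall.net rather than something to patch in the package.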
@@ -525,7 +544,7 @@ then servicd failed to start/stop Shorewall-init. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 4 + N E W F E A T U R E S I N 4 . 6 . 5 ---------------------------------------------------------------------------- 1) The configure scripts and installers now support SERVICEDIR as an diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/shorewall-core.spec new/shorewall-core-4.6.7/shorewall-core.spec --- old/shorewall-core-4.6.6.2/shorewall-core.spec 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-core-4.6.7/shorewall-core.spec 2015-03-11 19:41:43.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-core -%define version 4.6.6 -%define release 2 +%define version 4.6.7 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -63,12 +63,12 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog -* Mon Jan 26 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-2 -* Mon Jan 26 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-2 -* Thu Jan 22 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-1 +* Thu Mar 05 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0base +* Tue Mar 03 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0RC1 +* Sat Jan 17 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0Beta1 * Sat Jan 10 2015 Tom Eastep tom@shorewall.net - Updated to 4.6.6-0base * Tue Jan 06 2015 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.6.2/uninstall.sh new/shorewall-core-4.6.7/uninstall.sh --- old/shorewall-core-4.6.6.2/uninstall.sh 2015-02-06 23:28:16.000000000 +0100 +++ new/shorewall-core-4.6.7/uninstall.sh 2015-03-11 19:41:43.000000000 +0100 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.6.2 +VERSION=4.6.7 usage() # $1 = exit status { ++++++ shorewall-docs-html-4.6.6.2.tar.bz2 -> shorewall-docs-html-4.6.7.tar.bz2 ++++++ ++++ 7036 lines of diff (skipped) ++++++ shorewall-init-4.6.6.2.tar.bz2 -> shorewall-init-4.6.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.6.2/changelog.txt new/shorewall-init-4.6.7/changelog.txt --- old/shorewall-init-4.6.6.2/changelog.txt 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-init-4.6.7/changelog.txt 2015-03-11 19:41:44.000000000 +0100 @@ -1,3 +1,21 @@ +Changes in 4.6.7 Final + +1) Update release documents. + +Changes in 4.6.7 RC 1 + +1) Update release documents. + +Changes in 4.6.7 Beta 1 + +1) Update release documents. + +2) Add 'tinc' tunnel support. + +3) Add <timeout> parameter to SAME. + +4) Implement ADD and DEL in the mangle file. + Changes in 4.6.6.2 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.6.2/configure new/shorewall-init-4.6.7/configure --- old/shorewall-init-4.6.6.2/configure 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-init-4.6.7/configure 2015-03-11 19:41:43.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.6.2 +VERSION=4.6.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.6.2/configure.pl new/shorewall-init-4.6.7/configure.pl --- old/shorewall-init-4.6.6.2/configure.pl 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-init-4.6.7/configure.pl 2015-03-11 19:41:44.000000000 +0100 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.6.2' + VERSION => '4.6.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.6.2/install.sh new/shorewall-init-4.6.7/install.sh --- old/shorewall-init-4.6.6.2/install.sh 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-init-4.6.7/install.sh 2015-03-11 19:41:43.000000000 +0100 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.6.6.2 +VERSION=4.6.7 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.6.2/releasenotes.txt new/shorewall-init-4.6.7/releasenotes.txt --- old/shorewall-init-4.6.6.2/releasenotes.txt 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-init-4.6.7/releasenotes.txt 2015-03-11 19:41:44.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 6 . 2 + S H O R E W A L L 4 . 6 . 7 ------------------------------------ - F e b r u a r y 0 6 , 2 0 1 5 + M a r c h 0 8 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,49 +14,9 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.6.2 - -1) The compiler failed to parse the construct +<ipset>[n] where n is an - integer (e.g., +bad[2]). - -2) Orion Paplawski has provided a patch that adds 'ko.xz' to the - default MODULE_SUFFIX setting. This change deals with recent Fedora - releases where the module names now end with ".ko.xz". - - In addition to Orion's patch, the sample configurations have been - modified to specify MODULE_SUFFIX="ko ko.xz". - -4.6.6.1 - -1) Previously the SAVE and RESTORE actions were erroneously disallowed - in the INPUT chain within the mangle file. - -2) The manpage descriptions of the mangle SAVE and RESTORE actions - incorrectly required a slash (/) prior to the mask value. - -3) Race conditions could previously occur between the 'start' command - and the 'enable' and 'disable' commands. - -4) The 'update' command incorrectly added the INLINE_MATCHES option - to shorewall.conf with a default value of 'Yes'. This caused - 'start' to fail with invalid iptables rules when the alternate - input format using ';' is used. - -6) Previously the LOCKFILE setting was not propagated to the generated - script. So when the script was run directly, the script - unconditionally used ${VARDIR}/lock. - -4.6.6 - -1) This release includes defect repair from Shorewall 4.6.5.5 and +1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. -2) Previously, a line beginning with 'shell' was interpreted as a - shell script. Now, the line must begin with 'SHELL' - (case-sensitive). - - Note that ?SHELL and BEGIN SHELL are still case-insensitive. - ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -68,92 +28,15 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, the firewall products (Shorewall, Shorewall6 and - *-lite) specified "After=network.target" in their .service files. - - Beginning with this release, those products specify - "After=network-online.target" like the service.214 files. This - change is intended to delay firewall startup until after network - initialization is complete. - -2) The 'TARPIT' target is now supported in the rules file. Using this - target requires the appropriate support in your kernel and - iptables. This feature implements a new "TARPIT Target" capability, - so if you use a capabilities file, then you need to regenerate the - file after installing this release. - - TARPIT captures and holds incoming TCP connections using no local - per-connection resources. - - - TARPIT only works with the PROTO column set to tcp (6), and is - totally application agnostic. This module will answer a TCP request - and play along like a listening server, but aside from sending an - ACK or RST, no data is sent. Incoming packets are ignored and - dropped. The attacker will terminate the session eventually. This - module allows the initial packets of an attack to be captured by - other software for inspection. In most cases this is sufficient to - determine the nature of the attack. - - - This offers similar functionality to LaBrea - http://www.hackbusters.net/LaBrea/ but does not require dedicated - hardware or IPs. Any TCP port that you would normally DROP or - REJECT can instead become a tarpit. - - The target accepts a single optional parameter: +1) The 'tunnels' file now supports 'tinc' tunnels. - tarpit (default) - - This mode completes a connection with the attacker but limits - the window size to 0, thus keeping the attacker waiting long - periods of time. 
While he is maintaining state of the - connection and trying to continue every 60-240 seconds, we - keep none, so it is very lightweight. Attempts to close the - connection are ignored, forcing the remote side to time out - the connection in 12-24 minutes. - - honeypot - - This mode completes a connection with the attacker, but - signals a normal window size, so that the remote side will - attempt to send data, often with some very nasty exploit - attempts. We can capture these packets for decoding and - further analysis. The module does not send any data, so if - the remote expects an application level response, the game - is up. - - reset - - This mode is handy because we can send an inline RST - (reset). It has no other function. - -3) A 'loopback' option has been added to the interfaces files to - designate the interface as the loopback device. This option is - assumed if the device's physical name is 'lo'. Only one - interface may specify 'loopback'. - - If no interface has physical name 'lo' and no interface specifies - the 'loopback' option, then the compiler implicitly defines an - interface as follows: - - #ZONE INTERFACE OPTIONS - - lo ignore,loopback - -4) The compiler now takes advantage of the iptables 'iface' match - capability for identifying loopback traffic. - -5) The 'primary' provider option has been added as a synonym for - 'balance=1'. The rationale for this addition is that 'balance' - seems inappropriate when only a single provider specifies that - option. For example, if there are two providers and one specifies - 'fallback', then the other would specify 'primary' rather than - 'balance'. - -6) Two new Macros have been contributed: - - Zabbix - Tuomo Soini - Tinc - Răzvan Sandu +2) Previously, the SAME action in the mangle file had a fixed timeout + of 300 seconds (5 minutes). That action now allows specification of + a different timeout. + +3) It is now possible to add or delete addresses from an ipset with + entries in the mangle file. 
The ADD and DEL actions have the same + behavior in the mangle file as they do in the rules file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -448,6 +331,142 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 +---------------------------------------------------------------------------- + +1) This release includes defect repair from Shorewall 4.6.5.5 and + earlier releases. + +2) Previously, a line beginning with 'shell' was interpreted as a + shell script. Now, the line must begin with 'SHELL' + (case-sensitive). + + Note that ?SHELL and BEGIN SHELL are still case-insensitive. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 6 +---------------------------------------------------------------------------- + +4.6.6.2 + +1) The compiler failed to parse the construct +<ipset>[n] where n is an + integer (e.g., +bad[2]). + +2) Orion Paplawski has provided a patch that adds 'ko.xz' to the + default MODULE_SUFFIX setting. This change deals with recent Fedora + releases where the module names now end with ".ko.xz". + + In addition to Orion's patch, the sample configurations have been + modified to specify MODULE_SUFFIX="ko ko.xz". + +4.6.6.1 + +1) Previously the SAVE and RESTORE actions were erroneously disallowed + in the INPUT chain within the mangle file. + +2) The manpage descriptions of the mangle SAVE and RESTORE actions + incorrectly required a slash (/) prior to the mask value. + +3) Race conditions could previously occur between the 'start' command + and the 'enable' and 'disable' commands. + +4) The 'update' command incorrectly added the INLINE_MATCHES option + to shorewall.conf with a default value of 'Yes'. This caused + 'start' to fail with invalid iptables rules when the alternate + input format using ';' is used. + +6) Previously the LOCKFILE setting was not propagated to the generated + script. 
So when the script was run directly, the script + unconditionally used ${VARDIR}/lock. + +1) Previously, the firewall products (Shorewall, Shorewall6 and + *-lite) specified "After=network.target" in their .service files. + + Beginning with this release, those products specify + "After=network-online.target" like the service.214 files. This + change is intended to delay firewall startup until after network + initialization is complete. + +2) The 'TARPIT' target is now supported in the rules file. Using this + target requires the appropriate support in your kernel and + iptables. This feature implements a new "TARPIT Target" capability, + so if you use a capabilities file, then you need to regenerate the + file after installing this release. + + TARPIT captures and holds incoming TCP connections using no local + per-connection resources. + + + TARPIT only works with the PROTO column set to tcp (6), and is + totally application agnostic. This module will answer a TCP request + and play along like a listening server, but aside from sending an + ACK or RST, no data is sent. Incoming packets are ignored and + dropped. The attacker will terminate the session eventually. This + module allows the initial packets of an attack to be captured by + other software for inspection. In most cases this is sufficient to + determine the nature of the attack. + + + This offers similar functionality to LaBrea + http://www.hackbusters.net/LaBrea/ but does not require dedicated + hardware or IPs. Any TCP port that you would normally DROP or + REJECT can instead become a tarpit. + + The target accepts a single optional parameter: + + tarpit (default) + + This mode completes a connection with the attacker but limits + the window size to 0, thus keeping the attacker waiting long + periods of time. While he is maintaining state of the + connection and trying to continue every 60-240 seconds, we + keep none, so it is very lightweight. 
Attempts to close the + connection are ignored, forcing the remote side to time out + the connection in 12-24 minutes. + + honeypot + + This mode completes a connection with the attacker, but + signals a normal window size, so that the remote side will + attempt to send data, often with some very nasty exploit + attempts. We can capture these packets for decoding and + further analysis. The module does not send any data, so if + the remote expects an application level response, the game + is up. + + reset + + This mode is handy because we can send an inline RST + (reset). It has no other function. + +3) A 'loopback' option has been added to the interfaces files to + designate the interface as the loopback device. This option is + assumed if the device's physical name is 'lo'. Only one + interface may specify 'loopback'. + + If no interface has physical name 'lo' and no interface specifies + the 'loopback' option, then the compiler implicitly defines an + interface as follows: + + #ZONE INTERFACE OPTIONS + - lo ignore,loopback + +4) The compiler now takes advantage of the iptables 'iface' match + capability for identifying loopback traffic. + +5) The 'primary' provider option has been added as a synonym for + 'balance=1'. The rationale for this addition is that 'balance' + seems inappropriate when only a single provider specifies that + option. For example, if there are two providers and one specifies + 'fallback', then the other would specify 'primary' rather than + 'balance'. + +6) Two new Macros have been contributed: + + Zabbix - Tuomo Soini + Tinc - Răzvan Sandu + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 ---------------------------------------------------------------------------- 
@@ -525,7 +544,7 @@ then servicd failed to start/stop Shorewall-init. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 4 + N E W F E A T U R E S I N 4 . 6 . 5 ---------------------------------------------------------------------------- 1) The configure scripts and installers now support SERVICEDIR as an diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.6.2/shorewall-init.spec new/shorewall-init-4.6.7/shorewall-init.spec --- old/shorewall-init-4.6.6.2/shorewall-init.spec 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-init-4.6.7/shorewall-init.spec 2015-03-11 19:41:43.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.6.6 -%define release 2 +%define version 4.6.7 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -126,12 +126,12 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Mon Jan 26 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-2 -* Mon Jan 26 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-2 -* Thu Jan 22 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-1 +* Thu Mar 05 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0base +* Tue Mar 03 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0RC1 +* Sat Jan 17 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0Beta1 * Sat Jan 10 2015 Tom Eastep tom@shorewall.net - Updated to 4.6.6-0base * Tue Jan 06 2015 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.6.2/uninstall.sh new/shorewall-init-4.6.7/uninstall.sh --- old/shorewall-init-4.6.6.2/uninstall.sh 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-init-4.6.7/uninstall.sh 2015-03-11 19:41:43.000000000 +0100 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.6.2 +VERSION=4.6.7 usage() # $1 = exit status { ++++++ shorewall-lite-4.6.6.2.tar.bz2 -> shorewall-lite-4.6.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/changelog.txt new/shorewall-lite-4.6.7/changelog.txt --- old/shorewall-lite-4.6.6.2/changelog.txt 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-lite-4.6.7/changelog.txt 2015-03-11 19:41:44.000000000 +0100 @@ -1,3 +1,21 @@ +Changes in 4.6.7 Final + +1) Update release documents. + +Changes in 4.6.7 RC 1 + +1) Update release documents. + +Changes in 4.6.7 Beta 1 + +1) Update release documents. + +2) Add 'tinc' tunnel support. + +3) Add <timeout> parameter to SAME. + +4) Implement ADD and DEL in the mangle file. + Changes in 4.6.6.2 1) Update release documents. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/configure new/shorewall-lite-4.6.7/configure --- old/shorewall-lite-4.6.6.2/configure 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-lite-4.6.7/configure 2015-03-11 19:41:44.000000000 +0100 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=4.6.6.2 +VERSION=4.6.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/configure.pl new/shorewall-lite-4.6.7/configure.pl --- old/shorewall-lite-4.6.6.2/configure.pl 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-lite-4.6.7/configure.pl 2015-03-11 19:41:44.000000000 +0100 
@@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '4.6.6.2' + VERSION => '4.6.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/install.sh new/shorewall-lite-4.6.7/install.sh --- old/shorewall-lite-4.6.6.2/install.sh 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-lite-4.6.7/install.sh 2015-03-11 19:41:44.000000000 +0100 @@ -22,7 +22,7 @@ # along with this program; if not, see http://www.gnu.org/licenses/. # -VERSION=4.6.6.2 +VERSION=4.6.7 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.6.7/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-4.6.6.2/manpages/shorewall-lite-vardir.5 2015-02-06 23:31:37.000000000 +0100 +++ new/shorewall-lite-4.6.7/manpages/shorewall-lite-vardir.5 2015-03-11 19:45:09.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/ -.\" Date: 02/06/2015 +.\" Date: 03/11/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "02/06/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "03/11/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/manpages/shorewall-lite.8 new/shorewall-lite-4.6.7/manpages/shorewall-lite.8 --- old/shorewall-lite-4.6.6.2/manpages/shorewall-lite.8 2015-02-06 23:31:39.000000000 +0100 +++ new/shorewall-lite-4.6.7/manpages/shorewall-lite.8 2015-03-11 19:45:10.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/ -.\" Date: 02/06/2015 +.\" Date: 03/11/2015 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "02/06/2015" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "03/11/2015" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.6.7/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-4.6.6.2/manpages/shorewall-lite.conf.5 2015-02-06 23:31:36.000000000 +0100 +++ new/shorewall-lite-4.6.7/manpages/shorewall-lite.conf.5 2015-03-11 19:45:07.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/ -.\" Date: 02/06/2015 +.\" Date: 03/11/2015 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "02/06/2015" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "03/11/2015" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/releasenotes.txt new/shorewall-lite-4.6.7/releasenotes.txt --- old/shorewall-lite-4.6.6.2/releasenotes.txt 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-lite-4.6.7/releasenotes.txt 2015-03-11 19:41:44.000000000 +0100 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 6 . 6 . 2 + S H O R E W A L L 4 . 6 . 7 ------------------------------------ - F e b r u a r y 0 6 , 2 0 1 5 + M a r c h 0 8 , 2 0 1 5 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -14,49 +14,9 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.6.6.2 - -1) The compiler failed to parse the construct +<ipset>[n] where n is an - integer (e.g., +bad[2]). - -2) Orion Paplawski has provided a patch that adds 'ko.xz' to the - default MODULE_SUFFIX setting. This change deals with recent Fedora - releases where the module names now end with ".ko.xz". - - In addition to Orion's patch, the sample configurations have been - modified to specify MODULE_SUFFIX="ko ko.xz". - -4.6.6.1 - -1) Previously the SAVE and RESTORE actions were erroneously disallowed - in the INPUT chain within the mangle file. - -2) The manpage descriptions of the mangle SAVE and RESTORE actions - incorrectly required a slash (/) prior to the mask value. - -3) Race conditions could previously occur between the 'start' command - and the 'enable' and 'disable' commands. - -4) The 'update' command incorrectly added the INLINE_MATCHES option - to shorewall.conf with a default value of 'Yes'. This caused - 'start' to fail with invalid iptables rules when the alternate - input format using ';' is used. - -6) Previously the LOCKFILE setting was not propagated to the generated - script. So when the script was run directly, the script - unconditionally used ${VARDIR}/lock. - -4.6.6 - -1) This release includes defect repair from Shorewall 4.6.5.5 and +1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. -2) Previously, a line beginning with 'shell' was interpreted as a - shell script. Now, the line must begin with 'SHELL' - (case-sensitive). - - Note that ?SHELL and BEGIN SHELL are still case-insensitive. - ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -68,92 +28,15 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) Previously, the firewall products (Shorewall, Shorewall6 and - *-lite) specified "After=network.target" in their .service files. - - Beginning with this release, those products specify - "After=network-online.target" like the service.214 files. This - change is intended to delay firewall startup until after network - initialization is complete. - -2) The 'TARPIT' target is now supported in the rules file. Using this - target requires the appropriate support in your kernel and - iptables. This feature implements a new "TARPIT Target" capability, - so if you use a capabilities file, then you need to regenerate the - file after installing this release. - - TARPIT captures and holds incoming TCP connections using no local - per-connection resources. - - - TARPIT only works with the PROTO column set to tcp (6), and is - totally application agnostic. This module will answer a TCP request - and play along like a listening server, but aside from sending an - ACK or RST, no data is sent. Incoming packets are ignored and - dropped. The attacker will terminate the session eventually. This - module allows the initial packets of an attack to be captured by - other software for inspection. In most cases this is sufficient to - determine the nature of the attack. - - - This offers similar functionality to LaBrea - http://www.hackbusters.net/LaBrea/ but does not require dedicated - hardware or IPs. Any TCP port that you would normally DROP or - REJECT can instead become a tarpit. - - The target accepts a single optional parameter: +1) The 'tunnels' file now supports 'tinc' tunnels. - tarpit (default) - - This mode completes a connection with the attacker but limits - the window size to 0, thus keeping the attacker waiting long - periods of time. 
While he is maintaining state of the - connection and trying to continue every 60-240 seconds, we - keep none, so it is very lightweight. Attempts to close the - connection are ignored, forcing the remote side to time out - the connection in 12-24 minutes. - - honeypot - - This mode completes a connection with the attacker, but - signals a normal window size, so that the remote side will - attempt to send data, often with some very nasty exploit - attempts. We can capture these packets for decoding and - further analysis. The module does not send any data, so if - the remote expects an application level response, the game - is up. - - reset - - This mode is handy because we can send an inline RST - (reset). It has no other function. - -3) A 'loopback' option has been added to the interfaces files to - designate the interface as the loopback device. This option is - assumed if the device's physical name is 'lo'. Only one - interface may specify 'loopback'. - - If no interface has physical name 'lo' and no interface specifies - the 'loopback' option, then the compiler implicitly defines an - interface as follows: - - #ZONE INTERFACE OPTIONS - - lo ignore,loopback - -4) The compiler now takes advantage of the iptables 'iface' match - capability for identifying loopback traffic. - -5) The 'primary' provider option has been added as a synonym for - 'balance=1'. The rationale for this addition is that 'balance' - seems inappropriate when only a single provider specifies that - option. For example, if there are two providers and one specifies - 'fallback', then the other would specify 'primary' rather than - 'balance'. - -6) Two new Macros have been contributed: - - Zabbix - Tuomo Soini - Tinc - Răzvan Sandu +2) Previously, the SAME action in the mangle file had a fixed timeout + of 300 seconds (5 minutes). That action now allows specification of + a different timeout. + +3) It is now possible to add or delete addresses from an ipset with + entries in the mangle file. 
The ADD and DEL actions have the same + behavior in the mangle file as they do in the rules file. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S 
@@ -448,6 +331,142 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 +---------------------------------------------------------------------------- + +1) This release includes defect repair from Shorewall 4.6.5.5 and + earlier releases. + +2) Previously, a line beginning with 'shell' was interpreted as a + shell script. Now, the line must begin with 'SHELL' + (case-sensitive). + + Note that ?SHELL and BEGIN SHELL are still case-insensitive. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 6 . 6 +---------------------------------------------------------------------------- + +4.6.6.2 + +1) The compiler failed to parse the construct +<ipset>[n] where n is an + integer (e.g., +bad[2]). + +2) Orion Paplawski has provided a patch that adds 'ko.xz' to the + default MODULE_SUFFIX setting. This change deals with recent Fedora + releases where the module names now end with ".ko.xz". + + In addition to Orion's patch, the sample configurations have been + modified to specify MODULE_SUFFIX="ko ko.xz". + +4.6.6.1 + +1) Previously the SAVE and RESTORE actions were erroneously disallowed + in the INPUT chain within the mangle file. + +2) The manpage descriptions of the mangle SAVE and RESTORE actions + incorrectly required a slash (/) prior to the mask value. + +3) Race conditions could previously occur between the 'start' command + and the 'enable' and 'disable' commands. + +4) The 'update' command incorrectly added the INLINE_MATCHES option + to shorewall.conf with a default value of 'Yes'. This caused + 'start' to fail with invalid iptables rules when the alternate + input format using ';' is used. + +6) Previously the LOCKFILE setting was not propagated to the generated + script. 
So when the script was run directly, the script + unconditionally used ${VARDIR}/lock. + +1) Previously, the firewall products (Shorewall, Shorewall6 and + *-lite) specified "After=network.target" in their .service files. + + Beginning with this release, those products specify + "After=network-online.target" like the service.214 files. This + change is intended to delay firewall startup until after network + initialization is complete. + +2) The 'TARPIT' target is now supported in the rules file. Using this + target requires the appropriate support in your kernel and + iptables. This feature implements a new "TARPIT Target" capability, + so if you use a capabilities file, then you need to regenerate the + file after installing this release. + + TARPIT captures and holds incoming TCP connections using no local + per-connection resources. + + + TARPIT only works with the PROTO column set to tcp (6), and is + totally application agnostic. This module will answer a TCP request + and play along like a listening server, but aside from sending an + ACK or RST, no data is sent. Incoming packets are ignored and + dropped. The attacker will terminate the session eventually. This + module allows the initial packets of an attack to be captured by + other software for inspection. In most cases this is sufficient to + determine the nature of the attack. + + + This offers similar functionality to LaBrea + http://www.hackbusters.net/LaBrea/ but does not require dedicated + hardware or IPs. Any TCP port that you would normally DROP or + REJECT can instead become a tarpit. + + The target accepts a single optional parameter: + + tarpit (default) + + This mode completes a connection with the attacker but limits + the window size to 0, thus keeping the attacker waiting long + periods of time. While he is maintaining state of the + connection and trying to continue every 60-240 seconds, we + keep none, so it is very lightweight. 
Attempts to close the + connection are ignored, forcing the remote side to time out + the connection in 12-24 minutes. + + honeypot + + This mode completes a connection with the attacker, but + signals a normal window size, so that the remote side will + attempt to send data, often with some very nasty exploit + attempts. We can capture these packets for decoding and + further analysis. The module does not send any data, so if + the remote expects an application level response, the game + is up. + + reset + + This mode is handy because we can send an inline RST + (reset). It has no other function. + +3) A 'loopback' option has been added to the interfaces files to + designate the interface as the loopback device. This option is + assumed if the device's physical name is 'lo'. Only one + interface may specify 'loopback'. + + If no interface has physical name 'lo' and no interface specifies + the 'loopback' option, then the compiler implicitly defines an + interface as follows: + + #ZONE INTERFACE OPTIONS + - lo ignore,loopback + +4) The compiler now takes advantage of the iptables 'iface' match + capability for identifying loopback traffic. + +5) The 'primary' provider option has been added as a synonym for + 'balance=1'. The rationale for this addition is that 'balance' + seems inappropriate when only a single provider specifies that + option. For example, if there are two providers and one specifies + 'fallback', then the other would specify 'primary' rather than + 'balance'. + +6) Two new Macros have been contributed: + + Zabbix - Tuomo Soini + Tinc - Răzvan Sandu + +---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 ---------------------------------------------------------------------------- 
@@ -525,7 +544,7 @@ then servicd failed to start/stop Shorewall-init. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 6 . 4 + N E W F E A T U R E S I N 4 . 6 . 5 ---------------------------------------------------------------------------- 1) The configure scripts and installers now support SERVICEDIR as an diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/shorewall-lite.spec new/shorewall-lite-4.6.7/shorewall-lite.spec --- old/shorewall-lite-4.6.6.2/shorewall-lite.spec 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-lite-4.6.7/shorewall-lite.spec 2015-03-11 19:41:44.000000000 +0100 @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.6.6 -%define release 2 +%define version 4.6.7 +%define release 0base %define initdir /etc/init.d Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -106,12 +106,12 @@ %doc COPYING changelog.txt releasenotes.txt %changelog -* Mon Jan 26 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-2 -* Mon Jan 26 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-2 -* Thu Jan 22 2015 Tom Eastep tom@shorewall.net -- Updated to 4.6.6-1 +* Thu Mar 05 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0base +* Tue Mar 03 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0RC1 +* Sat Jan 17 2015 Tom Eastep tom@shorewall.net +- Updated to 4.6.7-0Beta1 * Sat Jan 10 2015 Tom Eastep tom@shorewall.net - Updated to 4.6.6-0base * Tue Jan 06 2015 Tom Eastep tom@shorewall.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.6.6.2/uninstall.sh new/shorewall-lite-4.6.7/uninstall.sh --- old/shorewall-lite-4.6.6.2/uninstall.sh 2015-02-06 23:28:17.000000000 +0100 +++ new/shorewall-lite-4.6.7/uninstall.sh 2015-03-11 19:41:44.000000000 +0100 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.6.6.2 +VERSION=4.6.7 PRODUCT=shorewall-lite usage() # $1 = exit status ++++++ shorewall-4.6.6.2.tar.bz2 -> shorewall6-4.6.7.tar.bz2 ++++++ ++++ 128053 lines of diff (skipped) ++++++ shorewall-lite-4.6.6.2.tar.bz2 -> shorewall6-lite-4.6.7.tar.bz2 ++++++ ++++ 8274 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
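Review bot: In both copies of the releasenotes.txt hunk @@ -448,6 +331,142 @@ (section V, "NOTES FROM OTHER 4.6 RELEASES"), the 4.6.6.2 and 4.6.6.1 items ("The compiler failed to parse the construct +<ipset>[n] ...", "Previously the SAVE and RESTORE actions were erroneously disallowed ...") are bug fixes but are filed under the "N E W F E A T U R E S I N 4 . 6 . 6" heading, and the actual feature list that follows ("1) Previously, the firewall products (Shorewall, Shorewall6 and *-lite) specified "After=network.target" ...") begins without any separator or "4.6.6" marker after item 6) of the 4.6.6.1 list. Move the 4.6.6.x fix items under "P R O B L E M S C O R R E C T E D I N 4 . 6 . 6" and close the numbering gap in the 4.6.6.1 list, which jumps from 4) to 6). One documentation gap in the same block: the network-online.target entry says the change "is intended to delay firewall startup until after network initialization is complete", so it should also state what, if anything, protects the host between the network coming up and the firewall becoming active, since that interval is exactly what the change lengthens.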
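Review bot: The context line "then servicd failed to start/stop Shorewall-init." in the releasenotes.txt hunk @@ -525,7 +544,7 @@ (present in both copies) carries a typo, "servicd"; since this hunk already corrects the adjacent heading from "4 . 6 . 4" to "4 . 6 . 5", fix the typo in the same change. It most likely should read "systemd", which should be confirmed against the original 4.6.5 notes before editing.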
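Review bot: In the releasenotes.txt hunk @@ -1,7 +1,7 @@ the release date becomes "M a r c h 0 8 , 2 0 1 5", but the %changelog hunks in the same patch date "Updated to 4.6.7-0base" to Thu Mar 05 2015 and the diffed files carry 2015-03-11 timestamps; settle on one date for the final 4.6.7 release and use it in both the release notes and the spec changelogs.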
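Review bot: In the %changelog hunks of shorewall-init.spec (@@ -126,12 +126,12 @@) and shorewall-lite.spec (@@ -106,12 +106,12 @@), the removed lines drop the 4.6.6-1 and 4.6.6-2 history entries entirely rather than only de-duplicating the repeated "* Mon Jan 26 2015 Tom Eastep tom@shorewall.net - Updated to 4.6.6-2" entry; %changelog is the package's own record, so keep a single 4.6.6-2 entry and the 4.6.6-1 entry and place the three 4.6.7 entries above them. Note that "* Sat Jan 17 2015 ... Updated to 4.6.7-0Beta1" predates the Jan 22 and Jan 26 4.6.6 entries, so a strictly chronological list would interleave the two release streams; if the intent is to keep one stream per branch, say so in the commit message.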
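Review bot: The shorewall-lite-vardir.5, shorewall-lite.8 and shorewall-lite.conf.5 hunks (each @@ -2,12 +2,12 @@) change only the DocBook generator's ".\" Date:" comment and the .TH date from 02/06/2015 to 03/11/2015, with no change to the page content; regenerate the man pages only when their DocBook source changes, or exclude the generated pages from the review diff, so that date churn does not hide real manpage edits in later releases.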
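Review bot: The VERSION bump to 4.6.7 is repeated by hand in uninstall.sh (@@ -26,7 +26,7 @@, both shorewall-init and shorewall-lite), configure (@@ -28,7 +28,7 @@, whose comment says "Build updates this"), configure.pl (@@ -31,7 +31,7 @@, "VERSION => '4.6.7'") and install.sh (@@ -22,7 +22,7 @@), while the spec files carry it separately as "%define version 4.6.7" and "%define release 0base"; since the uninstall script refuses to run against any other version, the release step that performs these bumps should also verify that every copy agrees, so that a missed file cannot ship an uninstaller or installer that disagrees with the packaged version.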