Update: Shoreline Firewall (Shorewall) v4.5.4

Our previous post: http://www.seclist.us/2012/04/update-shoreline-firewall-shorewall-v.html

An iptables-based firewall for systems running the Linux 2.4 or later kernel. Its very flexible configuration allows the firewall to be used in a wide variety of firewall/gateway/router and VPN environments.

N E W   F E A T U R E S   I N   4 . 5 . 4

1)  The ‘-T’ option is now supported in the Shorewall and Shorewall6
‘load’, ‘reload’, ‘restart’ and ‘start’ commands. As with the
‘check’ command, it causes a Perl stack trace to be printed along
with compiler WARNING and ERROR messages.

2)  The debuggability of assertion failures has been improved.

– A Perl stack trace is now generated unconditionally on an
assertion failure.

– Relevant data is passed as additional arguments to assertion
checks, so that setting a breakpoint in
Shorewall::Config::assert() now allows examination of the
data structures surrounding the failure.

3)  The GATEWAY column of the tunnels file has been renamed ‘GATEWAYS’
and now accepts a list of host and network addresses as well as IP

Exclusion is not permitted.

In the alternate specification format, both ‘gateway’ and
‘gateways’ are accepted as the column name.

4)  The ‘refresh’ command now allows additional options:

-d – Run the rules compiler under the Perl debugger.

-n – Don’t modify routing.

-T – Produce a Perl stack trace on errors and warnings.

-D – Look in the given directory first for configuration files.

5)  The interfaces file now supports two formats:

FORMAT 1 – (default, deprecated)

Includes the BROADCAST column (UNICAST in Shorewall6).

FORMAT 2

Does not include the BROADCAST (UNICAST) column.

The format is specified by a line like this:

FORMAT {1|2}

The sample configurations have been updated to use FORMAT 2.
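As an added example (not from the Shorewall release notes or this post), here is a small POSIX shell script that rewrites a FORMAT 1 interfaces file into FORMAT 2 by dropping the BROADCAST column. It assumes the FORMAT 1 layout ZONE INTERFACE BROADCAST OPTIONS and the FORMAT 2 layout ZONE INTERFACE OPTIONS, treats only ‘-’ and ‘detect’ as values that can be dropped silently (any explicit broadcast address is reported on stderr, since FORMAT 2 has nowhere to put it), and runs on a constructed sample file; the function and sample names are my own.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): convert a FORMAT 1 interfaces file
# to FORMAT 2 by removing the BROADCAST column. Assumed layouts:
#   FORMAT 1: ZONE INTERFACE BROADCAST OPTIONS
#   FORMAT 2: ZONE INTERFACE OPTIONS
# Reads the file(s) given as arguments, or stdin when none are given.
interfaces_to_format2() {
    awk '
        # Column header comment: drop the BROADCAST/UNICAST heading so it matches the data.
        /^#ZONE/ { sub(/[ \t]+(BROADCAST|UNICAST)/, ""); print; next }
        # Other comments and blank lines pass through untouched.
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        # An existing FORMAT line is replaced in place rather than duplicated.
        /^[ \t]*FORMAT[ \t]+[12][ \t]*$/ { emit_marker(); next }
        {
            emit_marker()
            # Column 3 is BROADCAST; "-" and "detect" carry no information in FORMAT 2.
            bcast = (NF >= 3) ? $3 : "-"
            if (bcast != "-" && bcast != "detect") {
                printf "WARNING: line %d: explicit BROADCAST value \"%s\" has no FORMAT 2 equivalent\n", NR, bcast > "/dev/stderr"
            }
            line = $1 "\t" $2
            if (NF >= 4) {
                # Re-join anything after the BROADCAST column as the OPTIONS column.
                opts = $4
                for (i = 5; i <= NF; i++) opts = opts " " $i
                line = line "\t" opts
            }
            print line
        }
        # Emit "FORMAT 2" once, before the first data line.
        function emit_marker() {
            if (!marker_done) { print "FORMAT 2"; marker_done = 1 }
        }
    ' "$@"
}

# Constructed FORMAT 1 sample (not a real site's configuration).
sample_interfaces() {
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\n'
    printf 'FORMAT 1\n'
    printf 'net\teth0\tdetect\tdhcp,tcpflags,nosmurfs,routefilter\n'
    printf 'loc\teth1\t-\n'
    printf 'dmz\teth2\t192.0.2.255\ttcpflags\n'
}

# Demo: the dmz line produces a warning on stderr because its explicit
# broadcast address cannot be expressed in FORMAT 2.
sample_interfaces | interfaces_to_format2
```

Run it as `sh convert.sh < /etc/shorewall/interfaces > interfaces.new` and review the warnings before installing the result; the script deliberately never edits the live file.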

6)  A change has been made in the packaging for Slackware. On
Slackware, there is an /etc/rc.d/firewall.rc script that looks for
/etc/rc.d/shorewall.rc and /etc/rc.d/shorewall6.rc and runs them,
passing its own arguments.

The file installed as firewall.rc is named
init.slackware.firewall.sh and has traditionally been included in
the Shorewall package. Beginning with this release, it is moved to
the Shorewall-core package. This opens the door for releasing
Slackware versions of the -lite products in the future.

The init scripts for Slackware are now described in slackware.rc


7)  Previously, errors reported in macros were hard to analyze. For
example:

ERROR: Unknown destination zone (bar)
/usr/share/shorewall/macro.SSH (line 11)

In this case, we don’t know where the SSH macro was invoked
incorrectly. Beginning with this release, the stack of
includes/opens will be included in ERROR and WARNING messages:

ERROR: Unknown destination zone (bar)
/usr/share/shorewall/macro.SSH (line 11)
from /etc/shorewall/rules (line 42)

This shows that the SSH macro was invoked on line 42 of the rules

8)  There is now a BLACKLIST macro that works as follows:

– If BLACKLIST_LOGLEVEL is set, then the macro invokes the
‘blacklog’ action.
– Otherwise, the macro invokes the BLACKLIST_DISPOSITION action.

9)  An RST action has been added which matches tcp packets with the RST
flag set. The action accepts two optional parameters:

– Action (ACCEPT or DROP). Default is DROP.
– Audit (‘audit’ or omitted). Default is omitted.

Download right here for all Unix/Linux variants.
Read more about installation, configuration and setup at: http://www.shorewall.net/