----------------------------------------------------------------------------
                   S H O R E W A L L  4 . 5 . 4
------------------------------------
                     M a y  2 6 ,  2 0 1 2
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   RELEASE 4.4 HIGHLIGHTS
V.    MIGRATION ISSUES
VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
      I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  This release includes all defect repairs from Shorewall 4.5.3.1.

2)  When EXPORTMODULES=No in shorewall.conf, the following errors were
    issued:

      /usr/share/shorewall/modules: line 19: ?INCLUDE: command not found
      /usr/share/shorewall/modules: line 23: ?INCLUDE: command not found
      /usr/share/shorewall/modules: line 27: ?INCLUDE: command not found
      /usr/share/shorewall/modules: line 31: ?INCLUDE: command not found
      /usr/share/shorewall/modules: line 35: ?INCLUDE: command not found
      /usr/share/shorewall/modules: line 39: ?INCLUDE: command not found

    These messages have been eliminated.

3)  If the configuration settings in the PACKET MARK LAYOUT section of
    shorewall.conf (shorewall6.conf) had empty settings, the 'update'
    command would previously set them to their default settings. It now
    leaves them empty.

4)  Previously, Shorewall used 'unreachable' routes to null-route the
    RFC1918 subnets. This approach has two drawbacks:

    - It can cause problems for IPSEC in that it can cause packets to be
      rejected rather than encrypted and forwarded.

    - It can return 'host unreachable' ICMPs to other systems that
      attempt to route RFC1918 addresses through the firewall.

    To eliminate these problems, Shorewall now uses 'blackhole' routes.
    Such routes don't interfere with IPSEC and silently drop packets
    rather than return an ICMP.

5)  The 'default' routing table is now cleared if there are no
    'fallback' providers.

----------------------------------------------------------------------------
             I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

----------------------------------------------------------------------------
         I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  The TPROXY tcrules action introduced in Shorewall 4.4.7 was
    incomplete and required additional rules to be added in the 'start'
    or 'started' extension scripts. In this release, the TPROXY
    implementation has been changed and an additional DIVERT action has
    been created.

    Because the new TPROXY has a different set of parameters than the
    prior one, the tcrules file now supports two formats:

    FORMAT 1 - (default, deprecated)

      The TPROXY action allows three arguments, the first of which
      ('mark') is required.

    FORMAT 2

      The TPROXY action has two optional arguments; these are the second
      and third arguments to the format-1 TPROXY:

        port       -- the port on which the proxy is listening. While
                      this argument is optional, it will normally be
                      supplied.

        ip address -- the address on which the proxy is listening.

    The file format is specified by a line like this:

      FORMAT {1|2}

    The Sample configurations have been updated to use FORMAT 2.

    The format-2 tcrules file also supports the DIVERT action. The DIVERT
    action directs matching packets to the local system if there is a
    transparent socket in the local system that matches the destination
    of the packet.
    DIVERT is used to redirect response packets from remote web servers
    back to the proxy process running on the firewall rather than being
    routed directly back to the client.

    Finally, the providers file supports a new 'tproxy' option. When
    'tproxy' is specified:

    - It must be the only OPTION given.
    - The MARK, DUPLICATE and GATEWAY columns must be empty.
    - The loopback device (lo) should be specified as the INTERFACE.

    The 'tproxy' option causes a reserved mark value to be associated with
    the provider and for its associated routing rule to have priority 1.

    Here is the TPROXY configuration at shorewall.net:

    interfaces:

      FORMAT 2
      #ZONE   INTERFACE   OPTIONS
      net     eth0        ...
      net     eth1        ...
      loc     eth2        ...
      -       lo          ignore

    tcrules:

      FORMAT 2
      #ACTION                    SOURCE  DEST  PROTO  DEST     SOURCE
      #                                              PORT(S)  PORT(S)
      DIVERT                     eth1    -     tcp    -        80
      DIVERT                     eth0    -     tcp    -        80
      TPROXY(3129,172.20.1.254)  eth2    -     tcp    80

    providers:

      #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
      ...
      Squid   3       -     -          lo         -        tproxy

    /etc/squid3/squid.conf:

      ...
      http_port 172.20.1.254:3129 tproxy
      ...

2)  With some misgivings, this release adds support for the geoip match
    feature available in xtables-addons. Geoip allows matching of the
    source or destination IP address by ISO 3661 country codes. The
    Shorewall support requires xtables-addons 1.33 or later.

    The support is implemented in the form of extended syntax in the
    SOURCE and DEST columns of the rules file.

    To specify a single country code, add a caret prefix ('^').

      Example: ^A1

    To specify multiple country codes, enter them as a comma-separated
    list enclosed in square brackets ('[...]') with a caret prefix ('^').

      Example: ^[A1,A2]

    A listing of two-character country codes is available at
    http://www.shorewall.net/ISO-3661.html.
    Example rule - Drop email from Anonymous Proxies and Satellite
    Providers:

      #ACTION     SOURCE         DEST   PROTO   DEST
      #                                         PORT(S)
      DROP:info   net:^[A1,A2]   dmz    tcp     25

    The compiler determines the set of valid country codes by examining
    the geoip database which is normally installed in
    /usr/share/xt_geoip/. There are two sub-directories at that location:

      BE - The big-endian database.
      LE - The little-endian database.

    To accommodate both big-endian and little-endian machines and to
    allow the database to be installed elsewhere, a GEOIPDIR option has
    been added in shorewall.conf and shorewall6.conf. The default setting
    is "/usr/share/xt_geoip/LE" since Shorewall is normally installed on
    little-endian machines.

3)  OPTIMIZE level 4 now performs an additional optimization. If the last
    rule in a chain is an unqualified jump to a simple target, then all
    immediately preceding rules with the same simple target are omitted.

    For example, consider this chain:

      -A fw-net -p udp --dport 67:68 -j ACCEPT
      -A fw-net -p udp --sport 1194 -j ACCEPT
      -A fw-net -p 41 -j ACCEPT
      -A fw-net -j ACCEPT

    Since all of the rules are jumps to the simple target ACCEPT, this
    chain is totally optimized away and jumps to 'fw-net' are replaced
    with jumps to ACCEPT.

    As part of this enhancement, when both OPTIMIZE level 1 and level 4
    are selected, the level 1 optimization step is skipped because it is
    now a limited subset of level 4.

4)  Tuomo Soini contributed a macro for MS SQL (macro.MSSQL).

----------------------------------------------------------------------------
                    V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.2.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt

2)  The BLACKLIST section of the rules file has been eliminated. If you
    have entries in that file section, you must move them to the blrules
    file.
3)  This version of Shorewall requires either the Digest::SHA1 or
    Digest::SHA Perl module.

      Debian:   libdigest-sha1-perl or libdigest-sha-perl
      Fedora:   perl-Digest-SHA1 or perl-Digest-SHA
      OpenSuSE: perl-Digest-SHA1 or perl-Digest-SHA

4)  The generated firewall script now maintains the
    /var/lib/shorewall[6][-lite]/interface.status files used by SWPING
    and by LSM. If you have optional providers and do not run a link
    monitor like SWPING or LSM that updates these files, then you should
    remove /etc/shorewall[6]/isusable if it is installed.

    Beginning with Shorewall 4.5.3.1:

    - The 'disable' command stores a 1 in the interface's .status file.

    - The .status file is ignored on 'enable' but not on 'start',
      'restart', 'restore' and 'refresh'. This means that a disabled
      interface can only be re-enabled using the 'enable' command.

5)  The /etc/shorewall[6]/tos file is now deprecated in favor of the
    TOS() action in /etc/shorewall[6]/tcrules.

6)  The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
    renamed ACTION to reflect the expanded set of actions that can be
    specified in the column. There is no change to existing
    functionality.

7)  Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir and
    /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in favor
    of the VARDIR setting in shorewallrc.

    NOTE: While the name of the variable remains VARDIR, the meaning is
    slightly different. When set in shorewallrc, each product
    (shorewall-lite, and shorewall6-lite) will create a directory under
    the specified path name to hold state information.

      Example: VARDIR=/opt/var/

      The state directory for shorewall-lite will be
      /opt/var/shorewall-lite/ and the directory for shorewall6-lite will
      be /opt/var/shorewall6-lite.

    When VARDIR is set in /etc/shorewall[6]/vardir, the product will save
    its state directly in the specified directory.

----------------------------------------------------------------------------
        V I.  N O T E S   F R O M   O T H E R   4 . 5   R E L E A S E S
----------------------------------------------------------------------------

----------------------------------------------------------------------------
             P R O B L E M S   C O R R E C T E D   I N   4 . 5 . 3
----------------------------------------------------------------------------

4.5.3.1

1)  Previously, nested conditionals did not work correctly in all cases.
    In particular:

      ?IF $FALSE
      ?IF $FALSE
      foo
      bar
      ?ENDIF
      baz
      bop
      ?ENDIF

    In this case, the lines 'baz' and 'bop' were incorrectly included
    when they should have been omitted.

2)  The 'balance' routing table is now cleared if there are no 'balance'
    providers.

3)  Previously, the compiler generated an invalid 'ip add route' command
    if an IPv6 provider had '-' in the GATEWAY column.

4)  As noted in the Migration Considerations below, the generated
    firewall script maintains the interface .status files used by LSM
    and SWPING. Up to now, however, the 'disable' command did not update
    the .status file. That has been corrected. As part of the change, the
    'isusable' script is no longer consulted by the 'enable' command.

5)  The configure and configure.pl scripts have not been outputting the
    setting of SPARSE, with the result that /etc/shorewall and
    /etc/shorewall6 are fully-populated on Debian systems. This has been
    corrected.

    For Debian users that want to remove the extra files from
    /etc/shorewall (/etc/shorewall6), the following script will do the
    job (replace 'shorewall' by 'shorewall6' to clean /etc/shorewall6):

      #!/bin/sh
      # Abort rather than run 'rm' in the wrong directory if the cd fails.
      cd /etc/shorewall || exit 1
      for f in *; do
          # Remove only files that are byte-identical to the shipped skeleton.
          [ -f "/usr/share/shorewall/configfiles/$f" ] && \
          diff -q "$f" "/usr/share/shorewall/configfiles/$f" > /dev/null \
          && rm "$f"
      done

    Once you have done that, edit ~/.shorewallrc and add SPARSE=Yes to
    the settings in that file.

4.5.3

1)  This version includes all defect repairs from Shorewall 4.5.2.1 -
    4.5.2.4.

2)  The LOCKFILE setting in shorewall.conf and shorewall6.conf had
    inadvertently become undocumented. It is now documented again.
3)  If an initial installation of Shorewall, Shorewall6, Shorewall Lite
    or Shorewall6 Lite was done under Shorewall 4.5.2, then the firewall
    would not start up at boot even though the installer indicated that
    it would. That defect has been corrected.

4)  Previously, when per-IP rate limiting was invoked, the compiler would
    use the deprecated '--ratelimit' option, even if the preferred
    '--ratelimit-upto' option was available. Now, the compiler uses the
    preferred option if it is supported by the installed version of
    iptables.

5)  Prior to this release, using a manual chain in the ACTION column of a
    macro body generated an error:

      ERROR: Invalid Action (mychain) in macro, macro.FOO (line ...)

    This now works correctly and generates a jump to the specified
    manual chain.

6)  If SHAREDIR was other than /usr/share and $CONFDIR/shorewall/init
    did not exist, then an error message similar to this was emitted:

      Processing /usr/local/share/shorewall/init ...
      Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}

7)  Previously, a line with the single word COMMENT in the tunnels file
    would generate the following error:

      ERROR: Zone must be specified

    Now, such a line correctly resets the current rule comment.

8)  In Shorewall 4.5.2, the MARK column in the tcrules file was renamed
    to ACTION but only 'mark' was accepted in the alternate
    specification format. Now both 'mark' and 'action' are accepted.

----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 5 . 3
----------------------------------------------------------------------------

1)  The '-T' option is now supported in the Shorewall and Shorewall6
    'load', 'reload', 'restart' and 'start' commands. As with the 'check'
    command, it causes a Perl stack trace to be printed along with
    compiler WARNING and ERROR messages.

2)  The debuggability of assertion failures has been improved.

    - A Perl stack trace is now generated unconditionally on an
      assertion failure.
    - Relevant data is passed as additional arguments to assertion
      checks so that setting a breakpoint in Shorewall::Config::assert()
      now allows examination of the data structures surrounding the
      failure.

3)  The GATEWAY column of the tunnels file has been renamed 'GATEWAYS'
    and now accepts a list of host and network addresses as well as IP
    ranges. Exclusion is not permitted. In the alternate specification
    format, both 'gateway' and 'gateways' are accepted as the column
    name.

4)  The 'refresh' command now allows additional options:

      -d - Run the rules compiler under the Perl debugger.
      -n - Don't modify routing.
      -T - Produce a Perl Stack trace on errors and warnings.
      -D - Look in first for configuration files.

5)  The interfaces file now supports two formats:

    FORMAT 1 - (default, deprecated)

      Includes the BROADCAST column (UNICAST in Shorewall6).

    FORMAT 2

      Does not include the BROADCAST (UNICAST) column.

    The format is specified by a line like this:

      FORMAT {1|2}

    The Sample configurations have been updated to use FORMAT 2.

6)  A change has been made in the packaging for Slackware. On Slackware,
    there is an /etc/rc.d/firewall.rc script that looks for
    /etc/rc.d/shorewall.rc and /etc/rc.d/shorewall6.rc and runs them,
    passing its own arguments. The file installed as firewall.rc is named
    init.slackware.firewall.sh and has traditionally been included in
    the Shorewall package. Beginning with this release, it is moved to
    the Shorewall-core package. This opens the door for releasing
    Slackware versions of the -lite products in the future.

    The init scripts for Slackware are now described in slackware.rc as:

      AUXINITSOURCE=init.slackware.firewall.sh
      AUXINITFILE=rc.firewall
      INITSOURCE=init.slackware.$PRODUCT.sh
      INITFILE=rc.$PRODUCT

7)  Previously, errors reported in macros were hard to analyze.

    Example:

      ERROR: Unknown destination zone (bar) /usr/share/shorewall/macro.SSH (line 11),

    In this case, we don't know where the SSH macro was invoked
    incorrectly.
    Beginning with this release, the stack of includes/opens will be
    included in ERROR and WARNING messages.

    Example:

      ERROR: Unknown destination zone (bar) /usr/share/shorewall/macro.SSH (line 11)
             from /etc/shorewall/rules (line 42)

    This shows that the SSH macro was invoked on line 42 of the rules
    file.

8)  There is now a BLACKLIST macro that works as follows:

    - If BLACKLIST_LOGLEVEL is set, then the macro invokes the 'blacklog'
      action.

    - Otherwise, the macro invokes the BLACKLIST_DISPOSITION action.

9)  An RST action has been added which matches tcp packets with the RST
    flag set. The action accepts two optional parameters:

    - Action (ACCEPT or DROP). Default is DROP.
    - Audit ('audit' or omitted). Default is omitted.

----------------------------------------------------------------------------
             P R O B L E M S   C O R R E C T E D   I N   4 . 5 . 2
----------------------------------------------------------------------------

4.5.2.4

1)  Installation on Slackware has been corrected.

2)  The 'shorewall reset' command now correctly resets the IPv4 packet
    and byte counters; previously, it was resetting the IPv6 counters.

3)  The Shorewall installer now modifies the Chains.pm file for the
    Digest::SHA dependency when $DESTDIR is set, provided that
    $BUILD = $HOST. This allows rpm to automatically generate the correct
    module dependency.

4)  With fresh installs on Debian and derivatives, the firewall did not
    start at boot, even though the installer indicated that it would.
    This defect, introduced in Shorewall 4.5.2, has been corrected.

4.5.2.3

1)  The 'show routing' command was broken with dash 0.5.7-2ubuntu2
    installed. It now works correctly.

2)  Recent distributions have dropped Digest::SHA1 in favor of
    Digest::SHA. The Shorewall installer now replaces the former with the
    latter when appropriate.

3)  A couple of issues with Debian release compliance have been
    corrected.
4)  The 'configure' script failed to handle --host=linux correctly; the
    result was that it tried to open .default rather than
    shorewallrc.default.

5)  Previously, setting TC_EXPERT=Yes did not allow SAVE/RESTORE of all
    parts of the packet/connection mark. That has been corrected.

4.5.2.2

1)  If a shorewallrc file is passed to the Shorewall-core 4.5.2.1
    installer, subsequent compilations will fail. The error message
    indicates that the compiler is looking for the lib.core file but the
    pathname has embedded whitespace. This has been corrected.

2)  The Shorewall 4.5.2.1 installer was installing the wrong Makefile for
    Shorewall and Shorewall6.

4.5.2.1

1)  The 4.5.2 configure script does not work on RHEL5 systems and
    derivatives. To allow RPMs to be built on those systems, a Perl-based
    script (configure.pl) has been added. The sample .spec files included
    in the various packages have been changed to use the new script.

2)  In release 4.5.2, if an INCLUDE directive appeared inside a
    ?IF ... ?ENDIF sequence, then the following error would be generated
    after the included file had been read:

      ERROR: Missing ?ENDIF to match the ?IF at line ...

3)  An error in the shorewallrc.file has been corrected.

4)  The shorewallrc.redhat file has been changed to conform to Fedora
    packaging guidelines.

5)  The installers now modify the Makefile if non-standard settings are
    used for SBINDIR or SHAREDIR.

6)  The configure script now detects that it is running on a version of
    Bash that won't support the features used in the script.

7)  Both configure and configure.pl now detect the distribution if 'host'
    or 'vendor' (--host or --vendor) are not specified on the command
    line.

4.5.2

1)  This release includes the defect repairs from Shorewall 4.5.1.1 and
    4.5.1.2 (see below).

2)  The generated firewall script includes code to automatically create
    ipsets that are referenced but that don't exist. That code was broken
    in releases 4.4.22 and later. This defect has been corrected.
    As part of the fix, the generated script will now issue a warning
    message when it creates an ipset.

4.5.1.2

1)  The Shorewall Lite and Shorewall6 Lite installers have been
    installing the wrong SysV init script on Debian and derivatives. The
    correct script is now installed.

2)  Nested TC classes could result in Perl diagnostics like this one:

      Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042, <$currentfile> line 13.

    These harmless messages have been eliminated.

3)  It is once again possible to omit the minimum length in the LENGTH
    column of the tcrules file.

4)  Under the following conditions, a compiler internal error was raised:

    - Extended conntrack match support is available.
    - Repeat Match is not available.
    - A DNAT rule specifies a destination port, a server port and an
      original destination.

5)  Beginning with release 4.4.26, setting both 'nets=' and 'dhcp' on an
    interface does not work correctly. That issue has been resolved in
    this release.

----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 5 . 2
----------------------------------------------------------------------------

1)  The 'mss' option is now supported in the /etc/shorewall[6]/hosts
    files. See the manpages for details.

2)  It is now possible to conditionally include or omit configuration
    entries based on the settings of shell variables. See
    http://www.shorewall.net/configuration_file_basics.htm#Conditional
    for details.

3)  The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
    renamed ACTION to reflect the expanded set of actions that can be
    specified in the column.

4)  Some users are finding these ipset warnings objectionable:

    - Warning when a referenced ipset does not exist.
    - Warning when using [src] in a destination column or [dst] in a
      source column.

    These warnings may now be suppressed by setting IPSET_WARNINGS=No in
    shorewall.conf and/or shorewall6.conf.
5)  The evolution of the Shorewall installation process continues.
    Testers are invited to provide comments and suggestions about the
    following.

    Beginning with this release, the installers accept a configuration
    file as a parameter. Options set in the configuration file are as
    follows:

    BUILD (optional)      -- Platform on which the installation is being
                             performed. Possible values are:

                               apple     - OS X
                               archlinux - ArchLinux
                               cygwin    - Cygwin running under Windows
                               debian    - Debian and derivatives
                               linux     - Generic Linux system
                               redhat    - Fedora, RHEL and derivatives
                               suse      - SLES and OpenSuSE

                             If no value is assigned, then the installer
                             will detect the platform.

    HOST (Optional)       -- Allowed values are same as for BUILD. If not
                             specified, the BUILD setting is used.

    CONFDIR (Req'd)       -- Directory where product configuration
                             directory is installed. Normally /etc.

    SHAREDIR (Req'd)      -- Directory where architecture-independent
                             product files are installed. Normally
                             /usr/share.

    LIBEXECDIR (Req'd)    -- Directory where product executables are
                             installed. Normally /usr/share or
                             /usr/libexec.

    PERLLIBDIR (Req'd)    -- Directory where Shorewall Perl modules are to
                             be installed. Traditionally
                             /usr/share/shorewall.

    SBINDIR (Req'd)       -- Directory where product CLI programs are
                             installed. Normally /sbin.

    MANDIR (Req'd)        -- Directory where manpages are installed.
                             Normally /usr/share/man.

    INITFILE (Optional)   -- If given, specifies the installed filename of
                             the initscript. Normally set to $PRODUCT
                             which the installers expand to the name of
                             the product being installed. If not
                             specified, no init script will be installed.

    INITSOURCE (Optional) -- Must be specified if INITFILE is specified.
                             Gives the name of the file to be installed
                             as the INITFILE.

    INITDIR (Optional)    -- Directory where SysV init scripts are
                             installed. Must be specified if INITFILE is
                             specified.

    ANNOTATED (Optional)  -- If non-empty, indicates that the
                             configuration files are to be annotated with
                             manpage information. Normally empty.
    SYSTEMD (Optional)    -- Name of the directory where .service files
                             are to be installed. Should only be
                             specified on systems running systemd.

    SYSCONFDIR (Optional) -- Name of the directory where subsystem init
                             configuration information is stored. On
                             Debian and derivatives, this is
                             /etc/default. On other systems, it is
                             /etc/sysconfig.

    SYSCONFFILE (Optional) -- Name of the file to be installed in the
                             SYSCONFDIR. The installed name of the file
                             will always be the product name (shorewall,
                             shorewall-lite, etc.)

    SPARSE (Optional)     -- If non-empty, causes only the .conf file to
                             be installed in ${CONFDIR}/${PRODUCT}/.
                             Otherwise, all of the product's skeleton
                             configuration files will be installed.

    TEMPDIR (Optional)    -- If non-empty, the generated firewall script
                             will export the variable TMPDIR with value
                             $TEMPDIR.

    VARDIR (Required)     -- Directory where product state information is
                             stored. Normally /var/lib. This setting was
                             previously stored in the optional vardir
                             file in the product's configuration
                             directory.

    Each of the product tarballs contains a set of configuration files
    for the various HOSTS:

      shorewallrc.apple
      shorewallrc.archlinux
      shorewallrc.cygwin
      shorewallrc.debian
      shorewallrc.default   (for HOST 'linux')
      shorewallrc.redhat
      shorewallrc.suse

    To aid distribution packagers, a configure script has been added. The
    arguments to the script are the usual list of
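The OPTIMIZE level 4 enhancement under NEW FEATURES IN THIS RELEASE (item 3) describes the trailing-jump step in prose only. The Python below is an added illustration written for these notes, not Shorewall's Perl compiler: it applies that step to iptables-save style "-A chain ... -j TARGET" lines (an assumed input format), rewrites jumps to a chain that collapses to a single unqualified jump, and exercises the check a reviewer of such an optimizer wants, namely that a rule with a different target (a DROP ahead of the trailing ACCEPTs) is never removed. The fw-net chain is the one quoted in the notes; the OUTPUT and loc-net rules are constructed sample input, and the set of targets treated as "simple" is an assumption of the example.

```python
"""Added example: the OPTIMIZE level 4 trailing-jump step over
iptables-save style rules. Not Shorewall's compiler code; the input
format and the SIMPLE_TARGETS set are assumptions of this example."""
import re
from typing import Dict, List, Optional, Tuple

# Terminating built-in targets treated as "simple" here (assumed set).
SIMPLE_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# -A <chain> [<matches>] -j <target>
RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)$")


def parse_rule(line: str) -> Tuple[str, str, str]:
    """Split one rule line into (chain, match text, target)."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised rule: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def format_rule(chain: str, matches: str, target: str) -> str:
    """Inverse of parse_rule."""
    if matches:
        return f"-A {chain} {matches} -j {target}"
    return f"-A {chain} -j {target}"


def optimize_chain(rules: List[str]) -> Tuple[List[str], Optional[str]]:
    """Apply the level-4 step to the rules of one chain.

    Returns (rules to keep, replacement). When the chain collapses to a
    single unqualified jump, `replacement` names the simple target that
    every jump to this chain can be rewritten to; otherwise it is None.
    """
    if not rules:
        return [], None
    _, last_matches, last_target = parse_rule(rules[-1])
    # Only an unqualified (match-free) jump to a simple target qualifies.
    if last_matches or last_target not in SIMPLE_TARGETS:
        return list(rules), None
    kept = list(rules[:-1])
    # Drop the run of immediately preceding rules with the same target:
    # any packet they would have matched falls through to the last rule
    # and receives the same verdict. The scan stops at the first rule with
    # a different target, so a DROP ahead of trailing ACCEPTs survives and
    # the chain's meaning is unchanged.
    while kept and parse_rule(kept[-1])[2] == last_target:
        kept.pop()
    kept.append(rules[-1])
    if len(kept) == 1:
        return [], last_target  # chain is optimized away entirely
    return kept, None


def optimize_ruleset(lines: List[str]) -> List[str]:
    """One pass over a whole listing: optimize each chain, then rewrite
    jumps to chains that were optimized away."""
    chains: Dict[str, List[str]] = {}
    for line in lines:
        chains.setdefault(parse_rule(line)[0], []).append(line)

    replacements: Dict[str, str] = {}
    kept_chains: Dict[str, List[str]] = {}
    for chain, rules in chains.items():
        kept, replacement = optimize_chain(rules)
        kept_chains[chain] = kept
        if replacement is not None:
            replacements[chain] = replacement

    out: List[str] = []
    for rules in kept_chains.values():
        for rule in rules:
            chain, matches, target = parse_rule(rule)
            out.append(format_rule(chain, matches, replacements.get(target, target)))
    return out


# Constructed sample: the fw-net chain quoted in the notes, a caller that
# jumps to it, and a chain in which an earlier DROP must be preserved.
SAMPLE_RULES = [
    "-A OUTPUT -o eth0 -j fw-net",
    "-A fw-net -p udp --dport 67:68 -j ACCEPT",
    "-A fw-net -p udp --sport 1194 -j ACCEPT",
    "-A fw-net -p 41 -j ACCEPT",
    "-A fw-net -j ACCEPT",
    "-A loc-net -p tcp --dport 23 -j DROP",
    "-A loc-net -p tcp --dport 22 -j ACCEPT",
    "-A loc-net -j ACCEPT",
]

if __name__ == "__main__":
    for rule in optimize_ruleset(SAMPLE_RULES):
        print(rule)
```

Running the sample removes the fw-net chain and turns the caller's jump into "-j ACCEPT", while loc-net keeps its telnet DROP and loses only the redundant port-22 ACCEPT. A single pass is performed; a rewritten jump can itself make another chain eligible, so a production optimizer would iterate to a fixed point.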
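Item 1) under PROBLEMS CORRECTED IN 4.5.3.1 shows the nested ?IF case that earlier releases mis-handled. The following Python preprocessor is an added example, not the Shorewall compiler's Perl code: it handles only the ?IF $VARIABLE and ?ENDIF forms shown on this page, keeps one stack entry per open ?IF so that an inner ?ENDIF cannot re-enable output that an outer false ?IF suppressed, and reports an unmatched ?IF with a message in the style quoted under 4.5.2.1. How a variable is judged true (set to anything other than an empty string or "0") is an assumption of the example, and the sample lines around the quoted block are constructed.

```python
"""Added example: stack-based handling of nested ?IF / ?ENDIF blocks.
Not Shorewall's compiler code; variable truthiness is an assumption."""
import re
from typing import Dict, List, Tuple

# Directives handled: ?IF <expr> and ?ENDIF (the forms shown in these notes).
DIRECTIVE_RE = re.compile(r"^\s*\?(IF|ENDIF)\b\s*(.*?)\s*$")
VARIABLE_RE = re.compile(r"^\$([A-Za-z_][A-Za-z0-9_]*)$")


def evaluate(expr: str, variables: Dict[str, str]) -> bool:
    """Evaluate a ?IF expression of the form $NAME.

    Assumption for this example: a variable is true when it is set to a
    non-empty value other than "0"; an unset variable (like $FALSE in the
    notes) is false.
    """
    m = VARIABLE_RE.match(expr)
    if m is None:
        raise ValueError(f"unsupported ?IF expression: {expr!r}")
    return variables.get(m.group(1), "") not in ("", "0")


def _emitting(stack: List[Tuple[int, bool]]) -> bool:
    """True only when every enclosing ?IF block is emitting its lines."""
    return all(flag for _, flag in stack)


def preprocess(lines: List[str], variables: Dict[str, str]) -> List[str]:
    """Return the lines that survive conditional processing.

    `stack` holds one (line number, emitting) entry per open ?IF. A block
    emits only if its own condition is true AND every enclosing block
    emits, and ?ENDIF pops exactly one entry, so the inner ?ENDIF in the
    notes' example cannot re-enable 'baz' and 'bop' while the outer
    ?IF $FALSE is still open.
    """
    stack: List[Tuple[int, bool]] = []
    out: List[str] = []
    for lineno, line in enumerate(lines, start=1):
        m = DIRECTIVE_RE.match(line)
        if m is None:
            if _emitting(stack):
                out.append(line)
            continue
        directive, rest = m.groups()
        if directive == "IF":
            # Evaluate even inside a suppressed block so that a malformed
            # expression is reported regardless of where it sits.
            condition = evaluate(rest, variables)
            stack.append((lineno, _emitting(stack) and condition))
        else:  # ENDIF
            if not stack:
                raise ValueError(f"ERROR: ?ENDIF without matching ?IF at line {lineno}")
            stack.pop()
    if stack:
        open_at, _ = stack[-1]
        raise ValueError(f"ERROR: Missing ?ENDIF to match the ?IF at line {open_at}")
    return out


# Constructed sample wrapped around the nested block quoted in the notes;
# the two rules lines are made up for the example.
SAMPLE = [
    "ACCEPT  loc  net  tcp  80",
    "?IF $FALSE",
    "?IF $FALSE",
    "foo",
    "bar",
    "?ENDIF",
    "baz",
    "bop",
    "?ENDIF",
    "ACCEPT  loc  net  tcp  443",
]

if __name__ == "__main__":
    # $FALSE is unset, so nothing between the outer ?IF and ?ENDIF survives.
    for line in preprocess(SAMPLE, variables={}):
        print(line)
```

With $FALSE unset only the two rules outside the conditional remain; the buggy behaviour described in the notes would correspond to a single boolean flag that the inner ?ENDIF flips back on. The stack also gives the line number needed for the "Missing ?ENDIF" diagnostic.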