PGNd | 13 Aug 23:26 2014

after upgrade of distro-shorewall 4.6.2.4-144.1 -> 4.6.2.4-146.1, compile "ERROR: Invalid/Unknown leaf-1 port/service (tcp) "

After an upgrade from Opensuse_13.1-packaged shorewall 4.6.2.4-144.1 -> 4.6.2.4-146.1

	grep "shorewall|" * | tail -n 2
		2014-08-08 07:30:05|install|shorewall|4.6.2.4-144.1|noarch||Netfilter|8a7f834d22683013aba57ba4548d97fc53eb64e0b562cbdf65e716544aba45ba|
		2014-08-12 11:09:47|install|shorewall|4.6.2.4-146.1|noarch||Netfilter|d7401c67c1d548fdcacde9ab9b3de94a7d87ed45e248aeef49a02e6b40da7193|

When I simply recompile my previously working rulesets etc, I now get an error

   ERROR: Invalid/Unknown leaf-1 port/service (tcp) /usr/local/etc/shorewall/IPv4/masq (line 20)

where

	cat /masq
		...
20			EXTIF  $MX_INT  $MX_EXT  tcp  25,587
		...

This works prior to the upgrade.

The recent local changelog includes,

	rpm -q --changelog shorewall
		* Mon Aug 11 2014 toganm <at> opensuse.org
		- Backported PHYSICALNAME.patch
		
		* Fri Aug 08 2014 toganm <at> opensuse.org
		- Update to version 4.6.2.4 For more details see changelog.txt and
		  releasenotes.txt
		  + Previously, inline matches were not allowed in action files, even
		    though the documentation stated that they were allowed.

CACook | 12 Aug 21:53 2014

FTP Stopped Working


For some reason my ftp no longer works. (Ubuntu Raring, kernel 3.14-1-amd64, Sw 4.6.1.2-1)

I can clearly see that Shorewall is blocking passive ftp attempts, but I don't know what to do about it.  Connexion tracking doesn't seem to be working.

I've gone through http://www.shorewall.net/FTP.html but I see nothing I'm doing wrong.  I do have nf_conntrack_ftp and nf_nat_ftp loaded.  In rules:
ACCEPT    $FW    net        tcp    ...,ftp,ftps,...    -

$ ftp 192.154.143.???                                                                   
Connected to 192.154.143.???.                                                                       
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------                                       
220-You are user number 8 of 50 allowed.                                                            
220-Local time is now 12:05. Server port: 21.                                                       
220-This is a private system - No anonymous login                                                   
220-IPv6 connections are also welcome on this server.                                               
220 You will be disconnected after 15 minutes of inactivity.                                        
Name (192.154.143.???:geo): delb                                                               
331 User delb OK. Password required                                                             
Password:
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> debug
Debugging on (debug=1).
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,154,143,???,41,87)
ftp: connect: Connection refused
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,154,143,???,227,234)
ftp: connect: Connection refused
ftp> passive
Passive mode off.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,1,9,218,2
421 Timeout - try typing a little faster next time
ftp>

huh?  That was instant.
------------------------------------------------------------------------------
Costantino | 12 Aug 17:01 2014

IP_CONNTRACK vs NF_CONNTRACK

While getting the Shorewall dump for previous issue I got some errors

 

   # shorewall  dump > dump.txt

   cat: /proc/sys/net/netfilter/nf_conntrack_count: No such file or directory

   cat: /proc/sys/net/netfilter/nf_conntrack_max: No such file or directory

 

Blogs on the internet explain that it's because I’m using the older IP_CONNTRACK modules instead of the newer NF_CONNTRACK.

 

So, is there any plus in replacing the older with the newer and what’s the impact on what’s already installed should I choose to do it?

 

Thanks,

 

Costa

------------------------------------------------------------------------------
PGNd | 11 Aug 19:02 2014

Firewall optimization -- tweak as-written rules and/or depend on OPTIMIZE= ?

Given the simple /rules example

 #ACTION  SOURCE  DEST  PROTO  DEST
 #                             PORT
 ACCEPT   net    $FW    tcp    1234
 ACCEPT   net    $FW    udp    5678

Is there additional/further Shorewall 'shorthand' that should 'better' consolidate. Something
equivalent to,

 ACCEPT   net    $FW    tcp:1234,udp:5678

perhaps ?

My understanding suggests that it may not be worth worrying about, as the written rules might only affect
COMPILE time.

The RUNTIME performance of the firewall would be dictated by the OPTIMIZE level.  In my case I've set it in
shorewall.conf to

 OPTIMIZE=All

How dependent is runtime performance on config file 'style'?  Just ignore it, and depend on the OPTIMIZEr to
do its best?

------------------------------------------------------------------------------
PGNd | 11 Aug 18:38 2014

integrated Revision Control for multiple SW mgmt?

I've set up central management of several hundred firewalls.

Local compiles push to remote shorewall(6)-lite instances as intended.

It all works well.

Even though I'm sharing /params & other config via symlinks from a common directory to minimize redundancy
as much as possible, there's still a lot of diffs & general chaos.  Room for lots of error.

I'm about to place the various firewalls' config under local revision control -- likely git.

I've looked at Shorewall docs and don't see either any integrated RCS, or integration hooks to git, for fw mgmt.

Does the functionality already exist, with documents or examples?

Ideally something as integrated as 

  shorewall rcs_commit "message text"

or a

  sh shorewall reload -s <target> --rcs_commit

would be really helpful.  Can be done, of course, completely external to shorewall.

------------------------------------------------------------------------------
Costantino | 11 Aug 17:48 2014

Shorewall 4.5.6.2 and DNAT issue

Hi Tom and all,

 

I'm confronting an issue with Shorewall 4.5.6.2 and DNAT.

 

I've got a server with two ethernet interfaces: eth0 connected to WAN and eth1 to LAN.

 

Although I've got a DNAT rule allowing for requests coming through the WAN interface to be forwarded to their respective port 80, 8080 and 443 of the LAN interface, the log shows that those requests have been dropped.

At the same time the user on the client PC, while experiencing a very long delay, sees that his request in the end has been served.

 

I fail to see where my Shorewall configuration could be wrong and I would appreciate your advice to help me diagnose my issue.

I'm attaching a zip file with the output of the SHOW command and the log.

 

Thanks for your help.

Best Rgds,

Costantino

Attachment (bubblegum.zip): application/x-zip-compressed, 5095 bytes
------------------------------------------------------------------------------
Marcelo Roccasalva | 8 Aug 21:41 2014

two providers, one interface

Hello,

I have an autonomous system: two providers, two routers, two class C IP address ranges but one interface on the firewall. On failure of one router/provider, both IP ranges would be served by the other one via a virtual IP. I may have two interfaces if needed...

I need to protect a LAN, a DMZ, some point-to-point links and a few SSL tunnels. I've read the multiple internet connections document with little success, as my source NAT outgoing traffic sometimes gets set to the wrong source IP.

Can you point me to some clarifying docs?

TIA,

--
Marcelo

"¿No será acaso que esta vida moderna está teniendo más de moderna que de
vida?" (Mafalda)
------------------------------------------------------------------------------
PGNd | 8 Aug 06:36 2014

Use of physical= option with provider interface causes compile "ERROR: A provider interface must have at least one associated zone"

Working on a multiISP install of

	shorewall version
		4.6.2.3

Configs include

	/zones
		fw      firewall
		net     ipv4
		prov2   ipv4
		lan     ipv4
		lan2    ipv4
		lan3    ipv4

	/hosts
		lan    INTIF:10.1.20.0/24
		lan2   INTIF:10.2.20.0/24
		lan3   INTIF:10.3.20.0/24

	/providers
		prov1   1   1   main   EXT_IF   detect        track,balance    INTIF
		prov2   2   2   main   tun1     192.168.1.1   track,fallback   INTIF

If

	/interfaces
		?FORMAT 2
		net     EXTIF   physical=eth0
		-       INTIF   physical=eth1
		prov2   tun0    optional

Compile, install & function are all ok.

If, instead

	/interfaces
		?FORMAT 2
		net     EXTIF   physical=eth0
		-       INTIF   physical=eth1
-		prov2   tun1    optional
+		prov2   VPNIF   physical=tun1,optional

Compile fails

	Compiling /opt/etc/shorewall/providers...
	Use of uninitialized value $physical in pattern match (m//) at
/usr/lib/perl5/vendor_perl/5.18.1/Shorewall/Providers.pm line 463, <$currentfile> line 2.
	   ERROR: A provider interface must have at least one associated zone /opt/etc/shorewall/providers (line 2)

(1) Is the form

		prov2   VPNIF   physical=tun1,optional

	in /interfaces permitted?

(2) If "yes", is the ERROR a config problem on my end, or a bug?

------------------------------------------------------------------------------
Tom Eastep | 8 Aug 01:23 2014

Re: Suspected Trojan

On 8/7/2014 2:28 PM, merc1984 <at> f-m.fm wrote:
> 
> On Thu, Aug 7, 2014, at 13:27, Tom Eastep wrote:
>> Once you stopped the daemons, the worrying messages also stopped?
> 
> Stopped the daemons this morning ~9, and just noticed these, for the
> first time ever... my username:
> 
> [63829.975476] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53631 DF
> PROTO=TCP SPT=59744 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> GID=1000 
> [63832.985253] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20905 DF
> PROTO=TCP SPT=59746 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> GID=1000 
> [63838.990204] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56816 DF
> PROTO=TCP SPT=59752 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> GID=1000 
> [69807.263497] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59773 DF PROTO=TCP
> SPT=54500 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69810.274781] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19387 DF PROTO=TCP
> SPT=54503 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69816.279796] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19284 DF PROTO=TCP
> SPT=54508 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69830.972496] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.236.96.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34434 DF PROTO=TCP
> SPT=47805 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69833.982281] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.236.96.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19053 DF PROTO=TCP
> SPT=47808 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69839.987629] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.236.96.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25925 DF PROTO=TCP
> SPT=47813 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69853.600541] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.147.116.229 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38875 DF
> PROTO=TCP SPT=58042 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> GID=1000 
> [69856.595874] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.147.116.229 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51025 DF
> PROTO=TCP SPT=58045 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> GID=1000 
> [69862.600710] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=64.147.116.229 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60537 DF
> PROTO=TCP SPT=58055 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> GID=1000 
> [69875.925262] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2649 DF PROTO=TCP
> SPT=54562 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69878.926688] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9464 DF PROTO=TCP
> SPT=54565 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> [69884.932444] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61431 DF PROTO=TCP
> SPT=54570 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> 

To get an immediate indication when a connection is being made, you can
install the 'conntrack' package, then run:

	conntrack -E -p tcp --dport 13

-Tom

PS -- please keep this on the list so others can participate
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Tom Eastep | 7 Aug 22:27 2014

Re: Suspected Trojan

On 8/7/2014 9:35 AM, merc1984 <at> f-m.fm wrote:
> Tom, attached please find my # shorewall dump.
> 
> This machine is my laptop.  I have it set up, a number of reverse SSH
> tunnels to the server to extend ports for services to this laptop.  This
> is a very good and secure method of running daemons in one place for a
> LAN.
> 631 - cups
> 3128 - Squid
> 654? - MythTV
> 22306 - mariadb
> 
> 91?? - TOR service channels
> 4444 - i2p
> 4445 - i2p
> 6668 - i2p
> 7657 - i2p
> 7658 - i2p
> 7659 - i2p
> 7660 - i2p
> 9327 - coin miner
> 9332 - litecoin
> 6566 - sane
> 7070 - bittorrent
> 
> i2p, litecoin mining, sane and bittorrent do not have any daemon running
> at the other end.
> 
> Got these this morning:
> # dmesg
> ...
> [57691.920943] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21619 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57692.917882] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21620 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57694.923604] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21621 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57698.931001] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21622 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57706.953863] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21623 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57722.999518] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21624 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57755.090829] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21625 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57997.351443] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1179 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [57998.349862] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1180 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [58000.355520] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1181 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [58004.366962] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1182 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [58012.397800] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1183 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [58028.443408] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1184 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> [58060.566751] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1185 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999 
> # ps aux |grep ossec
> 1004      1749  0.0  0.0  19124   776 ?        S    Aug06   0:00
> /var/ossec/bin/ossec-maild
> root      1753  0.0  0.0  12688   504 ?        S    Aug06   0:00
> /var/ossec/bin/ossec-execd
> 1003      1757  0.0  0.0  17604  2564 ?        S    Aug06   0:05
> /var/ossec/bin/ossec-analysisd
> root      1761  0.0  0.0   4424   548 ?        S    Aug06   0:00
> /var/ossec/bin/ossec-logcollector
> root      1772  0.0  0.0   5816  2280 ?        S    Aug06   0:39
> /var/ossec/bin/ossec-syscheckd
> 1003      1776  0.0  0.0  12948   808 ?        S    Aug06   0:00
> /var/ossec/bin/ossec-monitord
> root      4200  0.0  0.0  12684   964 pts/9    S+   09:29   0:00 grep
> --color=auto ossec
> 
> I'd deinstalled ossec yesterday so ps doesn't know the usernames,
> although for some reason the deinstall did not shut down the daemons. 
> Clearly ossec-maild that was doing it.

Once you stopped the daemons, the worrying messages also stopped?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
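
An added example, not part of the original messages and not Shorewall code: a Python parser for the Shorewall log lines quoted in the two "Suspected Trojan" messages above, grouping outbound SYNs by owning UID and destination and separating new connection attempts from retransmits of the same source port. The sample lines are re-joined from the quoted dmesg output; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: lines re-joined from the dmesg output quoted in the two
# "Suspected Trojan" messages (seven ACCEPT lines, three REJECT lines).
SAMPLE = """\
[57691.920943] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21619 DF PROTO=TCP SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
[57692.917882] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21620 DF PROTO=TCP SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
[57694.923604] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21621 DF PROTO=TCP SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
[57698.931001] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21622 DF PROTO=TCP SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
[57706.953863] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21623 DF PROTO=TCP SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
[57722.999518] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21624 DF PROTO=TCP SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
[57755.090829] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21625 DF PROTO=TCP SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
[63829.975476] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1 DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53631 DF PROTO=TCP SPT=59744 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[63832.985253] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1 DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20905 DF PROTO=TCP SPT=59746 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[63838.990204] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1 DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56816 DF PROTO=TCP SPT=59752 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
"""

# "[uptime] Shorewall:<chain>:<disposition>:<netfilter LOG fields>"
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": float(m["ts"]), "chain": m["chain"], "disposition": m["disp"]}
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        rec[key] = value if sep else True  # bare tokens (DF, SYN) are flags
    return rec


def summarize(lines):
    """Group outbound TCP SYNs by (UID, disposition, DST, DPT).

    Lines sharing a source port count as one connection plus retransmits.
    """
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("PROTO") != "TCP" or "SYN" not in rec:
            continue
        key = (rec.get("UID", "?"), rec["disposition"], rec["DST"], int(rec["DPT"]))
        flows[key + (int(rec["SPT"]),)].append(rec["ts"])
    summary = {}
    for key, stamps in flows.items():
        entry = summary.setdefault(
            key[:4], {"packets": 0, "connections": 0, "retransmits": 0})
        entry["packets"] += len(stamps)
        entry["connections"] += 1
        entry["retransmits"] += len(stamps) - 1
    return summary


def backoff_gaps(lines, spt):
    """Gaps in whole seconds between successive logged SYNs from one source port."""
    stamps = sorted(r["ts"] for r in filter(None, map(parse_line, lines))
                    if r.get("SPT") == str(spt))
    return [round(b - a) for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    log = SAMPLE.splitlines()
    for (uid, disp, dst, dpt), s in sorted(summarize(log).items()):
        print(f"uid={uid} {disp} {dst}:{dpt} {s}")
    print("SYN gaps for SPT 57346:", backoff_gaps(log, 57346))
```

On the sample, the seven ACCEPT lines from UID 1004 collapse to one connection to port 25 whose SYN gaps double each time, while the three REJECT lines from UID 1000 are three separate attempts to port 13 from different source ports.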

------------------------------------------------------------------------------
Tom Eastep | 7 Aug 20:11 2014

Shorewall 4.6.2.4

Shorewall 4.6.2.4 is now available for download.

Problem Corrected:

1)  Previously, inline matches were not allowed in action files, even
    though the documentation stated that they were allowed.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
