shorewall_code/web/Notices.html

182 lines
8.9 KiB
HTML
Raw Normal View History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
<title>Shorewall Notices</title>
<base target="_self">
<meta name="CREATED" content="20040920;15031500">
<meta name="CHANGED" content="$Id$">
</head>
<body dir="ltr" lang="en-US">
<hr style="width: 100%; height: 2px;">
<table style="text-align: left; width: 100%;" border="0" cellpadding="2"
cellspacing="0">
<tbody>
<tr style="font-weight: bold;">
<td style="vertical-align: top;"><a href="#Shell-EOL">Attention
Shorwall-shell Users</a><br>
</td>
<td style="vertical-align: top;"><a href="#Perl">Attention
Shorewall-perl 4.2 Users</a><br>
</td>
<td style="vertical-align: top;"><a href="#Notice">Attention
Users of Shorewall's Multi-ISP Feature</a><br>
</td>
</tr>
<tr>
<td style="vertical-align: top; font-weight: bold;"><a
href="Notices.html#Notice1">Attention Users of BRIDGING=Yes</a></td>
<td style="vertical-align: top; font-weight: bold;"><a
href="Notices.html#Kernel2.4">Attention Kernel 2.4 Users</a></td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
<hr><span style="font-weight: bold;">2009-08-03<br>
</span>
<h2><a name="Shell-EOL"></a>End-of-life for Shorewall-shell in
Shorewall 4.4<br>
</h2>
The Shorewall 4.4 release in the fall of 2009 will not include
Shorewall-shell. Because Shorewall 4.0 is included in Debian Lenny, the
4.0 release of Shorewall-shell will continue to be supported until
Debian Squeeze is released. The 4.2 release of Shorewall-shell will
continue to be supported until Shorewall 4.6 is released in 2010.<br>
<br>
Shorewall-shell users are encouraged to<a href="Shorewall-perl.html">
migrate to Shorewall-perl</a> at the earliest opportunity. Users who
run Shorewall-shell on an embedded system that is too small to support
Perl should consider switching to <a href="CompiledPrograms.html#Lite">Shorewall-lite</a>
with Shorewall-perl installed on an administrative system (may be a
Windows[tm] system running <a href="http://www.cygwin.com">Cygwin</a>[tm]).<br>
<h2><span style="font-weight: bold;"><a name="Perl"></a>Attention
Shorewall-perl 4.2 Users</span></h2>
<h3>Shorewall-perl 4.2.8</h3>
Shorewall-perl 4.2.8 was dead on arrival. The compiler did not rename
the generated script file with the result that it was removed when the
compiler terminated. This lead to:<br>
<ol>
<li>It was not possible to start Shorewall or Shorewall6 for the
first time after installing 4.2.8</li>
<li>Changes to the configuration were apparently ignored.</li>
</ol>
This problem was corrected in Shorewall-perl-4.2.8.1.<br>
<h3>Shorewall-perl 4.2.6 and Earlier<br>
</h3>
On February 28, Klemens Rutz reported a problem that affects all<span
style="font-family: monospace;"><span style="font-family: sans-serif;">
</span></span>Shorewall-perl 4.2 versions prior to 4.2.6.1.<br>
<span style="font-family: monospace;"><br>
</span>The problem:<br>
<ol>
<li>Only occurs when there are multiple non-firewall zones.</li>
<li>Results in the following interface options not being applied to
forwarded traffic.</li>
</ol>
<div style="margin-left: 40px;">blacklist<br>
dhcp<br>
maclist (when MACLIST_TABLE=filter)<br>
norfc1918<br>
nosmurfs<br>
tcpflags<br>
</div>
<br>
User are encouraged to either:<br>
<ul>
<li>Upgrade to Shorewall-perl-4.2.6.1 or later; or</li>
<li>Apply the patch found at:</li>
</ul>
<div style="margin-left: 40px;"><a class="moz-txt-link-freetext"
href="http://www.shorewall.net/pub/shorewall/4.2/forward.patch">http://www.shorewall.net/pub/shorewall/4.2/forward.patch</a><br>
<a class="moz-txt-link-freetext"
href="ftp://ftp.shorewall.net/pub/shorewall/4.2/forward.patch">ftp://ftp.shorewall.net/pub/shorewall/4.2/forward.patch</a></div>
<br>
<div style="margin-left: 40px;">To apply the patch, execute this
command:<br>
</div>
<div style="margin-left: 80px;">
<pre> patch /usr/share/shorewall-perl/Shorewall/Rules.pm &lt; forward.patch</pre>
</div>
<div style="margin-left: 40px;">The patch may apply with fuzz and/or an
offset, depending on your particular version.</div>
<h2><a name="Notice">Attention Users of Shorewall's Multi-ISP
Feature</a></h2>
<p>A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and
Shorewall-shell
4.0.0-4.0.2 prevents proper handling of PREROUTING marks when
HIGH_ROUTE_MARKS=No and the <strong>track</strong> option is
specified.
Patches are available to correct this problem:</p>
<p>Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: <a
href="http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff">http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff</a></p>
<p>Shorewall version 3.4.4-3.4.6: <a
href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.6/errata/patches/Shorewall/patch-3.4.6-1.diff">http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.66/errata/patches/Shorewall/patch-3.4.6-1.diff</a></p>
<p>Shorewall-shell version 4.0.0-4.0.2: <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff</a></p>
<p>Note that a patch may succeed with an offset when applied to a
release
other than the one for which it was specifically prepared. For example,
when
the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release
3.2.10) is applied to release 3.4.3, the following is the result:</p>
<pre>root@wookie:~# <strong>cd /usr/share/shorewall</strong>
root@wookie/usr/share/shorewall#: <strong>patch &lt; ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff</strong> <br>patching file compiler<br>Hunk #1 succeeded at 958 (offset -1669 lines).<br>root@wookie:/usr/share/shorewall#</pre>
<h3>Update -- 7 November 2007</h3>
<p>A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and
4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks
when
HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this
problem:</p>
<p>Shorewall version 3.2.3-3.2.11: <a
href="http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff">http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff</a></p>
<p>Shorewall version 3.4.0-3.4.7: <a
href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff">http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff</a></p>
<p>Shorewall version 4.0.0-4.0.5: <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff</a>
and <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff</a>.</p>
<hr>
<h2><a name="Notice1">Attention Users of BRIDGING=Yes</a></h2>
<p>In Linux Kernel version 2.6.20, the Netfilter team changed Physdev
Match
so that it is no longer capable of supporting BRIDGING=Yes. The
solutions
available to users are to either:</p>
<ol>
<li>Switch to using the technique described at <a
href="http://www.shorewall.net/3.0/NewBridge.html">http://www.shorewall.net/3.0/NewBridge.html</a>;
or<br>
</li>
<li>Upgrade to Shorewall 4.0, migrate to using Shorewall-perl, and
follow the instructions at <a
href="http://www1.shorewall.net/bridge-Shorewall-perl.html">http://www1.shorewall.net/bridge-Shorewall-perl.html.</a>
</li>
</ol>
<p>The first approach allows you to switch back and forth between
kernels
older and newer than 2.6.20. The second approach is a better long-term
solution.</p>
<hr style="width: 100%; height: 2px;">
<h2><a name="Kernel2.4"></a>Attention Users of Kernel 2.4</h2>
The Shorewall developers do not test Shorewall running on Kernel 2.4
and we make no representation about the functionality of Shorewall on
that Kernel. Any failure of Shorewall on Kernel 2.4 will not be
investigated by the Shorewall team.<br>
<hr>
Copyright © 2001-2009 Thomas M. Eastep<br>
<br>
Permission is granted to copy, distribute and/or modify this
document
under the terms of the GNU Free Documentation License, Version 1.2 or
any
later version published by the Free Software Foundation; with no
Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of
the
license is included in the section entitled <span
style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>".
</body>
</html>