<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
<title>Shorewall Notices</title>
<base target="_self">
<meta name="CREATED" content="20040920;15031500">
<meta name="CHANGED" content="$Id$">
</head>
<body dir="ltr" lang="en-US">
<hr style="width: 100%; height: 2px;">
<table style="text-align: left; width: 100%;" border="0" cellpadding="2"
 cellspacing="0">
  <tbody>
    <tr>
      <td style="vertical-align: top;"><a href="#Shell-EOL"><span
 style="font-weight: bold;">Attention Shorewall-shell Users</span></a><br>
      </td>
      <td style="vertical-align: top;"><a href="#Perl"><span
 style="font-weight: bold;">Attention Shorewall-perl 4.2 Users</span></a><br>
      </td>
      <td style="vertical-align: top; font-weight: bold;"><a
 href="#Notice">Attention Users of Shorewall's Multi-ISP Feature</a><br>
      </td>
      <td style="vertical-align: top; font-weight: bold;"><a
 href="#Notice1">Attention Users of BRIDGING=Yes</a><br>
      </td>
      <td style="vertical-align: top; font-weight: bold;"><a
 href="#Kernel2.4">Attention Kernel 2.4 Users</a><br>
      </td>
    </tr>
  </tbody>
</table>
<hr><span style="font-weight: bold;">2009-03-29<br>
</span>
<h2><a name="Shell-EOL"></a>End-of-life for Shorewall-shell in
Shorewall 4.4<br>
</h2>
The Shorewall 4.4 release in late 2009 will not include
Shorewall-shell. Because Shorewall 4.0 is included in Debian Lenny, the
4.0 release of Shorewall-shell will continue to be supported until
the next Debian stable release after Lenny ships. The 4.2 release of Shorewall-shell will
continue to be supported until Shorewall 4.6 is released in 2010.<br>
<br>
Shorewall-shell users are encouraged to <a href="Shorewall-perl.html">migrate
to Shorewall-perl</a> at the earliest opportunity. Users who
run Shorewall-shell on an embedded system that is too small to support
Perl should consider switching to <a href="CompiledPrograms.html#Lite">Shorewall-lite</a>
on the firewall, with Shorewall-perl installed on an administrative system
that compiles the firewall script for it (the administrative system may be a
Windows[tm] system running <a href="http://www.cygwin.com">Cygwin</a>[tm]).<br>
<h2><span style="font-weight: bold;"><a name="Perl"></a>Attention
Shorewall-perl 4.2 Users</span></h2>
On February 28, Klemens Rutz reported a problem that affects all
Shorewall-perl 4.2 versions prior to 4.2.6.1.<br>
<br>
The problem:<br>
<ol>
  <li>Only occurs when there are multiple non-firewall zones.</li>
  <li>Results in the following interface options not being applied to
forwarded traffic.</li>
</ol>
<div style="margin-left: 40px;">blacklist<br>
dhcp<br>
maclist (when MACLIST_TABLE=filter)<br>
norfc1918<br>
nosmurfs<br>
tcpflags<br>
</div>
<br>
Users are encouraged to either:<br>
<ul>
  <li>Upgrade to Shorewall-perl 4.2.6.1 or later; or</li>
  <li>Apply the patch found at:</li>
</ul>
<div style="margin-left: 40px;"><a class="moz-txt-link-freetext"
 href="http://www.shorewall.net/pub/shorewall/4.2/forward.patch">http://www.shorewall.net/pub/shorewall/4.2/forward.patch</a><br>
<a class="moz-txt-link-freetext"
 href="ftp://ftp.shorewall.net/pub/shorewall/4.2/forward.patch">ftp://ftp.shorewall.net/pub/shorewall/4.2/forward.patch</a></div>
<br>
<div style="margin-left: 40px;">To apply the patch, execute this
command:<br>
</div>
<div style="margin-left: 80px;">
<pre> patch /usr/share/shorewall-perl/Shorewall/Rules.pm < forward.patch</pre>
</div>
<div style="margin-left: 40px;">The patch may apply with fuzz and/or an
offset, depending on your particular version. The patch changes the compiler,
so the fix only reaches the running firewall after it is recompiled
(<span style="font-family: monospace;">shorewall restart</span>). If a hunk is
rejected, patch writes it to <span style="font-family: monospace;">Rules.pm.rej</span>;
do not run Shorewall with a partially patched module.</div>
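<p>The following is an added example, not code from the Shorewall project or from
forward.patch. It does two things a practitioner wants before and after patching:
it tells from a version string whether an installation falls in the affected range
(any 4.2 release below 4.2.6.1), and it reads an
<span style="font-family: monospace;">iptables-save</span> dump and reports every
interface whose input chain jumps to one of the option chains while its forward
chain does not, which is what the bug looks like in a running ruleset. The chain
names used here (<span style="font-family: monospace;">eth0_in</span>,
<span style="font-family: monospace;">eth0_fwd</span>,
<span style="font-family: monospace;">smurfs</span>,
<span style="font-family: monospace;">tcpflags</span>,
<span style="font-family: monospace;">rfc1918</span>,
<span style="font-family: monospace;">blacklst</span>,
<span style="font-family: monospace;">dynamic</span>,
<span style="font-family: monospace;">maclist</span>) are assumptions about how
Shorewall lays out its chains, and the sample dump is constructed for the example.</p>

```shell
#!/bin/sh
# Added example, not part of Shorewall or of forward.patch: decide whether
# an installed Shorewall-perl 4.2 still carries the forwarding bug, and
# look in the live ruleset for its symptom. Assumed (not taken from the
# notice): Shorewall names an interface's input/forward chains
# <iface>_in / <iface>_fwd and the option chains smurfs, tcpflags,
# rfc1918, blacklst, dynamic and maclist.

# Returns 0 (true) when VERSION is a 4.2 release older than 4.2.6.1 and
# therefore needs the patch; 1 otherwise. Components are compared
# numerically, so 4.2.6 < 4.2.6.1 < 4.2.10.
needs_forward_patch() {
    awk -v v="$1" 'BEGIN {
        n = split(v, p, ".")
        if (p[1] + 0 != 4 || p[2] + 0 != 2) exit 1   # notice covers 4.2 only
        fix[3] = 6; fix[4] = 1                        # 4.2.6.1
        for (i = 3; i <= 4; i++) {
            c = (i <= n) ? p[i] + 0 : 0
            if (c < fix[i]) exit 0
            if (c > fix[i]) exit 1
        }
        exit 1                                        # exactly 4.2.6.1
    }'
}

# Reads an iptables-save dump on stdin. For every interface whose _in
# chain jumps to one of the option chains, prints a line when its _fwd
# chain never jumps to that same chain (the symptom of the bug); output
# is sorted so it is stable. Returns 1 if anything is missing, else 0.
forward_parity() {
    missing=$(awk '
        BEGIN { opt["smurfs"] = opt["tcpflags"] = opt["rfc1918"] = 1
                opt["blacklst"] = opt["dynamic"] = opt["maclist"] = 1 }
        $1 == "-A" && $2 ~ /_(in|fwd)$/ {
            tgt = ""
            for (k = 3; k < NF; k++) if ($k == "-j") tgt = $(k + 1)
            if (!(tgt in opt)) next
            iface = $2; sub(/_(in|fwd)$/, "", iface)
            dir = ($2 ~ /_in$/) ? "in" : "fwd"
            seen[iface, dir, tgt] = 1
            ifaces[iface] = 1; targets[tgt] = 1
        }
        END {
            for (i in ifaces) {
                for (t in targets) {
                    if ((i, "in", t) in seen && !((i, "fwd", t) in seen))
                        printf "%s: %s applied to input but not to forwarded traffic\n", i, t
                }
            }
        }' | sort)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed iptables-save excerpt (not a real capture) from a firewall
# hit by the bug: eth0_in gets smurfs and tcpflags, eth0_fwd does not,
# while eth1 is consistent.
SAMPLE_RULES='*filter
:eth0_in - [0:0]
:eth0_fwd - [0:0]
:eth1_in - [0:0]
:eth1_fwd - [0:0]
-A INPUT -i eth0 -j eth0_in
-A FORWARD -i eth0 -j eth0_fwd
-A INPUT -i eth1 -j eth1_in
-A FORWARD -i eth1 -j eth1_fwd
-A eth0_in -j smurfs
-A eth0_in -p tcp -j tcpflags
-A eth0_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
-A eth1_in -j smurfs
-A eth1_in -p tcp -j tcpflags
-A eth1_fwd -j smurfs
-A eth1_fwd -p tcp -j tcpflags
COMMIT'

needs_forward_patch 4.2.5 && echo "4.2.5 is in the affected range"
# On a real firewall:  iptables-save -t filter | forward_parity
printf '%s\n' "$SAMPLE_RULES" | forward_parity ||
    echo "forwarded traffic is not getting the interface options; patch or upgrade"
```

On the firewall itself, feed the live ruleset in with
<span style="font-family: monospace;">iptables-save -t filter | forward_parity</span>;
a clean run prints nothing. The check is only meaningful with more than one
non-firewall zone, since that is the configuration in which the bug occurs, and
it should be repeated after patching and restarting, because the compiled
ruleset does not change until then.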
<h2><a name="Notice">Attention Users of Shorewall's Multi-ISP
Feature</a></h2>
<p>A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and
Shorewall-shell 4.0.0-4.0.2 prevents proper handling of PREROUTING marks when
HIGH_ROUTE_MARKS=No and the <strong>track</strong> option is
specified. Patches are available to correct this problem:</p>
<p>Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: <a
 href="http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff">http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff</a></p>
<p>Shorewall version 3.4.4-3.4.6: <a
 href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.6/errata/patches/Shorewall/patch-3.4.6-1.diff">http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.6/errata/patches/Shorewall/patch-3.4.6-1.diff</a></p>
<p>Shorewall-shell version 4.0.0-4.0.2: <a
 href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff</a></p>
<p>Note that a patch may succeed with an offset when applied to a
release other than the one for which it was specifically prepared. For example,
when the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release
3.2.10) is applied to release 3.4.3, the following is the result:</p>
<pre>root@wookie:~# <strong>cd /usr/share/shorewall</strong>
root@wookie:/usr/share/shorewall# <strong>patch < ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff</strong>
patching file compiler
Hunk #1 succeeded at 958 (offset -1669 lines).
root@wookie:/usr/share/shorewall#</pre>
<p>An offset by itself is harmless: it only means the hunk was found at a
different line. A hunk that applies with fuzz matched only after some of its
context lines were ignored, and the patched file is worth comparing with the
original before the firewall is restarted.</p>
<h3>Update -- 7 November 2007</h3>
<p>A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and
4.0.0-4.0.5 can cause improper handling of PREROUTING and OUTPUT marks
when HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this
problem:</p>
<p>Shorewall version 3.2.3-3.2.11: <a
 href="http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff">http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff</a></p>
<p>Shorewall version 3.4.0-3.4.7: <a
 href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff">http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff</a></p>
<p>Shorewall version 4.0.0-4.0.5, Shorewall-shell: <a
 href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff</a>
and Shorewall-perl: <a
 href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff</a>.</p>
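<p>The following is an added example, not code from the Shorewall project or from
any of the errata patches on this page. It covers the patch step that both the
Shorewall-perl 4.2 notice and this Multi-ISP notice describe: it dry-runs the
patch against the installed file, classifies what patch(1) reports (clean,
offset or fuzz, rejected), refuses to touch the file on a rejection, and keeps a
<span style="font-family: monospace;">.orig</span> backup when it does apply. It
relies only on GNU patch's <span style="font-family: monospace;">--dry-run</span>,
<span style="font-family: monospace;">-N</span> and
<span style="font-family: monospace;">-b</span> options and on the wording of
patch's own messages; the file and diff used in the self-test at the end are
constructed for the example, not a Shorewall patch.</p>

```shell
#!/bin/sh
# Added example, not part of Shorewall or of the patches listed here:
# apply an errata patch to an installed Shorewall file the way the
# notices describe, but dry-run it first, keep a backup, and tell an
# offset from fuzz from an outright rejection.

# Reads patch(1) output on stdin and returns: 0 = every hunk applied at
# its expected place; 2 = applied, but with an offset and/or fuzz;
# 1 = a hunk was rejected or ignored, the file was not found, or the
# patch looks already applied (reversed).
patch_outcome() {
    awk '
        /FAILED|ignored|Reversed|can.t find file|malformed/ { bad = 1 }
        /succeeded at .*\(offset|with fuzz/                { fuzzy = 1 }
        END { exit (bad ? 1 : (fuzzy ? 2 : 0)) }'
}

# apply_patch_checked TARGET PATCHFILE
# Dry-runs first, prints patch's messages so offset/fuzz lines stay
# visible, refuses on rejection, and applies with -b so TARGET.orig is
# left behind for a diff or a rollback. -N stops patch from prompting
# about (or re-applying) an already applied patch.
apply_patch_checked() {
    target=$1
    patchfile=$2
    dry=$(patch --dry-run -N "$target" < "$patchfile" 2>&1) || true
    printf '%s\n' "$dry"
    rc=0
    printf '%s\n' "$dry" | patch_outcome || rc=$?
    case $rc in
        1) echo "not applying: $patchfile does not fit $target (see messages above)" >&2
           return 1 ;;
        2) echo "note: hunks moved or matched with fuzz; compare $target.orig with $target afterwards" >&2 ;;
    esac
    patch -b -N "$target" < "$patchfile"
}

# Self-contained demonstration on a constructed file and diff (not a
# Shorewall patch): the hunk is written as if "old line" were line 2,
# but it sits at line 4, so patch reports an offset and the wrapper
# flags it while still applying. Skips quietly if patch(1) is absent.
demo() {
    command -v patch >/dev/null 2>&1 || { echo "patch(1) not installed; skipping demo"; return 0; }
    d=$(mktemp -d) || return 1
    printf '%s\n' 'alpha' 'beta' 'gamma' 'old line' 'delta' > "$d/target"
    printf '%s\n' '--- target' '+++ target' '@@ -1,3 +1,3 @@' \
                  ' gamma' '-old line' '+new line' ' delta' > "$d/fix.diff"
    apply_patch_checked "$d/target" "$d/fix.diff"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "demo did not apply cleanly"
```

For the notices on this page the call is, for instance,
<span style="font-family: monospace;">apply_patch_checked /usr/share/shorewall-perl/Shorewall/Rules.pm forward.patch</span>
or, from <span style="font-family: monospace;">/usr/share/shorewall</span>,
<span style="font-family: monospace;">apply_patch_checked compiler patch-3.2.10-2.diff</span>.
Either way the change reaches the running firewall only after
<span style="font-family: monospace;">shorewall restart</span> recompiles it, and
the <span style="font-family: monospace;">.orig</span> file is what to restore if
that compile fails.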
<hr>
<h2><a name="Notice1">Attention Users of BRIDGING=Yes</a></h2>
<p>In Linux kernel version 2.6.20, the Netfilter team changed the physdev
match so that it is no longer capable of supporting BRIDGING=Yes. The
solutions available to users are to either:</p>
<ol>
  <li>Switch to using the technique described at <a
 href="http://www.shorewall.net/3.0/NewBridge.html">http://www.shorewall.net/3.0/NewBridge.html</a>;
or<br>
  </li>
  <li>Upgrade to Shorewall 4.0, migrate to using Shorewall-perl, and
follow the instructions at <a
 href="http://www1.shorewall.net/bridge-Shorewall-perl.html">http://www1.shorewall.net/bridge-Shorewall-perl.html</a>.
  </li>
</ol>
<p>The first approach allows you to switch back and forth between
kernels older and newer than 2.6.20. The second approach is a better long-term
solution.</p>
<hr style="width: 100%; height: 2px;">
<h2><a name="Kernel2.4"></a>Attention Users of Kernel 2.4</h2>
The Shorewall developers do not test Shorewall running on kernel 2.4
and we make no representation about the functionality of Shorewall on
that kernel. Any failure of Shorewall on kernel 2.4 will not be
investigated by the Shorewall team.<br>
<hr>
Copyright © 2001-2009 Thomas M. Eastep<br>
<br>
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of
the license is included in the section entitled <span
 style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
 target="_self">GNU Free Documentation License</a>".
</body>
</html>