<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<articleinfo>
<title>Shorewall Errata</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-08-30</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<itemizedlist>
<listitem>
<para>If you use a Windows system to download a corrected script, be
sure to run the script through <ulink
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
after you have moved it to your Linux system.</para>
</listitem>
<listitem>
<para>If you are installing Shorewall for the first time and plan to
use the .tgz and install.sh script, you can untar the archive, replace
the <quote>firewall</quote> script in the untarred directory with the
one you downloaded below, and then run install.sh.</para>
</listitem>
<listitem>
<para>When the instructions say to install a corrected firewall script
in /usr/share/shorewall/firewall, you may rename the existing file
before copying in the new file.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW.</emphasis> For example, do NOT install the 1.3.9a firewall
script if you are running 1.3.7c.</para>
</listitem>
</itemizedlist>
</caution>
<section>
<title>RFC1918 File</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
is the most up-to-date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
</section>
<section>
<title>Problems in Version 1.4</title>
<section>
<title>Shorewall 1.4.10f</title>
<itemizedlist>
<listitem>
<para>Slackware users find that version 1.4.10f fails to start
because their <command>mktemp</command> utility does not support the
-d option. This may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/functions">this
corrected <filename>functions</filename> file</ulink> as <filename
class="directory">/var/lib/shorewall/functions</filename>.</para>
</listitem>
<listitem>
<para>Shorewall fails to start if there is no
<command>mktemp</command> utility at all.</para>
</listitem>
</itemizedlist>
<para>Both problems have been corrected in Shorewall version
1.4.10g.</para>
</section>
<section>
<title>Shorewall 1.4.10</title>
<itemizedlist>
<listitem>
<para>Unexplained errors may occur during <quote>shorewall [re]start</quote> when
the /etc/shorewall/masq file is being processed.</para>
</listitem>
<listitem>
<para>The <emphasis role="bold">maclist</emphasis> interface option
previously wasn't available on Atheros WiFi cards.</para>
</listitem>
<listitem>
<para>In the /etc/shorewall/masq entry <quote>eth0:!10.1.1.150
0.0.0.0/0!10.1.0.0/16 10.1.2.16</quote>, the <quote>!10.1.0.0/16</quote>
exclusion is ignored, so hosts in 10.1.0.0/16 are masqueraded as
well.</para>
</listitem>
<listitem>
<para>A startup error occurs if an entry in the tcrules file has an
empty USER/GROUP column.</para>
</listitem>
<listitem>
<para>Specifying multiple excluded source zones in a REDIRECT or
DNAT rule produces a startup error. Example of a problem
rule:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para>
</listitem>
<listitem>
<para>When using an Action in the ACTION column of a rule, you may
receive a warning message about the rule being a policy. The
warning may be safely ignored; it is eliminated by installing
the updated script linked below.</para>
</listitem>
<listitem>
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.</para>
</listitem>
<listitem>
<para>A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories was found by
Javier Fernández-Sanguino Peña.</para>
</listitem>
</itemizedlist>
<para>The first seven problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/firewall">this
firewall script</ulink>, which may be installed in
/usr/share/shorewall/firewall as described above. The temporary-file
vulnerability (the eighth item) is not addressed by that script; upgrade
to 1.4.10f or later to obtain that fix.</para>
<para>The first two problem corrections were included in Shorewall
update 1.4.10a.</para>
<para>The first three problem corrections were included in Shorewall
update 1.4.10b.</para>
<para>The first four problem corrections were included in Shorewall
update 1.4.10c.</para>
<para>The first six problem corrections were included in Shorewall
update 1.4.10d.</para>
<para>The first seven problem corrections were included in Shorewall
update 1.4.10e.</para>
<para>All problem corrections were included in Shorewall update
1.4.10f.</para>
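<para>The two <command>mktemp</command> problems listed under 1.4.10f and
the temporary-file vulnerability listed as the eighth item above are two
sides of one requirement: a firewall script must create its scratch
directory unpredictably and atomically, yet still work where
<command>mktemp</command> is absent or lacks <quote>-d</quote>. The
following POSIX sh function is an added illustration written for this
page; it is not Shorewall's own code and does not show how Shorewall
fixed the problem. It prefers <command>mktemp -d</command>, falls back to
an atomic <command>mkdir</command> loop with a random suffix, and refuses
the result unless it is a real, owner-private (mode 0700) directory. The
name <quote>make_private_tmpdir</quote> and the optional
<quote>nomktemp</quote> argument, which forces the fallback path, are this
example's own.</para>

```shell
#!/bin/sh
# make_private_tmpdir PREFIX [nomktemp]
#
# Prints the path of a freshly created, owner-only (0700) scratch directory
# under $TMPDIR (default /tmp). Added example; not Shorewall's own code.
# POSIX sh has no "local", so the variables carry an "mpt_" prefix to avoid
# clobbering the caller's names.
make_private_tmpdir() {
    mpt_prefix=${1:-shorewall}
    mpt_base=${TMPDIR:-/tmp}
    mpt_dir=

    # Create with a restrictive umask so the directory is 0700 from the start;
    # a later chmod would leave a window in which others could enter it.
    mpt_old_umask=$(umask)
    umask 077

    # Preferred path: mktemp -d picks an unpredictable name and creates it
    # atomically. "nomktemp" is a hypothetical switch for this example that
    # simulates a system whose mktemp is missing or has no -d option.
    if [ "${2:-}" != nomktemp ] && command -v mktemp >/dev/null 2>&1; then
        mpt_dir=$(mktemp -d "$mpt_base/$mpt_prefix.XXXXXX" 2>/dev/null) || mpt_dir=
    fi

    # Fallback: random suffix plus plain mkdir, which fails rather than
    # reusing a path an attacker pre-planted (a symlink or a world-writable
    # directory at a guessable name such as /tmp/shorewall-$$). If no entropy
    # source is available we fail closed instead of using a predictable name.
    if [ -z "$mpt_dir" ]; then
        mpt_try=0
        while [ "$mpt_try" -lt 20 ]; do
            mpt_rand=$(od -An -N4 -tu4 /dev/urandom 2>/dev/null | tr -d ' ')
            [ -n "$mpt_rand" ] || break
            mpt_cand="$mpt_base/$mpt_prefix.$mpt_rand"
            if mkdir "$mpt_cand" 2>/dev/null; then
                mpt_dir=$mpt_cand
                break
            fi
            mpt_try=$((mpt_try + 1))
        done
    fi

    umask "$mpt_old_umask"
    [ -n "$mpt_dir" ] || return 1

    # Post-condition check: a real directory (not a symlink), owned by us,
    # and not readable, writable or searchable by anyone else.
    if [ -L "$mpt_dir" ] || [ ! -d "$mpt_dir" ] || [ ! -O "$mpt_dir" ]; then
        return 1
    fi
    case $(ls -ld "$mpt_dir" | cut -c1-10) in
        drwx------) ;;
        *) rmdir "$mpt_dir" 2>/dev/null; return 1 ;;
    esac

    printf '%s\n' "$mpt_dir"
}

# Demonstration: create a directory each way, then clean up.
if mpt_demo=$(make_private_tmpdir shorewall); then
    echo "mktemp path:   $mpt_demo"
    rmdir "$mpt_demo"
fi
if mpt_demo=$(make_private_tmpdir shorewall nomktemp); then
    echo "fallback path: $mpt_demo"
    rmdir "$mpt_demo"
fi
```

<para>The fallback deliberately uses <command>mkdir</command> without
<quote>-p</quote>: <command>mkdir -p</command> succeeds when the path
already exists, which is exactly the case an attacker arranges, whereas a
plain <command>mkdir</command> on POSIX filesystems either creates the
directory or fails, with no window in between. The final ownership and mode
check catches the remaining ways a scratch directory can be wrong, such as
a permissive <command>mktemp</command> implementation or a
<command>TMPDIR</command> pointing at a path the caller does not own.</para>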
</section>
<section>
<title>Shorewall 1.4.9</title>
<itemizedlist>
<listitem>
<para>The column descriptions in the action.template file did not
match the column headings.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.9/action.template">this
action.template file</ulink>, which may be installed in
/etc/shorewall.</para>
<itemizedlist>
<listitem>
<para>The presence of IPv6 addresses on devices generates error
messages during <command>[re]start</command> if ADD_IP_ALIASES=Yes
or ADD_SNAT_ALIASES=Yes is specified in
/etc/shorewall/shorewall.conf.</para>
</listitem>
<listitem>
<para>Unexplained errors may occur during <quote>shorewall [re]start</quote> when
the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.9/firewall">this
firewall script</ulink>, which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 1.4.8</title>
<itemizedlist>
<listitem>
<para>When a DNAT rule specifies SNAT (i.e., when
<quote>&lt;original dest addr&gt;:&lt;SNAT addr&gt;</quote> is given in the
ORIGINAL DEST column), the SNAT specification is effectively ignored in
some cases.</para>
</listitem>
<listitem>
<para>Unexplained errors may occur during <quote>shorewall [re]start</quote> when
the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
firewall script</ulink>, which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 1.4.7</title>
<itemizedlist>
<listitem>
<para>Using some versions of <quote>ash</quote> (such as the one shipped
with RH8) as the SHOREWALL_SHELL causes <quote>shorewall [re]start</quote> to
fail with:<programlisting>local: --limit: bad variable name
iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.</programlisting></para>
</listitem>
<listitem>
<para>When more than one ICMP type is listed in a rule and your
kernel includes multiport match support, the firewall fails to
start.</para>
</listitem>
<listitem>
<para>Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.</para>
</listitem>
<listitem>
<para>After the following error message, Shorewall was left in an
inconsistent state:<programlisting>Error: Unable to determine the routes through interface xxx</programlisting></para>
</listitem>
<listitem>
<para>When a DNAT rule specifies SNAT (i.e., when
<quote>&lt;original dest addr&gt;:&lt;SNAT addr&gt;</quote> is given in the
ORIGINAL DEST column), the SNAT specification is effectively ignored in
some cases.</para>
</listitem>
<listitem>
<para>Unexplained errors may occur during <quote>shorewall [re]start</quote> when
the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">this
firewall script</ulink>, which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 1.4.6</title>
<itemizedlist>
<listitem>
<para>If TC_ENABLED is set to Yes in shorewall.conf, Shorewall
fails to start with the error <quote>ERROR: Traffic
Control requires Mangle</quote>. That problem has been corrected in
<ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</ulink>, which may be installed in
/usr/share/shorewall/firewall as described above. This problem is
also corrected in bugfix release 1.4.6a.</para>
</listitem>
<listitem>
<para>This problem occurs in all versions supporting traffic
control. If a MAC address is used in the SOURCE column of
/etc/shorewall/tcrules, an error occurs as follows:</para>
<programlisting>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</programlisting>
<para>For Shorewall 1.4.6 and 1.4.6a users, this problem has been
corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</ulink>, which may be installed in
/usr/share/shorewall/firewall as described above. For all other
versions, you will have to edit your <quote>firewall</quote> script
(in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:<programlisting>r=`mac_match $source`</programlisting> with<programlisting>r="`mac_match $source` "</programlisting> Note
that there must be a space before the ending quote; without it the
MAC match runs into the following <quote>-d</quote> argument, which is
what produces the error above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.4b</title>
<itemizedlist>
<listitem>
<para>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be
corrected by installing <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall">this
firewall script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
<listitem>
<para>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by
installing <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions">this
functions script</ulink> in /usr/share/shorewall/functions.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.4-1.4.4a</title>
<itemizedlist>
<listitem>
<para>Log messages are being displayed on the system console even
though the log level for the console is set properly according to
FAQ 16. This problem may be corrected by installing <ulink
url="???">this firewall script</ulink> in
/usr/share/shorewall/firewall as described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.4</title>
<itemizedlist>
<listitem>
<para>If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.3</title>
<itemizedlist>
<listitem>
<para>The LOGMARKER variable introduced in version 1.4.3 was
intended to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved
part of the integration problem. I have implemented a new LOGFORMAT
variable, which replaces LOGMARKER, completely solves this problem
and is currently in production with fireparse here at
shorewall.net. The updated files may be found at <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</ulink>.
See the 0README.txt file for details.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.2</title>
<itemizedlist>
<listitem>
<para>When an <quote>add</quote> or <quote>delete</quote> command is
executed, a temporary directory created in /tmp is not being
removed. This problem may be corrected by installing <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall">this
firewall script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.1a, 1.4.1 and 1.4.0</title>
<itemizedlist>
<listitem>
<para>Some TCP requests are rejected in the <quote>common</quote>
chain with an ICMP port-unreachable response rather than the more
appropriate TCP RST response. This problem is corrected in <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def">this
updated common.def file</ulink>, which may be installed in
/etc/shorewall/common.def.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.1</title>
<itemizedlist>
<listitem>
<para>When a <quote>shorewall check</quote> command is executed,
each <quote>rule</quote> produces the harmless additional
message:<programlisting>/usr/share/shorewall/firewall: line 2174: [: =: unary operator expected</programlisting> You
may correct the problem by installing <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall">this
corrected script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.0</title>
<itemizedlist>
<listitem>
<para>When running under certain shells, Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either remove /etc/shorewall/ecn or install <ulink
url="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
corrected script</ulink> in /usr/share/shorewall/firewall as described
above.</para>
</listitem>
</itemizedlist>
</section>
</section>
<section>
<title>Upgrade Issues</title>
<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
separate page</ulink>.</para>
</section>
<section>
<title>Problem with iptables version 1.2.3</title>
<para>There are a couple of serious bugs in iptables 1.2.3 that prevent it
from working with Shorewall. Regrettably, RedHat shipped this buggy
iptables in RedHat 7.2.</para>
<para>I have built a <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">corrected
1.2.3 rpm which you can download here</ulink> and I have also built
an <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">iptables-1.2.4
rpm which you can download here</ulink>. If you are currently running
RedHat 7.1, you can install either of these RPMs before you upgrade to
RedHat 7.2.</para>
<para><emphasis role="bold">Update 11/9/2001:</emphasis> RedHat has
released an iptables-1.2.4 RPM of their own which you can download from
<ulink
url="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</ulink>. I
have installed this RPM on my firewall and it works fine.</para>
<para>If you would like to patch iptables 1.2.3 yourself, the patches are
available for download. This <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</ulink>
corrects a problem with parsing of the --log-level specification,
while this <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</ulink>
corrects a problem in handling the TOS target.</para>
<para>To install one of the above patches:<programlisting>cd iptables-1.2.3/extensions
patch -p0 &lt; the-patch-file</programlisting></para>
</section>
<section>
<title>Problems with kernels &gt;= 2.4.18 and RedHat iptables</title>
<para>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</para>
<blockquote>
<programlisting># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)</programlisting>
</blockquote>
<para>The RedHat iptables RPM is compiled with debugging enabled, but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter <quote>mangle</quote> table (the assertion still expects the
table to have only the PREROUTING and OUTPUT hooks). You can correct the
problem by installing <ulink
url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this
iptables RPM</ulink>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
<quote>rpm -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm</quote>).</para>
</section>
<section>
<title>Problems with iptables version 1.2.7 and MULTIPORT=Yes</title>
<para>iptables 1.2.7 made an incompatible change to the syntax used to
specify multiport match rules; as a consequence, if you install iptables
1.2.7 you must be running Shorewall 1.3.7a or later, or else:</para>
<itemizedlist>
<listitem>
<para>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or</para>
</listitem>
<listitem>
<para>if you are running Shorewall 1.3.6, install <ulink
url="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">this
firewall script</ulink> in /usr/lib/shorewall/firewall as described
above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Problems with RH Kernel 2.4.18-10 and NAT</title>
<para>/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
192.0.2.22 eth0 192.168.9.22 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>The error message is:</para>
<programlisting>Setting up NAT...
iptables: Invalid argument
Terminated</programlisting>
<para>The solution is to put <quote>no</quote> in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
it. The 2.4.19 kernel contains corrected support under a new kernel
configuration option; see <ulink
url="http://www.shorewall.net/Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</ulink>.</para>
</section>
<section>
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)</title>
<para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
<ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<note>
<para>RedHat have corrected this problem in their 2.4.20-27.x
kernels.</para>
</note>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.9</revnumber>
<date>2004-03-20</date>
<authorinitials>TE</authorinitials>
<revremark>Proxy ARP/IPSEC fix.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2004-03-04</date>
<authorinitials>TE</authorinitials>
<revremark>Multiple excluded zones problem.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-15</date>
<authorinitials>TE</authorinitials>
<revremark>TCrules file problem.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-09</date>
<authorinitials>TE</authorinitials>
<revremark>Masq file exclusion problem.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Startup Problem</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2004-01-19</date>
<authorinitials>TE</authorinitials>
<revremark>IPv6 address problems. Make RFC1918 file section more
prominent.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-14</date>
<authorinitials>TE</authorinitials>
<revremark>Confusing template file in 1.4.9</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-03</date>
<authorinitials>TE</authorinitials>
<revremark>Added note about REJECT RedHat Kernel problem being
corrected.</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-29</date>
<authorinitials>TE</authorinitials>
<revremark>Updated RFC1918 file</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-17</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Conversion to Docbook XML</revremark>
</revision>
</revhistory></para>
</appendix>
</article>