2002-08-13 22:45:21 +02:00
|
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
|
|
<html>
|
|
|
|
|
|
<head>
|
2002-09-29 23:42:38 +02:00
|
|
|
|
|
|
|
|
|
|
<meta http-equiv="Content-Type"
|
|
|
|
|
|
content="text/html; charset=windows-1252">
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<title>Shorewall 1.3 Errata</title>
|
2002-09-29 23:42:38 +02:00
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
2002-09-29 23:42:38 +02:00
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
2002-09-29 23:42:38 +02:00
|
|
|
|
|
2002-08-22 23:21:41 +02:00
|
|
|
|
<meta name="Microsoft Theme" content="none">
|
2002-08-13 22:45:21 +02:00
|
|
|
|
</head>
|
2002-09-29 23:42:38 +02:00
|
|
|
|
<body>
|
|
|
|
|
|
|
|
|
|
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
|
|
|
|
|
bgcolor="#400169" height="90">
|
|
|
|
|
|
<tbody>
|
|
|
|
|
|
<tr>
|
|
|
|
|
|
<td width="100%">
|
|
|
|
|
|
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
|
|
|
|
|
|
</td>
|
|
|
|
|
|
</tr>
|
|
|
|
|
|
|
|
|
|
|
|
</tbody>
|
|
|
|
|
|
</table>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="center"> <b><u>IMPORTANT</u></b></p>
|
|
|
|
|
|
|
|
|
|
|
|
<ol>
|
|
|
|
|
|
<li>
|
|
|
|
|
|
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
|
|
|
|
|
a corrected script, be sure to run the script through <u> <a
|
|
|
|
|
|
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
|
|
|
|
|
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
|
|
|
|
|
it to your Linux system.</b></p>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li>
|
|
|
|
|
|
<p align="left"> <b>If you are installing Shorewall for the
|
|
|
|
|
|
first time and plan to use the .tgz and install.sh script, you can
|
|
|
|
|
|
untar the archive, replace the 'firewall' script in the untarred directory
|
|
|
|
|
|
with the one you downloaded below, and then run install.sh.</b></p>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li>
|
|
|
|
|
|
<p align="left"> <b>When the instructions say to install a corrected
|
|
|
|
|
|
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
|
|
|
|
|
|
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
|
|
|
|
|
|
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
|
|
|
|
|
|
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
|
|
|
|
|
|
and /var/lib/shorewall/firewall are symbolic links that point
|
|
|
|
|
|
to the 'shorewall' file used by your system initialization scripts to
|
|
|
|
|
|
start Shorewall during boot. It is that file that must be overwritten
|
|
|
|
|
|
with the corrected script. </b></p>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
|
|
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
|
|
|
|
|
<li> <b><a href="#V1.3">Problems in Version
|
|
|
|
|
|
1.3</a></b></li>
|
|
|
|
|
|
<li> <b><a href="errata_2.htm">Problems
|
|
|
|
|
|
in Version 1.2</a></b></li>
|
|
|
|
|
|
<li> <b><font color="#660066"> <a
|
|
|
|
|
|
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
|
|
|
|
|
<li> <b><font color="#660066"><a
|
|
|
|
|
|
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
|
|
|
|
|
|
<li> <b><a href="#Debug">Problems with kernels
|
|
|
|
|
|
>= 2.4.18 and RedHat iptables</a></b></li>
|
|
|
|
|
|
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
|
|
|
|
|
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
|
|
|
|
|
|
MULTIPORT=Yes</a></b></li>
|
|
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<hr>
|
|
|
|
|
|
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
|
|
|
|
|
|
|
|
|
|
|
|
<h3>Version 1.3.8</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
|
|
|
|
|
|
policy file doesn't work.</li>
|
|
|
|
|
|
<li>A DNAT rule with the same original and new IP addresses but with different
|
|
|
|
|
|
port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
</li>
|
2002-09-29 23:42:38 +02:00
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
Installing <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
|
|
|
|
|
|
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
|
|
|
|
|
as described above corrects these problems.
|
|
|
|
|
|
|
|
|
|
|
|
<h3>Version 1.3.7b</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>DNAT rules where the source zone is 'fw' ($FW)
|
|
|
|
|
|
result in an error message. Installing
|
|
|
|
|
|
<a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
|
|
|
|
|
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
|
|
|
|
|
as described above corrects this problem.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3>Version 1.3.7a</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>"shorewall refresh" is not creating the proper
|
|
|
|
|
|
rule for FORWARDPING=Yes. Consequently, after
|
|
|
|
|
|
"shorewall refresh", the firewall will not forward
|
|
|
|
|
|
icmp echo-request (ping) packets. Installing
|
|
|
|
|
|
<a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
|
|
|
|
|
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
|
|
|
|
|
as described above corrects this problem.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3>Version <= 1.3.7a</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>If "norfc1918" and "dhcp" are both specified as
|
|
|
|
|
|
options on a given interface then RFC 1918
|
|
|
|
|
|
checking is occurring before DHCP checking. This
|
|
|
|
|
|
means that if a DHCP client broadcasts using an
|
|
|
|
|
|
RFC 1918 source address, then the firewall will
|
|
|
|
|
|
reject the broadcast (usually logging it). This
|
|
|
|
|
|
has two problems:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<ol>
|
|
|
|
|
|
<li>If the firewall is running a DHCP
|
|
|
|
|
|
server, the client won't be able to obtain
|
|
|
|
|
|
an IP address lease from that server.</li>
|
|
|
|
|
|
<li>With this order of checking, the "dhcp"
|
|
|
|
|
|
option cannot be used as a noise-reduction
|
|
|
|
|
|
measure where there are both dynamic and
|
|
|
|
|
|
static clients on a LAN segment.</li>
|
|
|
|
|
|
|
|
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
|
|
|
|
<p> <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
|
|
|
|
|
This version of the 1.3.7a firewall script </a>
|
|
|
|
|
|
corrects the problem. It must be installed
|
|
|
|
|
|
in /var/lib/shorewall as described above.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3>Version 1.3.7</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Version 1.3.7 dead on arrival -- please use
|
|
|
|
|
|
version 1.3.7a and check your version against
|
|
|
|
|
|
these md5sums -- if there's a difference, please
|
|
|
|
|
|
download again.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
|
|
|
|
|
|
|
|
|
|
|
|
<p>In other words, type "md5sum <<i>whatever package you downloaded</i>>
|
|
|
|
|
|
and compare the result with what you see above.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
|
|
|
|
|
|
.7 version in each sequence from now on.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.6</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li>
|
|
|
|
|
|
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
|
|
|
|
|
|
an error occurs when the firewall script attempts to add an SNAT
|
|
|
|
|
|
alias. </p>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li>
|
|
|
|
|
|
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
|
|
|
|
|
|
cause errors during startup when Shorewall is run with iptables
|
|
|
|
|
|
1.2.7. </p>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">These problems are fixed in <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
|
|
|
|
|
this correct firewall script</a> which must be installed in
|
|
|
|
|
|
/var/lib/shorewall/ as described above. These problems are also
|
|
|
|
|
|
corrected in version 1.3.7.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">A line was inadvertently deleted from the "interfaces
|
|
|
|
|
|
file" -- this line should be added back in if the version that you
|
|
|
|
|
|
downloaded is missing it:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">net<EFBFBD><EFBFBD><EFBFBD> eth0<68><30><EFBFBD> detect<63><74><EFBFBD> routefilter,dhcp,norfc1918</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">If you downloaded two-interfaces-a.tgz then the above
|
|
|
|
|
|
line should already be in the file.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.5-1.3.5b</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">The new 'proxyarp' interface option doesn't work :-(
|
|
|
|
|
|
This is fixed in <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
|
|
|
|
|
this corrected firewall script</a> which must be installed in
|
|
|
|
|
|
/var/lib/shorewall/ as described above.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">Prior to version 1.3.4, host file entries such as the
|
|
|
|
|
|
following were allowed:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<div align="left">
|
|
|
|
|
|
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
|
|
<div align="left">
|
|
|
|
|
|
<p align="left">That capability was lost in version 1.3.4 so that it is only
|
|
|
|
|
|
possible to<74> include a single host specification on each line. This
|
|
|
|
|
|
problem is corrected by <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
|
|
|
|
|
|
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
|
|
|
|
|
|
as instructed above.</p>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
|
|
<div align="left">
|
|
|
|
|
|
<p align="left">This problem is corrected in version 1.3.5b.</p>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.5</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">REDIRECT rules are broken in this version. Install
|
|
|
|
|
|
<a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
|
|
|
|
|
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
|
|
|
|
|
|
as instructed above. This problem is corrected in version 1.3.5a.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.n, n < 4</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">The "shorewall start" and "shorewall restart" commands
|
|
|
|
|
|
to not verify that the zones named in the /etc/shorewall/policy
|
|
|
|
|
|
file have been previously defined in the /etc/shorewall/zones
|
|
|
|
|
|
file. The "shorewall check" command does perform this verification
|
|
|
|
|
|
so it's a good idea to run that command after you have made configuration
|
|
|
|
|
|
changes.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.n, n < 3</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">If you have upgraded from Shorewall 1.2 and after
|
|
|
|
|
|
"Activating rules..." you see the message: "iptables: No chains/target/match
|
|
|
|
|
|
by that name" then you probably have an entry in /etc/shorewall/hosts
|
|
|
|
|
|
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
|
|
|
|
|
|
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
|
|
|
|
|
|
Shorewall 1.3.3 and later versions produce a clearer error message
|
|
|
|
|
|
in this case.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.2</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
|
|
|
|
|
|
download sites contained an incorrect version of the .lrp file. That
|
|
|
|
|
|
file can be identified by its size (56284 bytes). The correct
|
|
|
|
|
|
version has a size of 38126 bytes.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li>The code to detect a duplicate interface entry in
|
|
|
|
|
|
/etc/shorewall/interfaces contained a typo that prevented it from
|
|
|
|
|
|
working correctly. </li>
|
|
|
|
|
|
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
|
|
|
|
|
|
"NAT_BEFORE_RULES=Yes".</li>
|
|
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">Both problems are corrected in <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
|
|
|
|
|
|
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
|
|
|
|
|
|
as described above.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li>
|
|
|
|
|
|
<p align="left">The IANA have just announced the allocation of subnet
|
|
|
|
|
|
221.0.0.0/8. This <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
|
|
|
|
|
|
updated rfc1918</a> file reflects that allocation.</p>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
|
2002-08-22 23:21:41 +02:00
|
|
|
|
</ul>
|
2002-09-29 23:42:38 +02:00
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.1</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li>TCP SYN packets may be double counted when
|
|
|
|
|
|
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
|
|
|
|
|
|
packet is sent through the limit chain twice).</li>
|
|
|
|
|
|
<li>An unnecessary jump to the policy chain is sometimes
|
2002-08-13 22:45:21 +02:00
|
|
|
|
generated for a CONTINUE policy.</li>
|
2002-09-29 23:42:38 +02:00
|
|
|
|
<li>When an option is given for more than one interface in
|
|
|
|
|
|
/etc/shorewall/interfaces then depending on the option, Shorewall
|
|
|
|
|
|
may ignore all but the first appearence of the option. For
|
|
|
|
|
|
example:<br>
|
|
|
|
|
|
<br>
|
|
|
|
|
|
net<65><74><EFBFBD> eth0<68><30><EFBFBD> dhcp<br>
|
|
|
|
|
|
loc<6F><63><EFBFBD> eth1<68><31><EFBFBD> dhcp<br>
|
|
|
|
|
|
<br>
|
|
|
|
|
|
Shorewall will ignore the 'dhcp' on eth1.</li>
|
|
|
|
|
|
<li>Update 17 June 2002 - The bug described in the prior bullet
|
|
|
|
|
|
affects the following options: dhcp, dropunclean, logunclean,
|
|
|
|
|
|
norfc1918, routefilter, multi, filterping and noping. An additional
|
|
|
|
|
|
bug has been found that affects only the 'routestopped' option.<br>
|
|
|
|
|
|
<br>
|
|
|
|
|
|
Users who downloaded the corrected script prior to 1850 GMT
|
|
|
|
|
|
today should download and install the corrected script again
|
|
|
|
|
|
to ensure that this second problem is corrected.</li>
|
|
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">These problems are corrected in <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
|
|
|
|
|
|
this firewall script</a> which should be installed in /etc/shorewall/firewall
|
|
|
|
|
|
as described above.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 align="left">Version 1.3.0</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li>Folks who downloaded 1.3.0 from the links on the download
|
|
|
|
|
|
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
|
|
|
|
|
|
rather than 1.3.0. The "shorewall version" command will tell
|
|
|
|
|
|
you which version that you have installed.</li>
|
|
|
|
|
|
<li>The documentation NAT.htm file uses non-existent
|
|
|
|
|
|
wallpaper and bullet graphic files. The <a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
|
|
|
|
|
|
corrected version is here</a>.</li>
|
|
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<hr>
|
|
|
|
|
|
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">The upgrade issues have moved to <a
|
|
|
|
|
|
href="upgrade_issues.htm">a separate page</a>.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<hr>
|
|
|
|
|
|
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
|
|
|
|
|
|
iptables version 1.2.3</font></h3>
|
|
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
|
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
|
|
|
|
|
|
prevent it from working with Shorewall. Regrettably, RedHat released
|
|
|
|
|
|
this buggy iptables in RedHat 7.2.<2E></p>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left"> I have built a <a
|
|
|
|
|
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
|
|
|
|
|
corrected 1.2.3 rpm which you can download here</a><EFBFBD> and I have also built
|
|
|
|
|
|
an <a
|
|
|
|
|
|
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
|
|
|
|
|
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
|
|
|
|
|
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
|
|
|
|
|
</b>you upgrade to RedHat 7.2.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
|
|
|
|
|
has released an iptables-1.2.4 RPM of their own which you can download
|
|
|
|
|
|
from<font color="#ff6633"> <a
|
|
|
|
|
|
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
|
|
|
|
|
</font>I have installed this RPM on my firewall and it works fine.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
|
|
|
|
|
the patches are available for download. This <a
|
|
|
|
|
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
|
|
|
|
|
which corrects a problem with parsing of the --log-level specification
|
|
|
|
|
|
while this <a
|
|
|
|
|
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
|
|
|
|
|
corrects a problem in handling the<68> TOS target.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p align="left">To install one of the above patches:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li>cd iptables-1.2.3/extensions</li>
|
|
|
|
|
|
<li>patch -p0 < <i>the-patch-file</i></li>
|
|
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
|
|
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18
|
|
|
|
|
|
and RedHat iptables</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
|
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
|
|
|
|
|
|
may experience the following:</p>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
|
2002-09-29 23:42:38 +02:00
|
|
|
|
<blockquote>
|
|
|
|
|
|
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br></pre>
|
|
|
|
|
|
</blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
|
2002-09-29 23:42:38 +02:00
|
|
|
|
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
|
|
|
|
|
user-space debugging code was not updated to reflect recent changes in
|
|
|
|
|
|
the Netfilter 'mangle' table. You can correct the problem by installing
|
|
|
|
|
|
<a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
|
|
|
|
|
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
|
|
|
|
|
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
|
|
|
|
|
|
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
|
|
<h3><a name="SuSE"></a>Problems installing/upgrading
|
|
|
|
|
|
RPM on SuSE</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>If you find that rpm complains about a conflict
|
|
|
|
|
|
with kernel <= 2.2 yet you have a 2.4 kernel
|
|
|
|
|
|
installed, simply use the "--nodeps" option to
|
|
|
|
|
|
rpm.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Installing: rpm -ivh --nodeps <i><shorewall rpm></i></p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Upgrading: rpm -Uvh --nodeps <i><shorewall rpm></i></p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3><a name="Multiport"></a><b>Problems with
|
|
|
|
|
|
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>The iptables 1.2.7 release of iptables has made
|
|
|
|
|
|
an incompatible change to the syntax used to
|
|
|
|
|
|
specify multiport match rules; as a consequence,
|
|
|
|
|
|
if you install iptables 1.2.7 you must be running
|
|
|
|
|
|
Shorewall 1.3.7a or later or:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
|
<li>set MULTIPORT=No in
|
|
|
|
|
|
/etc/shorewall/shorewall.conf; or </li>
|
|
|
|
|
|
<li>if you are running Shorewall 1.3.6
|
|
|
|
|
|
you may install
|
|
|
|
|
|
<a
|
|
|
|
|
|
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
|
|
|
|
|
this firewall script</a> in /var/lib/shorewall/firewall
|
|
|
|
|
|
as described above.</li>
|
|
|
|
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
<p><font size="2"> Last updated 9/28/2002 -
|
|
|
|
|
|
<a href="support.htm">Tom Eastep</a></font> </p>
|
|
|
|
|
|
|
|
|
|
|
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
|
|
|
|
|
<20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
|
|
|
|
|
<br>
|
|
|
|
|
|
<br>
|
|
|
|
|
|
<br>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
</body>
|
2002-09-29 23:42:38 +02:00
|
|
|
|
</html>
|
