2010-07-15 22:26:42 +02:00
|
|
|
1) In all versions of Shorewall6 lite, the 'shorecap' program is
|
|
|
|
using the 'iptables' program rather than the 'ip6tables' program.
|
|
|
|
This causes many capabilities that are not available in IPv6 to
|
|
|
|
be incorrectly reported as available.
|
|
|
|
|
|
|
|
This results in errors such as:
|
|
|
|
|
|
|
|
ip6tables-restore v1.4.2: Couldn't load match `addrtype':
|
|
|
|
/lib/xtables/libip6t_addrtype.so: cannot open shared
|
|
|
|
object file: No such file or directory
|
|
|
|
|
|
|
|
To work around this problem, on the administrative system:
|
|
|
|
|
|
|
|
a) Remove the incorrect capabilties file.
|
|
|
|
b) In shorewall6.conf, set the IP6TABLES option to the
|
|
|
|
path name of ip6tables on the firewall (example:
|
|
|
|
IP6TABLES=/sbin/ip6tables).
|
|
|
|
c) 'shorewall6 load <firewall>'.
|
2010-07-16 18:31:37 +02:00
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
Corrected in Shorewall 4.4.11.1
|
|
|
|
|
2010-07-16 18:31:37 +02:00
|
|
|
2) In a number of cases, Shorewall6 generates incorrect rules
|
|
|
|
involving the IPv6 multicast network. The rules specify
|
2010-07-16 19:16:57 +02:00
|
|
|
ff00::/10 where they should specify ff00::/8. Also, rules
|
|
|
|
instantiated when the IPv6 firewall is stopped use ff80::/10 rather
|
2010-07-21 17:49:09 +02:00
|
|
|
than fe80::/10 (IPv6 link local network).
|
2010-07-16 18:31:37 +02:00
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
Corrected in Shorewall 4.4.11.1
|
2010-07-22 21:29:01 +02:00
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
3) Using a destination port-range with :random produces a fatal
|
|
|
|
compilation error in REDIRECT rules unless the firewall zone is
|
|
|
|
explicitly specified (e.g., $FW::2000-2010:random).
|
2010-07-22 21:29:01 +02:00
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
Corrected in Shorewall 4.4.11.1
|
2010-07-22 21:29:01 +02:00
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
4) /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
|
2010-07-23 22:24:07 +02:00
|
|
|
'nolock' option. In other cases, this option is incorrectly passed
|
|
|
|
on to the compiled script, causing the script to issue a usage
|
|
|
|
synopsis and to terminate.
|
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
Corrected in Shorewall 4.4.11.1
|
2010-07-23 22:24:07 +02:00
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
5) On systems that use the Upstart init system (such as Ubuntu and
|
|
|
|
Fedora), Shorewall-init is not reliable at starting the firewall
|
|
|
|
during boot when normal firewall startup is disabled and UPDOWN=1
|
|
|
|
is specified in /etc/default/shorewall-init.
|
2010-07-22 21:29:01 +02:00
|
|
|
|
2010-07-24 16:23:01 +02:00
|
|
|
Suggested workaround is to not disable normal startup (e.g., do not
|
|
|
|
set startup=0 on Debian-based systems and do not 'checkconfig
|
|
|
|
--del...' on Fedora).
|
2010-07-31 18:14:24 +02:00
|
|
|
|
2010-08-08 17:27:16 +02:00
|
|
|
Corrected in Shorewall 4.4.11.2
|
|
|
|
|
2010-07-31 18:14:24 +02:00
|
|
|
6) A typo in /sbin/shorewall6-lite version 4.4.11.1 causes the
|
|
|
|
stop, reset and clear commands to hang for one minute after the
|
|
|
|
command had been executed and causes the next shorewall6-lite
|
|
|
|
command to similarly hang for one minute.
|
|
|
|
|
|
|
|
Corrected in Shorewall 4.4.11.2.
|
2010-08-07 23:17:45 +02:00
|
|
|
|
|
|
|
7) A typo in the Shorewall install.sh script prevents the Makefile from
|
|
|
|
being installed in /usr/share/shorewall/configfiles/Makefile.
|
|
|
|
|
|
|
|
Corrected in Shorewall 4.4.11.2.
|
2010-08-08 17:27:16 +02:00
|
|
|
|
|
|
|
8) On systems running Upstart, Shorewall-init cannot reliably close
|
|
|
|
the firewall before interfaces come up.
|
|
|
|
|
2010-08-12 16:47:52 +02:00
|
|
|
9) When 'any' is used in the SOURCE column of /etc/shorewall[6]/rules,
|
|
|
|
a duplicate rule is generated in all "fw2*" ("fw-* if
|
|
|
|
ZONE2ZONE="-"). If 'any' is used in the DEST column, then a
|
|
|
|
duplicate rule appears in all "*2fw" (*-fw) chains.
|
2010-08-12 20:48:15 +02:00
|
|
|
|
2010-08-22 23:45:54 +02:00
|
|
|
Corrected in Shorewall 4.4.11.3.
|
|
|
|
|
2010-08-12 20:48:15 +02:00
|
|
|
10) A port range that omits the first port number (e.g., ":80") is
|
|
|
|
rejected with the following error:
|
|
|
|
|
|
|
|
ERROR: Invalid/Unknown tcp port/service (0) : ......
|
|
|
|
|
|
|
|
A workaround is to specify the first port as 1 (e.g., "1:80").
|
|
|
|
|
2010-08-22 23:45:54 +02:00
|
|
|
Corrected in Shorewall 4.4.11.3.
|
2010-08-14 16:46:53 +02:00
|
|
|
|
2010-08-22 23:45:54 +02:00
|
|
|
11) AUTOMAKE=Yes is broken -- don't use it.
|
2010-08-12 20:48:15 +02:00
|
|
|
|
2010-08-22 23:45:54 +02:00
|
|
|
Corrected in Shorewall 4.4.11.3.
|