diff --git a/STABLE/documentation/Forum.html b/STABLE/documentation/Forum.html new file mode 100644 index 000000000..b0bb7b9ae --- /dev/null +++ b/STABLE/documentation/Forum.html @@ -0,0 +1,42 @@ + + +
+ + +
+ Support Forum+ |
+
Updated 3/6/2003 - Tom Eastep +
+ +Copyright © 2003 Thomas M. Eastep.
+
+ Visit Seattle in the Springtime!!!!+ |
+
The view from my office window -- think I'll go out and enjoy the deck
+(Yes -- that is snow on the deck...).
+
Updated 3/7/2003 - Tom Eastep +
+ +Copyright © 2001, 2002 Thomas M. Eastep.
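Review bot: The copyright line added for the Seattle page reads "Copyright © 2001, 2002 Thomas M. Eastep." although the page is stamped "Updated 3/7/2003" two lines above; the Forum page in the same patch says "© 2003" and the errata footer says "© 2001, 2002, 2003", so this one should include 2003 as well.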
++ |
-
+
Shorewall Errata/Upgrade Issues- |
-
IMPORTANT
- +If you use a Windows system to download - a corrected script, be sure to run the script through - dos2unix after you have moved + +
If you use a Windows system to download + a corrected script, be sure to run the script through + dos2unix after you have moved it to your Linux system.
-If you are installing Shorewall for the -first time and plan to use the .tgz and install.sh script, you can -untar the archive, replace the 'firewall' script in the untarred directory + +
If you are installing Shorewall for the first +time and plan to use the .tgz and install.sh script, you can untar +the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.
-If you are running a Shorewall version earlier - than 1.3.11, when the instructions say to install a corrected -firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall - or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to -overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD -/etc/shorewall/firewall or /var/lib/shorewall/firewall before -you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall - are symbolic links that point to the 'shorewall' file used by -your system initialization scripts to start Shorewall during -boot. It is that file that must be overwritten with the corrected -script. Beginning with Shorewall 1.3.11, you may rename the existing file + +
If you are running a Shorewall version earlier + than 1.3.11, when the instructions say to install a corrected firewall + script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall + or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to +overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD +/etc/shorewall/firewall or /var/lib/shorewall/firewall before +you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall + are symbolic links that point to the 'shorewall' file used by your + system initialization scripts to start Shorewall during boot. +It is that file that must be overwritten with the corrected +script. Beginning with Shorewall 1.3.11, you may rename the existing file before copying in the new file.
-DO NOT INSTALL CORRECTED COMPONENTS - ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. - For example, do NOT install the 1.3.9a firewall script if you are running +
DO NOT INSTALL CORRECTED COMPONENTS
+ ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
+ For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.
-
recalculate_interfacess: command not found- +
The updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - corrects this problem.Copy the script to /usr/lib/shorewall/firewall - as described above.- -
-
Alternatively, edit /usr/lob/shorewall/firewall and change the - single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' - to 'recalculate_interface'.- -
-
Alternatively, edit /usr/lob/shorewall/firewall and change the + single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' + to 'recalculate_interface'.+ +
+
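Review bot: The manual-fix instruction for 1.3.9 keeps two errors from the removed text: the path "/usr/lob/shorewall/firewall" should be "/usr/lib/shorewall/firewall" (the path the preceding paragraph uses), and "occurence" should be "occurrence". The name to search for is also spelled differently in the heading ("recalculate_interfacess: command not found") and in the edit instruction ('recalculate_interefacess'); only one of them can match line 483 of the 1.3.9a script, so the instruction should use the spelling that actually appears there. Minor: "corrects this problem.Copy the script" is missing a space.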
DNAT rules where the source zone is 'fw' ($FW) - result in an error message. Installing - - this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this - problem.
- - -"shorewall refresh" is not creating the proper - rule for FORWARDPING=Yes. Consequently, after - "shorewall refresh", the firewall will not forward - icmp echo-request (ping) packets. Installing - - this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this - problem.
- - -If "norfc1918" and "dhcp" are both specified as - options on a given interface then RFC 1918 - checking is occurring before DHCP checking. This - means that if a DHCP client broadcasts using an - RFC 1918 source address, then the firewall will - reject the broadcast (usually logging it). This - has two problems:
- - -- This version of the 1.3.7a firewall script - corrects the problem. It must be -installed in /var/lib/shorewall as -described above.
- - -Version 1.3.7 dead on arrival -- please use - version 1.3.7a and check your version against - these md5sums -- if there's a difference, please - download again.
- - -d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz- -
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
In other words, type "md5sum <whatever package you downloaded> - and compare the result with what you see above.
- -I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the - .7 version in each sequence from now on.
- -If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, - an error occurs when the firewall script attempts to - add an SNAT alias.
-The logunclean and dropunclean options - cause errors during startup when Shorewall is run with iptables - 1.2.7.
DNAT rules where the source zone is 'fw' ($FW) + result in an error message. Installing + + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects this + problem.
+ + +"shorewall refresh" is not creating the proper + rule for FORWARDPING=Yes. Consequently, after + "shorewall refresh", the firewall will not forward + icmp echo-request (ping) packets. Installing + + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects this + problem.
+ + +If "norfc1918" and "dhcp" are both specified as + options on a given interface then RFC 1918 + checking is occurring before DHCP checking. This + means that if a DHCP client broadcasts using an + RFC 1918 source address, then the firewall will + reject the broadcast (usually logging it). This + has two problems:
+ + ++ This version of the 1.3.7a firewall script + corrects the problem. It must be + installed in /var/lib/shorewall +as described above.
+ + +Version 1.3.7 dead on arrival -- please use + version 1.3.7a and check your version against + these md5sums -- if there's a difference, please + download again.
+ + +d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz+ +
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
In other words, type "md5sum <whatever package you downloaded> + and compare the result with what you see above.
+ +I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the + .7 version in each sequence from now on.
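Review bot: The first published checksum, "d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz", is 31 hex characters, but an MD5 digest is always 32, so users following the instruction to compare md5sum output against it can never get a match for the .tgz and have no way to confirm they downloaded the fixed 1.3.7a rather than the broken 1.3.7. Please paste the full digest from md5sum output. In the same block, "shorwall-1.3.7a.lrp" misspells the package name, and the instruction `type "md5sum <whatever package you downloaded>` is missing its closing quote.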
+ + +If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, + an error occurs when the firewall script attempts to + add an SNAT alias.
+The logunclean and dropunclean options + cause errors during startup when Shorewall is run with iptables + 1.2.7.
+These problems are fixed in - this correct firewall script which must be installed in - /var/lib/shorewall/ as described above. These problems are also - corrected in version 1.3.7.
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> + this correct firewall script which must be installed in + /var/lib/shorewall/ as described above. These problems are also + corrected in version 1.3.7. +A line was inadvertently deleted from the "interfaces - file" -- this line should be added back in if the version that you + +
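Review bot: In the 1.3.6 entry, "this correct firewall script" should read "this corrected firewall script", matching the wording used by every other errata entry that links a replacement script.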
A line was inadvertently deleted from the "interfaces + file" -- this line should be added back in if the version that you downloaded is missing it:
+net eth0 detect routefilter,dhcp,norfc1918
-If you downloaded two-interfaces-a.tgz then the above - line should already be in the file.
+ +If you downloaded two-interfaces-a.tgz then the above + line should already be in the file.
+The new 'proxyarp' interface option doesn't work :-( - This is fixed in - this corrected firewall script which must be installed in - /var/lib/shorewall/ as described above.
+ +The new 'proxyarp' interface option doesn't work :-( + This is fixed in + this corrected firewall script which must be installed in + /var/lib/shorewall/ as described above.
+Prior to version 1.3.4, host file entries such as the - following were allowed:
+ +Prior to version 1.3.4, host file entries such as the + following were allowed:
-adm eth0:1.2.4.5,eth0:5.6.7.8-
That capability was lost in version 1.3.4 so that it is only - possible to include a single host specification on each line. +
That capability was lost in version 1.3.4 so that it is only + possible to include a single host specification on each line. This problem is corrected by this - modified 1.3.5a firewall script. Install the script in + href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this + modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall as instructed above.
-This problem is corrected in version 1.3.5b.
-REDIRECT rules are broken in this version. Install - - this corrected firewall script in /var/lib/pub/shorewall/firewall - as instructed above. This problem is corrected in version + +
REDIRECT rules are broken in this version. Install + + this corrected firewall script in /var/lib/pub/shorewall/firewall + as instructed above. This problem is corrected in version 1.3.5a.
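Review bot: Both 1.3.5 entries tell the user to install the replacement script in "/var/lib/pub/shorewall/firewall", a path that does not appear among the three install locations given in the introduction (/etc/shorewall/firewall, /usr/lib/shorewall/firewall, /var/lib/shorewall/firewall) and looks like a fragment of the download URL (pub/shorewall) pasted into the install path. A user who follows it will create a new file that the init scripts never run and leave the broken script in place; it should read /var/lib/shorewall/firewall.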
+The "shorewall start" and "shorewall restart" commands - to not verify that the zones named in the /etc/shorewall/policy -file have been previously defined in the /etc/shorewall/zones -file. The "shorewall check" command does perform this verification -so it's a good idea to run that command after you have made configuration + +
The "shorewall start" and "shorewall restart" commands + to not verify that the zones named in the /etc/shorewall/policy file + have been previously defined in the /etc/shorewall/zones file. +The "shorewall check" command does perform this verification so +it's a good idea to run that command after you have made configuration changes.
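Review bot: The rewritten 1.3.4 paragraph carries over the typo "commands to not verify"; it should be "do not verify", since the whole point of the entry is that start/restart skip the zone check that "shorewall check" performs.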
+If you have upgraded from Shorewall 1.2 and after - "Activating rules..." you see the message: "iptables: No chains/target/match - by that name" then you probably have an entry in /etc/shorewall/hosts - that specifies an interface that you didn't include -in /etc/shorewall/interfaces. To correct this problem, you - must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 - and later versions produce a clearer error message in -this case.
+ +If you have upgraded from Shorewall 1.2 and after + "Activating rules..." you see the message: "iptables: No chains/target/match + by that name" then you probably have an entry in /etc/shorewall/hosts + that specifies an interface that you didn't include +in /etc/shorewall/interfaces. To correct this problem, you + must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 + and later versions produce a clearer error message in this + case.
+Until approximately 2130 GMT on 17 June 2002, the - download sites contained an incorrect version of the .lrp file. That - file can be identified by its size (56284 bytes). The correct -version has a size of 38126 bytes.
+ +Until approximately 2130 GMT on 17 June 2002, the + download sites contained an incorrect version of the .lrp file. That + file can be identified by its size (56284 bytes). The correct version + has a size of 38126 bytes.
+Both problems are corrected in - this script which should be installed in /var/lib/shorewall + href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> + this script which should be installed in /var/lib/shorewall as described above.
+The IANA have just announced the allocation of subnet + +
The IANA have just announced the allocation of subnet 221.0.0.0/8. This - updated rfc1918 file reflects that allocation.
-These problems are corrected in - this firewall script which should be installed in /etc/shorewall/firewall + href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> + this firewall script which should be installed in /etc/shorewall/firewall as described above.
+The upgrade issues have moved to a separate page.
- -- -I have installed this RPM on my firewall and it works + fine. - -There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, RedHat - released this buggy iptables in RedHat 7.2.
+ ++ +There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, + RedHat released this buggy iptables in RedHat 7.2.
- +I have built a - corrected 1.2.3 rpm which you can download here and I have - also built an -iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs - before you upgrade to RedHat 7.2.
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> + corrected 1.2.3 rpm which you can download here and I have + also built an + iptables-1.2.4 rpm which you can download here. If you are currently + running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2. - -Update 11/9/2001: RedHat - has released an iptables-1.2.4 RPM of their own which you can + +
Update 11/9/2001: RedHat + has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. - I have installed this RPM on my firewall and it works - fine.
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html. +
If you would like to patch iptables 1.2.3 yourself, + +
If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch - which corrects a problem with parsing of the --log-level specification - while this patch - corrects a problem in handling the TOS target.
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch + which corrects a problem with parsing of the --log-level +specification while this patch + corrects a problem in handling the TOS target. - +To install one of the above patches:
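Review bot: The paragraph ends with "To install one of the above patches:" but the steps that the colon announces do not appear in this hunk; either the install procedure was dropped in the edit or the sentence should be removed, because as written the reader is left with two patch files and no instructions.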
- +- -- -Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 + +
Problems with kernels >= 2.4.18 + and RedHat iptables
+ ++ ++ +Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:
- -- + +- -++# shorewall start-
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)The RedHat iptables RPM is compiled with debugging enabled but the - user-space debugging code was not updated to reflect recent changes in - the Netfilter 'mangle' table. You can correct the problem -by installing - this iptables RPM. If you are already running a 1.2.5 version - of iptables, you will need to specify the --oldpackage option -to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
-The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in + the Netfilter 'mangle' table. You can correct the problem by + installing + this iptables RPM. If you are already running a 1.2.5 +version of iptables, you will need to specify the --oldpackage +option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
+
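Review bot: The example command in the RedHat iptables paragraph, "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm", names the wrong program: -Uvh and --oldpackage are rpm options, as the same sentence says ("specify the --oldpackage option to rpm"), so the example should read rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm. The error was present in the removed text too and the rewrite kept it.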
If you find that rpm complains about a conflict - with kernel <= 2.2 yet you have a 2.4 kernel - installed, simply use the "--nodeps" option to - rpm.
+ +If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to + rpm.
- +Installing: rpm -ivh --nodeps <shorewall rpm>
- +Upgrading: rpm -Uvh --nodeps <shorewall rpm>
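Review bot: The two example commands recommend "--nodeps" for the kernel <= 2.2 conflict described just above, but --nodeps turns off all dependency checking for that rpm transaction, not just the kernel check, so the text should say it is only meant for that specific spurious conflict on a 2.4 kernel and that any other dependency error rpm reports without the flag still needs attention.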
- -The iptables 1.2.7 release of iptables has made - an incompatible change to the syntax used to - specify multiport match rules; as a consequence, - if you install iptables 1.2.7 you must be running - Shorewall 1.3.7a or later or:
+ +The iptables 1.2.7 release of iptables has made + an incompatible change to the syntax used to + specify multiport match rules; as a consequence, + if you install iptables 1.2.7 you must be running + Shorewall 1.3.7a or later or:
- +#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL- Error message is:
192.0.2.22 eth0 192.168.9.22 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Setting up NAT...- The solution is to put "no" in the LOCAL column. Kernel -support for LOCAL=yes has never worked properly and 2.4.18-10 has -disabled it. The 2.4.19 kernel contains corrected support under a new -kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
iptables: Invalid argument
Terminated
Last updated 2/18/2003 - - Tom Eastep
- + The solution is to put "no" in the LOCAL column. Kernel + support for LOCAL=yes has never worked properly and 2.4.18-10 has + disabled it. The 2.4.19 kernel contains corrected support under a +new kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NATLast updated 3/8/2003 - +Tom Eastep
+Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
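Review bot: The iptables 1.2.7 multiport paragraph ends "you must be running Shorewall 1.3.7a or later or:" but what follows in the hunk is the NAT file excerpt and the "iptables: Invalid argument" error from the 2.4.18-10 LOCAL=yes entry, so the alternative the sentence promises is missing and the two sections run into each other; the sentence should either name the alternative or end at "1.3.7a or later". The NAT entry also keeps the typo "configuraiton" (should be "configuration") in the rewritten text.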