mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-18 11:38:14 +01:00
Just in case
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2018 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e6e9fccab4
commit
fc113cc51c
@ -13,7 +13,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-30</pubdate>
|
<pubdate>2004-08-30</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
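Review bot: the pubdate moves from 2004-06-30 to 2004-08-30 here, but the revision history rewritten at the end of this patch still ends at revision 1.9 dated 2004-03-20. Add a revision entry that records what changed for the 2004-08-30 publication, or leave the pubdate alone if this commit is only a re-wrap.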
@ -27,7 +27,8 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -55,9 +56,9 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
|
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
|
||||||
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
|
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
|
||||||
For example, do NOT install the 1.3.9a firewall script if you are
|
BELOW.</emphasis> For example, do NOT install the 1.3.9a firewall
|
||||||
running 1.3.7c.</para>
|
script if you are running 1.3.7c.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</caution>
|
</caution>
|
||||||
@ -65,7 +66,8 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>RFC1918 File</title>
|
<title>RFC1918 File</title>
|
||||||
|
|
||||||
<para><ulink url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
|
<para><ulink
|
||||||
|
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
|
||||||
is the most up to date version of the <ulink
|
is the most up to date version of the <ulink
|
||||||
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
|
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
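Review bot: the rfc1918 link target changes from errata/1.4.8/rfc1918 to errata/1.4.10/rfc1918 in this hunk, which is a content change sitting inside what is otherwise a whitespace re-wrap, and the commit message does not mention it. Put it in its own commit or name it in the message. Since the caution above says not to install corrected components on a release earlier than the one they are listed under, state next to the link which releases the 1.4.10 file is meant for. The link is also plain http:// for a file that readers install on a firewall; if a checksum is published for it, list it beside the link.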
@ -87,12 +89,13 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Shorewall fails to start if there is no <command>mktemp</command>
|
<para>Shorewall fails to start if there is no
|
||||||
utility.</para>
|
<command>mktemp</command> utility.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>These problems have been corrected in Shorewall version 1.4.10g.</para>
|
<para>These problems have been corrected in Shorewall version
|
||||||
|
1.4.10g.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -100,18 +103,18 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Unexplained errors may occur during "shorewall
|
<para>Unexplained errors may occur during "shorewall [re]start" when
|
||||||
[re]start" when the /etc/shorewall/masq file is being processed.</para>
|
the /etc/shorewall/masq file is being processed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The <emphasis role="bold">maclist</emphasis> interface option
|
<para>The <emphasis role="bold">maclist</emphasis> interface option
|
||||||
previously wasn't available on Atheros WiFi cards.</para>
|
previously wasn't available on Atheros WiFi cards.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>In the /etc/shorewall/masq entry <quote>eth0:!10.1.1.150
|
<para>In the /etc/shorewall/masq entry <quote>eth0:!10.1.1.150
|
||||||
   0.0.0.0/0!10.1.0.0/16     10.1.2.16</quote>,
|
0.0.0.0/0!10.1.0.0/16 10.1.2.16</quote>,
|
||||||
the <quote>!10.1.0.0/16</quote> is ignored.</para>
|
the <quote>!10.1.0.0/16</quote> is ignored.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -122,7 +125,8 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specifying multiple excluded source zones in a REDIRECT or
|
<para>Specifying multiple excluded source zones in a REDIRECT or
|
||||||
DNAT rule produces a startup error. Example of problem rule:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
DNAT rule produces a startup error. Example of problem
|
||||||
|
rule:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para>
|
DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -165,7 +169,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
<para>The first seven problems corrections were included in Shorewall
|
<para>The first seven problems corrections were included in Shorewall
|
||||||
update 1.4.10e;</para>
|
update 1.4.10e;</para>
|
||||||
|
|
||||||
<para>All problem corrections were included in Shorewall update 1.4.10f.</para>
|
<para>All problem corrections were included in Shorewall update
|
||||||
|
1.4.10f.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
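Review bot: the first paragraph still reads "The first seven problems corrections were included in Shorewall update 1.4.10e;" with a doubled plural and a trailing semicolon. As the neighbouring paragraph is being rewrapped in this hunk, correct it to "The first seven problem corrections were included in Shorewall update 1.4.10e." at the same time.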
@ -180,7 +185,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
|
|
||||||
<para>This problem has been corrected in <ulink
|
<para>This problem has been corrected in <ulink
|
||||||
url="http://shorewall.net/pub/shorewall/errata/1.4.9/action.template">this
|
url="http://shorewall.net/pub/shorewall/errata/1.4.9/action.template">this
|
||||||
action.template file</ulink> which may be installed in /etc/shorewall.</para>
|
action.template file</ulink> which may be installed in
|
||||||
|
/etc/shorewall.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -191,8 +197,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Unexplained errors may occur during "shorewall
|
<para>Unexplained errors may occur during "shorewall [re]start" when
|
||||||
[re]start" when the /etc/shorewall/masq file is being processed.</para>
|
the /etc/shorewall/masq file is being processed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -207,15 +213,14 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When a DNAT rules specifies SNAT (e.g., when <original
|
<para>When a DNAT rules specifies SNAT (e.g., when <original dest
|
||||||
dest addr>:<SNAT addr> is given in the ORIGINAL DEST
|
addr>:<SNAT addr> is given in the ORIGINAL DEST column),
|
||||||
column), the SNAT specification is effectively ignored in some
|
the SNAT specification is effectively ignored in some cases.</para>
|
||||||
cases.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Unexplained errors may occur during "shorewall
|
<para>Unexplained errors may occur during "shorewall [re]start" when
|
||||||
[re]start" when the /etc/shorewall/masq file is being processed.</para>
|
the /etc/shorewall/masq file is being processed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
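Review bot: the rewrapped paragraph keeps "When a DNAT rules specifies SNAT", which should be "When a DNAT rule specifies SNAT". The same sentence is rewrapped again in the -255,15 hunk, so fix both copies together.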
@ -232,16 +237,16 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Using some versions of <quote>ash</quote> (such as from RH8)
|
<para>Using some versions of <quote>ash</quote> (such as from RH8)
|
||||||
as the SHOREWALL_SHELL causes <quote>shorewall [re]start</quote> to
|
as the SHOREWALL_SHELL causes <quote>shorewall [re]start</quote> to
|
||||||
fail with:<programlisting>    local: --limit: bad variable name
|
fail with:<programlisting> local: --limit: bad variable name
|
||||||
   iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
|
iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
|
||||||
   cannot open shared object file: No such file or directory
|
cannot open shared object file: No such file or directory
|
||||||
   Try `iptables -h' or 'iptables --help' for more information.</programlisting></para>
|
Try `iptables -h' or 'iptables --help' for more information.</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When more than one ICMP type is listed in a rule and your
|
<para>When more than one ICMP type is listed in a rule and your
|
||||||
kernel includes multiport match support,  the firewall fails
|
kernel includes multiport match support, the firewall fails to
|
||||||
to start.</para>
|
start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -255,15 +260,14 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When a DNAT rules specifies SNAT (e.g., when <original
|
<para>When a DNAT rules specifies SNAT (e.g., when <original dest
|
||||||
dest addr>:<SNAT addr> is given in the ORIGINAL DEST
|
addr>:<SNAT addr> is given in the ORIGINAL DEST column),
|
||||||
column), the SNAT specification is effectively ignored in some
|
the SNAT specification is effectively ignored in some cases.</para>
|
||||||
cases.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Unexplained errors may occur during "shorewall
|
<para>Unexplained errors may occur during "shorewall [re]start" when
|
||||||
[re]start" when the /etc/shorewall/masq file is being processed.</para>
|
the /etc/shorewall/masq file is being processed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -279,7 +283,7 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
|
<para>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
|
||||||
would fail to start with the error <quote>ERROR:  Traffic
|
would fail to start with the error <quote>ERROR: Traffic
|
||||||
Control requires Mangle</quote>; that problem has been corrected in
|
Control requires Mangle</quote>; that problem has been corrected in
|
||||||
<ulink
|
<ulink
|
||||||
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||||
@ -302,7 +306,7 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
versions, you will have to edit your <quote>firewall</quote> script
|
versions, you will have to edit your <quote>firewall</quote> script
|
||||||
(in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
|
(in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
|
||||||
Locate the function add_tcrule_() and in that function, replace this
|
Locate the function add_tcrule_() and in that function, replace this
|
||||||
line:<programlisting>   r=`mac_match $source` </programlisting>with<programlisting>      r="`mac_match $source` "</programlisting>Note
|
line:<programlisting> r=`mac_match $source` </programlisting>with<programlisting> r="`mac_match $source` "</programlisting>Note
|
||||||
that there must be a space before the ending quote!</para>
|
that there must be a space before the ending quote!</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
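Review bot: whitespace inside the two programlisting elements on the "line:" row changed in this re-wrap (the leading indentation before r= is collapsed), and this is the one place where the text says whitespace matters: "there must be a space before the ending quote!". The new line still shows r="`mac_match $source` " with that space, but an automatic reflow should not touch programlisting content at all. Exclude verbatim elements from the formatter, and consider putting each listing on its own line so the significant space is easier to see in review.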
@ -322,7 +326,7 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The INCLUDE directive doesn't work when placed in the
|
<para>The INCLUDE directive doesn't work when placed in the
|
||||||
/etc/shorewall/zones file. This problem may be corrected by
|
/etc/shorewall/zones file. This problem may be corrected by
|
||||||
installing <ulink
|
installing <ulink
|
||||||
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions">this
|
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions">this
|
||||||
@ -338,9 +342,9 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Log messages are being displayed on the system console even
|
<para>Log messages are being displayed on the system console even
|
||||||
though the log level for the console is set properly according to
|
though the log level for the console is set properly according to
|
||||||
FAQ 16. This problem may be corrected by installing <ulink url="???">this
|
FAQ 16. This problem may be corrected by installing <ulink
|
||||||
firewall script</ulink> in /usr/share/shorewall/firewall as
|
url="???">this firewall script</ulink> in
|
||||||
described above.</para>
|
/usr/share/shorewall/firewall as described above.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
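Review bot: the rewrapped link is still ulink url="???", so "this firewall script" points nowhere. Either supply the errata URL for the corrected script or drop the ulink and say where the fix can be found; re-flowing a placeholder just carries the broken link forward.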
@ -412,7 +416,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When a <quote>shorewall check</quote> command is executed,
|
<para>When a <quote>shorewall check</quote> command is executed,
|
||||||
each <quote>rule</quote> produces the harmless additional message:<programlisting>     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected</programlisting>You
|
each <quote>rule</quote> produces the harmless additional
|
||||||
|
message:<programlisting> /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected</programlisting>You
|
||||||
may correct the problem by installing <ulink
|
may correct the problem by installing <ulink
|
||||||
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall">this
|
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall">this
|
||||||
corrected script</ulink> in /usr/share/shorewall/firewall as
|
corrected script</ulink> in /usr/share/shorewall/firewall as
|
||||||
@ -449,12 +454,12 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
|
|
||||||
<para>There are a couple of serious bugs in iptables 1.2.3 that prevent it
|
<para>There are a couple of serious bugs in iptables 1.2.3 that prevent it
|
||||||
from working with Shorewall. Regrettably, RedHat released this buggy
|
from working with Shorewall. Regrettably, RedHat released this buggy
|
||||||
iptables in RedHat 7.2. </para>
|
iptables in RedHat 7.2. </para>
|
||||||
|
|
||||||
<para>I have built a <ulink
|
<para>I have built a <ulink
|
||||||
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">corrected
|
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">corrected
|
||||||
1.2.3 rpm which you can download here</ulink>  and I have also
|
1.2.3 rpm which you can download here</ulink> and I have also built
|
||||||
built an <ulink
|
an <ulink
|
||||||
url="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">iptables-1.2.4
|
url="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">iptables-1.2.4
|
||||||
rpm which you can download here</ulink>. If you are currently running
|
rpm which you can download here</ulink>. If you are currently running
|
||||||
RedHat 7.1, you can install either of these RPMs before you upgrade to
|
RedHat 7.1, you can install either of these RPMs before you upgrade to
|
||||||
@ -462,7 +467,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
|
|
||||||
<para><emphasis role="bold">Update 11/9/2001:</emphasis> RedHat has
|
<para><emphasis role="bold">Update 11/9/2001:</emphasis> RedHat has
|
||||||
released an iptables-1.2.4 RPM of their own which you can download from
|
released an iptables-1.2.4 RPM of their own which you can download from
|
||||||
<ulink url="http://www.redhat.com/support/errata/RHSA-2001-144.html.">http://www.redhat.com/support/errata/RHSA-2001-144.html</ulink>.I
|
<ulink
|
||||||
|
url="http://www.redhat.com/support/errata/RHSA-2001-144.html.">http://www.redhat.com/support/errata/RHSA-2001-144.html</ulink>.I
|
||||||
have installed this RPM on my firewall and it works fine.</para>
|
have installed this RPM on my firewall and it works fine.</para>
|
||||||
|
|
||||||
<para>If you would like to patch iptables 1.2.3 yourself, the patches are
|
<para>If you would like to patch iptables 1.2.3 yourself, the patches are
|
||||||
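Review bot: the url attribute moved onto its own line still ends in a period, url="http://www.redhat.com/support/errata/RHSA-2001-144.html.", while the link text does not, so the href and the displayed address differ. Remove the trailing period from the attribute, and add the missing space in "</ulink>.I have" while this line is being touched.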
@ -471,14 +477,14 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para
|
|||||||
which corrects a problem with parsing of the --log-level specification
|
which corrects a problem with parsing of the --log-level specification
|
||||||
while this <ulink
|
while this <ulink
|
||||||
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</ulink>
|
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</ulink>
|
||||||
corrects a problem in handling the  TOS target.</para>
|
corrects a problem in handling the TOS target.</para>
|
||||||
|
|
||||||
<para>To install one of the above patches:<programlisting> cd iptables-1.2.3/extensions
|
<para>To install one of the above patches:<programlisting> cd iptables-1.2.3/extensions
|
||||||
patch -p0 < the-patch-file</programlisting></para>
|
patch -p0 < the-patch-file</programlisting></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Problems with kernels >= 2.4.18 and RedHat iptables</title>
|
<title>Problems with kernels >= 2.4.18 and RedHat iptables</title>
|
||||||
|
|
||||||
<para>Users who use RedHat iptables RPMs and who upgrade to kernel
|
<para>Users who use RedHat iptables RPMs and who upgrade to kernel
|
||||||
2.4.18/19 may experience the following:</para>
|
2.4.18/19 may experience the following:</para>
|
||||||
@ -497,10 +503,10 @@ Validating hosts file...
|
|||||||
Determining Hosts in Zones...
|
Determining Hosts in Zones...
|
||||||
Net Zone: eth0:0.0.0.0/0
|
Net Zone: eth0:0.0.0.0/0
|
||||||
iptables: libiptc/libip4tc.c:380: do_check: Assertion
|
iptables: libiptc/libip4tc.c:380: do_check: Assertion
|
||||||
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
|
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
|
||||||
Aborted (core dumped)
|
Aborted (core dumped)
|
||||||
iptables: libiptc/libip4tc.c:380: do_check: Assertion
|
iptables: libiptc/libip4tc.c:380: do_check: Assertion
|
||||||
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
|
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
|
||||||
Aborted (core dumped)</programlisting>
|
Aborted (core dumped)</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
@ -511,7 +517,8 @@ Aborted (core dumped)</programlisting>
|
|||||||
url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this
|
url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this
|
||||||
iptables RPM</ulink>. If you are already running a 1.2.5 version of
|
iptables RPM</ulink>. If you are already running a 1.2.5 version of
|
||||||
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
|
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
|
||||||
<quote>iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm</quote>).</para>
|
<quote>iptables -Uvh --oldpackage
|
||||||
|
iptables-1.2.5-1.i386.rpm</quote>).</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
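Review bot: the example in the rewrapped quote reads "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm", but the sentence says --oldpackage is an option to rpm, so the command should begin with rpm. The re-wrap also breaks the command across two lines inside the quote; keep it on one line so it can be copied as a single command.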
@ -542,8 +549,8 @@ Aborted (core dumped)</programlisting>
|
|||||||
<para>/etc/shorewall/nat entries of the following form will result in
|
<para>/etc/shorewall/nat entries of the following form will result in
|
||||||
Shorewall being unable to start:</para>
|
Shorewall being unable to start:</para>
|
||||||
|
|
||||||
<programlisting> #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
|
<programlisting> #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||||
192.0.2.22    eth0    192.168.9.22   yes     yes
|
192.0.2.22 eth0 192.168.9.22 yes yes
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
<para>Error message is:</para>
|
<para>Error message is:</para>
|
||||||
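Review bot: in the /etc/shorewall/nat programlisting the column spacing of the "#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL" header and of the 192.0.2.22 entry is collapsed to single spaces. A programlisting is rendered verbatim, so the example loses its column alignment, and "ALL INTERFACES" can no longer be told apart from two separate columns. Restore the original spacing and keep the formatter away from programlisting content.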
@ -567,26 +574,120 @@ Aborted (core dumped)</programlisting>
|
|||||||
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
|
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
|
||||||
is that REJECT rules act just like DROP rules when dealing with TCP. A
|
is that REJECT rules act just like DROP rules when dealing with TCP. A
|
||||||
kernel patch and precompiled modules to fix this problem are available at
|
kernel patch and precompiled modules to fix this problem are available at
|
||||||
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
|
<ulink
|
||||||
|
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
|
<para>RedHat have corrected this problem in their 2.4.20-27.x
|
||||||
|
kernels.</para>
|
||||||
</note>
|
</note>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<appendix>
|
<appendix>
|
||||||
<title>Revision History4</title>
|
<title>Revision History4</title>
|
||||||
|
|
||||||
<para><revhistory><revision><revnumber>1.9</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
|
<para><revhistory>
|
||||||
ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-03-04</date><authorinitials>TE</authorinitials><revremark>Multiple
|
<revision>
|
||||||
excluded zones problem..</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-15</date><authorinitials>TE</authorinitials><revremark>TCrules
|
<revnumber>1.9</revnumber>
|
||||||
file problem..</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-09</date><authorinitials>TE</authorinitials><revremark>Masq
|
|
||||||
file exclusion problem.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Startup
|
<date>2004-03-20</date>
|
||||||
Problem</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
|
|
||||||
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
|
<authorinitials>TE</authorinitials>
|
||||||
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
|
|
||||||
note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
|
<revremark>Proxy ARP/IPSEC fix.</revremark>
|
||||||
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
|
</revision>
|
||||||
Conversion to Docbook XML</revremark></revision></revhistory></para>
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.8</revnumber>
|
||||||
|
|
||||||
|
<date>2004-03-04</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Multiple excluded zones problem..</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.7</revnumber>
|
||||||
|
|
||||||
|
<date>2004-02-15</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>TCrules file problem..</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.6</revnumber>
|
||||||
|
|
||||||
|
<date>2004-02-09</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Masq file exclusion problem.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.5</revnumber>
|
||||||
|
|
||||||
|
<date>2004-02-05</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Startup Problem</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.4</revnumber>
|
||||||
|
|
||||||
|
<date>2004-01-19</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>IPV6 address problems. Make RFC1918 file section more
|
||||||
|
prominent.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.3</revnumber>
|
||||||
|
|
||||||
|
<date>2004-01-14</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Confusing template file in 1.4.9</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.3</revnumber>
|
||||||
|
|
||||||
|
<date>2004-01-03</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Added note about REJECT RedHat Kernal problem being
|
||||||
|
corrected.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.2</revnumber>
|
||||||
|
|
||||||
|
<date>2003-12-29</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Updated RFC1918 file</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.1</revnumber>
|
||||||
|
|
||||||
|
<date>2003-12-17</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Initial Conversion to Docbook XML</revremark>
|
||||||
|
</revision>
|
||||||
|
</revhistory></para>
|
||||||
</appendix>
|
</appendix>
|
||||||
</article>
|
</article>
|
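Review bot: expanding the revhistory onto separate lines leaves several defects in place that are now easy to fix: the appendix title is "Revision History4" with a stray 4, two revisions carry revnumber 1.3 (2004-01-14 and 2004-01-03), the 2004-01-03 remark spells "Kernal", and the 1.8 and 1.7 remarks end in a double period. Correct these in the same change, and renumber one of the 1.3 entries so each revision is unique.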