<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>Shorewall Errata</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-09-02</pubdate>

    <copyright>
      <year>2001-2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <itemizedlist>
      <listitem>
        <para>If you use a Windows system to download a corrected script, be
        sure to run the script through <ulink
        url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
        after you have moved it to your Linux system.</para>
      </listitem>

      <listitem>
        <para>If you are installing Shorewall for the first time and plan to
        use the .tgz and install.sh script, you can untar the archive, replace
        the <quote>firewall</quote> script in the untarred directory with the
        one you downloaded below, and then run install.sh.</para>
      </listitem>

      <listitem>
        <para>When the instructions say to install a corrected firewall script
        in /usr/share/shorewall/firewall, you may rename the existing file
        before copying in the new file.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
        RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
        BELOW.</emphasis> For example, do NOT install the 2.0.2 firewall
        script if you are running 2.0.0-RC2</para>
      </listitem>
    </itemizedlist>
  </caution>

  <section>
    <title>RFC1918 File</title>

    <para><ulink
    url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#rfc1918">rfc1918 file</ulink>. This file only
    applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall
    2.0.1 and later releases, the <filename>bogons</filename> file lists IP
    ranges that are reserved by the IANA and the <filename>rfc1918</filename>
    file only lists those three ranges that are reserved by <ulink
    url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
  </section>

  <section>
    <title>Bogons File</title>

    <para><ulink
    url="http://shorewall.net/pub/shorewall/errata/2.0.8/bogons">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#Bogons">bogons file</ulink>.</para>
  </section>

  <section>
    <title>Problems in Version 2.0</title>

    <section>
      <title>Shorewall 2.0.3 through 2.0.8</title>

      <itemizedlist>
        <listitem>
          <para>An empty PROTO column in /etc/shorewall/tcrules produced
          iptables errors during <command>shorewall start</command>. A value
          of <command>all</command> in that column produced a similar
          error.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.8/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3a through 2.0.7</title>

      <itemizedlist>
        <listitem>
          <para>Entries in the USER/GROUP column of an action file (made from
          action.template) may be ignored or cause odd errors.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3a through 2.0.4</title>

      <itemizedlist>
        <listitem>
          <para>Error messages regarding $RESTOREBASE occur during <emphasis
          role="bold">shorewall stop</emphasis> if DISABLE_IPV6=Yes in
          shorewall.conf.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above. Also fixed in
      Shorewall Version 2.0.5.</para>
    </section>

    <section>
      <title>Shorewall 2.0.2 and all Shorewall 2.0.3 Releases.</title>

      <itemizedlist>
        <listitem>
          <para>DNAT rules with <emphasis role="bold">fw</emphasis> as the
          source zone and that specify logging cause <command>shorewall
          start</command> to fail with an iptables error. The problem is
          corrected for Shorewall 2.0.3 users in <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
          firewall script</ulink> which may be installed in
          /usr/share/shorewall/firewall as described above.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.3a and 2.0.3b</title>

      <itemizedlist>
        <listitem>
          <para>Error messages regarding $RESTOREBASE occur during <emphasis
          role="bold">shorewall stop</emphasis>.</para>
        </listitem>

        <listitem>
          <para>If CLEAR_TC=Yes in <filename>shorewall.conf</filename>,
          <emphasis role="bold">shorewall stop</emphasis> fails without
          removing the lock file.</para>
        </listitem>
      </itemizedlist>

      <para>The above problems are corrected in Shorewall version
      2.0.3c.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3a</title>

      <itemizedlist>
        <listitem>
          <para>Slackware users find that version 2.0.3a fails to start
          because their <command>mktemp</command> utility does not support the
          -d option. This may be corrected by installing <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.3/functions">this
          corrected <filename>functions</filename> file</ulink> in <filename
          class="directory">/var/lib/shorewall/functions</filename>.</para>
        </listitem>

        <listitem>
          <para>Shorewall fails to start if there is no
          <command>mktemp</command> utility.</para>
        </listitem>
      </itemizedlist>

      <para>These problems are corrected in Shorewall version 2.0.3b.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3</title>

      <itemizedlist>
        <listitem>
          <para>A non-empty entry in the DEST column of /etc/shorewall/tcrules
          will result in an error message and Shorewall fails to start. This
          problem is fixed in Shorewall version 2.0.3a.</para>
        </listitem>

        <listitem>
          <para>A potentially exploitable vulnerability in the way that
          Shorewall handles temporary files and directories has been found by
          Javier Fernández-Sanguino Peña. This vulnerability is corrected in
          Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to
          2.0.3a.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.2</title>

      <itemizedlist>
        <listitem>
          <para>Temporary restore files with names of the form
          <filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
          /var/lib/shorewall.</para>
        </listitem>

        <listitem>
          <para>"shorewall restore" and "shorewall -f start" do not load
          kernel modules.</para>

          <para><emphasis role="bold">The above two problems are corrected in
          Shorewall 2.0.2a</emphasis></para>
        </listitem>

        <listitem>
          <para>Specifying a null common action in /etc/shorewall/actions
          (e.g., :REJECT) results in a startup error.</para>
        </listitem>

        <listitem>
          <para>If <filename>/var/lib/shorewall</filename> does not exist,
          <command>shorewall start</command> fails.</para>

          <para><emphasis role="bold">The above four problems are corrected in
          Shorewall 2.0.2b</emphasis></para>
        </listitem>

        <listitem>
          <para>DNAT rules work incorrectly with dynamic zones in that the
          source interface is not included in the nat table DNAT rule.</para>

          <para><emphasis role="bold">The above five problems are corrected in
          Shorewall 2.0.2c</emphasis></para>
        </listitem>

        <listitem>
          <para>During start and restart, Shorewall is detecting capabilities
          before loading kernel modules. Consequently, if kernel module
          autoloading is disabled, capabilities can be mis-detected during
          boot.</para>
        </listitem>

        <listitem>
          <para>The <emphasis>newnotsyn</emphasis> option in
          <filename>/etc/shorewall/hosts</filename> has no effect.</para>

          <para><emphasis role="bold">The above seven problems are corrected
          in Shorewall 2.0.2d</emphasis></para>
        </listitem>

        <listitem>
          <para>Use of the LOG target in an action results in two LOG or ULOG
          rules.</para>

          <para><emphasis role="bold">The above eight problems are corrected
          in Shorewall 2.0.2e</emphasis></para>
        </listitem>

        <listitem>
          <para>Kernel modules fail to load when MODULE_SUFFIX isn't set in
          shorewall.conf</para>

          <para><emphasis role="bold">All of the above problems are corrected
          in Shorewall 2.0.2f</emphasis></para>
        </listitem>
      </itemizedlist>

      <para>These problems are all corrected by the
      <filename>firewall</filename> and <filename>functions</filename> files
      in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.2">this
      directory</ulink>. Both files must be installed in
      <filename>/usr/share/shorewall/</filename> as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.1</title>

      <itemizedlist>
        <listitem>
          <para>Confusing message mentioning IPV6 occur at startup.</para>
        </listitem>

        <listitem>
          <para>Modules listed in /etc/shorewall/modules don't load or produce
          errors on Mandrake 10.0 Final.</para>
        </listitem>

        <listitem>
          <para>The <command>shorewall delete</command> command does not
          remove all dynamic rules pertaining to the host(s) being
          deleted.</para>
        </listitem>
      </itemizedlist>

      <para>These problems are corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
      firewall script</ulink> which may be installed in
      <filename>/usr/share/shorewall/firewall</filename> as described
      above.</para>

      <itemizedlist>
        <listitem>
          <para>When run on a SuSE system, the install.sh script fails to
          configure Shorewall to start at boot time. That problem is corrected
          in <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
          version of the script</ulink>.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.1/2.0.0</title>

      <itemizedlist>
        <listitem>
          <para>On Debian systems, an install using the tarball results in an
          inability to start Shorewall at system boot. If you already have
          this problem, install <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
          file</ulink> as /etc/init.d/shorewall (replacing the existing file
          with that name). If you are just installing or upgrading to
          Shorewall 2.0.0 or 2.0.1, then replace the
          <filename>init.debian.sh</filename> file in the Shorewall
          distribution directory (shorewall-2.0.x) with the updated file
          before running <command>install.sh</command> from that
          directory.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.0</title>

      <itemizedlist>
        <listitem>
          <para>When using an Action in the ACTIONS column of a rule, you may
          receive a warning message about the rule being a policy. While this
          warning may be safely ignored, it can be eliminated by installing
          the script from the link below.</para>
        </listitem>

        <listitem>
          <para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
          and IPSEC has been corrected.</para>
        </listitem>
      </itemizedlist>

      <para>The first problem has been corrected in Shorewall update
      2.0.0a.</para>

      <para>All of these problems may be corrected by installing <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
      firewall script</ulink> in /usr/share/shorewall as described
      above.</para>
    </section>
  </section>

  <section>
    <title>Upgrade Issues</title>

    <para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
    separate page</ulink>.</para>
  </section>

  <section>
    <title>Problem with iptables 1.2.9</title>

    <para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
    Final) or later then you need to patch your iptables 1.2.9 with <ulink
    url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
    patch</ulink> or you need to use the <ulink
    url="http://www.netfilter.org/downloads.html#cvs">CVS version of
    iptables</ulink>.</para>
  </section>

  <section>
    <title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
    2.4.21-RC1)</title>

    <para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
    --reject-with tcp-reset</quote> is broken. The symptom most commonly seen
    is that REJECT rules act just like DROP rules when dealing with TCP. A
    kernel patch and precompiled modules to fix this problem are available at
    <ulink
    url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>

    <note>
      <para>RedHat have corrected this problem in their 2.4.20-27.x
      kernels.</para>
    </note>
  </section>
</article>