<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <article> <articleinfo> <title>Shorewall Errata</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate>2004-09-02</pubdate> <copyright> <year>2001-2004</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <caution> <itemizedlist> <listitem> <para>If you use a Windows system to download a corrected script, be sure to run the script through <ulink url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink> after you have moved it to your Linux system.</para> </listitem> <listitem> <para>If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the <quote>firewall</quote> script in the untarred directory with the one you downloaded below, and then run install.sh.</para> </listitem> <listitem> <para>When the instructions say to install a corrected firewall script in /usr/share/shorewall/firewall, you may rename the existing file before copying in the new file.</para> </listitem> <listitem> <para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis> For example, do NOT install the 2.0.2 firewall script if you are running 2.0.0-RC2.</para> </listitem> </itemizedlist> </caution> <section> <title>RFC1918 File</title> 
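<para>The install procedure in the caution list above (strip the CRs as dos2unix does, keep the existing file, refuse a corrected component on a release older than the one it is listed under), together with the private temporary-directory handling that the 2.0.3 and 2.0.3a entries below concern, as one added shell example. It is not part of this errata page or of Shorewall itself; the helper names make_scratch_dir, norm_version, version_ge and install_component, and the SHOREWALL_VERSION_FILE variable (defaulting to /usr/share/shorewall/version), are this example's own assumptions.</para>
<programlisting>
```sh
#!/bin/sh
# Added example, not Shorewall's own code: install a corrected Shorewall
# component the way the cautions on this page describe.
# Assumption: the running release is read from SHOREWALL_VERSION_FILE
# (default /usr/share/shorewall/version); override it for testing.

SHOREWALL_VERSION_FILE=${SHOREWALL_VERSION_FILE:-/usr/share/shorewall/version}

# Create a private scratch directory and print its path.
# Uses mktemp -d where available; on a system whose mktemp lacks -d (the
# Slackware case under 2.0.3a) it falls back to a mkdir loop. mkdir fails
# if the path already exists, so a file or symlink planted in advance by a
# local user cannot be taken over as the scratch directory.
make_scratch_dir() {
    base=${TMPDIR:-/tmp}
    if dir=$(mktemp -d "$base/shorewall.XXXXXX" 2>/dev/null); then
        echo "$dir"
        return 0
    fi
    i=0
    while [ "$i" -lt 100 ]; do
        dir="$base/shorewall.$$.$(date +%s).$i"
        if (umask 077; mkdir "$dir") 2>/dev/null; then
            echo "$dir"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Normalize a release string into four numeric fields so releases sort:
#   2.0.0-RC2 -> 2 0 0 12    2.0.2 -> 2 0 2 50    2.0.3a -> 2 0 3 51
# Pre-releases sort below the final release, lettered bugfix updates above it.
norm_version() {
    base=${1%%-*}
    pre=${1#"$base"}
    pre=${pre#-}
    letter=$(printf '%s' "$base" | sed 's/^[0-9.]*//')
    num=${base%"$letter"}
    set -- $(printf '%s' "$num" | tr . ' ')
    if [ -n "$letter" ]; then
        suffix=$(( $(printf '%d' "'$letter") - 96 + 50 ))
    else
        case $pre in
            RC*)   suffix=$(( 10 + ${pre#RC} )) ;;
            Beta*) suffix=${pre#Beta} ;;
            *)     suffix=50 ;;
        esac
    fi
    echo "${1:-0} ${2:-0} ${3:-0} $suffix"
}

# Succeed when release $1 is the same as, or newer than, release $2.
version_ge() {
    set -- $(norm_version "$1") $(norm_version "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}
        b=${pair#*:}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Install corrected file $1 as $2; $3 is the release the fix is listed under.
# Refuses when the running release is older than $3, strips CRs (what
# dos2unix does), checks the result still parses as shell, and keeps the
# previous file as $2.orig before replacing it.
install_component() {
    src=$1
    dest=$2
    listed=$3
    running=$(cat "$SHOREWALL_VERSION_FILE" 2>/dev/null || echo 0)
    if ! version_ge "$running" "$listed"; then
        echo "refusing: running release '$running' is older than $listed"
        return 1
    fi
    scratch=$(make_scratch_dir) || return 1
    cat "$src" | tr -d '\r' > "$scratch/component"
    if ! sh -n "$scratch/component"; then
        echo "refusing: $src does not parse as a shell script"
        rm -rf "$scratch"
        return 1
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.orig"
    fi
    chmod 0755 "$scratch/component"
    mv "$scratch/component" "$dest"
    rm -rf "$scratch"
}

# Example: install_component ./firewall /usr/share/shorewall/firewall 2.0.8
```
</programlisting>
<para>Run it as root, for instance install_component ./firewall /usr/share/shorewall/firewall 2.0.8 for the script listed under 2.0.8. The mkdir fallback is only safe because mkdir refuses an existing path: that atomic failure is what mktemp -d otherwise provides, and without it a predictable name under a world-writable /tmp can be pre-created by another local user. The CR-stripped copy is checked with sh -n before it replaces the live script, so a download mangled in transit cannot leave the firewall unable to start.</para>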
<para><ulink url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink> is the most up to date version of the <ulink url="Documentation.htm#rfc1918">rfc1918 file</ulink>. This file only applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall 2.0.1 and later releases, the <filename>bogons</filename> file lists IP ranges that are reserved by the IANA and the <filename>rfc1918</filename> file only lists those three ranges that are reserved by <ulink url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para> </section> <section> <title>Bogons File</title> <para><ulink url="http://shorewall.net/pub/shorewall/errata/2.0.8/bogons">Here</ulink> is the most up to date version of the <ulink url="Documentation.htm#Bogons">bogons file</ulink>.</para> </section> <section> <title>Problems in Version 2.0</title> <section> <title>Shorewall 2.0.3 through 2.0.8</title> <itemizedlist> <listitem> <para>An empty PROTO column in /etc/shorewall/tcrules produced iptables errors during <command>shorewall start</command>. 
A value of <command>all</command> in that column produced a similar error.</para> </listitem> </itemizedlist> <para>Corrected in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.8/firewall">this firewall script</ulink> which may be installed in /usr/share/shorewall/firewall as described above.</para> </section> <section> <title>Shorewall 2.0.3a through 2.0.7</title> <itemizedlist> <listitem> <para>Entries in the USER/GROUP column of an action file (made from action.template) may be ignored or cause odd errors.</para> </listitem> </itemizedlist> <para>Corrected in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this firewall script</ulink> which may be installed in /usr/share/shorewall/firewall as described above.</para> </section> <section> <title>Shorewall 2.0.3a through 2.0.4</title> <itemizedlist> <listitem> <para>Error messages regarding $RESTOREBASE occur during <emphasis role="bold">shorewall stop</emphasis> if DISABLE_IPV6=Yes in shorewall.conf.</para> </listitem> </itemizedlist> <para>Corrected in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this firewall script</ulink> which may be installed in /usr/share/shorewall/firewall as described above. Also fixed in Shorewall Version 2.0.5.</para> </section> <section> <title>Shorewall 2.0.2 and all Shorewall 2.0.3 Releases.</title> <itemizedlist> <listitem> <para>DNAT rules with <emphasis role="bold">fw</emphasis> as the source zone and that specify logging cause <command>shorewall start</command> to fail with an iptables error. 
The problem is corrected for Shorewall 2.0.3 users in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this firewall script</ulink> which may be installed in /usr/share/shorewall/firewall as described above.</para> </listitem> </itemizedlist> </section> <section> <title>Shorewall 2.0.3a and 2.0.3b</title> <itemizedlist> <listitem> <para>Error messages regarding $RESTOREBASE occur during <emphasis role="bold">shorewall stop</emphasis>.</para> </listitem> <listitem> <para>If CLEAR_TC=Yes in <filename>shorewall.conf</filename>, <emphasis role="bold">shorewall stop</emphasis> fails without removing the lock file.</para> </listitem> </itemizedlist> <para>The above problems are corrected in Shorewall version 2.0.3c.</para> </section> <section> <title>Shorewall 2.0.3a</title> <itemizedlist> <listitem> <para>Slackware users find that version 2.0.3a fails to start because their <command>mktemp</command> utility does not support the -d option. This may be corrected by installing <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.3/functions">this corrected <filename>functions</filename> file</ulink> in <filename>/usr/share/shorewall/functions</filename> (the same directory that holds the <filename>firewall</filename> script, as described above).</para> </listitem> <listitem> <para>Shorewall fails to start if there is no <command>mktemp</command> utility.</para> </listitem> </itemizedlist> <para>These problems are corrected in Shorewall version 2.0.3b.</para> </section> <section> <title>Shorewall 2.0.3</title> <itemizedlist> <listitem> <para>A non-empty entry in the DEST column of /etc/shorewall/tcrules results in an error message and Shorewall fails to start. This problem is fixed in Shorewall version 2.0.3a.</para> </listitem> <listitem> <para>A potentially exploitable vulnerability in the way that Shorewall handles temporary files and directories has been found by Javier Fernández-Sanguino Peña. This vulnerability is corrected in Shorewall 2.0.3a. 
All Shorewall 2.0.x users are urged to upgrade to 2.0.3a.</para> </listitem> </itemizedlist> </section> <section> <title>Shorewall 2.0.2</title> <itemizedlist> <listitem> <para>Temporary restore files with names of the form <filename>restore-</filename><emphasis>nnnnn</emphasis> are left in /var/lib/shorewall.</para> </listitem> <listitem> <para>"shorewall restore" and "shorewall -f start" do not load kernel modules.</para> <para><emphasis role="bold">The above two problems are corrected in Shorewall 2.0.2a</emphasis></para> </listitem> <listitem> <para>Specifying a null common action in /etc/shorewall/actions (e.g., :REJECT) results in a startup error.</para> </listitem> <listitem> <para>If <filename>/var/lib/shorewall</filename> does not exist, <command>shorewall start</command> fails.</para> <para><emphasis role="bold">The above four problems are corrected in Shorewall 2.0.2b</emphasis></para> </listitem> <listitem> <para>DNAT rules work incorrectly with dynamic zones in that the source interface is not included in the nat table DNAT rule.</para> <para><emphasis role="bold">The above five problems are corrected in Shorewall 2.0.2c</emphasis></para> </listitem> <listitem> <para>During start and restart, Shorewall is detecting capabilities before loading kernel modules. 
Consequently, if kernel module autoloading is disabled, capabilities can be mis-detected during boot.</para> </listitem> <listitem> <para>The <emphasis>newnotsyn</emphasis> option in <filename>/etc/shorewall/hosts</filename> has no effect.</para> <para><emphasis role="bold">The above seven problems are corrected in Shorewall 2.0.2d</emphasis></para> </listitem> <listitem> <para>Use of the LOG target in an action results in two LOG or ULOG rules.</para> <para><emphasis role="bold">The above eight problems are corrected in Shorewall 2.0.2e</emphasis></para> </listitem> <listitem> <para>Kernel modules fail to load when MODULE_SUFFIX isn't set in <filename>shorewall.conf</filename>.</para> <para><emphasis role="bold">All of the above problems are corrected in Shorewall 2.0.2f</emphasis></para> </listitem> </itemizedlist> <para>These problems are all corrected by the <filename>firewall</filename> and <filename>functions</filename> files in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>. Both files must be installed in <filename>/usr/share/shorewall/</filename> as described above.</para> </section> <section> <title>Shorewall 2.0.1</title> <itemizedlist> <listitem> <para>Confusing messages mentioning IPV6 occur at startup.</para> </listitem> <listitem> <para>Modules listed in /etc/shorewall/modules don't load or produce errors on Mandrake 10.0 Final.</para> </listitem> <listitem> <para>The <command>shorewall delete</command> command does not remove all dynamic rules pertaining to the host(s) being deleted.</para> </listitem> </itemizedlist> <para>These problems are corrected in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this firewall script</ulink> which may be installed in <filename>/usr/share/shorewall/firewall</filename> as described above.</para> <itemizedlist> <listitem> <para>When run on a SuSE system, the install.sh script fails to configure Shorewall to start at boot time. 
That problem is corrected in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this version of the script</ulink>.</para> </listitem> </itemizedlist> </section> <section> <title>Shorewall 2.0.1/2.0.0</title> <itemizedlist> <listitem> <para>On Debian systems, an install using the tarball results in an inability to start Shorewall at system boot. If you already have this problem, install <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this file</ulink> as /etc/init.d/shorewall (replacing the existing file with that name). If you are just installing or upgrading to Shorewall 2.0.0 or 2.0.1, then replace the <filename>init.debian.sh</filename> file in the Shorewall distribution directory (shorewall-2.0.x) with the updated file before running <command>install.sh</command> from that directory.</para> </listitem> </itemizedlist> </section> <section> <title>Shorewall 2.0.0</title> <itemizedlist> <listitem> <para>When using an Action in the ACTIONS column of a rule, you may receive a warning message about the rule being a policy. 
While this warning may be safely ignored, it can be eliminated by installing the script from the link below.</para> </listitem> <listitem> <para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP and IPSEC has been corrected.</para> </listitem> </itemizedlist> <para>The first problem has been corrected in Shorewall update 2.0.0a.</para> <para>Both of these problems may be corrected by installing <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this firewall script</ulink> in /usr/share/shorewall/firewall as described above.</para> </section> </section> <section> <title>Upgrade Issues</title> <para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a separate page</ulink>.</para> </section> <section> <title>Problem with iptables 1.2.9</title> <para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs, Final) or later, then you need to patch your iptables 1.2.9 with <ulink url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this patch</ulink> or you need to use the <ulink url="http://www.netfilter.org/downloads.html#cvs">CVS version of iptables</ulink>.</para> </section> <section> <title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to 2.4.21-RC1)</title> <para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT --reject-with tcp-reset</quote> is broken. The symptom most commonly seen is that REJECT rules act just like DROP rules when dealing with TCP: instead of an immediate connection refusal, clients hang until their connection attempt times out. A kernel patch and precompiled modules to fix this problem are available at <ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink>.</para> <note> <para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para> </note> </section> </article>