Shorewall Errata/Upgrade Issues

IMPORTANT

If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.
If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.
If you are running a Shorewall version earlier than 1.3.11, when the instructions say to install a corrected firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall are symbolic links that point to the 'shorewall' file used by your system initialization scripts to start Shorewall during boot. It is that file that must be overwritten with the corrected script. Beginning with Shorewall 1.3.11, you may rename the existing file before copying in the new file.
DO NOT INSTALL CORRECTED COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.

Upgrade Issues
Problems in Version 1.3
Problems in Version 1.2
Problems in Version 1.1
Problem with iptables version 1.2.3 on RH7.2
Problems with kernels >= 2.4.18 and RedHat iptables
Problems installing/upgrading RPM on SuSE
Problems with iptables version 1.2.7 and MULTIPORT=Yes
Problems with RH Kernel 2.4.18-10 and NAT

Problems in Version 1.3

Version 1.3.14

There is an updated rfc1918 file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.

The documentation for the routestopped file claimed that a comma-separated list could appear in the second column while the code only supported a single host or network address.
Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.
802.11b devices with names of the form wlan<n> don't support the 'maclist' interface option.
Log messages generated by RFC 1918 filtering are not rate limited.
The firewall fails to start in the case where you have "eth0 eth1" in /etc/shorewall/masq and the default route is through eth1.

These problems have been corrected in this firewall script which may be installed in /usr/lib/shorewall as described above.

Version 1.3.13

The 'shorewall add' command produces an error message referring to 'find_interfaces_by_maclist'.
The 'shorewall delete' command can leave behind undeleted rules.
The 'shorewall add' command can fail with "iptables: Index of insertion too big".

All three problems are corrected by this firewall script which may be installed in /usr/lib/shorewall as described above.

VLAN interface names of the form "ethn.m" (e.g., eth0.1) are not supported in this version or in 1.3.12. If you need such support, post on the users list and I can provide you with a patched version.

Version 1.3.12

If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected by this firewall script which may be installed in /usr/lib/shorewall as described above.
VLAN interface names of the form "ethn.m" (e.g., eth0.1) are not supported in this version or in 1.3.13. If you need such support, post on the users list and I can provide you with a patched version.

Version 1.3.12 LRP

The .lrp was missing the /etc/shorewall/routestopped file -- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.

Version 1.3.11a

This copy of /etc/shorewall/rfc1918 reflects the recent allocation of 82.0.0.0/8.

Version 1.3.11

When installing/upgrading using the .rpm, you may receive the following warnings:

user teastep does not exist - using root
group teastep does not exist - using root

These warnings are harmless and may be ignored. Users downloading the .rpm from shorewall.net or mirrors should no longer see these warnings as the .rpm you will get from there has been corrected.
DNAT rules that exclude a source subzone (SOURCE column contains ! followed by a sub-zone list) result in an error message and Shorewall fails to start.

Install this corrected script in /usr/lib/shorewall/firewall to correct this problem. Thanks go to Roger Aich who analyzed this problem and provided a fix.

This problem is corrected in version 1.3.11a.

Version 1.3.10

If you experience problems connecting to a PPTP server running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, this version of the firewall script may help. Please report any cases where installing this script in /usr/lib/shorewall/firewall solved your connection problems. Beginning with version 1.3.10, it is safe to save the old version of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall is the real script now and not just a symbolic link to the real script.

Version 1.3.9a

If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then the following message appears during "shorewall [re]start":

          recalculate_interfacess: command not found

The updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described above.

Alternatively, edit /usr/lob/shorewall/firewall and change the single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' to 'recalculate_interface'.

The installer (install.sh) issues a misleading message "Common functions installed in /var/lib/shorewall/functions" whereas the file is installed in /usr/lib/shorewall/functions. The installer also performs incorrectly when updating old configurations that had the file /etc/shorewall/functions. Here is an updated version that corrects these problems.

Version 1.3.9

TUNNELS Broken in 1.3.9!!! There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall -- copy that file to /usr/lib/shorewall/firewall as described above.

Version 1.3.8

Use of shell variables in the LOG LEVEL or SYNPARMS columns of the policy file doesn't work.
A DNAT rule with the same original and new IP addresses but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")

Installing this corrected firewall script in /var/lib/shorewall/firewall as described above corrects these problems.

Version 1.3.7b

DNAT rules where the source zone is 'fw' ($FW) result in an error message. Installing this corrected firewall script in /var/lib/shorewall/firewall as described above corrects this problem.

Version 1.3.7a

"shorewall refresh" is not creating the proper rule for FORWARDPING=Yes. Consequently, after "shorewall refresh", the firewall will not forward icmp echo-request (ping) packets. Installing this corrected firewall script in /var/lib/shorewall/firewall as described above corrects this problem.

Version <= 1.3.7a

If "norfc1918" and "dhcp" are both specified as options on a given interface then RFC 1918 checking is occurring before DHCP checking. This means that if a DHCP client broadcasts using an RFC 1918 source address, then the firewall will reject the broadcast (usually logging it). This has two problems:

If the firewall is running a DHCP server, the client won't be able to obtain an IP address lease from that server.
With this order of checking, the "dhcp" option cannot be used as a noise-reduction measure where there are both dynamic and static clients on a LAN segment.

This version of the 1.3.7a firewall script corrects the problem. It must be installed in /var/lib/shorewall as described above.

Version 1.3.7

Version 1.3.7 dead on arrival -- please use version 1.3.7a and check your version against these md5sums -- if there's a difference, please download again.

	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp

In other words, type "md5sum <whatever package you downloaded> and compare the result with what you see above.

I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7 version in each sequence from now on.

Version 1.3.6

If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, an error occurs when the firewall script attempts to add an SNAT alias.
The logunclean and dropunclean options cause errors during startup when Shorewall is run with iptables 1.2.7.

These problems are fixed in this correct firewall script which must be installed in /var/lib/shorewall/ as described above. These problems are also corrected in version 1.3.7.

Two-interface Samples 1.3.6 (file two-interfaces.tgz)

A line was inadvertently deleted from the "interfaces file" -- this line should be added back in if the version that you downloaded is missing it:

net eth0 detect routefilter,dhcp,norfc1918

If you downloaded two-interfaces-a.tgz then the above line should already be in the file.

Version 1.3.5-1.3.5b

The new 'proxyarp' interface option doesn't work :-( This is fixed in this corrected firewall script which must be installed in /var/lib/shorewall/ as described above.

Versions 1.3.4-1.3.5a

Prior to version 1.3.4, host file entries such as the following were allowed:

	adm	eth0:1.2.4.5,eth0:5.6.7.8

That capability was lost in version 1.3.4 so that it is only possible to include a single host specification on each line. This problem is corrected by this modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall as instructed above.

This problem is corrected in version 1.3.5b.

Version 1.3.5

REDIRECT rules are broken in this version. Install this corrected firewall script in /var/lib/pub/shorewall/firewall as instructed above. This problem is corrected in version 1.3.5a.

Version 1.3.n, n < 4

The "shorewall start" and "shorewall restart" commands to not verify that the zones named in the /etc/shorewall/policy file have been previously defined in the /etc/shorewall/zones file. The "shorewall check" command does perform this verification so it's a good idea to run that command after you have made configuration changes.

Version 1.3.n, n < 3

If you have upgraded from Shorewall 1.2 and after "Activating rules..." you see the message: "iptables: No chains/target/match by that name" then you probably have an entry in /etc/shorewall/hosts that specifies an interface that you didn't include in /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and later versions produce a clearer error message in this case.

Version 1.3.2

Until approximately 2130 GMT on 17 June 2002, the download sites contained an incorrect version of the .lrp file. That file can be identified by its size (56284 bytes). The correct version has a size of 38126 bytes.

The code to detect a duplicate interface entry in /etc/shorewall/interfaces contained a typo that prevented it from working correctly.
"NAT_BEFORE_RULES=No" was broken; it behaved just like "NAT_BEFORE_RULES=Yes".

Both problems are corrected in this script which should be installed in /var/lib/shorewall as described above.

The IANA have just announced the allocation of subnet 221.0.0.0/8. This updated rfc1918 file reflects that allocation.

Version 1.3.1

TCP SYN packets may be double counted when LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each packet is sent through the limit chain twice).
An unnecessary jump to the policy chain is sometimes generated for a CONTINUE policy.
When an option is given for more than one interface in /etc/shorewall/interfaces then depending on the option, Shorewall may ignore all but the first appearence of the option. For example:

net eth0 dhcp
loc eth1 dhcp

Shorewall will ignore the 'dhcp' on eth1.
Update 17 June 2002 - The bug described in the prior bullet affects the following options: dhcp, dropunclean, logunclean, norfc1918, routefilter, multi, filterping and noping. An additional bug has been found that affects only the 'routestopped' option.

Users who downloaded the corrected script prior to 1850 GMT today should download and install the corrected script again to ensure that this second problem is corrected.

These problems are corrected in this firewall script which should be installed in /etc/shorewall/firewall as described above.

Version 1.3.0

Folks who downloaded 1.3.0 from the links on the download page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than 1.3.0. The "shorewall version" command will tell you which version that you have installed.
The documentation NAT.htm file uses non-existent wallpaper and bullet graphic files. The corrected version is here.

Upgrade Issues

The upgrade issues have moved to a separate page.

Problem with iptables version 1.2.3

There are a couple of serious bugs in iptables 1.2.3 that prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2.

I have built a corrected 1.2.3 rpm which you can download here and I have also built an iptables-1.2.4 rpm which you can download here. If you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch which corrects a problem with parsing of the --log-level specification while this patch corrects a problem in handling the TOS target.

To install one of the above patches:

cd iptables-1.2.3/extensions

patch -p0 < the-patch-file

Problems with kernels >= 2.4.18 and RedHat iptables

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:
# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
The RedHat iptables RPM is compiled with debugging enabled but the user-space debugging code was not updated to reflect recent changes in the Netfilter 'mangle' table. You can correct the problem by installing this iptables RPM. If you are already running a 1.2.5 version of iptables, you will need to specify the --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

Problems installing/upgrading RPM on SuSE

If you find that rpm complains about a conflict with kernel <= 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" option to rpm.

Installing: rpm -ivh --nodeps <shorewall rpm>

Upgrading: rpm -Uvh --nodeps <shorewall rpm>

Problems with iptables version 1.2.7 and MULTIPORT=Yes

The iptables 1.2.7 release of iptables has made an incompatible change to the syntax used to specify multiport match rules; as a consequence, if you install iptables 1.2.7 you must be running Shorewall 1.3.7a or later or:

set MULTIPORT=No in /etc/shorewall/shorewall.conf; or
if you are running Shorewall 1.3.6 you may install this firewall script in /var/lib/shorewall/firewall as described above.

Problems with RH Kernel 2.4.18-10 and NAT

/etc/shorewall/nat entries of the following form will result in Shorewall being unable to start:

#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
192.0.2.22      eth0            192.168.9.22    yes                     yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Error message is:

Setting up NAT...
iptables: Invalid argument
Terminated

The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT

Last updated 3/8/2003 - Tom Eastep