End-of-life for Shorewall-shell in Shorewall 4.4

Attention Shorewall-perl 4.2 Users

Shorewall-perl 4.2.8

1. It was not possible to start Shorewall or Shorewall6 for the first time after installing 4.2.8
2. Changes to the configuration were apparently ignored.

Shorewall-perl 4.2.6 and Earlier

1. Only occurs when there are multiple non-firewall zones.
2. Results in the following interface options not being applied to forwarded traffic.

• Upgrade to Shorewall-perl-4.2.6.1 or later; or
• Apply the patch found at:

 patch /usr/share/shorewall-perl/Shorewall/Rules.pm < forward.patch

Attention Users of Shorewall's Multi-ISP Feature

A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and Shorewall-shell 4.0.0-4.0.2 prevents proper handling of PREROUTING marks when HIGH_ROUTE_MARKS=No and the track option is specified. Patches are available to correct this problem:

Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff

Shorewall version 3.4.4-3.4.6: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.66/errata/patches/Shorewall/patch-3.4.6-1.diff

Shorewall-shell version 4.0.0-4.0.2: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff

Note that a patch may succeed with an offset when applied to a release other than the one for which it was specifically prepared. For example, when the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release 3.2.10) is applied to release 3.4.3, the following is the result:

root@wookie:~# cd /usr/share/shorewall
root@wookie/usr/share/shorewall#: patch < ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff 
patching file compiler
Hunk #1 succeeded at 958 (offset -1669 lines).
root@wookie:/usr/share/shorewall#

Update -- 7 November 2007

A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and 4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks when HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this problem:

Shorewall version 3.2.3-3.2.11: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff

Shorewall version 3.4.0-3.4.7: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff

Shorewall version 4.0.0-4.0.5: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff and http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff.

Attention Users of BRIDGING=Yes

In Linux Kernel version 2.6.20, the Netfilter team changed Physdev Match so that it is no longer capable of supporting BRIDGING=Yes. The solutions available to users are to either:

1. Switch to using the technique described at http://www.shorewall.net/3.0/NewBridge.html; or
   
2. Upgrade to Shorewall 4.0, migrate to using Shorewall-perl, and follow the instructions at http://www1.shorewall.net/bridge-Shorewall-perl.html.

The first approach allows you to switch back and forth between kernels older and newer than 2.6.20. The second approach is a better long-term solution.

Attention Users of Kernel 2.4