1)  The IPv6 allowBcast built-in action generates an invalid ip6tables
    rule. This defect is present in all versions of Shorewall that
    support IPv6.

    Fixed in Shorewall 4.4.10.1.

2)  If IPSET= is specified in shorewall.conf, then when an ipset is
    used in a configuration file entry, the following fatal
    compilation error occurs:

        ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/rules (line nn)

    You can work around this problem by executing the following at a
    root shell prompt:

        shorewall show -f capabilities > /etc/shorewall/capabilities

    Fixed in Shorewall 4.4.10.1.

    After installing this fix, if you executed the above command to
    work around the problem, we recommend that you remove
    /etc/shorewall/capabilities.

3)  On Debian and derivatives, shorewall-init is starting too late.
    To work around this issue, at a root prompt:

        cd /etc/rcS.d
        mv S38shorewall-init S08shorewall-init