Shorewall Errata/Upgrade Issues

IMPORTANT

  1. If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.

  2. If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.

  3. When the instructions say to install a corrected firewall script in /etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall are symbolic links that point to the 'shorewall' file used by your system initialization scripts to start Shorewall during boot. It is that file that must be overwritten with the corrected script.


Upgrade Issues

Version >= 1.3.7

Users specifying ALLOWRELATED=No in /etc/shorewall.conf will need to include the following rules in their /etc/shorewall/icmpdef file (creating this file if necessary):

	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT

Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" command from that file since the icmp.def file is now empty.

Upgrading Bering to Shorewall >= 1.3.3

To properly upgrade with Shorewall version 1.3.3 and later:

  1. Be sure you have a backup -- you will need to transcribe any Shorewall configuration changes that you have made to the new configuration.
  2. Replace the shorwall.lrp package provided on the Bering floppy with the later one. If you did not obtain the later version from Jacques's site, see additional instructions below.
  3. Edit the /var/lib/lrpkg/root.exclude.list file and remove the /var/lib/shorewall entry if present. Then do not forget to backup root.lrp !

The .lrp that I release isn't set up for a two-interface firewall like Jacques's. You need to follow the instructions for setting up a two-interface firewall plus you also need to add the following two Bering-specific rules to /etc/shorewall/rules:

# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80

Version >= 1.3.6

If you have a pair of firewall systems configured for failover, you will need to modify your firewall setup slightly under Shorewall versions >= 1.3.6.

  1. Create the file /etc/shorewall/newnotsyn and in it add the following rule

    run_iptables -A newnotsyn -j RETURN # So that the connection tracking table can be rebuilt
                                        # from non-SYN packets after takeover.
     

  2. Create /etc/shorewall/common (if you don't already have that file) and include the following:

    run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
                                                                        #tracking table.
    . /etc/shorewall/common.def

Versions >= 1.3.5

Some forms of pre-1.3.0 rules file syntax are no longer supported.

Example 1:

	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all

Must be replaced with:

	DNAT	net	loc:192.168.1.12:22	tcp	11111

Example 2:

	ACCEPT	loc	fw::3128	tcp	80	-	all

Must be replaced with:

	REDIRECT	loc	3128	tcp	80

Problems in Version 1.3

Version 1.3.6

These problems are fixed in this correct firewall script which must be installed in /var/lib/shorewall/ as described above. These problems are also corrected in version 1.3.7.

Two-interface Samples 1.3.6 (file two-interfaces.tgz)

A line was inadvertently deleted from the "interfaces file" -- this line should be added back in if the version that you downloaded is missing it:

net    eth0    detect    routefilter,dhcp,norfc1918

If you downloaded two-interfaces-a.tgz then the above line should already be in the file.

Version 1.3.5-1.3.5b

The new 'proxyarp' interface option doesn't work :-( This is fixed in this corrected firewall script which must be installed in /var/lib/shorewall/ as described above.

Versions 1.3.4-1.3.5a

Prior to version 1.3.4, host file entries such as the following were allowed:

	adm	eth0:1.2.4.5,eth0:5.6.7.8

That capability was lost in version 1.3.4 so that it is only possible to  include a single host specification on each line. This problem is corrected by this modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall as instructed above.

This problem is corrected in version 1.3.5b.

Version 1.3.5

REDIRECT rules are broken in this version. Install this corrected firewall script in /var/lib/pub/shorewall/firewall as instructed above. This problem is corrected in version 1.3.5a.

Version 1.3.n, n < 4

The "shorewall start" and "shorewall restart" commands to not verify that the zones named in the /etc/shorewall/policy file have been previously defined in the /etc/shorewall/zones file. The "shorewall check" command does perform this verification so it's a good idea to run that command after you have made configuration changes.

Version 1.3.n, n < 3

If you have upgraded from Shorewall 1.2 and after "Activating rules..." you see the message: "iptables: No chains/target/match by that name" then you probably have an entry in /etc/shorewall/hosts that specifies an interface that you didn't include in /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and later versions produce a clearer error message in this case.

Version 1.3.2

Until approximately 2130 GMT on 17 June 2002, the download sites contained an incorrect version of the .lrp file. That file can be identified by its size (56284 bytes). The correct version has a size of 38126 bytes.

Both problems are corrected in this script which should be installed in /var/lib/shorewall as described above.

Version 1.3.1

These problems are corrected in this firewall script which should be installed in /etc/shorewall/firewall as described above.

Version 1.3.0


Problem with iptables version 1.2.3

There are a couple of serious bugs in iptables 1.2.3 that prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2. 

I have built a corrected 1.2.3 rpm which you can download here  and I have also built an iptables-1.2.4 rpm which you can download here. If you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch which corrects a problem with parsing of the --log-level specification while this patch corrects a problem in handling the  TOS target.

To install one of the above patches:

Problems with kernels >= 2.4.18 and RedHat iptables

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:

# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)

The RedHat iptables RPM is compiled with debugging enabled but the user-space debugging code was not updated to reflect recent changes in the Netfilter 'mangle' table. You can correct the problem by installing this iptables RPM. If you are already running a 1.2.5 version of iptables, you will need to specify the --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

Problems installing/upgrading RPM on SuSE

If you find that rpm complains about a conflict with kernel <= 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" option to rpm.

Installing: rpm -ivh <shorewall rpm>

Upgrading: rpm -Uvh <shorewall rpm>

Problems with iptables version 1.2.7 and MULTIPORT=Yes

The iptables 1.2.7 release of iptables has made an incompatible change to the syntax used to specify multiport match rules; as a consequence, if you install iptables 1.2.7 you must

Last updated 8/22/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.