Shorewall Errata
Tom
Eastep
2005-07-17
2001-2005
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
If you use a Windows system to download a corrected script, be
sure to run the script through dos2unix
after you have moved it to your Linux system.
If you are installing Shorewall for the first time and plan to
use the .tgz and install.sh script, you can untar the archive, replace
the firewall
script in the untarred directory with the
one you downloaded below, and then run install.sh.
When the instructions say to install a corrected firewall script
in /usr/share/shorewall/firewall, you may rename the existing file
before copying in the new file.
DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 2.0.2 firewall
script if you are running 2.0.0-RC2
RFC1918 File
Here
is the most up to date version of the rfc1918 file. This file only applies to Shorewall versions 1.4.* and 2.0.0
and its bugfix updates. In Shorewall 2.0.1 and later releases,
the bogons file lists IP ranges that are reserved by
the IANA and the rfc1918 file only lists those three
ranges that are reserved by RFC 1918.
Bogons File
Here
is the most up to date version of the bogons file. This file only applies to Shorewall versions 2.0.1 and
later.
Problems in Version 2.2 and Later
Beginning with Shorewall version 2.2.0, errata will not be published
on this page. Rather, the download directory for each version will
contain:
A known_problems.txt file. This file will
list all known problems and will describe to any corrections or
workarounds available.
An errata sub-directory.
This directory will contain updated components that correct problems
listed in the known_problems.txt file.
Problems in Version 2.0
Shorewall 2.0.17
Users specifying TCP_FLAGS_LOG_LEVEL=ULOG will find that
"shorewall [re]start" fails with the following error:
iptables v1.3.2: Unknown arg `--log-ip-options'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/usr/sbin/iptables -A logflags -j ULOG --log-ip-options --ulog-prefix "Shorewall:logflags:DROP:"" Failed
Install the 'firewall'
script in the errata directory into
/usr/share/shorewall/firewall replacing the file by that
name.
Setting MACLIST_DISPOSITION=ACCEPT opens a serious security
vulnerability. Install the 'firewall'
script in the errata directoryinto
/usr/share/shorewall/firewall replacing the file by that
name.
Shorewall 2.0.15-2.0.16
If the "rejNotSyn" action is invoked, an error occurs at
startup.
Corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 2.0.12
The "shorewall add" command produces the error message:
/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found
You can correct the problem yourself by editing
/usr/share/shorewall/firewall and on line 5805, replace match_destination_hosts with match_dest_hosts.
Corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 2.0.10
The initial packages uploaded to the FTP and HTTP servers were
incorrect. Here are the MD5 sums of the incorrect packages.
14e8f2bfa08cc5ca2715c8b1179d5eb2 shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a shorwall-2.0.10.lrp
These incorrect packages have been replaced with correct ones
having the following MD5 sums:
d5af452d38538b4b994c3c4abab8e012 shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf shorwall-2.0.10.lrp
If you have installed an incorrect package, please replace
/sbin/shorewall with this
file.
Shorewall 2.0.3 through 2.0.8
An empty PROTO column in /etc/shorewall/tcrules produced
iptables errors during shorewall start. A value
of all in that column produced a similar
error.
Corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 2.0.3a through 2.0.7
Entries in the USER/GROUP column of an action file (made from
action.template) may be ignored or cause odd errors.
Corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 2.0.3a through 2.0.4
Error messages regarding $RESTOREBASE occur during shorewall stop if DISABLE_IPV6=Yes in
shorewall.conf.
Corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above. Also fixed in
Shorewall Version 2.0.5.
Shorewall 2.0.2 and all Shorewall 2.0.3 Releases.
DNAT rules with fw as the
source zone and that specify logging cause shorewall
start to fail with an iptables error. The problem is
corrected for Shorewall 2.0.3 users in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 2.0.3a and 2.0.3b
Error messages regarding $RESTOREBASE occur during shorewall stop.
If CLEAR_TC=Yes in shorewall.conf,
shorewall stop fails without
removing the lock file.
The above problems are corrected in Shorewall version
2.0.3c.
Shorewall 2.0.3a
Slackware users find that version 2.0.3a fails to start
because their mktemp utility does not support the
-d option. This may be corrected by installing this
corrected functions file in /var/lib/shorewall/functions.
Shorewall fails to start if there is no
mktemp utility.
These problems are corrected in Shorewall version 2.0.3b.
Shorewall 2.0.3
A non-empty entry in the DEST column of /etc/shorewall/tcrules
will result in an error message and Shorewall fails to start. This
problem is fixed in Shorewall version 2.0.3a.
A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories has been found by
Javier Fernández-Sanguino Peña. This vulnerability is corrected in
Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to
2.0.3a.
Shorewall 2.0.2
Temporary restore files with names of the form
restore-nnnnn are left in
/var/lib/shorewall.
"shorewall restore" and "shorewall -f start" do not load
kernel modules.
The above two problems are corrected in
Shorewall 2.0.2a
Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.
If /var/lib/shorewall does not exist,
shorewall start fails.
The above four problems are corrected in
Shorewall 2.0.2b
DNAT rules work incorrectly with dynamic zones in that the
source interface is not included in the nat table DNAT rule.
The above five problems are corrected in
Shorewall 2.0.2c
During start and restart, Shorewall is detecting capabilities
before loading kernel modules. Consequently, if kernel module
autoloading is disabled, capabilities can be mis-detected during
boot.
The newnotsyn option in
/etc/shorewall/hosts has no effect.
The above seven problems are corrected
in Shorewall 2.0.2d
Use of the LOG target in an action results in two LOG or ULOG
rules.
The above eight problems are corrected
in Shorewall 2.0.2e
Kernel modules fail to load when MODULE_SUFFIX isn't set in
shorewall.conf
All of the above problems are corrected
in Shorewall 2.0.2f
These problems are all corrected by the
firewall and functions files
in this
directory. Both files must be installed in
/usr/share/shorewall/ as described above.
Shorewall 2.0.1
Confusing message mentioning IPV6 occur at startup.
Modules listed in /etc/shorewall/modules don't load or produce
errors on Mandrake 10.0 Final.
The shorewall delete command does not
remove all dynamic rules pertaining to the host(s) being
deleted.
These problems are corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described
above.
When run on a SuSE system, the install.sh script fails to
configure Shorewall to start at boot time. That problem is corrected
in this
version of the script.
Shorewall 2.0.1/2.0.0
On Debian systems, an install using the tarball results in an
inability to start Shorewall at system boot. If you already have
this problem, install this
file as /etc/init.d/shorewall (replacing the existing file
with that name). If you are just installing or upgrading to
Shorewall 2.0.0 or 2.0.1, then replace the
init.debian.sh file in the Shorewall
distribution directory (shorewall-2.0.x) with the updated file
before running install.sh from that
directory.
Shorewall 2.0.0
When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it can be eliminated by installing
the script from the link below.
Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.
The first problem has been corrected in Shorewall update
2.0.0a.
All of these problems may be corrected by installing this
firewall script in /usr/share/shorewall as described
above.
Upgrade Issues
The upgrade issues have moved to a
separate page.
Problem with iptables 1.2.9
If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
Final) or later then you need to patch your iptables 1.2.9 with this
patch or you need to use the CVS version of
iptables.
Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)
Beginning with errata kernel 2.4.20-13.9, REJECT
--reject-with tcp-reset
is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel
RedHat have corrected this problem in their 2.4.20-27.x
kernels.