Shorewall Errata/Upgrade Issues

IMPORTANT

  1. If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.

  2. If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.

  3. When the instructions say to install a corrected firewall script in /usr/share/shorewall/firewall, you may rename the existing file before copying in the new file.

  4. DO NOT INSTALL CORRECTED COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.


Problems in Version 1.4

1.4.6

1.4.4b

1.4.4-1.4.4a

1.4.4

1.4.3

1.4.2

1.4.1a, 1.4.1 and 1.4.0

1.4.1

1.4.0


Upgrade Issues

The upgrade issues have moved to a separate page.


Problem with iptables version 1.2.3

There are a couple of serious bugs in iptables 1.2.3 that prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2. 

I have built a corrected 1.2.3 rpm which you can download here  and I have also built an iptables-1.2.4 rpm which you can download here. If you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch which corrects a problem with parsing of the --log-level specification while this patch corrects a problem in handling the  TOS target.

To install one of the above patches:

Problems with kernels >= 2.4.18 and RedHat iptables

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:

# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)

The RedHat iptables RPM is compiled with debugging enabled but the user-space debugging code was not updated to reflect recent changes in the Netfilter 'mangle' table. You can correct the problem by installing this iptables RPM. If you are already running a 1.2.5 version of iptables, you will need to specify the --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

Problems installing/upgrading RPM on SuSE

If you find that rpm complains about a conflict with kernel <= 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" option to rpm.

Installing: rpm -ivh --nodeps <shorewall rpm>

Upgrading: rpm -Uvh --nodeps <shorewall rpm>

Problems with iptables version 1.2.7 and MULTIPORT=Yes

The iptables 1.2.7 release of iptables has made an incompatible change to the syntax used to specify multiport match rules; as a consequence, if you install iptables 1.2.7 you must be running Shorewall 1.3.7a or later or:

Problems with RH Kernel 2.4.18-10 and NAT

/etc/shorewall/nat entries of the following form will result in Shorewall being unable to start:

#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
192.0.2.22    eth0    192.168.9.22   yes     yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Error message is:
Setting up NAT...
iptables: Invalid argument
Terminated

The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT

Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to 2.4.21-RC1)

Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset" is broken. The symptom most commonly seen is that REJECT rules act just like DROP rules when dealing with TCP. A kernel patch and precompiled modules to fix this problem are available at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel.

Last updated 7/23/2003 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.