Shorewall Errata/Upgrade
Issues
|
IMPORTANT
-
If you use a Windows system to download
a corrected script, be sure to run the script through dos2unix after you have moved
it to your Linux system.
-
If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.
-
When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.
-
DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.
Problems in Version 1.4
1.4.6
- If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR: Traffic Control
requires Mangle";
that problem has been corrected in this
firewall script which may be installed in
/var/share/shorewall/firewall as described above. This problem is also
corrected in bugfix release 1.4.6a.
- This problem occurs in all versions supporting traffic control.
If a MAC address is used in the SOURCE column, an error occurs as
follows:
iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in this
firewall script which may be installed in
/var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your
'firewall'
script (in versions 1.4.*, it is located in
/usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:
r=`mac_match
$source`
with
r="`mac_match
$source` "
Note that there must be a space before the ending quote!
1.4.4b
- Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing this firewall script in
/usr/share/shorewall/firewall as
described above.
- The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing this functions script in
/usr/share/shorewall/functions.
1.4.4-1.4.4a
- Log messages are being displayed on the system console even
though the log level for the console is set properly according to FAQ 16. This problem may be corrected by
installing this firewall script in
/usr/share/shorewall/firewall as
described above.
1.4.4
- If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..
1.4.3
- The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net.
The updated files may be found at ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/.
See the 0README.txt file for details.
1.4.2
- When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be
corrected by installing this firewall script in
/usr/share/shorewall/firewall as
described above.
1.4.1a, 1.4.1 and 1.4.0
- Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST
response. This problem is corrected in this updated common.def file which may be installed
in /etc/shorewall/common.def.
1.4.1
- When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:
/usr/share/shorewall/firewall: line 2174: [: =:
unary operator expected
You may correct the problem by installing this corrected script in
/usr/share/shorewall/firewall as described above.
1.4.0
- When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install this
correct script in /usr/share/shorewall/firewall as described above.
Upgrade Issues
The upgrade issues have moved to a separate page.
Problem
with iptables version 1.2.3
There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2.
I have built a
corrected 1.2.3 rpm which you can download here and I have
also built an
iptables-1.2.4 rpm which you can download here. If you are
currently running RedHat 7.1, you can install either of these RPMs before
you upgrade to RedHat 7.2.
Update 11/9/2001: RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html.
I have installed this RPM on my firewall and
it works fine.
If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This patch
which corrects a problem with parsing of the --log-level specification
while this patch
corrects a problem in handling the TOS target.
To install one of the above patches:
- cd iptables-1.2.3/extensions
- patch -p0 < the-patch-file
Problems with kernels >= 2.4.18 and
RedHat iptables
Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:
# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
this iptables RPM. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").
Problems installing/upgrading RPM on SuSE
If you find that rpm complains about a conflict with kernel <=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.
Installing: rpm -ivh --nodeps <shorewall rpm>
Upgrading: rpm -Uvh --nodeps <shorewall rpm>
Problems with iptables version 1.2.7 and
MULTIPORT=Yes
The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:
- set MULTIPORT=No in /etc/shorewall/shorewall.conf; or
- if you are running Shorewall 1.3.6 you may install
this firewall script in /var/lib/shorewall/firewall as described
above.
Problems with RH Kernel 2.4.18-10 and NAT
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
192.0.2.22 eth0 192.168.9.22 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Error message is:
Setting up NAT...
iptables: Invalid argument
Terminated
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
Problems with RH Kernels after 2.4.20-9
and REJECT
(also applies to 2.4.21-RC1)
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch
and precompiled modules to fix this problem are available at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel.
Last updated 7/23/2003 - Tom
Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.