mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 04:04:10 +01:00
8e93d3b6ec
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2380 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
534 lines
19 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>Shorewall Errata</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2005-07-17</pubdate>

    <copyright>
      <year>2001-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <itemizedlist>
      <listitem>
        <para>If you use a Windows system to download a corrected script, be
        sure to run the script through <ulink
        url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
        after you have moved it to your Linux system.</para>
      </listitem>

      <listitem>
        <para>If you are installing Shorewall for the first time and plan to
        use the .tgz and install.sh script, you can untar the archive, replace
        the <quote>firewall</quote> script in the untarred directory with the
        one you downloaded below, and then run install.sh.</para>
      </listitem>

      <listitem>
        <para>When the instructions say to install a corrected firewall script
        in /usr/share/shorewall/firewall, you may rename the existing file
        before copying in the new file.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
        RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
        BELOW.</emphasis> For example, do NOT install the 2.0.2 firewall
        script if you are running 2.0.0-RC2.</para>
      </listitem>
    </itemizedlist>
  </caution>

  <section>
    <title>RFC1918 File</title>

    <para><ulink
    url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#rfc1918">rfc1918 file</ulink>. <emphasis
    role="bold">This file only applies to Shorewall versions 1.4.* and 2.0.0
    and its bugfix updates</emphasis>. In Shorewall 2.0.1 and later releases,
    the <filename>bogons</filename> file lists IP ranges that are reserved by
    the IANA and the <filename>rfc1918</filename> file only lists those three
    ranges that are reserved by <ulink
    url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
  </section>

  <section>
    <title>Bogons File</title>

    <para><ulink
    url="http://shorewall.net/pub/shorewall/errata/2.0.10/bogons">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#Bogons">bogons file</ulink>. <emphasis
    role="bold">This file only applies to Shorewall versions 2.0.1 and
    later.</emphasis></para>
  </section>

  <section>
    <title>Problems in Version 2.2 and Later</title>

    <para>Beginning with Shorewall version 2.2.0, errata will not be published
    on this page. Rather, the download directory for each version will
    contain:</para>

    <orderedlist>
      <listitem>
        <para>A <filename>known_problems.txt</filename> file. This file will
        list all known problems and will describe any corrections or
        workarounds available.</para>
      </listitem>

      <listitem>
        <para>An <filename class="directory">errata</filename> sub-directory.
        This directory will contain updated components that correct problems
        listed in the <filename>known_problems.txt</filename> file.</para>
      </listitem>
    </orderedlist>
  </section>

  <section>
    <title>Problems in Version 2.0</title>

    <section>
      <title>Shorewall 2.0.17</title>

      <itemizedlist>
        <listitem>
          <para>Users specifying TCP_FLAGS_LOG_LEVEL=ULOG will find that
          "shorewall [re]start" fails with the following error:</para>

          <programlisting>iptables v1.3.2: Unknown arg `--log-ip-options'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/usr/sbin/iptables -A logflags -j ULOG --log-ip-options --ulog-prefix "Shorewall:logflags:DROP:"" Failed</programlisting>

          <para>Install the <ulink
          url="http://www1.shorewall.net/pub/shorewall/errata/2.0.17/firewall">firewall
          script in the errata directory</ulink> into
          /usr/share/shorewall/firewall, replacing the file by that
          name.</para>
        </listitem>

        <listitem>
          <para>Setting MACLIST_DISPOSITION=ACCEPT opens a serious security
          vulnerability. Install the <ulink
          url="http://www1.shorewall.net/pub/shorewall/errata/2.0.17/firewall">firewall
          script in the errata directory</ulink> into
          /usr/share/shorewall/firewall, replacing the file by that
          name.</para>
        </listitem>
      </itemizedlist>
    </section>
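    <para>The error quoted above is the LOG target's --log-ip-options being
    handed to the ULOG target, which only accepts ULOG options such as
    --ulog-prefix. The shell functions below are an added example, not code
    from the Shorewall firewall script, and show how a rule generator can
    select the target and its options from the configured log level. The
    function names are assumed; the logflags chain and the prefix are taken
    from the error message above, and the command is printed rather than
    run.</para>

```shell
# Added example (not Shorewall code): build the target part of an iptables
# logging rule from a TCP_FLAGS_LOG_LEVEL-style value. The ULOG target accepts
# only its own options (--ulog-prefix, --ulog-nlgroup, ...); the LOG target's
# --log-level, --log-ip-options and --log-prefix must never be passed to it.

# log_target LEVEL PREFIX
#   Prints the "-j TARGET [options]" fragment for LEVEL, which is either a
#   syslog level (info, 6, ...) or the word ULOG.
log_target() {
    level=$1
    prefix=$2
    case "$level" in
        ULOG|ulog)
            printf '%s\n' "-j ULOG --ulog-prefix $prefix"
            ;;
        *)
            printf '%s\n' "-j LOG --log-level $level --log-ip-options --log-prefix $prefix"
            ;;
    esac
}

# logflags_rule LEVEL PREFIX
#   Prints the complete iptables command for the logflags chain, in the shape
#   of the command quoted in the error above. Nothing is executed.
logflags_rule() {
    printf '%s\n' "iptables -A logflags $(log_target "$1" "$2")"
}

# Demonstration: the same rule for a syslog level and for ULOG.
logflags_rule info "Shorewall:logflags:DROP:"
logflags_rule ULOG "Shorewall:logflags:DROP:"
```

    <para>With a level of ULOG the printed command carries no LOG-only
    options, which is exactly the check the failing command above did not
    make.</para>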

    <section>
      <title>Shorewall 2.0.15-2.0.16</title>

      <itemizedlist>
        <listitem>
          <para>If the "rejNotSyn" action is invoked, an error occurs at
          startup.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.16/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.12</title>

      <itemizedlist>
        <listitem>
          <para>The "shorewall add" command produces the error message:</para>

          <programlisting>/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found</programlisting>

          <para>You can correct the problem yourself by editing
          /usr/share/shorewall/firewall and on line 5805, replace <emphasis
          role="bold">match_destination_hosts</emphasis> with <emphasis
          role="bold">match_dest_hosts</emphasis>.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.12/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.10</title>

      <para>The initial packages uploaded to the FTP and HTTP servers were
      incorrect. Here are the MD5 sums of the incorrect packages.</para>

      <programlisting>14e8f2bfa08cc5ca2715c8b1179d5eb2 shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a shorwall-2.0.10.lrp</programlisting>

      <para>These incorrect packages have been replaced with correct ones
      having the following MD5 sums:</para>

      <programlisting>d5af452d38538b4b994c3c4abab8e012 shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf shorwall-2.0.10.lrp</programlisting>

      <para>If you have installed an incorrect package, please replace
      <filename>/sbin/shorewall</filename> with <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.10/shorewall">this
      file</ulink>.</para>
    </section>
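    <para>As an added example (not part of the Shorewall distribution), the
    script below checks a downloaded 2.0.10 package against both lists above
    and reports whether the file is one of the withdrawn packages, one of
    the replacements, or neither. The sums are the ones published above; the
    function names are assumed.</para>

```shell
# Added example (not Shorewall code): classify a downloaded 2.0.10 package by
# its MD5 sum using the two lists published in the errata above.

# Sums of the incorrect packages that were briefly on the servers.
BAD_SUMS='14e8f2bfa08cc5ca2715c8b1179d5eb2 shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a shorwall-2.0.10.lrp'

# Sums of the replacement packages.
GOOD_SUMS='d5af452d38538b4b994c3c4abab8e012 shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf shorwall-2.0.10.lrp'

# md5_of FILE: print the MD5 hex digest of FILE with whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>/dev/null; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>/dev/null; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# classify_sum SUM NAME: print "incorrect", "correct" or "unknown" depending
# on whether SUM is listed for package NAME in one of the tables above.
classify_sum() {
    sum=$1
    name=$2
    if printf '%s\n' "$BAD_SUMS" | grep -q "^$sum  *$name\$"; then
        printf '%s\n' incorrect
    elif printf '%s\n' "$GOOD_SUMS" | grep -q "^$sum  *$name\$"; then
        printf '%s\n' correct
    else
        printf '%s\n' unknown
    fi
}

# check_package PATH: hash the file and classify it by its base name.
check_package() {
    classify_sum "$(md5_of "$1")" "$(basename "$1")"
}

# Usage: check_package /path/to/shorewall-2.0.10.tgz
```

    <para>A result of <quote>unknown</quote> deserves the same treatment as
    <quote>incorrect</quote>: the file is not one of the published packages.
    MD5 is enough to tell the two known uploads apart, but it is not collision
    resistant, so for a current download a signature check is the stronger
    test.</para>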

    <section>
      <title>Shorewall 2.0.3 through 2.0.8</title>

      <itemizedlist>
        <listitem>
          <para>An empty PROTO column in /etc/shorewall/tcrules produced
          iptables errors during <command>shorewall start</command>. A value
          of <command>all</command> in that column produced a similar
          error.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.8/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3a through 2.0.7</title>

      <itemizedlist>
        <listitem>
          <para>Entries in the USER/GROUP column of an action file (made from
          action.template) may be ignored or cause odd errors.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3a through 2.0.4</title>

      <itemizedlist>
        <listitem>
          <para>Error messages regarding $RESTOREBASE occur during <emphasis
          role="bold">shorewall stop</emphasis> if DISABLE_IPV6=Yes in
          shorewall.conf.</para>
        </listitem>
      </itemizedlist>

      <para>Corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above. Also fixed in
      Shorewall Version 2.0.5.</para>
    </section>

    <section>
      <title>Shorewall 2.0.2 and all Shorewall 2.0.3 Releases</title>

      <itemizedlist>
        <listitem>
          <para>DNAT rules with <emphasis role="bold">fw</emphasis> as the
          source zone and that specify logging cause <command>shorewall
          start</command> to fail with an iptables error. The problem is
          corrected for Shorewall 2.0.3 users in <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
          firewall script</ulink> which may be installed in
          /usr/share/shorewall/firewall as described above.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.3a and 2.0.3b</title>

      <itemizedlist>
        <listitem>
          <para>Error messages regarding $RESTOREBASE occur during <emphasis
          role="bold">shorewall stop</emphasis>.</para>
        </listitem>

        <listitem>
          <para>If CLEAR_TC=Yes in <filename>shorewall.conf</filename>,
          <emphasis role="bold">shorewall stop</emphasis> fails without
          removing the lock file.</para>
        </listitem>
      </itemizedlist>

      <para>The above problems are corrected in Shorewall version
      2.0.3c.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3a</title>

      <itemizedlist>
        <listitem>
          <para>Slackware users find that version 2.0.3a fails to start
          because their <command>mktemp</command> utility does not support the
          -d option. This may be corrected by installing <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.3/functions">this
          corrected <filename>functions</filename> file</ulink> in <filename
          class="directory">/var/lib/shorewall/functions</filename>.</para>
        </listitem>

        <listitem>
          <para>Shorewall fails to start if there is no
          <command>mktemp</command> utility.</para>
        </listitem>
      </itemizedlist>

      <para>These problems are corrected in Shorewall version 2.0.3b.</para>
    </section>

    <section>
      <title>Shorewall 2.0.3</title>

      <itemizedlist>
        <listitem>
          <para>A non-empty entry in the DEST column of /etc/shorewall/tcrules
          will result in an error message and Shorewall fails to start. This
          problem is fixed in Shorewall version 2.0.3a.</para>
        </listitem>

        <listitem>
          <para>A potentially exploitable vulnerability in the way that
          Shorewall handles temporary files and directories has been found by
          Javier Fernández-Sanguino Peña. This vulnerability is corrected in
          Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to
          2.0.3a.</para>
        </listitem>
      </itemizedlist>
    </section>
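    <para>The 2.0.3 temporary-file item above and the two 2.0.3a
    <command>mktemp</command> items (no -d support on Slackware, no
    <command>mktemp</command> at all) pull in opposite directions: a fix for
    the missing utility must not reintroduce a predictable, pre-creatable
    temporary path. The function below is an added example, not the
    Shorewall <filename>functions</filename> file, showing one portable way to
    get both properties: <command>mktemp -d</command> when it works, otherwise
    <command>mkdir</command>, whose create-or-fail behaviour means a path that
    already exists (as a file, directory or symlink) is never reused. The
    function names and the shorewall- name prefix are assumed.</para>

```shell
# Added example (not the Shorewall functions file): create a private temporary
# directory when mktemp may lack -d or be missing, without falling back to a
# fixed, guessable path that something else could have created first.

# make_temp_dir [PARENT]
#   Prints the path of a new, empty directory readable only by the caller.
#   Returns non-zero if no directory could be created.
make_temp_dir() {
    parent=${1:-${TMPDIR:-/tmp}}
    # Preferred path: mktemp -d picks an unpredictable name and creates the
    # directory atomically with mode 0700.
    if command -v mktemp >/dev/null 2>/dev/null; then
        dir=$(mktemp -d "$parent/shorewall-XXXXXX" 2>/dev/null)
        if [ -n "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    fi
    # Fallback for systems where mktemp is absent or does not support -d.
    # mkdir fails if the path already exists in any form, so the safety
    # property comes from mkdir's atomicity, not from the name being secret;
    # the PID and a counter only keep concurrent callers apart.
    n=0
    while [ "$n" -lt 100 ]; do
        dir="$parent/shorewall-$$.$n"
        if mkdir -m 700 "$dir" 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# temp_dir_is_private DIR
#   True if DIR is a directory with no group or other permission bits, the
#   property a restore/temporary area should have before it is used.
temp_dir_is_private() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ]
}

# Usage: dir=$(make_temp_dir) || exit 1; temp_dir_is_private "$dir"
```

    <para>The caller should treat a non-zero return as fatal rather than
    continue with a shared location; the one thing neither branch can provide
    is a safe directory inside a parent that is not itself trustworthy.</para>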

    <section>
      <title>Shorewall 2.0.2</title>

      <itemizedlist>
        <listitem>
          <para>Temporary restore files with names of the form
          <filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
          /var/lib/shorewall.</para>
        </listitem>

        <listitem>
          <para>"shorewall restore" and "shorewall -f start" do not load
          kernel modules.</para>

          <para><emphasis role="bold">The above two problems are corrected in
          Shorewall 2.0.2a</emphasis></para>
        </listitem>

        <listitem>
          <para>Specifying a null common action in /etc/shorewall/actions
          (e.g., :REJECT) results in a startup error.</para>
        </listitem>

        <listitem>
          <para>If <filename>/var/lib/shorewall</filename> does not exist,
          <command>shorewall start</command> fails.</para>

          <para><emphasis role="bold">The above four problems are corrected in
          Shorewall 2.0.2b</emphasis></para>
        </listitem>

        <listitem>
          <para>DNAT rules work incorrectly with dynamic zones in that the
          source interface is not included in the nat table DNAT rule.</para>

          <para><emphasis role="bold">The above five problems are corrected in
          Shorewall 2.0.2c</emphasis></para>
        </listitem>

        <listitem>
          <para>During start and restart, Shorewall is detecting capabilities
          before loading kernel modules. Consequently, if kernel module
          autoloading is disabled, capabilities can be mis-detected during
          boot.</para>
        </listitem>

        <listitem>
          <para>The <emphasis>newnotsyn</emphasis> option in
          <filename>/etc/shorewall/hosts</filename> has no effect.</para>

          <para><emphasis role="bold">The above seven problems are corrected
          in Shorewall 2.0.2d</emphasis></para>
        </listitem>

        <listitem>
          <para>Use of the LOG target in an action results in two LOG or ULOG
          rules.</para>

          <para><emphasis role="bold">The above eight problems are corrected
          in Shorewall 2.0.2e</emphasis></para>
        </listitem>

        <listitem>
          <para>Kernel modules fail to load when MODULE_SUFFIX isn't set in
          shorewall.conf.</para>

          <para><emphasis role="bold">All of the above problems are corrected
          in Shorewall 2.0.2f</emphasis></para>
        </listitem>
      </itemizedlist>

      <para>These problems are all corrected by the
      <filename>firewall</filename> and <filename>functions</filename> files
      in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.2">this
      directory</ulink>. Both files must be installed in
      <filename>/usr/share/shorewall/</filename> as described above.</para>
    </section>

    <section>
      <title>Shorewall 2.0.1</title>

      <itemizedlist>
        <listitem>
          <para>Confusing messages mentioning IPV6 occur at startup.</para>
        </listitem>

        <listitem>
          <para>Modules listed in /etc/shorewall/modules don't load or produce
          errors on Mandrake 10.0 Final.</para>
        </listitem>

        <listitem>
          <para>The <command>shorewall delete</command> command does not
          remove all dynamic rules pertaining to the host(s) being
          deleted.</para>
        </listitem>
      </itemizedlist>

      <para>These problems are corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
      firewall script</ulink> which may be installed in
      <filename>/usr/share/shorewall/firewall</filename> as described
      above.</para>

      <itemizedlist>
        <listitem>
          <para>When run on a SuSE system, the install.sh script fails to
          configure Shorewall to start at boot time. That problem is corrected
          in <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
          version of the script</ulink>.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.1/2.0.0</title>

      <itemizedlist>
        <listitem>
          <para>On Debian systems, an install using the tarball results in an
          inability to start Shorewall at system boot. If you already have
          this problem, install <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
          file</ulink> as /etc/init.d/shorewall (replacing the existing file
          with that name). If you are just installing or upgrading to
          Shorewall 2.0.0 or 2.0.1, then replace the
          <filename>init.debian.sh</filename> file in the Shorewall
          distribution directory (shorewall-2.0.x) with the updated file
          before running <command>install.sh</command> from that
          directory.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.0</title>

      <itemizedlist>
        <listitem>
          <para>When using an Action in the ACTIONS column of a rule, you may
          receive a warning message about the rule being a policy. While this
          warning may be safely ignored, it can be eliminated by installing
          the script from the link below.</para>
        </listitem>

        <listitem>
          <para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
          and IPSEC has been corrected.</para>
        </listitem>
      </itemizedlist>

      <para>The first problem has been corrected in Shorewall update
      2.0.0a.</para>

      <para>All of these problems may be corrected by installing <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
      firewall script</ulink> in /usr/share/shorewall as described
      above.</para>
    </section>
  </section>

  <section>
    <title>Upgrade Issues</title>

    <para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
    separate page</ulink>.</para>
  </section>

  <section>
    <title>Problem with iptables 1.2.9</title>

    <para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
    Final) or later then you need to patch your iptables 1.2.9 with <ulink
    url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
    patch</ulink> or you need to use the <ulink
    url="http://www.netfilter.org/downloads.html#cvs">CVS version of
    iptables</ulink>.</para>
  </section>

  <section>
    <title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
    2.4.21-RC1)</title>

    <para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
    --reject-with tcp-reset</quote> is broken. The symptom most commonly seen
    is that REJECT rules act just like DROP rules when dealing with TCP. A
    kernel patch and precompiled modules to fix this problem are available at
    <ulink
    url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>

    <note>
      <para>RedHat have corrected this problem in their 2.4.20-27.x
      kernels.</para>
    </note>
  </section>
</article>