shorewall_code/Shorewall-docs2/errata.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>Shorewall Errata</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-05-27</pubdate>

    <copyright>
      <year>2001-2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <itemizedlist>
      <listitem>
        <para>If you use a Windows system to download a corrected script, be
        sure to run the script through <ulink
        url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
        after you have moved it to your Linux system.</para>
      </listitem>

      <listitem>
        <para>If you are installing Shorewall for the first time and plan to
        use the .tgz and install.sh script, you can untar the archive, replace
        the <quote>firewall</quote> script in the untarred directory with the
        one you downloaded below, and then run install.sh.</para>
      </listitem>

      <listitem>
        <para>When the instructions say to install a corrected firewall script
        in /usr/share/shorewall/firewall, you may rename the existing file
        before copying in the new file.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
        RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
        For example, do NOT install the 1.3.9a firewall script if you are
        running 1.3.7c.</para>
      </listitem>
    </itemizedlist>
  </caution>

  <section>
    <title>RFC1918 File</title>

    <para><ulink
    url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#rfc1918">rfc1918 file</ulink>. This file only
    applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall
    2.0.1 and later releases, the <filename>bogons</filename> file lists IP
    ranges that are reserved by the IANA and the <filename>rfc1918</filename>
    file only lists those three ranges that are reserved by <ulink
    url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
  </section>

  <section>
    <title>Bogons File</title>

    <para><ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#Bogons">bogons file</ulink>.</para>
  </section>

  <section>
    <title>Problems in Version 2.0</title>

    <section>
      <title>Shorewall 2.0.2</title>

      <itemizedlist>
        <listitem>
          <para>Temporary restore files with names of the form
          <filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
          /var/lib/shorewall.</para>
        </listitem>

        <listitem>
          <para>&#34;shorewall restore&#34; and &#34;shorewall -f start&#34;
          do not load kernel modules.</para>
        </listitem>

        <listitem>
          <para>Specifying a null common action in /etc/shorewall/actions
          (e.g., :REJECT) results in a startup error.</para>
        </listitem>

        <listitem>
          <para>If <filename>/var/lib/shorewall</filename> does not exist,
          <command>shorewall start</command> fails.</para>
        </listitem>

        <listitem>
          <para>DNAT rules work incorrectly with dynamic zones in that the
          source interface is not included in the nat table DNAT rule.</para>
        </listitem>

        <listitem>
          <para>During start and restart, Shorewall is detecting capabilities
          before loading kernel modules. Consequently, if kernel module
          autoloading is disabled, capabilities can be mis-detected during
          boot.</para>
        </listitem>
      </itemizedlist>

      <para>These problems are corrected by the <filename>firewall</filename>
      and <filename>functions</filename> files in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>.
      Both files must be installed in <filename>/usr/share/shorewall/firewall</filename>
      as described above.</para>

      <para>The first two problems are also corrected in Shorewall version
      2.0.2a, the first four problems are corrected in 2.0.2b and the first
      five problems are corrected in 2.0.2c. All problems are corrected in
      Shorewall 2.0.2d.</para>
    </section>

    <section>
      <title>Shorewall 2.0.1</title>

      <itemizedlist>
        <listitem>
          <para>Confusing message mentioning IPV6 occur at startup.</para>
        </listitem>

        <listitem>
          <para>Modules listed in /etc/shorewall/modules don&#39;t load or
          produce errors on Mandrake 10.0 Final.</para>
        </listitem>

        <listitem>
          <para>The <command>shorewall delete</command> command does not
          remove all dynamic rules pertaining to the host(s) being deleted.</para>
        </listitem>
      </itemizedlist>

      <para>These problems are corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
      firewall script</ulink> which may be installed in <filename>/usr/share/shorewall/firewall</filename>
      as described above.</para>

      <itemizedlist>
        <listitem>
          <para>When run on a SuSE system, the install.sh script fails to
          configure Shorewall to start at boot time. That problem is corrected
          in <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
          version of the script</ulink>.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.1/2.0.0</title>

      <itemizedlist>
        <listitem>
          <para>On Debian systems, an install using the tarball results in an
          inability to start Shorewall at system boot. If you already have
          this problem, install <ulink
          url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
          file</ulink> as /etc/init.d/shorewall (replacing the existing file
          with that name). If you are just installing or upgrading to
          Shorewall 2.0.0 or 2.0.1, then replace the <filename>init.debian.sh</filename>
          file in the Shorewall distribution directory (shorewall-2.0.x) with
          the updated file before running <command>install.sh</command> from
          that directory.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Shorewall 2.0.0</title>

      <itemizedlist>
        <listitem>
          <para>When using an Action in the ACTIONS column of a rule, you may
          receive a warning message about the rule being a policy. While this
          warning may be safely ignored, it can be eliminated by installing
          the script from the link below.</para>
        </listitem>

        <listitem>
          <para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
          and IPSEC has been corrected.</para>
        </listitem>
      </itemizedlist>

      <para>The first problem has been corrected in Shorewall update 2.0.0a.</para>

      <para>All of these problems may be corrected by installing <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
      firewall script</ulink> in /usr/share/shorewall as described above.</para>
    </section>
  </section>

  <section>
    <title>Upgrade Issues</title>

    <para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
    separate page</ulink>.</para>
  </section>

  <section>
    <title>Problem with iptables 1.2.9</title>

    <para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
    Final) or later then you need to patch your iptables 1.2.9 with <ulink
    url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
    patch</ulink> or you need to use the <ulink
    url="http://www.netfilter.org/downloads.html#cvs">CVS version of iptables</ulink>.</para>
  </section>

  <section>
    <title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
    2.4.21-RC1)</title>

    <para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
    --reject-with tcp-reset</quote> is broken. The symptom most commonly seen
    is that REJECT rules act just like DROP rules when dealing with TCP. A
    kernel patch and precompiled modules to fix this problem are available at
    <ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>

    <note>
      <para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
    </note>
  </section>

  <appendix>
    <title>Revision History</title>

    <para><revhistory><revision><revnumber>1.17</revnumber><date>2004-05-21</date><authorinitials>TE</authorinitials><revremark>Added
    DNAT dynamic zone bug.</revremark></revision><revision><revnumber>1.16</revnumber><date>2004-05-17</date><authorinitials>TE</authorinitials><revremark>Added
    null common action bug.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-05-16</date><authorinitials>TE</authorinitials><revremark>Added
    2.0.2 bugs</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
    link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add
    Alex Wilms&#39;s &#34;install.sh&#34; fix.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Add
    Stefan Engel&#39;s &#34;shorewall delete&#34; fix.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-04-28</date><authorinitials>TE</authorinitials><revremark>Add
    iptables 1.2.9 iptables-save bug notice.</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-04-21</date><authorinitials>TE</authorinitials><revremark>Debian
    initialization script problem. Deleted obsolete sections.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-04-20</date><authorinitials>TE</authorinitials><revremark>Updated
    RFC1918 and BOGONS files.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
    ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-03-17</date><authorinitials>TE</authorinitials><revremark>Action
    rules are reported as policies.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-03</date><authorinitials>TE</authorinitials><revremark>Update
    for Shorewall 2.0.0.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
    address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
    template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
    note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
    RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
    Conversion to Docbook XML</revremark></revision></revhistory></para>
  </appendix>
</article>