2009-08-29 00:58:14 +02:00

1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
    rules at the end of the INPUT and OUTPUT chains still use the
    LOG target rather than ULOG.

    You can work around this problem by adding two additional policies
    before the all->all one:

        all     $FW     DROP      ULOG
        $FW     all     REJECT    ULOG

    This problem was corrected in Shorewall 4.4.0.1.

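A check for problem 1 on releases before 4.4.0.1, as an added example that is not part of the Shorewall distribution: it reads the text of a policy file and reports which of the two workaround policies are still missing ahead of an all->all policy that logs to ULOG. It assumes the column order SOURCE DEST POLICY LOG-LEVEL and the firewall zone written as $FW; the function names and sample policy text are constructed for illustration.

```python
# Added example (not Shorewall code). Assumes policy columns are
# SOURCE DEST POLICY LOG-LEVEL and that the firewall zone is written $FW.

def parse_policies(text):
    """Return (source, dest, policy, log_level) tuples, skipping comments."""
    rows = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            level = fields[3] if len(fields) > 3 else "-"
            rows.append((fields[0], fields[1], fields[2], level))
    return rows

def is_ulog(level):
    """True when the LOG LEVEL column selects the ULOG target."""
    return level.startswith("ULOG")

def missing_workaround(text, fw_zone="$FW"):
    """List the (source, dest) workaround policies still needed.

    An empty list means either all->all does not log to ULOG, or both
    workaround policies appear before it with a ULOG log level.
    """
    rows = parse_policies(text)
    for i, (src, dst, _policy, level) in enumerate(rows):
        if (src, dst) == ("all", "all"):
            if not is_ulog(level):
                return []
            # Only policies listed before all->all count as a workaround.
            earlier = {(s, d) for s, d, _p, lvl in rows[:i] if is_ulog(lvl)}
            needed = [("all", fw_zone), (fw_zone, "all")]
            return [pair for pair in needed if pair not in earlier]
    return []

# Constructed sample policy files.
AFFECTED = """#SOURCE DEST POLICY LOG LEVEL
loc     net     ACCEPT
all     all     REJECT    ULOG
"""
WORKED_AROUND = """loc     net     ACCEPT
all     $FW     DROP      ULOG
$FW     all     REJECT    ULOG
all     all     REJECT    ULOG
"""

if __name__ == "__main__":
    for name, text in (("affected", AFFECTED), ("worked around", WORKED_AROUND)):
        print(name, "->", missing_workaround(text) or "ok")
```
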
2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
    some cases.

    This problem was corrected in Shorewall 4.4.0.1.

3)  If MULTICAST=Yes in shorewall.conf, multicast traffic is
    incorrectly exempted from ACCEPT policies.

    This problem was corrected in Shorewall 4.4.0.2.

4)  If a zone is defined with "nets=" in /etc/shorewall/zones, that
    definition cannot be extended by entries in /etc/shorewall/hosts.

    This problem was corrected in Shorewall 4.4.0.2.

5)  Shorewall accepts "nets=" in a multi-zone interface entry (one with
    "-" in the ZONES column) in /etc/shorewall/interfaces.

    This problem was corrected in Shorewall 4.4.0.2.

6)  MULTICAST=Yes generates an incorrect rule that limits its
    effectiveness to a small part of the multicast address space.