<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"><b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"><b>If you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;">dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"><b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"><b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li><b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li><b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li><b><font color="#660066"><a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li><b><font color="#660066"><a href="#iptables">Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li><b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
response rather than the more appropriate TCP RST response. This problem
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
<br>
&nbsp;&nbsp;&nbsp;/usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
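<p>As an added illustration (not code from the Shorewall firewall script; the errata does not say which test in the script is involved), the message above is what the shell's test command prints when an unquoted variable expands to nothing, so that <code>[ $v = yes ]</code> collapses to <code>[ = yes ]</code>. The example contrasts that form with the quoted test that copes with an empty value:</p>

```shell
#!/bin/sh
# Added illustration (not the Shorewall firewall script): the message
# "[: =: unary operator expected" is what the test command prints when an
# unquoted variable is empty, so "[ $v = yes ]" collapses to "[ = yes ]".

# Unquoted test: with an empty argument the word disappears and the shell
# reports the unary-operator error (exit status 2: neither true nor false).
unquoted_is_yes() {
    [ $1 = yes ] 2>/dev/null
}

# Quoted test: an empty argument stays an (empty) word, so the comparison
# is well-formed and simply evaluates to false (exit status 1).
quoted_is_yes() {
    [ "$1" = yes ]
}

# Exit status of a command, printed as a string, without tripping "set -e".
status_of() {
    rc=0
    "$@" || rc=$?
    echo "$rc"
}

echo "unquoted test, empty argument: exit $(status_of unquoted_is_yes "")"
echo "quoted test,   empty argument: exit $(status_of quoted_is_yes "")"
echo "both tests,    argument 'yes': exit $(status_of unquoted_is_yes yes) / $(status_of quoted_is_yes yes)"
```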
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
/etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
corrected script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066">Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.</p>
<p align="left">I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a> and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u></b> you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from <font color="#ff6633"><a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font> I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
corrects a problem with parsing of the --log-level
specification, while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5
version of iptables, you will need to specify the --oldpackage
option to rpm (e.g., "rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or
</li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
192.0.2.22      eth0            192.168.9.22    yes             yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
The error message is:<br>
<pre>Setting up NAT...
iptables: Invalid argument
Terminated
</pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a
new kernel configuration option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
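<p>As an added check (example code, not part of Shorewall or this errata), the script below scans a nat file in the column layout shown above for entries with LOCAL=yes and emits a copy with that column set to "no", which is the fix the errata gives; the sample nat file it reads is constructed for the demonstration, with the second entry invented to show that LOCAL=no entries are left alone.</p>

```shell
#!/bin/sh
# Added example, not part of the Shorewall errata: find /etc/shorewall/nat
# entries whose LOCAL column is "yes" (the form this errata says keeps
# Shorewall from starting on RH kernel 2.4.18-10) and emit a corrected copy
# with LOCAL set to "no". Column order is the one shown on this page:
#   EXTERNAL  INTERFACE  INTERNAL  ALL INTERFACES  LOCAL

# Print the EXTERNAL address of every non-comment entry with LOCAL=yes.
# Lines with fewer than five columns carry no LOCAL value and are skipped.
nat_local_yes() {
    awk '!/^[ \t]*#/ && NF >= 5 && tolower($5) == "yes" { print $1 }' "$1"
}

# Emit the file with LOCAL forced to "no" on affected entries; comments and
# other lines pass through unchanged. awk rebuilds a modified line with
# single spaces between columns, which is still valid whitespace separation.
nat_fix_local() {
    awk '!/^[ \t]*#/ && NF >= 5 && tolower($5) == "yes" { $5 = "no" } { print }' "$1"
}

# Constructed sample nat file: the first entry is the one from the errata,
# the second is made up to show that LOCAL=no entries are left alone.
NAT_SAMPLE=$(mktemp)
trap 'rm -f "$NAT_SAMPLE"' EXIT
cat > "$NAT_SAMPLE" <<'EOF'
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
192.0.2.22      eth0            192.168.9.22    yes             yes
192.0.2.23      eth0            192.168.9.23    yes             no
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF

echo "Entries that will fail with LOCAL=yes on kernel 2.4.18-10:"
nat_local_yes "$NAT_SAMPLE"
echo "Corrected nat file:"
nat_fix_local "$NAT_SAMPLE"
```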
<p><font size="2">Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>