<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
<title>Shorewall Notices</title>
<base target="_self">
<meta name="CREATED" content="20040920;15031500">
<meta name="CHANGED"
content="$Id$">
</head>
<body dir="ltr" lang="en-US">
<hr style="width: 100%; height: 2px;">
<table style="text-align: left; width: 100%;" border="0" cellpadding="2"
cellspacing="0">
<tbody>
<tr>
<td style="vertical-align: top;"><a href="#Perl"><span
style="font-weight: bold;">Attention Shorewall-perl 4.2 Users</span></a><br>
</td>
<td style="vertical-align: top; font-weight: bold;"><a
href="#Notice">Attention Users of Shorewall's Multi-ISP Feature</a><br>
</td>
<td style="vertical-align: top; font-weight: bold;"><a
href="#Notice1">Attention Users of BRIDGING=Yes</a><br>
</td>
<td style="vertical-align: top; font-weight: bold;"><a
href="#Kernel2.4">Attention Kernel 2.4 Users</a><br>
</td>
</tr>
</tbody>
</table>
<hr><span style="font-weight: bold;">2009-02-28<br>
</span>
<h2><span style="font-weight: bold;"><a name="Perl"></a>Attention
Shorewall-perl 4.2 Users</span></h2>
On February 28, Klemens Rutz reported a problem that affects all
Shorewall-perl 4.2 versions prior to 4.2.6.1.<br>
<br>
The problem:<br>
<ol>
<li>Only occurs when there is more than one non-firewall zone.</li>
<li>Results in the following interface options not being applied to
forwarded traffic:</li>
</ol>
<div style="margin-left: 40px;">blacklist<br>
dhcp<br>
maclist (when MACLIST_TABLE=filter)<br>
norfc1918<br>
nosmurfs<br>
tcpflags<br>
</div>
<br>
Users are encouraged to either:<br>
<ul>
<li>Upgrade to Shorewall-perl-4.2.6.1 or later; or</li>
<li>Apply the patch found at:</li>
</ul>
<div style="margin-left: 40px;"><a class="moz-txt-link-freetext"
href="http://www.shorewall.net/pub/shorewall/4.2/forward.patch">http://www.shorewall.net/pub/shorewall/4.2/forward.patch</a><br>
<a class="moz-txt-link-freetext"
href="ftp://ftp.shorewall.net/pub/shorewall/4.2/forward.patch">ftp://ftp.shorewall.net/pub/shorewall/4.2/forward.patch</a></div>
<br>
<div style="margin-left: 40px;">To apply the patch, execute this
command:<br>
</div>
<div style="margin-left: 80px;">
<pre> patch /usr/share/shorewall-perl/Shorewall/Rules.pm &lt; forward.patch</pre>
</div>
<div style="margin-left: 40px;">The patch may apply with fuzz and/or an
offset, depending on your particular version.</div>
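<p>The check below is an added example, not part of the original notice or of Shorewall itself. It tests the three conditions described above (a 4.2 version prior to 4.2.6.1, more than one non-firewall zone, and an interface using one of the listed options). The function names, the column layouts of the zones and interfaces files, and the sample data are assumptions made for illustration; on a real system the files are typically /etc/shorewall/zones and /etc/shorewall/interfaces.</p>

```shell
# Added example (not Shorewall code). Assumed layouts: zones = "ZONE TYPE ...",
# interfaces = "ZONE INTERFACE BROADCAST OPTIONS" with comma-separated options.

# Succeeds when $1 is a 4.2.x version earlier than 4.2.6.1.
affected_version() {
    printf '%s\n' "$1" | awk -F. '{
        if ($1 != 4 || $2 != 2) exit 1
        p = $3 + 0; q = $4 + 0            # missing fields count as 0
        exit ((p < 6 || (p == 6 && q < 1)) ? 0 : 1) }'
}

# Prints the number of zones whose TYPE is not "firewall".
count_nonfw_zones() {
    awk 'NF && $1 !~ /^#/ && $2 != "firewall" { n++ } END { print n + 0 }' "$1"
}

# Prints "interface: options" for each interface using an option from the notice.
# $2 is the MACLIST_TABLE setting; maclist only counts when it is "filter".
affected_interfaces() {
    awk -v mt="$2" 'NF >= 4 && $1 !~ /^#/ {
        n = split($4, opt, ","); hit = ""
        for (i = 1; i <= n; i++) {
            o = opt[i]; sub(/=.*/, "", o)
            if (o == "maclist" && mt != "filter") continue
            if (o ~ /^(blacklist|dhcp|maclist|norfc1918|nosmurfs|tcpflags)$/)
                hit = hit (hit == "" ? "" : ",") o
        }
        if (hit != "") print $2 ": " hit
    }' "$1"
}

# Succeeds when all conditions of the notice hold for this configuration.
notice_applies() {   # args: version zones-file interfaces-file [MACLIST_TABLE]
    affected_version "$1" || return 1
    [ "$(count_nonfw_zones "$2")" -gt 1 ] || return 1
    [ -n "$(affected_interfaces "$3" "${4:-filter}")" ]
}

make_sample() {   # constructed sample config, not taken from a real host
    printf '%s\n' '#ZONE TYPE' 'fw firewall' 'net ipv4' 'loc ipv4' 'dmz ipv4' > "$1/zones"
    printf '%s\n' '#ZONE INTERFACE BROADCAST OPTIONS' \
        'net eth0 detect dhcp,tcpflags,norfc1918,nosmurfs,blacklist' \
        'loc eth1 detect maclist' 'dmz eth2 detect routeback' > "$1/interfaces"
}

d=$(mktemp -d); make_sample "$d"
affected_interfaces "$d/interfaces" filter
notice_applies 4.2.5 "$d/zones" "$d/interfaces" && echo "notice applies: upgrade or patch"
rm -rf "$d"
```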
<h2><a name="Notice">Attention Users of Shorewall's Multi-ISP
Feature</a></h2>
<p>A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and
Shorewall-shell
4.0.0-4.0.2 prevents proper handling of PREROUTING marks when
HIGH_ROUTE_MARKS=No and the <strong>track</strong> option is
specified.
Patches are available to correct this problem:</p>
<p>Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: <a
href="http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff">http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff</a></p>
<p>Shorewall version 3.4.4-3.4.6: <a
href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.6/errata/patches/Shorewall/patch-3.4.6-1.diff">http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.6/errata/patches/Shorewall/patch-3.4.6-1.diff</a></p>
<p>Shorewall-shell version 4.0.0-4.0.2: <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff</a></p>
<p>Note that a patch may succeed with an offset when applied to a
release
other than the one for which it was specifically prepared. For example,
when
the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release
3.2.10) is applied to release 3.4.3, the following is the result:</p>
<pre>root@wookie:~# <strong>cd /usr/share/shorewall</strong>
root@wookie:/usr/share/shorewall# <strong>patch &lt; ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff</strong>
patching file compiler
Hunk #1 succeeded at 958 (offset -1669 lines).
root@wookie:/usr/share/shorewall#</pre>
<h3>Update -- 7 November 2007</h3>
<p>A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and
4.0.0-4.0.5 can cause improper handling of PREROUTING and OUTPUT marks
when
HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this
problem:</p>
<p>Shorewall version 3.2.3-3.2.11: <a
href="http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff">http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff</a></p>
<p>Shorewall version 3.4.0-3.4.7: <a
href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff">http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff</a></p>
<p>Shorewall version 4.0.0-4.0.5: <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff</a>
and <a
href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff">http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff</a>.</p>
<hr>
<h2><a name="Notice1">Attention Users of BRIDGING=Yes</a></h2>
<p>In Linux Kernel version 2.6.20, the Netfilter team changed Physdev
Match
so that it is no longer capable of supporting BRIDGING=Yes. The
solutions
available to users are to either:</p>
<ol>
<li>Switch to using the technique described at <a
href="http://www.shorewall.net/3.0/NewBridge.html">http://www.shorewall.net/3.0/NewBridge.html</a>;
or<br>
</li>
<li>Upgrade to Shorewall 4.0, migrate to using Shorewall-perl, and
follow the instructions at <a
href="http://www1.shorewall.net/bridge-Shorewall-perl.html">http://www1.shorewall.net/bridge-Shorewall-perl.html</a>.
</li>
</ol>
<p>The first approach allows you to switch back and forth between
kernels
older and newer than 2.6.20. The second approach is a better long-term
solution.</p>
<hr style="width: 100%; height: 2px;">
<h2><a name="Kernel2.4"></a>Attention Users of Kernel 2.4</h2>
The Shorewall developers do not test Shorewall running on Kernel 2.4
and we make no representation about the functionality of Shorewall on
that Kernel. Any failure of Shorewall on Kernel 2.4 will not be
investigated by the Shorewall team.<br>
<hr>
Copyright © 2001-2009 Thomas M. Eastep<br>
<br>
Permission is granted to copy, distribute and/or modify this
document
under the terms of the GNU Free Documentation License, Version 1.2 or
any
later version published by the Free Software Foundation; with no
Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of
the
license is included in the section entitled <span
style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>".
</body>
</html>