2002-08-07 16:28:04 +02:00
|
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
|
|
|
|
|
|
|
|
|
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
|
|
|
|
<title>Shorewall 1.3 Errata</title>
|
|
|
|
|
|
|
|
|
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
|
|
|
|
|
|
|
|
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
|
|
|
|
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<meta name="Microsoft Theme" content="none">
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</head>
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<body>
|
|
|
|
|
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
|
|
|
|
<tr>
|
|
|
|
|
<td width="100%">
|
|
|
|
|
<h1 align="center"><font color="#FFFFFF">Shorewall Errata/Upgrade Issues</font></h1>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
</table>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="center">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<b><u>IMPORTANT</u></b></p>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<ol>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<p align="left">
|
|
|
|
|
|
|
|
|
|
<b><u>I</u>f you use a Windows system to download a corrected script, be sure to
|
|
|
|
|
run the script through <u>
|
|
|
|
|
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" style="text-decoration: none">
|
|
|
|
|
dos2unix</a></u>
|
|
|
|
|
after you have moved it to your Linux system.</b></p>
|
|
|
|
|
|
|
|
|
|
</li>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<p align="left">
|
|
|
|
|
|
|
|
|
|
<b>If you are installing Shorewall for the first time and plan to use the
|
|
|
|
|
.tgz and install.sh script, you can untar the archive, replace the
|
|
|
|
|
'firewall' script in the untarred directory with the one you downloaded
|
|
|
|
|
below, and then run install.sh.</b></p>
|
|
|
|
|
|
|
|
|
|
</li>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<p align="left">
|
|
|
|
|
|
|
|
|
|
<b>When the instructions say to install a corrected firewall script in
|
|
|
|
|
/etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
|
|
|
|
|
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
|
|
|
|
|
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
|
|
|
|
|
and /var/lib/shorewall/firewall are symbolic links that point
|
|
|
|
|
to the 'shorewall' file used by your system initialization scripts to
|
|
|
|
|
start Shorewall during boot. It is that file that must be overwritten
|
|
|
|
|
with the corrected script. </b></p>
|
|
|
|
|
|
|
|
|
|
</li>
|
|
|
|
|
</ol>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<ul>
|
|
|
|
|
<li><b><a href="#Upgrade">Upgrade Issues</a></b></li>
|
|
|
|
|
<li>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<b><font color="#660066">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
|
|
|
|
<li>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
|
|
|
|
<li>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<b><a href="#V1.3">Problems in Version 1.3</a></b></li>
|
|
|
|
|
<li>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<b><font color="#660066"><a href="#iptables">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<b><a href="#Debug">Problems with kernels >= 2.4.18 and
|
|
|
|
|
RedHat iptables</a></b></li>
|
|
|
|
|
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
|
|
|
|
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
|
|
|
|
|
MULTIPORT=Yes</a></b></li>
|
|
|
|
|
</ul>
|
|
|
|
|
<hr>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
|
|
|
|
|
|
|
|
|
|
<h3>Version >= 1.3.7</h3>
|
|
|
|
|
|
|
|
|
|
<p>Users specifying ALLOWRELATED=No in
|
|
|
|
|
/etc/shorewall.conf will need to include the
|
|
|
|
|
following rules in their /etc/shorewall/icmpdef
|
|
|
|
|
file (creating this file if necessary):</p>
|
|
|
|
|
|
|
|
|
|
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
|
|
|
|
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
|
|
|
|
|
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
|
|
|
|
|
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
|
|
|
|
|
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
|
|
|
|
|
<p>Users having an /etc/shorewall/icmpdef file may remove the ".
|
|
|
|
|
/etc/shorewall/icmp.def" command from that file since the icmp.def file is now
|
|
|
|
|
empty.</p>
|
|
|
|
|
<h3><b><a name="Bering">Upgrading </a>Bering to
|
|
|
|
|
Shorewall >= 1.3.3</b></h3>
|
|
|
|
|
|
|
|
|
|
<p>To properly upgrade with Shorewall version
|
|
|
|
|
1.3.3 and later:</p>
|
|
|
|
|
|
|
|
|
|
<ol>
|
|
|
|
|
<li>Be sure you have a backup -- you will need
|
|
|
|
|
to transcribe any Shorewall configuration
|
|
|
|
|
changes that you have made to the new
|
|
|
|
|
configuration.</li>
|
|
|
|
|
<li>Replace the shorwall.lrp package provided on
|
|
|
|
|
the Bering floppy with the later one. If you did
|
|
|
|
|
not obtain the later version from Jacques's
|
|
|
|
|
site, see additional instructions below.</li>
|
|
|
|
|
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
|
|
|
|
file and remove the /var/lib/shorewall entry if
|
|
|
|
|
present. Then do not forget to backup root.lrp !</li>
|
|
|
|
|
</ol>
|
|
|
|
|
<p>The .lrp that I release isn't set up for a two-interface firewall like
|
|
|
|
|
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
|
|
|
|
|
setting up a two-interface firewall</a> plus you also need to add the following
|
|
|
|
|
two Bering-specific rules to /etc/shorewall/rules:</p>
|
|
|
|
|
<blockquote>
|
|
|
|
|
<pre># Bering specific rules:
|
|
|
|
|
# allow loc to fw udp/53 for dnscache to work
|
|
|
|
|
# allow loc to fw tcp/80 for weblet to work
|
|
|
|
|
#
|
|
|
|
|
ACCEPT loc fw udp 53
|
|
|
|
|
ACCEPT loc fw tcp 80</pre>
|
|
|
|
|
</blockquote>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Version >= 1.3.6</h3>
|
|
|
|
|
|
|
|
|
|
<p align="Left">If you have a pair of firewall systems configured for
|
|
|
|
|
failover, you will need to modify your firewall setup slightly under
|
|
|
|
|
Shorewall versions >= 1.3.6. </p>
|
|
|
|
|
|
|
|
|
|
<ol>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
|
|
|
|
|
the following rule<br>
|
|
|
|
|
<br>
|
|
|
|
|
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
|
|
|
|
|
connection tracking table can be rebuilt<br>
|
|
|
|
|
|
|
|
|
|
# from non-SYN packets after takeover.<br>
|
|
|
|
|
</font></li>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<p align="Left">Create /etc/shorewall/common (if you don't already
|
|
|
|
|
have that file) and include the following:<br>
|
|
|
|
|
<br>
|
|
|
|
|
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
|
|
|
|
|
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
|
|
|
|
|
|
|
|
|
|
#tracking table. <br>
|
|
|
|
|
. /etc/shorewall/common.def</font></li>
|
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
|
|
<h3 align="Left">Versions >= 1.3.5</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
|
|
|
|
|
longer supported. </p>
|
|
|
|
|
|
|
|
|
|
<p align="Left">Example 1:</p>
|
|
|
|
|
|
|
|
|
|
<div align="left">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<p align="Left">Must be replaced with:</p>
|
|
|
|
|
|
|
|
|
|
<div align="left">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</div>
|
|
|
|
|
<div align="left">
|
|
|
|
|
<p align="left">Example 2:</div>
|
|
|
|
|
<div align="left">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</div>
|
|
|
|
|
<div align="left">
|
|
|
|
|
<p align="left">Must be replaced with:</div>
|
|
|
|
|
<div align="left">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<pre> REDIRECT loc 3128 tcp 80</pre>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</div>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
|
|
|
|
|
|
|
|
|
|
<h3 align="Left">Version 1.3.6</h3>
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<p align="Left">If ADD_SNAT_ALIASES=Yes is specified in
|
|
|
|
|
/etc/shorewall/shorewall.conf, an error occurs when the firewall
|
|
|
|
|
script attempts to add an SNAT alias.</li>
|
|
|
|
|
<li>
|
|
|
|
|
|
|
|
|
|
<p align="Left">The <b>logunclean </b>and <b>dropunclean</b> options
|
|
|
|
|
cause errors during startup when Shorewall is run with iptables 1.2.7.</li>
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
<p align="Left">These problems are fixed in
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
|
|
|
|
this correct firewall script</a> which must be installed in
|
|
|
|
|
/var/lib/shorewall/ as described above. These problems are also
|
|
|
|
|
corrected in version 1.3.7.</p>
|
|
|
|
|
|
|
|
|
|
<h3 align="Left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
|
|
|
|
|
|
|
|
|
|
<p align="Left">A line was inadvertently deleted from the "interfaces
|
|
|
|
|
file" -- this line should be added back in if the version that you
|
|
|
|
|
downloaded is missing it:</p>
|
|
|
|
|
|
|
|
|
|
<p align="Left">net eth0 detect
|
|
|
|
|
routefilter,dhcp,norfc1918</p>
|
|
|
|
|
|
|
|
|
|
<p align="Left">If you downloaded two-interfaces-a.tgz then the above
|
|
|
|
|
line should already be in the file.</p>
|
|
|
|
|
|
|
|
|
|
<h3 align="Left">Version 1.3.5-1.3.5b</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">The new 'proxyarp' interface option doesn't work :-(
|
|
|
|
|
This is fixed in
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
|
|
|
|
this corrected firewall script</a> which must be installed in
|
|
|
|
|
/var/lib/shorewall/ as described above.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Versions 1.3.4-1.3.5a</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">Prior to version 1.3.4, host file entries such as the
|
|
|
|
|
following were allowed:</p>
|
|
|
|
|
|
|
|
|
|
<div align="left">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</div>
|
|
|
|
|
<div align="left">
|
|
|
|
|
<p align="left">That capability was lost in version 1.3.4 so that it is only
|
|
|
|
|
possible to include a single host specification on each line. This
|
|
|
|
|
problem is corrected by
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
|
|
|
|
|
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
|
|
|
|
|
as instructed above.</div>
|
|
|
|
|
|
|
|
|
|
<div align="left">
|
|
|
|
|
<p align="left">This problem is corrected in version 1.3.5b.</div>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Version 1.3.5</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">REDIRECT rules are broken in this version. Install
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
|
|
|
|
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
|
|
|
|
|
as instructed above. This problem is corrected in version 1.3.5a.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Version 1.3.n, n < 4</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">The "shorewall start" and "shorewall restart" commands
|
|
|
|
|
to not verify that the zones named in the /etc/shorewall/policy file
|
|
|
|
|
have been previously defined in the /etc/shorewall/zones file. The
|
|
|
|
|
"shorewall check" command does perform this verification so it's a
|
|
|
|
|
good idea to run that command after you have made configuration
|
|
|
|
|
changes.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Version 1.3.n, n < 3</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">If you have upgraded from Shorewall 1.2 and after
|
|
|
|
|
"Activating rules..." you see the message: "iptables: No
|
|
|
|
|
chains/target/match by that name" then you probably have an entry in
|
|
|
|
|
/etc/shorewall/hosts that specifies an interface that you didn't
|
|
|
|
|
include in /etc/shorewall/interfaces. To correct this problem, you
|
|
|
|
|
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
|
|
|
|
|
later versions produce a clearer error message in this case.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Version 1.3.2</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">Until approximately 2130 GMT on 17 June 2002, the
|
|
|
|
|
download sites contained an incorrect version of the .lrp file. That
|
|
|
|
|
file can be identified by its size (56284 bytes). The correct version
|
|
|
|
|
has a size of 38126 bytes.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<ul>
|
|
|
|
|
<li>The code to detect a duplicate interface entry in
|
2002-08-07 16:28:04 +02:00
|
|
|
|
/etc/shorewall/interfaces contained a typo that prevented it from
|
2002-08-22 23:33:54 +02:00
|
|
|
|
working correctly. </li>
|
|
|
|
|
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like "NAT_BEFORE_RULES=Yes".</li>
|
|
|
|
|
</ul>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">Both problems are corrected in
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
|
|
|
|
|
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<ul>
|
|
|
|
|
<li>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">The IANA have just announced the allocation of subnet
|
|
|
|
|
221.0.0.0/8. This
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
|
|
|
|
|
updated rfc1918</a> file reflects that allocation.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
</li>
|
|
|
|
|
</ul>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Version 1.3.1</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<ul>
|
|
|
|
|
<li>TCP SYN packets may be double counted when
|
2002-08-07 16:28:04 +02:00
|
|
|
|
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
|
2002-08-22 23:33:54 +02:00
|
|
|
|
packet is sent through the limit chain twice).</li>
|
|
|
|
|
<li>An unnecessary jump to the policy chain is sometimes
|
|
|
|
|
generated for a CONTINUE policy.</li>
|
|
|
|
|
<li>When an option is given for more than one interface in
|
2002-08-07 16:28:04 +02:00
|
|
|
|
/etc/shorewall/interfaces then depending on the option, Shorewall
|
|
|
|
|
may ignore all but the first appearence of the option. For example:<br>
|
|
|
|
|
<br>
|
|
|
|
|
net eth0 dhcp<br>
|
|
|
|
|
loc eth1 dhcp<br>
|
|
|
|
|
<br>
|
2002-08-22 23:33:54 +02:00
|
|
|
|
Shorewall will ignore the 'dhcp' on eth1.</li>
|
|
|
|
|
<li>Update 17 June 2002 - The bug described in the prior bullet
|
2002-08-07 16:28:04 +02:00
|
|
|
|
affects the following options: dhcp, dropunclean, logunclean,
|
|
|
|
|
norfc1918, routefilter, multi, filterping and noping. An additional
|
|
|
|
|
bug has been found that affects only the 'routestopped' option.<br>
|
|
|
|
|
<br>
|
|
|
|
|
Users who downloaded the corrected script prior to 1850 GMT today
|
|
|
|
|
should download and install the corrected script again to ensure
|
2002-08-22 23:33:54 +02:00
|
|
|
|
that this second problem is corrected.</li>
|
|
|
|
|
</ul>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p align="Left">These problems are corrected in
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
|
|
|
|
|
this firewall script</a> which should be installed in
|
|
|
|
|
/etc/shorewall/firewall as described above.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left">Version 1.3.0</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<ul>
|
|
|
|
|
<li>Folks who downloaded 1.3.0 from the links on the download page
|
2002-08-07 16:28:04 +02:00
|
|
|
|
before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than
|
|
|
|
|
1.3.0. The "shorewall version" command will tell you which version
|
2002-08-22 23:33:54 +02:00
|
|
|
|
that you have installed.</li>
|
|
|
|
|
<li>The documentation NAT.htm file uses non-existent
|
2002-08-07 16:28:04 +02:00
|
|
|
|
wallpaper and bullet graphic files. The
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
|
2002-08-22 23:33:54 +02:00
|
|
|
|
corrected version is here</a>.</li>
|
|
|
|
|
</ul>
|
|
|
|
|
<hr>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3 align="Left"><a name="iptables"></a><font color="#660066">
|
|
|
|
|
Problem with iptables version 1.2.3</font></h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
|
|
|
|
|
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
|
|
|
|
|
prevent it from working with Shorewall. Regrettably,
|
|
|
|
|
RedHat released this buggy iptables in RedHat 7.2. </p>
|
|
|
|
|
|
|
|
|
|
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
|
|
|
|
corrected 1.2.3 rpm which you can download here</a> and I have also built
|
|
|
|
|
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
|
|
|
|
iptables-1.2.4 rpm which you can download here</a>. If
|
|
|
|
|
you are currently running RedHat 7.1, you can install either of these RPMs
|
|
|
|
|
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<p align="Left"><font color="#FF6633"><b>Update
|
2002-08-07 16:28:04 +02:00
|
|
|
|
11/9/2001: </b></font>RedHat has
|
2002-08-22 23:33:54 +02:00
|
|
|
|
released an iptables-1.2.4 RPM of their own which you can download from<font color="#FF6633">
|
2002-08-07 16:28:04 +02:00
|
|
|
|
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
|
|
|
|
</font>I have installed this RPM
|
|
|
|
|
on my firewall and it works fine.</p>
|
|
|
|
|
|
|
|
|
|
<p align="Left">If you
|
|
|
|
|
would like to patch iptables 1.2.3 yourself, the patches are available
|
|
|
|
|
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
|
|
|
|
which corrects a problem with parsing of the --log-level specification while
|
|
|
|
|
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
|
|
|
|
corrects a problem in handling the TOS target.</p>
|
|
|
|
|
|
|
|
|
|
<p align="Left">To install one of the above patches:</p>
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<ul>
|
|
|
|
|
<li>cd iptables-1.2.3/extensions</li>
|
|
|
|
|
<li>patch -p0 < <i>the-patch-file</i></li>
|
|
|
|
|
</ul>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18
|
|
|
|
|
and RedHat iptables</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
<blockquote>
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may
|
2002-08-07 16:28:04 +02:00
|
|
|
|
experience the following:</p>
|
|
|
|
|
<blockquote>
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<pre># shorewall start
|
2002-08-07 16:28:04 +02:00
|
|
|
|
Processing /etc/shorewall/shorewall.conf ...
|
|
|
|
|
Processing /etc/shorewall/params ...
|
|
|
|
|
Starting Shorewall...
|
|
|
|
|
Loading Modules...
|
|
|
|
|
Initializing...
|
|
|
|
|
Determining Zones...
|
|
|
|
|
Zones: net
|
|
|
|
|
Validating interfaces file...
|
|
|
|
|
Validating hosts file...
|
|
|
|
|
Determining Hosts in Zones...
|
|
|
|
|
Net Zone: eth0:0.0.0.0/0
|
|
|
|
|
iptables: libiptc/libip4tc.c:380: do_check: Assertion
|
|
|
|
|
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
|
|
|
|
|
Aborted (core dumped)
|
|
|
|
|
iptables: libiptc/libip4tc.c:380: do_check: Assertion
|
|
|
|
|
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
|
|
|
|
|
Aborted (core dumped)
|
2002-08-22 23:33:54 +02:00
|
|
|
|
</pre>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
|
|
|
|
user-space debugging code was not updated to reflect recent changes in the
|
|
|
|
|
Netfilter 'mangle' table. You can correct the problem by installing
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
|
|
|
|
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
|
|
|
|
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
|
|
|
|
|
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3><a name="SuSE"></a>Problems
|
|
|
|
|
installing/upgrading RPM on SuSE</h3>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p>If you find that rpm complains about a conflict
|
|
|
|
|
with kernel <= 2.2 yet you have a 2.4 kernel
|
|
|
|
|
installed, simply use the "--nodeps" option to
|
|
|
|
|
rpm.</p>
|
|
|
|
|
|
|
|
|
|
<p>Installing: rpm -ivh <i><shorewall rpm></i></p>
|
|
|
|
|
|
|
|
|
|
<p>Upgrading: rpm -Uvh <i><shorewall rpm></i></p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
<h3><a name="Multiport"></a><b>Problems with
|
|
|
|
|
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
|
|
|
|
|
|
|
|
|
|
<p>The iptables 1.2.7 release of iptables has made
|
|
|
|
|
an incompatible change to the syntax used to
|
|
|
|
|
specify multiport match rules; as a consequence,
|
|
|
|
|
if you install iptables 1.2.7 you must</p>
|
|
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
|
<li>set MULTIPORT=No in
|
|
|
|
|
/etc/shorewall/shorewall.conf; or </li>
|
|
|
|
|
<li>if you are running Shorewall 1.3.6 you may
|
|
|
|
|
install
|
|
|
|
|
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
|
|
|
|
this firewall script</a> in /var/lib/shorewall/firewall
|
|
|
|
|
as described above.</li>
|
|
|
|
|
</ul>
|
|
|
|
|
<p><font size="2">
|
|
|
|
|
Last updated 8/22/2002 -
|
|
|
|
|
<a href="support.htm">Tom Eastep</a></font> </p>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
|
|
|
|
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
|
|
|
|
<20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
|
</body>
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</html>
|