2010-12-30 21:01:46 +01:00

1) On systems running Upstart, shorewall-init cannot reliably secure
   the firewall before interfaces are brought up.

   Corrected in Shorewall 4.4.19.1

2) There is a harmless duplicate ACCEPT rule in the INPUT filter chain
   when the firewall is stopped.

   Corrected in Shorewall 4.4.19.1

3) Shorewall interprets all 'nexthop' routes as default routes when
   analyzing the pre-start routing configuration. This can lead to
   unwanted default routes when the firewall is started or stopped.

   Corrected in Shorewall 4.4.19.1

3) A defect introduced in Shorewall 4.4.17 broke the ability to
   specify ':<low port>-<high port>' in the ADDRESS column of
   /etc/shorewall/masq.

   Corrected in Shorewall 4.4.19.1

4) There are several known problems in Complex TC:

   a) The following entry in /etc/shorewall/tcclasses

         A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack

      produces this error:

         ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses

   b) Shorewall reserves class number 1 for the root class of the
      queuing discipline. Defining class 1 in
      /etc/shorewall/tcclasses results in a run-time error.

   c) The compiler does not complain if a CLASSID specified in the MARK
      column of tcrules refers to an IFB class. Such a rule is
      nonsensical since packets are passed through the IFB before
      they are passed through any marking rules.

   d) Where there are more than 10 tcdevices, tcfilter entries can
      generate invalid rules.

   These problems are corrected in Shorewall 4.4.19.2.

3) Double exclusion involving ipset lists is not detected,
   resulting in anomalous behavior.

   Example:

      ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]

   Corrected in Shorewall 4.4.19.2.

4) The changes in 4.4.19.1 that corrected long-standing issues with
   default route save/restore are incompatible with 'gawk'. When
   'gawk' is installed (rather than 'mawk'), awk syntax errors having
   to do with the symbol 'default' are issued.

   Workaround: Install mawk

   Corrected in Shorewall 4.4.19.3.

5) An entry in the USER/GROUP column in the rules and tcrules files
   can cause run-time start/restart failures if the rule(s) being
   added did not have the firewall as the source and were not being
   added to the POSTROUTING chain.

   Workaround: Ensure that all USER/GROUP matches are only specified
   when the SOURCE is $FW (rules file) or the rule is being added to
   the POSTROUTING chain (:T designator in the tcrules file).

   Corrected in Shorewall 4.4.19.3.

6) The compiler allows degenerate entries (only the BAND column
   specified) in /etc/shorewall/tcpri. Such entries cause a run-time
   failure during start/restart.

   Corrected in Shorewall 4.4.19.4.

7) It is possible to specify tcfilters and tcrules that classify
   traffic with the class-id of a non-leaf HFSC class. Such
   classes are not capable of handling packets.

   If a non-leaf class is specified as the default class, then
   a run-time start/restart failure occurs.

   Corrected in Shorewall 4.4.19.4.

8) Shorewall does not check for the existence of ipsets mentioned in
   the configuration, potentially resulting in a run-time
   start/restart failure.

   Corrected in Shorewall 4.4.19.4.

9) As currently implemented, the 'refresh' command can fail or
   can result in a ruleset other than what was intended. If there
   have been changes in the ruleset since it was originally
   started/restarted/restored that added or deleted sequenced chains
   (chains such as ~lognnn and ~exclnnn), the resulting ruleset can
   jump to the wrong such chains or can fail to 'refresh'
   successfully.

   Workaround: Use 'restart' rather than 'refresh'

   Corrected in Shorewall 4.4.19.4.

10) 'shorewall6 refresh' issues a harmless 'ip6tables: Chain exists'
    error message.

    Corrected in Shorewall 4.4.19.4.
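Problems 5, 6 and 8 above all describe entries that the 4.4.19 compiler accepted but that only fail at start/restart time, i.e. after the old ruleset has already been torn down. The following pre-start lint is an added example, not Shorewall's own code: it scans constructed rules, tcrules and tcpri files for those three conditions before 'shorewall start' is attempted. It assumes the positional column layout of the 4.4.x files (USER/GROUP as the ninth column of rules, USER as the seventh column of tcrules, the ':T' designator on MARK meaning the POSTROUTING chain), assumes that ipset references are tokens beginning with '+', and takes the names of the existing ipsets as a parameter (in practice the output of 'ipset list -n'). All helper names (parse_config, lint, check_*) and the sample files are hypothetical.

```python
import re
from typing import Dict, List, Set

# Column positions assumed for Shorewall 4.4.x positional files (assumption, not from the page).
RULES_SOURCE, RULES_USER = 1, 8        # rules:   ACTION SOURCE DEST PROTO DPORT SPORT ODEST RATE USER/GROUP
TC_MARK, TC_SOURCE, TC_USER = 0, 1, 6  # tcrules: MARK SOURCE DEST PROTO DPORT SPORT USER
FW_SOURCES = {"$FW", "fw"}             # ways the firewall itself appears in the SOURCE column
IPSET_REF = re.compile(r"\+\[?!?([\w.-]+)")  # '+name', '+name[src]', '+[!name[src]]', ...


def parse_config(text: str) -> List[List[str]]:
    """Split a Shorewall config file into rows of whitespace-separated columns.
    Comments, blank lines and SECTION/?FORMAT directives are dropped and
    backslash continuation lines are joined before splitting."""
    rows: List[List[str]] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        cols = line.split()
        if not cols or cols[0].upper() in ("SECTION", "?SECTION", "?FORMAT"):
            continue
        rows.append(cols)
    return rows


def col(row: List[str], idx: int) -> str:
    """Return column idx, treating a missing trailing column like the '-' placeholder."""
    return row[idx] if idx < len(row) else "-"


def check_rules_user(rows: List[List[str]]) -> List[str]:
    """Problem 5 (rules file): USER/GROUP is only safe when SOURCE is the firewall."""
    return [f"rules: USER/GROUP '{col(r, RULES_USER)}' with SOURCE '{col(r, RULES_SOURCE)}'"
            for r in rows
            if col(r, RULES_USER) != "-" and col(r, RULES_SOURCE) not in FW_SOURCES]


def check_tcrules_user(rows: List[List[str]]) -> List[str]:
    """Problem 5 (tcrules): USER needs SOURCE $FW or the :T (POSTROUTING) designator on MARK."""
    out = []
    for r in rows:
        user, src, mark = col(r, TC_USER), col(r, TC_SOURCE), col(r, TC_MARK)
        if user != "-" and src not in FW_SOURCES and not mark.upper().endswith(":T"):
            out.append(f"tcrules: USER '{user}' with SOURCE '{src}' and MARK '{mark}'")
    return out


def check_ipsets(rows: List[List[str]], existing: Set[str]) -> List[str]:
    """Problem 8: every '+name' reference must name an ipset that already exists."""
    missing: List[str] = []
    for r in rows:
        for token in r:
            for name in IPSET_REF.findall(token):
                if name not in existing and name not in missing:
                    missing.append(name)
    return [f"ipset '{n}' is referenced but does not exist" for n in missing]


def check_tcpri(rows: List[List[str]]) -> List[str]:
    """Problem 6: an entry with only the BAND column (everything else '-' or absent) is degenerate."""
    return [f"tcpri: degenerate entry with only BAND '{r[0]}'"
            for r in rows if all(c == "-" for c in r[1:])]


def lint(rules: str, tcrules: str, tcpri: str, existing_sets: Set[str]) -> Dict[str, List[str]]:
    """Run all checks; an empty list for every key means none of the three pitfalls is present."""
    rules_rows, tc_rows, pri_rows = parse_config(rules), parse_config(tcrules), parse_config(tcpri)
    return {
        "user_group": check_rules_user(rules_rows) + check_tcrules_user(tc_rows),
        "ipsets": check_ipsets(rules_rows + tc_rows + pri_rows, existing_sets),
        "tcpri": check_tcpri(pri_rows),
    }


# Constructed sample files (not from any real deployment); each contains one or more offenders.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST                PROTO  DPORT  SPORT  ODEST  RATE  USER/GROUP
ACCEPT   $FW     net                 tcp    80     -      -      -     bob
ACCEPT   loc     net                 tcp    22     -      -      -     alice
ACCEPT   loc     net:+my-host[src]   tcp    443
"""
SAMPLE_TCRULES = """\
#MARK  SOURCE     DEST        PROTO  DPORT  SPORT  USER
1      $FW        0.0.0.0/0   tcp    -      -      bob
2:T    0.0.0.0/0  0.0.0.0/0   tcp    22     -      carol
3      loc        0.0.0.0/0   udp    53     -      dave
"""
SAMPLE_TCPRI = """\
#BAND  PROTO  PORT(S)  ADDRESS  INTERFACE
1      tcp    22
3
2      -      -        -        -
"""

if __name__ == "__main__":
    # In a real pre-start check the set names would come from the output of `ipset list -n`.
    for category, findings in lint(SAMPLE_RULES, SAMPLE_TCRULES, SAMPLE_TCPRI, {"blacklist"}).items():
        for finding in findings:
            print(f"[{category}] {finding}")
```

Run it before 'shorewall start' or 'shorewall restart' on a 4.4.19 host; a non-empty report points at the entry that would otherwise only surface as a run-time failure after the previous ruleset is gone. The checks are deliberately conservative: a USER/GROUP match on a rule whose SOURCE is not $FW is reported even if it happens to be harmless, because the page describes the failure as dependent on the chain the rule ends up in.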