shorewall_code/Shorewall-docs2/errata.xml

464 lines
17 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<articleinfo>
<title>Shorewall Errata</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-12-02</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<itemizedlist>
<listitem>
<para>If you use a Windows system to download a corrected script, be
sure to run the script through <ulink
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
after you have moved it to your Linux system.</para>
</listitem>
<listitem>
<para>If you are installing Shorewall for the first time and plan to
use the .tgz and install.sh script, you can untar the archive, replace
the <quote>firewall</quote> script in the untarred directory with the
one you downloaded below, and then run install.sh.</para>
</listitem>
<listitem>
<para>When the instructions say to install a corrected firewall script
in /usr/share/shorewall/firewall, you may rename the existing file
before copying in the new file.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW.</emphasis> For example, do NOT install the 2.0.2 firewall
script if you are running 2.0.0-RC2</para>
</listitem>
</itemizedlist>
</caution>
<section>
<title>RFC1918 File</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>. <emphasis
role="bold">This file only applies to Shorewall versions 1.4.* and 2.0.0
and its bugfix updates</emphasis>. In Shorewall 2.0.1 and later releases,
the <filename>bogons</filename> file lists IP ranges that are reserved by
the IANA and the <filename>rfc1918</filename> file only lists those three
ranges that are reserved by <ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
</section>
<section>
<title>Bogons File</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/bogons">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#Bogons">bogons file</ulink>.</para>
</section>
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.12</title>
<itemizedlist>
<listitem>
<para>The "shorewall add" command produces the error message:</para>
<programlisting>/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found</programlisting>
<para>You can correct the problem yourself by editing
/usr/share/shorewall/firewall and on line 5805, replace <emphasis
role="bold">match_destination_hosts</emphasis> with <emphasis
role="bold">match_dest_hosts</emphasis>.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.12/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.10</title>
<para>The initial packages uploaded to the FTP and HTTP servers were
incorrect. Here are the MD5 sums of the incorrect packages.</para>
<programlisting>14e8f2bfa08cc5ca2715c8b1179d5eb2 &nbsp;shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 &nbsp;shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>These incorrect packages have been replaced with correct ones
having the following MD5 sums:</para>
<programlisting>d5af452d38538b4b994c3c4abab8e012 &nbsp;shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e &nbsp;shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>If you have installed an incorrect package, please replace
<filename>/sbin/shorewall</filename> with <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/shorewall">this
file</ulink>.</para>
</section>
<section>
<title>Shorewall 2.0.3 through 2.0.8</title>
<itemizedlist>
<listitem>
<para>An empty PROTO column in /etc/shorewall/tcrules produced
iptables errors during <command>shorewall start</command>. A value
of <command>all</command> in that column produced a similar
error.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.8/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.3a through 2.0.7</title>
<itemizedlist>
<listitem>
<para>Entries in the USER/GROUP column of an action file (made from
action.template) may be ignored or cause odd errors.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.3a through 2.0.4</title>
<itemizedlist>
<listitem>
<para>Error messages regarding $RESTOREBASE occur during <emphasis
role="bold">shorewall stop</emphasis> if DISABLE_IPV6=Yes in
shorewall.conf.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above. Also fixed in
Shorewall Version 2.0.5.</para>
</section>
<section>
<title>Shorewall 2.0.2 and all Shorewall 2.0.3 Releases.</title>
<itemizedlist>
<listitem>
<para>DNAT rules with <emphasis role="bold">fw</emphasis> as the
source zone and that specify logging cause <command>shorewall
start</command> to fail with an iptables error. The problem is
corrected for Shorewall 2.0.3 users in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.3a and 2.0.3b</title>
<itemizedlist>
<listitem>
<para>Error messages regarding $RESTOREBASE occur during <emphasis
role="bold">shorewall stop</emphasis>.</para>
</listitem>
<listitem>
<para>If CLEAR_TC=Yes in <filename>shorewall.conf</filename>,
<emphasis role="bold">shorewall stop</emphasis> fails without
removing the lock file.</para>
</listitem>
</itemizedlist>
<para>The above problems are corrected in Shorewall version
2.0.3c.</para>
</section>
<section>
<title>Shorewall 2.0.3a</title>
<itemizedlist>
<listitem>
<para>Slackware users find that version 2.0.3a fails to start
because their <command>mktemp</command> utility does not support the
-d option. This may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/functions">this
corrected <filename>functions</filename> file</ulink> in <filename
class="directory">/var/lib/shorewall/functions</filename>.</para>
</listitem>
<listitem>
<para>Shorewall fails to start if there is no
<command>mktemp</command> utility.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in Shorewall version 2.0.3b.</para>
</section>
<section>
<title>Shorewall 2.0.3</title>
<itemizedlist>
<listitem>
<para>A non-empty entry in the DEST column of /etc/shorewall/tcrules
will result in an error message and Shorewall fails to start. This
problem is fixed in Shorewall version 2.0.3a.</para>
</listitem>
<listitem>
<para>A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories has been found by
Javier Fernández-Sanguino Peña. This vulnerability is corrected in
Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to
2.0.3a.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.2</title>
<itemizedlist>
<listitem>
<para>Temporary restore files with names of the form
<filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
/var/lib/shorewall.</para>
</listitem>
<listitem>
<para>"shorewall restore" and "shorewall -f start" do not load
kernel modules.</para>
<para><emphasis role="bold">The above two problems are corrected in
Shorewall 2.0.2a</emphasis></para>
</listitem>
<listitem>
<para>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.</para>
</listitem>
<listitem>
<para>If <filename>/var/lib/shorewall</filename> does not exist,
<command>shorewall start</command> fails.</para>
<para><emphasis role="bold">The above four problems are corrected in
Shorewall 2.0.2b</emphasis></para>
</listitem>
<listitem>
<para>DNAT rules work incorrectly with dynamic zones in that the
source interface is not included in the nat table DNAT rule.</para>
<para><emphasis role="bold">The above five problems are corrected in
Shorewall 2.0.2c</emphasis></para>
</listitem>
<listitem>
<para>During start and restart, Shorewall is detecting capabilities
before loading kernel modules. Consequently, if kernel module
autoloading is disabled, capabilities can be mis-detected during
boot.</para>
</listitem>
<listitem>
<para>The <emphasis>newnotsyn</emphasis> option in
<filename>/etc/shorewall/hosts</filename> has no effect.</para>
<para><emphasis role="bold">The above seven problems are corrected
in Shorewall 2.0.2d</emphasis></para>
</listitem>
<listitem>
<para>Use of the LOG target in an action results in two LOG or ULOG
rules.</para>
<para><emphasis role="bold">The above eight problems are corrected
in Shorewall 2.0.2e</emphasis></para>
</listitem>
<listitem>
<para>Kernel modules fail to load when MODULE_SUFFIX isn't set in
shorewall.conf</para>
<para><emphasis role="bold">All of the above problems are corrected
in Shorewall 2.0.2f</emphasis></para>
</listitem>
</itemizedlist>
<para>These problems are all corrected by the
<filename>firewall</filename> and <filename>functions</filename> files
in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.2">this
directory</ulink>. Both files must be installed in
<filename>/usr/share/shorewall/</filename> as described above.</para>
</section>
<section>
<title>Shorewall 2.0.1</title>
<itemizedlist>
<listitem>
<para>Confusing message mentioning IPV6 occur at startup.</para>
</listitem>
<listitem>
<para>Modules listed in /etc/shorewall/modules don't load or produce
errors on Mandrake 10.0 Final.</para>
</listitem>
<listitem>
<para>The <command>shorewall delete</command> command does not
remove all dynamic rules pertaining to the host(s) being
deleted.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
firewall script</ulink> which may be installed in
<filename>/usr/share/shorewall/firewall</filename> as described
above.</para>
<itemizedlist>
<listitem>
<para>When run on a SuSE system, the install.sh script fails to
configure Shorewall to start at boot time. That problem is corrected
in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
version of the script</ulink>.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.1/2.0.0</title>
<itemizedlist>
<listitem>
<para>On Debian systems, an install using the tarball results in an
inability to start Shorewall at system boot. If you already have
this problem, install <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
file</ulink> as /etc/init.d/shorewall (replacing the existing file
with that name). If you are just installing or upgrading to
Shorewall 2.0.0 or 2.0.1, then replace the
<filename>init.debian.sh</filename> file in the Shorewall
distribution directory (shorewall-2.0.x) with the updated file
before running <command>install.sh</command> from that
directory.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.0</title>
<itemizedlist>
<listitem>
<para>When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it can be eliminated by installing
the script from the link below.</para>
</listitem>
<listitem>
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.</para>
</listitem>
</itemizedlist>
<para>The first problem has been corrected in Shorewall update
2.0.0a.</para>
<para>All of these problems may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
firewall script</ulink> in /usr/share/shorewall as described
above.</para>
</section>
</section>
<section>
<title>Upgrade Issues</title>
<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
separate page</ulink>.</para>
</section>
<section>
<title>Problem with iptables 1.2.9</title>
<para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
Final) or later then you need to patch your iptables 1.2.9 with <ulink
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
patch</ulink> or you need to use the <ulink
url="http://www.netfilter.org/downloads.html#cvs">CVS version of
iptables</ulink>.</para>
</section>
<section>
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)</title>
<para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
<ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<note>
<para>RedHat have corrected this problem in their 2.4.20-27.x
kernels.</para>
</note>
</section>
</article>