holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Convert errata.htm to Docbook XML

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@980 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-26 20:39:06 +00:00
parent c245e77bb9
commit 9ff5fc30c1
2 changed files with 426 additions and 349 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

349
Shorewall-docs/errata.htm
View File

@ -1,349 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<p align="center"> </p>
<h1 style="text-align: center;">Shorewall Errata<br>
</h1>
<p align="center"><b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it
to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar the
archive, replace the 'firewall' script in the untarred directory with
the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script if you
are
running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a href="#iptables"> Problem with
iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="new10.gif" alt="(New)"
width="28" height="12" border="0"> </a><br>
</b></li>
</ul>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.8</h3>
<ul>
<li>When a DNAT rules specifies SNAT (e.g., when &lt;original dest
addr&gt;:&lt;SNAT addr&gt; is given in the ORIGINAL DEST column), the
SNAT specification is effectively ignored in some cases.</li>
</ul>
This problem has been corrected in this <a
href="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">firewall
script</a> which may be installed in /usr/share/shorewall/firewall as
described above.<br>
<h3>1.4.7</h3>
<ul>
<li>Using some versions of 'ash' (such as from RH8) as the
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so: <br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>When more than one ICMP type is listed in a rule and your kernel
includes multiport match support,&nbsp; the firewall fails to
start.&nbsp;</li>
<li>Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.</li>
<li>After the following error message, Shorewall was left in an
inconsistent state:<br>
Error: Unable to determine the routes through interface xxx<br>
</li>
<li>When a DNAT rules specifies SNAT (e.g., when &lt;original dest
addr&gt;:&lt;SNAT addr&gt; is given in the ORIGINAL DEST column), the
SNAT specification is effectively ignored in some cases.</li>
</ul>
These problems have been corrected in this <a
href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
script</a> which may be installed in /usr/share/shorewall/firewall as
described above.<br>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR:&nbsp; Traffic Control
requires
Mangle"; that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/use/share/shorewall/firewall as described above. This problem is also
corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control.
If a MAC address is used in the SOURCE column, an error occurs as
follows:<br>
<br>
&nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/usr/share/shorewall/firewall as described above. For all other
versions, you will have to edit your 'firewall' script (in versions
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
function add_tcrule_() and in that function, replace this line:<br>
<br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
have an empty second column (HOSTS). This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above.</li>
<li>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in
/usr/share/shorewall/functions.<br>
</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.4<br>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul>
<h3>1.4.3</h3>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net.
The
updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
</ul>
<h3>1.4.2</h3>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be
corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above. <br>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST
response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed
in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
&nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
unary operator
expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in
/usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may either
just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
with iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
also
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are
currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you
upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and RedHat
iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running
Shorewall
1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /usr/lib/shorewall/firewall as described
above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
and
REJECT (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch
and
precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 12/17/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

426
Shorewall-docs/errata.xml Normal file
View File

@ -0,0 +1,426 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!---->
<articleinfo>
<title>Shorewall Errata</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-12-17</pubdate>
<copyright>
<year>2001-2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<itemizedlist>
<listitem>
<para>If you use a Windows system to download a corrected script, be
sure to run the script through <ulink
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
after you have moved it to your Linux system.</para>
</listitem>
<listitem>
<para>If you are installing Shorewall for the first time and plan to
use the .tgz and install.sh script, you can untar the archive, replace
the &#39;firewall&#39; script in the untarred directory with the one
you downloaded below, and then run install.sh.</para>
</listitem>
<listitem>
<para>When the instructions say to install a corrected firewall script
in /usr/share/shorewall/firewall, you may rename the existing file
before copying in the new file.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
For example, do NOT install the 1.3.9a firewall script if you are
running 1.3.7c.</para>
</listitem>
</itemizedlist>
</caution>
<section>
<title>Problems in Version 1.4</title>
<section>
<title>Shorewall 1.4.8</title>
<itemizedlist>
<listitem>
<para>When a DNAT rules specifies SNAT (e.g., when &#60;original
dest addr&#62;:&#60;SNAT addr&#62; is given in the ORIGINAL DEST
column), the SNAT specification is effectively ignored in some
cases.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 1.4.7</title>
<itemizedlist>
<listitem>
<para>Using some versions of &#39;ash&#39; (such as from RH8) as the
SHOREWALL_SHELL causes &#34;shorewall [re]start&#34; to fail with:<programlisting> &#x00A0;&#x00A0; local: --limit: bad variable name
&#x00A0;&#x00A0; iptables v1.2.8: Couldn&#39;t load match `-j&#39;:/lib/iptables/libipt_-j.so:
&#x00A0;&#x00A0; cannot open shared object file: No such file or directory
&#x00A0;&#x00A0; Try `iptables -h&#39; or &#39;iptables --help&#39; for more information.</programlisting></para>
</listitem>
<listitem>
<para>When more than one ICMP type is listed in a rule and your
kernel includes multiport match support,&#x00A0; the firewall fails
to start.</para>
</listitem>
<listitem>
<para>Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.</para>
</listitem>
<listitem>
<para>After the following error message, Shorewall was left in an
inconsistent state:<programlisting> Error: Unable to determine the routes through interface xxx</programlisting></para>
</listitem>
<listitem>
<para>When a DNAT rules specifies SNAT (e.g., when &#60;original
dest addr&#62;:&#60;SNAT addr&#62; is given in the ORIGINAL DEST
column), the SNAT specification is effectively ignored in some
cases.</para>
</listitem>
</itemizedlist>
<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 1.4.6</title>
<itemizedlist>
<listitem>
<para>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error &#34;ERROR:&#x00A0; Traffic
Control requires Mangle&#34;; that problem has been corrected in
<ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</ulink> which may be installed in
/use/share/shorewall/firewall as described above. This problem is
also corrected in bugfix release 1.4.6a.</para>
</listitem>
<listitem>
<para>This problem occurs in all versions supporting traffic
control. If a MAC address is used in the SOURCE column, an error
occurs as follows:</para>
<para><programlisting> iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</programlisting>For
Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
<ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above. For all other
versions, you will have to edit your &#39;firewall&#39; script (in
versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:<programlisting> &#x00A0; r=`mac_match $source`&#x00A0;</programlisting>with<programlisting> &#x00A0; &#x00A0; &#x00A0;r=&#34;`mac_match $source` &#34;</programlisting>Note
that there must be a space before the ending quote!</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.4b</title>
<itemizedlist>
<listitem>
<para>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be
corrected by installing <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall">this
firewall script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
<listitem>
<para>The INCLUDE directive doesn&#39;t work when placed in the
/etc/shorewall/zones file. This problem may be corrected by
installing <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions">this
functions script</ulink> in /usr/share/shorewall/functions.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.4-1.4.4a</title>
<itemizedlist>
<listitem>
<para>Log messages are being displayed on the system console even
though the log level for the console is set properly according to
FAQ 16. This problem may be corrected by installing <ulink url="???">this
firewall script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.4</title>
<itemizedlist>
<listitem>
<para>If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.3</title>
<itemizedlist>
<listitem>
<para>The LOGMARKER variable introduced in version 1.4.3 was
intended to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved
part of the integration problem. I have implimented a new LOGFORMAT
variable which will replace LOGMARKER which has completely solved
this problem and is currently in production with fireparse here at
shorewall.net. The updated files may be found at <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</ulink>.
See the 0README.txt file for details.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.2</title>
<itemizedlist>
<listitem>
<para>When an &#39;add&#39; or &#39;delete&#39; command is executed,
a temporary directory created in /tmp is not being removed. This
problem may be corrected by installing <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall">this
firewall script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.1a, 1.4.1 and 1.4.0</title>
<itemizedlist>
<listitem>
<para>Some TCP requests are rejected in the &#39;common&#39; chain
with an ICMP port-unreachable response rather than the more
appropriate TCP RST response. This problem is corrected in <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def">this
updated common.def file</ulink> which may be installed in
/etc/shorewall/common.def.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.1</title>
<itemizedlist>
<listitem>
<para>When a &#34;shorewall check&#34; command is executed, each
&#34;rule&#34; produces the harmless additional message:<programlisting>&#x00A0; &#x00A0; &#x00A0;/usr/share/shorewall/firewall: line 2174: [: =: unary operator expected</programlisting>You
may correct the problem by installing <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall">this
corrected script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 1.4.0</title>
<itemizedlist>
<listitem>
<para>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <ulink
url="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</ulink> in /usr/share/shorewall/firewall as described
above.</para>
</listitem>
</itemizedlist>
</section>
</section>
<section>
<title>Upgrade Issues</title>
<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
separate page</ulink>.</para>
</section>
<section>
<title>Problem with iptables version 1.2.3</title>
<para>There are a couple of serious bugs in iptables 1.2.3 that prevent it
from working with Shorewall. Regrettably, RedHat released this buggy
iptables in RedHat 7.2.&#x00A0;</para>
<para>I have built a <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">corrected
1.2.3 rpm which you can download here</ulink>&#x00A0; and I have also
built an <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">iptables-1.2.4
rpm which you can download here</ulink>. If you are currently running
RedHat 7.1, you can install either of these RPMs before you upgrade to
RedHat 7.2.</para>
<para><emphasis role="bold">Update 11/9/2001:</emphasis> RedHat has
released an iptables-1.2.4 RPM of their own which you can download from
<ulink url="http://www.redhat.com/support/errata/RHSA-2001-144.html.">http://www.redhat.com/support/errata/RHSA-2001-144.html</ulink>.I
have installed this RPM on my firewall and it works fine.</para>
<para>If you would like to patch iptables 1.2.3 yourself, the patches are
available for download. This <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</ulink>
which corrects a problem with parsing of the --log-level specification
while this <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</ulink>
corrects a problem in handling the&#x00A0; TOS target.</para>
<para>To install one of the above patches:<programlisting> cd iptables-1.2.3/extensions
patch -p0 &#60; the-patch-file</programlisting></para>
</section>
<section>
<title>Problems with kernels &#62;= 2.4.18 and RedHat iptables</title>
<para>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</para>
<blockquote>
<programlisting># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&#62;info.valid_hooks == (1 &#60;&#60; 0 | 1 &#60;&#60; 3)&#39; failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&#62;info.valid_hooks == (1 &#60;&#60; 0 | 1 &#60;&#60; 3)&#39; failed.
Aborted (core dumped)</programlisting>
</blockquote>
<para>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter &#39;mangle&#39; table. You can correct the problem by
installing <ulink
url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this
iptables RPM</ulink>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&#34;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&#34;).</para>
</section>
<section>
<title>Problems with iptables version 1.2.7 and MULTIPORT=Yes</title>
<para>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running Shorewall
1.3.7a or later or:</para>
<itemizedlist>
<listitem>
<para>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or</para>
</listitem>
<listitem>
<para>If you are running Shorewall 1.3.6 you may install <ulink
url="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">this
firewall script</ulink> in /usr/lib/shorewall/firewall as described
above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Problems with RH Kernel 2.4.18-10 and NAT</title>
<para>/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:</para>
<programlisting> #EXTERNAL&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; INTERFACE&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; INTERNAL&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; ALL INTERFACES&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; LOCAL
192.0.2.22&#x00A0;&#x00A0;&#x00A0; eth0&#x00A0;&#x00A0;&#x00A0; 192.168.9.22&#x00A0;&#x00A0; yes&#x00A0;&#x00A0;&#x00A0;&#x00A0; yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para> Error message is:</para>
<programlisting> Setting up NAT...
iptables: Invalid argument
Terminated</programlisting>
<para>The solution is to put &#34;no&#34; in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
it. The 2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see <ulink
url="http://www.shorewall.net/Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</ulink>.</para>
</section>
<section>
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)</title>
<para> Beginning with errata kernel 2.4.20-13.9, &#34;REJECT --reject-with
tcp-reset&#34; is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch and
precompiled modules to fix this problem are available at <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink>.</para>
</section>
</article>