From fc113cc51c1ab3f0a7f78113987c8e9b6b87a2e2 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 31 Mar 2005 23:26:45 +0000 Subject: [PATCH] Just in case git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2018 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/errata.xml | 237 +++++++++++++++++++++++++++----------- 1 file changed, 169 insertions(+), 68 deletions(-) diff --git a/Shorewall-docs/errata.xml b/Shorewall-docs/errata.xml index db39894d6..61d63e5aa 100644 --- a/Shorewall-docs/errata.xml +++ b/Shorewall-docs/errata.xml @@ -13,7 +13,7 @@ - 2004-06-30 + 2004-08-30 2001-2004 @@ -27,7 +27,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -55,9 +56,9 @@ DO NOT INSTALL CORRECTED COMPONENTS ON A - RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. - For example, do NOT install the 1.3.9a firewall script if you are - running 1.3.7c. + RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER + BELOW. For example, do NOT install the 1.3.9a firewall + script if you are running 1.3.7c. @@ -65,7 +66,8 @@
RFC1918 File - Here + Here is the most up to date version of the rfc1918 file.
@@ -87,12 +89,13 @@ - Shorewall fails to start if there is no mktemp - utility. + Shorewall fails to start if there is no + mktemp utility. - These problems have been corrected in Shorewall version 1.4.10g. + These problems have been corrected in Shorewall version + 1.4.10g.
@@ -100,18 +103,18 @@ - Unexplained errors may occur during "shorewall - [re]start" when the /etc/shorewall/masq file is being processed. + Unexplained errors may occur during "shorewall [re]start" when + the /etc/shorewall/masq file is being processed. The maclist interface option - previously wasn't available on Atheros WiFi cards. + previously wasn't available on Atheros WiFi cards. In the /etc/shorewall/masq entry eth0:!10.1.1.150 -    0.0.0.0/0!10.1.0.0/16     10.1.2.16, +    0.0.0.0/0!10.1.0.0/16     10.1.2.16, the !10.1.0.0/16 is ignored. @@ -122,7 +125,8 @@ Specifying multiple excluded source zones in a REDIRECT or - DNAT rule produces a startup error. Example of problem rule:#ACTION SOURCE DEST PROTO DEST PORT(S) + DNAT rule produces a startup error. Example of problem + rule:#ACTION SOURCE DEST PROTO DEST PORT(S) DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 @@ -165,7 +169,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22The first seven problems corrections were included in Shorewall update 1.4.10e; - All problem corrections were included in Shorewall update 1.4.10f. + All problem corrections were included in Shorewall update + 1.4.10f.
@@ -180,7 +185,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22This problem has been corrected in this - action.template file which may be installed in /etc/shorewall. + action.template file which may be installed in + /etc/shorewall. @@ -191,8 +197,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 - Unexplained errors may occur during "shorewall - [re]start" when the /etc/shorewall/masq file is being processed. + Unexplained errors may occur during "shorewall [re]start" when + the /etc/shorewall/masq file is being processed. @@ -207,15 +213,14 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 - When a DNAT rules specifies SNAT (e.g., when <original - dest addr>:<SNAT addr> is given in the ORIGINAL DEST - column), the SNAT specification is effectively ignored in some - cases. + When a DNAT rules specifies SNAT (e.g., when <original dest + addr>:<SNAT addr> is given in the ORIGINAL DEST column), + the SNAT specification is effectively ignored in some cases. - Unexplained errors may occur during "shorewall - [re]start" when the /etc/shorewall/masq file is being processed. + Unexplained errors may occur during "shorewall [re]start" when + the /etc/shorewall/masq file is being processed. 
@@ -232,16 +237,16 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 Using some versions of ash (such as from RH8) as the SHOREWALL_SHELL causes shorewall [re]start to - fail with:    local: --limit: bad variable name -    iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: -    cannot open shared object file: No such file or directory -    Try `iptables -h' or 'iptables --help' for more information. + fail with:    local: --limit: bad variable name +    iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: +    cannot open shared object file: No such file or directory +    Try `iptables -h' or 'iptables --help' for more information. When more than one ICMP type is listed in a rule and your - kernel includes multiport match support,  the firewall fails - to start. + kernel includes multiport match support,  the firewall fails to + start. @@ -255,15 +260,14 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 - When a DNAT rules specifies SNAT (e.g., when <original - dest addr>:<SNAT addr> is given in the ORIGINAL DEST - column), the SNAT specification is effectively ignored in some - cases. + When a DNAT rules specifies SNAT (e.g., when <original dest + addr>:<SNAT addr> is given in the ORIGINAL DEST column), + the SNAT specification is effectively ignored in some cases. - Unexplained errors may occur during "shorewall - [re]start" when the /etc/shorewall/masq file is being processed. + Unexplained errors may occur during "shorewall [re]start" when + the /etc/shorewall/masq file is being processed. @@ -279,7 +283,7 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 If TC_ENABLED is set to yes in shorewall.conf then Shorewall - would fail to start with the error ERROR:  Traffic + would fail to start with the error ERROR:  Traffic Control requires Mangle; that problem has been corrected in this 
@@ -302,7 +306,7 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22firewall script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall). Locate the function add_tcrule_() and in that function, replace this - line:   r=`mac_match $source` with      r="`mac_match $source` "Note + line:   r=`mac_match $source` with      r="`mac_match $source` "Note that there must be a space before the ending quote! @@ -322,7 +326,7 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 - The INCLUDE directive doesn't work when placed in the + The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones file. This problem may be corrected by installing this @@ -338,9 +342,9 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 Log messages are being displayed on the system console even though the log level for the console is set properly according to - FAQ 16. This problem may be corrected by installing this - firewall script in /usr/share/shorewall/firewall as - described above. + FAQ 16. This problem may be corrected by installing this firewall script in + /usr/share/shorewall/firewall as described above.
@@ -412,7 +416,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22 When a shorewall check command is executed, - each rule produces the harmless additional message:     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expectedYou + each rule produces the harmless additional + message:     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expectedYou may correct the problem by installing this corrected script in /usr/share/shorewall/firewall as @@ -449,12 +454,12 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22There are a couple of serious bugs in iptables 1.2.3 that prevent it from working with Shorewall. Regrettably, RedHat released this buggy - iptables in RedHat 7.2.  + iptables in RedHat 7.2.  I have built a corrected - 1.2.3 rpm which you can download here  and I have also - built an   and I have also built + an iptables-1.2.4 rpm which you can download here. If you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to @@ -462,7 +467,8 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from - http://www.redhat.com/support/errata/RHSA-2001-144.html.I + http://www.redhat.com/support/errata/RHSA-2001-144.html.I have installed this RPM on my firewall and it works fine. If you would like to patch iptables 1.2.3 yourself, the patches are @@ -471,14 +477,14 @@ DNAT z1!z2,z3 z4:192.168.4.5 tcp 22patch - corrects a problem in handling the  TOS target. + corrects a problem in handling the  TOS target. To install one of the above patches: cd iptables-1.2.3/extensions - patch -p0 < the-patch-file + patch -p0 < the-patch-file
- Problems with kernels >= 2.4.18 and RedHat iptables + Problems with kernels >= 2.4.18 and RedHat iptables Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following: @@ -497,10 +503,10 @@ Validating hosts file... Determining Hosts in Zones... Net Zone: eth0:0.0.0.0/0 iptables: libiptc/libip4tc.c:380: do_check: Assertion -`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. Aborted (core dumped) iptables: libiptc/libip4tc.c:380: do_check: Assertion -`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. Aborted (core dumped) @@ -511,7 +517,8 @@ Aborted (core dumped) url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this iptables RPM. If you are already running a 1.2.5 version of iptables, you will need to specify the --oldpackage option to rpm (e.g., - iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm). + iptables -Uvh --oldpackage + iptables-1.2.5-1.i386.rpm).
@@ -542,8 +549,8 @@ Aborted (core dumped) /etc/shorewall/nat entries of the following form will result in Shorewall being unable to start: - #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL - 192.0.2.22    eth0    192.168.9.22   yes     yes + #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL + 192.0.2.22    eth0    192.168.9.22   yes     yes #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE Error message is: @@ -567,26 +574,120 @@ Aborted (core dumped) --reject-with tcp-reset is broken. The symptom most commonly seen is that REJECT rules act just like DROP rules when dealing with TCP. A kernel patch and precompiled modules to fix this problem are available at - ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel + ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel - RedHat have corrected this problem in their 2.4.20-27.x kernels. + RedHat have corrected this problem in their 2.4.20-27.x + kernels.
Revision History4 - 1.92004-03-20TEProxy - ARP/IPSEC fix.1.82004-03-04TEMultiple - excluded zones problem..1.72004-02-15TETCrules - file problem..1.62004-02-09TEMasq - file exclusion problem.1.52004-02-05TEStartup - Problem1.42004-01-19TEIPV6 - address problems. Make RFC1918 file section more prominent.1.32004-01-14TEConfusing - template file in 1.4.91.32004-01-03TEAdded - note about REJECT RedHat Kernal problem being corrected.1.22003-12-29TEUpdated - RFC1918 file1.12003-12-17TEInitial - Conversion to Docbook XML + + + 1.9 + + 2004-03-20 + + TE + + Proxy ARP/IPSEC fix. + + + + 1.8 + + 2004-03-04 + + TE + + Multiple excluded zones problem.. + + + + 1.7 + + 2004-02-15 + + TE + + TCrules file problem.. + + + + 1.6 + + 2004-02-09 + + TE + + Masq file exclusion problem. + + + + 1.5 + + 2004-02-05 + + TE + + Startup Problem + + + + 1.4 + + 2004-01-19 + + TE + + IPV6 address problems. Make RFC1918 file section more + prominent. + + + + 1.3 + + 2004-01-14 + + TE + + Confusing template file in 1.4.9 + + + + 1.3 + + 2004-01-03 + + TE + + Added note about REJECT RedHat Kernal problem being + corrected. + + + + 1.2 + + 2003-12-29 + + TE + + Updated RFC1918 file + + + + 1.1 + + 2003-12-17 + + TE + + Initial Conversion to Docbook XML + + \ No newline at end of file
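Review bot: In the first hunk (@@ -13,7) the pubdate bump from 2004-06-30 to 2004-08-30 is the only change of substance in an otherwise whitespace-only reflow, but the commit message ("Just in case") does not mention it and the rebuilt revision history still ends at 1.9 dated 2004-03-20, so the new date has no matching revhistory entry. Either drop the date change from this reformat commit or add a revision entry for it and state it in the commit message.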
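Review bot: The reflowed text in the hunks at @@ -207,15 and @@ -255,15 carries over a number-agreement error in "When a DNAT rules specifies SNAT"; since both lines are being rewritten anyway, change them to "When a DNAT rule specifies SNAT". The same applies to the unchanged context line in the hunk at @@ -165,7, "The first seven problems corrections were included", which should read "problem corrections" to match "All problem corrections" on the next line.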
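Review bot: The rebuilt revision history in the last hunk (@@ -567,26) reproduces several defects that were already visible in the flattened original and should be cleaned up while the block is being restructured: revnumber 1.3 appears twice (for 2004-01-14 and for 2004-01-03), "REJECT RedHat Kernal problem" should read "Kernel", and "Multiple excluded zones problem.." and "TCrules file problem.." each end with a doubled period. The file also still ends without a trailing newline ("\ No newline at end of file"); add one so the closing element is terminated like the rest of the document.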