1) In all versions of Shorewall6 lite, the 'shorecap' program is using the 'iptables' program rather than the 'ip6tables' program. This causes many capabilities that are not available in IPv6 to be incorrectly reported as available. This results in errors such as: ip6tables-restore v1.4.2: Couldn't load match `addrtype': /lib/xtables/libip6t_addrtype.so: cannot open shared object file: No such file or directory To work around this problem, on the administrative system: a) Remove the incorrect capabilties file. b) In shorewall6.conf, set the IP6TABLES option to the path name of ip6tables on the firewall (example: IP6TABLES=/sbin/ip6tables). c) 'shorewall6 load '. Corrected in Shorewall 4.4.11.1 2) In a number of cases, Shorewall6 generates incorrect rules involving the IPv6 multicast network. The rules specify ff00::/10 where they should specify ff00::/8. Also, rules instantiated when the IPv6 firewall is stopped use ff80::/10 rather than fe80::/10 (IPv6 link local network). Corrected in Shorewall 4.4.11.1 3) Using a destination port-range with :random produces a fatal compilation error in REDIRECT rules unless the firewall zone is explicitly specified (e.g., $FW::2000-2010:random). Corrected in Shorewall 4.4.11.1 4) /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the 'nolock' option. In other cases, this option is incorrectly passed on to the compiled script, causing the script to issue a usage synopsis and to terminate. Corrected in Shorewall 4.4.11.1 5) On systems that use the Upstart init system (such as Ubuntu and Fedora), Shorewall-init is not reliable at starting the firewall during boot when normal firewall startup is disabled and UPDOWN=1 is specified in /etc/default/shorewall-init. Suggested workaround is to not disable normal startup (e.g., do not set startup=0 on Debian-based systems and do not 'checkconfig --del...' on Fedora).