1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. 2) The 4.4.20 Shorewall6 installer always installs the 'plain' (unannotated) version of shorewall6.conf, regardless of the '-p' option. 3) Fixed item 1 from 4.4.19.4 was inadvertently omitted from 4.4.20. 2) A defect introduced in 4.4.20 can cause the following failure at start/restart: ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1: sfq quantum 12498 limit 127 perturb 10" failed The error occurs when explicit interface numbers are assigned in /etc/shorewall/tcdevices and the default HTB queuing discipline is used. 3) The 'sfilter' interface option introduced in 4.4.20 is not applied to traffic addressed to the firewall itself. 4) IPSEC traffic is incorrectly included in the rules generated by sfiltering. 5) Shorewall 4.4.20 can, under some circumstances, fail during iptables-restore with a message such as the following: iptables-restore v1.4.10: Couldn't load target `dsl0_fwd':/usr/lib/xtables/libipt_dsl0_fwd.so: cannot open shared object file: No such file or directory Error occurred at line: 113 Try `iptables-restore -h' or 'iptables-restore --help' for more information. ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input