2009-08-18
End-of-life for Shorewall-shell in
Shorewall 4.4
Shorewall 4.4, released in August 2009, does not include
Shorewall-shell. Because Shorewall 4.0 is included in Debian Lenny, the
4.0 release of Shorewall-shell will continue to be supported until
Debian Squeeze is released. The 4.2 release of Shorewall-shell will
continue to be supported until Shorewall 4.6 is released in 2010.
Shorewall-shell users concerned about upgrading are encouraged to
migrate to Shorewall-perl before upgrading to Shorewall 4.4. By
migrating
before upgrading, you will be able to have both
Shorewall-shell and Shorewall-perl installed at the same time; that
way, you can quickly fall back to Shorewall-shell if you have problems.
Users who
run Shorewall-shell on an embedded system that is too small to support
Perl should consider switching to Shorewall-lite
with Shorewall-perl installed on an administrative system (may be a
Windows[tm] system running Cygwin[tm]).
Attention
Shorewall-perl 4.2 Users
Shorewall-perl 4.2.8
Shorewall-perl 4.2.8 was dead on arrival. The compiler did not rename
the generated script file with the result that it was removed when the
compiler terminated. This lead to:
- It was not possible to start Shorewall or Shorewall6 for the
first time after installing 4.2.8
- Changes to the configuration were apparently ignored.
This problem was corrected in Shorewall-perl-4.2.8.1.
Shorewall-perl 4.2.6 and Earlier
On February 28, Klemens Rutz reported a problem that affects all
Shorewall-perl 4.2 versions prior to 4.2.6.1.
The problem:
- Only occurs when there are multiple non-firewall zones.
- Results in the following interface options not being applied to
forwarded traffic.
blacklist
dhcp
maclist (when MACLIST_TABLE=filter)
norfc1918
nosmurfs
tcpflags
User are encouraged to either:
- Upgrade to Shorewall-perl-4.2.6.1 or later; or
- Apply the patch found at:
To apply the patch, execute this
command:
patch /usr/share/shorewall-perl/Shorewall/Rules.pm < forward.patch
The patch may apply with fuzz and/or an
offset, depending on your particular version.
A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and
Shorewall-shell
4.0.0-4.0.2 prevents proper handling of PREROUTING marks when
HIGH_ROUTE_MARKS=No and the track option is
specified.
Patches are available to correct this problem:
Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff
Shorewall version 3.4.4-3.4.6: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.66/errata/patches/Shorewall/patch-3.4.6-1.diff
Shorewall-shell version 4.0.0-4.0.2: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff
Note that a patch may succeed with an offset when applied to a
release
other than the one for which it was specifically prepared. For example,
when
the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release
3.2.10) is applied to release 3.4.3, the following is the result:
root@wookie:~# cd /usr/share/shorewall
root@wookie/usr/share/shorewall#: patch < ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff
patching file compiler
Hunk #1 succeeded at 958 (offset -1669 lines).
root@wookie:/usr/share/shorewall#
Update -- 7 November 2007
A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and
4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks
when
HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this
problem:
Shorewall version 3.2.3-3.2.11: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff
Shorewall version 3.4.0-3.4.7: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff
Shorewall version 4.0.0-4.0.5: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff
and http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff.
In Linux Kernel version 2.6.20, the Netfilter team changed Physdev
Match
so that it is no longer capable of supporting BRIDGING=Yes. The
solutions
available to users are to either:
- Switch to using the technique described at http://www.shorewall.net/3.0/NewBridge.html;
or
- Upgrade to Shorewall 4.0, migrate to using Shorewall-perl, and
follow the instructions at http://www1.shorewall.net/bridge-Shorewall-perl.html.
The first approach allows you to switch back and forth between
kernels
older and newer than 2.6.20. The second approach is a better long-term
solution.
Attention Users of Kernel 2.4
The Shorewall developers do not test Shorewall running on Kernel 2.4
and we make no representation about the functionality of Shorewall on
that Kernel. Any failure of Shorewall on Kernel 2.4 will not be
investigated by the Shorewall team.
Copyright © 2001-2009 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document
under the terms of the GNU Free Documentation License, Version 1.2 or
any
later version published by the Free Software Foundation; with no
Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of
the
license is included in the section entitled "GNU Free Documentation License".