Shorewall Errata
Tom
Eastep
2004-08-30
2001-2004
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
If you use a Windows system to download a corrected script, be
sure to run the script through dos2unix
after you have moved it to your Linux system.
If you are installing Shorewall for the first time and plan to
use the .tgz and install.sh script, you can untar the archive, replace
the firewall
script in the untarred directory with the
one you downloaded below, and then run install.sh.
When the instructions say to install a corrected firewall script
in /usr/share/shorewall/firewall, you may rename the existing file
before copying in the new file.
DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall
script if you are running 1.3.7c.
RFC1918 File
Here
is the most up to date version of the rfc1918 file.
Problems in Version 1.4
Shorewall 1.4.10f
Slackware users find that version 1.4.10f fails to start
because their mktemp utility does not support the
-d option. This may be corrected by installing this
corrected functions file in /var/lib/shorewall/functions.
Shorewall fails to start if there is no
mktemp utility.
These problems have been corrected in Shorewall version
1.4.10g.
Shorewall 1.4.10
Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.
The maclist interface option
previously wasn't available on Atheros WiFi cards.
In the /etc/shorewall/masq entry eth0:!10.1.1.150
0.0.0.0/0!10.1.0.0/16 10.1.2.16
,
the !10.1.0.0/16
is ignored.
A startup error occurs if an entry in the tcrules file has an
empty USER/GROUP column.
Specifying multiple excluded source zones in a REDIRECT or
DNAT rule produces a startup error. Example of problem
rule:#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT z1!z2,z3 z4:192.168.4.5 tcp 22
When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it may be eliminated by installing
the updated script linked below.
Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.
A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories has been found by
Javier Fernández-Sanguino Peña.
The first seven problems have been corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
The first two problem corrections were included in Shorewall
update 1.4.10a.
The first three problem corrections were included in Shorewall
update 1.4.10b.
The first four problem corrections were included in Shorewall
update 1.4.10c.
The first six problem corrections were included in Shorewall
update 1.4.10d.
The first seven problems corrections were included in Shorewall
update 1.4.10e;
All problem corrections were included in Shorewall update
1.4.10f.
Shorewall 1.4.9
The column descriptions in the action.template file did not
match the column headings.
This problem has been corrected in this
action.template file which may be installed in
/etc/shorewall.
The presence of IPV6 addresses on devices generates error
messages during [re]start if ADD_IP_ALIASES=Yes
or ADD_SNAT_ALIASES=Yes are specified in
/etc/shorewall/shorewall.conf.
Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.
These problems have been corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 1.4.8
When a DNAT rules specifies SNAT (e.g., when <original dest
addr>:<SNAT addr> is given in the ORIGINAL DEST column),
the SNAT specification is effectively ignored in some cases.
Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.
These problems have been corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 1.4.7
Using some versions of ash
(such as from RH8)
as the SHOREWALL_SHELL causes shorewall [re]start
to
fail with: local: --limit: bad variable name
iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
When more than one ICMP type is listed in a rule and your
kernel includes multiport match support, the firewall fails to
start.
Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.
After the following error message, Shorewall was left in an
inconsistent state: Error: Unable to determine the routes through interface xxx
When a DNAT rules specifies SNAT (e.g., when <original dest
addr>:<SNAT addr> is given in the ORIGINAL DEST column),
the SNAT specification is effectively ignored in some cases.
Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.
These problems have been corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
Shorewall 1.4.6
If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error ERROR: Traffic
Control requires Mangle
; that problem has been corrected in
this
firewall script which may be installed in
/use/share/shorewall/firewall as described above. This problem is
also corrected in bugfix release 1.4.6a.
This problem occurs in all versions supporting traffic
control. If a MAC address is used in the SOURCE column, an error
occurs as follows:
iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`For
Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above. For all other
versions, you will have to edit your firewall
script
(in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line: r=`mac_match $source` with r="`mac_match $source` "Note
that there must be a space before the ending quote!
Shorewall 1.4.4b
Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be
corrected by installing this
firewall script in /usr/share/shorewall/firewall as
described above.
The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by
installing this
functions script in /usr/share/shorewall/functions.
Shorewall 1.4.4-1.4.4a
Log messages are being displayed on the system console even
though the log level for the console is set properly according to
FAQ 16. This problem may be corrected by installing this firewall script in
/usr/share/shorewall/firewall as described above.
Shorewall 1.4.4
If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..
Shorewall 1.4.3
The LOGMARKER variable introduced in version 1.4.3 was
intended to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved
part of the integration problem. I have implimented a new LOGFORMAT
variable which will replace LOGMARKER which has completely solved
this problem and is currently in production with fireparse here at
shorewall.net. The updated files may be found at ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/.
See the 0README.txt file for details.
Shorewall 1.4.2
When an add
or delete
command is
executed, a temporary directory created in /tmp is not being
removed. This problem may be corrected by installing this
firewall script in /usr/share/shorewall/firewall as
described above.
Shorewall 1.4.1a, 1.4.1 and 1.4.0
Some TCP requests are rejected in the common
chain with an ICMP port-unreachable response rather than the more
appropriate TCP RST response. This problem is corrected in this
updated common.def file which may be installed in
/etc/shorewall/common.def.
Shorewall 1.4.1
When a shorewall check
command is executed,
each rule
produces the harmless additional
message: /usr/share/shorewall/firewall: line 2174: [: =: unary operator expectedYou
may correct the problem by installing this
corrected script in /usr/share/shorewall/firewall as
described above.
Shorewall 1.4.0
When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install this
correct script in /usr/share/shorewall/firewall as described
above.
Upgrade Issues
The upgrade issues have moved to a
separate page.
Problem with iptables version 1.2.3
There are a couple of serious bugs in iptables 1.2.3 that prevent it
from working with Shorewall. Regrettably, RedHat released this buggy
iptables in RedHat 7.2.
I have built a corrected
1.2.3 rpm which you can download here and I have also built
an iptables-1.2.4
rpm which you can download here. If you are currently running
RedHat 7.1, you can install either of these RPMs before you upgrade to
RedHat 7.2.
Update 11/9/2001: RedHat has
released an iptables-1.2.4 RPM of their own which you can download from
http://www.redhat.com/support/errata/RHSA-2001-144.html.I
have installed this RPM on my firewall and it works fine.
If you would like to patch iptables 1.2.3 yourself, the patches are
available for download. This patch
which corrects a problem with parsing of the --log-level specification
while this patch
corrects a problem in handling the TOS target.
To install one of the above patches: cd iptables-1.2.3/extensions
patch -p0 < the-patch-file
Problems with kernels >= 2.4.18 and RedHat iptables
Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:
# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter mangle
table. You can correct the problem by
installing this
iptables RPM. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm
).
Problems with iptables version 1.2.7 and MULTIPORT=Yes
The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running Shorewall
1.3.7a or later or:
set MULTIPORT=No in /etc/shorewall/shorewall.conf; or
If you are running Shorewall 1.3.6 you may install this
firewall script in /usr/lib/shorewall/firewall as described
above.
Problems with RH Kernel 2.4.18-10 and NAT
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
192.0.2.22 eth0 192.168.9.22 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Error message is:
Setting up NAT...
iptables: Invalid argument
Terminated
The solution is to put no
in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
it. The 2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT.
Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)
Beginning with errata kernel 2.4.20-13.9, REJECT
--reject-with tcp-reset
is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel
RedHat have corrected this problem in their 2.4.20-27.x
kernels.
Revision History4
1.9
2004-03-20
TE
Proxy ARP/IPSEC fix.
1.8
2004-03-04
TE
Multiple excluded zones problem..
1.7
2004-02-15
TE
TCrules file problem..
1.6
2004-02-09
TE
Masq file exclusion problem.
1.5
2004-02-05
TE
Startup Problem
1.4
2004-01-19
TE
IPV6 address problems. Make RFC1918 file section more
prominent.
1.3
2004-01-14
TE
Confusing template file in 1.4.9
1.3
2004-01-03
TE
Added note about REJECT RedHat Kernal problem being
corrected.
1.2
2003-12-29
TE
Updated RFC1918 file
1.1
2003-12-17
TE
Initial Conversion to Docbook XML