706d40dfda
Signed-off-by: Tom Eastep <teastep@shorewall.net>
1) In all versions of Shorewall6 lite, the 'shorecap' program is
   using the 'iptables' program rather than the 'ip6tables' program.
   This causes many capabilities that are not available in IPv6 to
   be incorrectly reported as available.

   This results in errors such as:

   ip6tables-restore v1.4.2: Couldn't load match `addrtype':
   /lib/xtables/libip6t_addrtype.so: cannot open shared
   object file: No such file or directory

   To work around this problem, on the administrative system:

   a) Remove the incorrect capabilities file.
   b) In shorewall6.conf, set the IP6TABLES option to the
      path name of ip6tables on the firewall (example:
      IP6TABLES=/sbin/ip6tables).
   c) 'shorewall6 load <firewall>'.

   Corrected in Shorewall 4.4.11.1

2) In a number of cases, Shorewall6 generates incorrect rules
   involving the IPv6 multicast network. The rules specify
   ff00::/10 where they should specify ff00::/8. Also, rules
   instantiated when the IPv6 firewall is stopped use ff80::/10 rather
   than fe80::/10 (IPv6 link local network).

   Corrected in Shorewall 4.4.11.1

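   The following is an added example (not part of the Shorewall sources
   or of this known-problems file) that makes the prefix error in item 2
   concrete and audits rule text for it. It uses only the Python standard
   library; the sample ip6tables-restore lines in SAMPLE_RULES are
   constructed for the demonstration and are not Shorewall output.

```python
import ipaddress
import re

# Correct well-known IPv6 ranges (RFC 4291):
#   all multicast addresses share the first 8 bits (ff00::/8),
#   link-local unicast is fe80::/10.
MULTICAST = ipaddress.IPv6Network("ff00::/8")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# The mistaken prefixes named in item 2, mapped to the prefix the rule
# should have used.
WRONG_MULTICAST = ipaddress.IPv6Network("ff00::/10")
WRONG_LINK_LOCAL = ipaddress.IPv6Network("ff80::/10")
MISTAKES = {WRONG_MULTICAST: MULTICAST, WRONG_LINK_LOCAL: LINK_LOCAL}

# Matches the address argument of -s/-d (and their long forms) in an
# iptables-restore style rule line.
_ADDR_OPT = re.compile(
    r"(?:^|\s)(?:--source|--destination|-s|-d)\s+(\S+)")

# Constructed sample input: two lines carry the bad prefixes, the rest
# are correct or unrelated.
SAMPLE_RULES = [
    "-A INPUT -d ff00::/10 -j ACCEPT",      # wrong: misses ff40::/10 .. ffc0::/10
    "-A INPUT -s ff80::/10 -j ACCEPT",      # wrong: that range is multicast, not link-local
    "-A INPUT -d ff00::/8 -j ACCEPT",       # correct multicast prefix
    "-A INPUT -s fe80::/10 -j ACCEPT",      # correct link-local prefix
    "-A INPUT -s 2001:db8::/32 -j DROP",    # unrelated global unicast
]


def missed_examples():
    """Show concrete addresses that the wrong prefixes fail to cover.

    ff40::1 is a valid multicast address (flags nibble 4) that lies
    outside ff00::/10; fe80::1 is the canonical link-local address and
    is not inside ff80::/10 at all.
    """
    mc = ipaddress.IPv6Address("ff40::1")
    ll = ipaddress.IPv6Address("fe80::1")
    return {
        "ff40::1 in ff00::/8": mc in MULTICAST,          # True
        "ff40::1 in ff00::/10": mc in WRONG_MULTICAST,   # False
        "fe80::1 in fe80::/10": ll in LINK_LOCAL,        # True
        "fe80::1 in ff80::/10": ll in WRONG_LINK_LOCAL,  # False
    }


def audit_line(line):
    """Return [(wrong_prefix, expected_prefix), ...] for one rule line."""
    findings = []
    for token in _ADDR_OPT.findall(line):
        try:
            net = ipaddress.IPv6Network(token, strict=False)
        except ValueError:
            continue  # not an IPv6 network (IPv4, ipset name, etc.)
        expected = MISTAKES.get(net)
        if expected is not None:
            findings.append((token, str(expected)))
    return findings


def audit_rules(lines):
    """Audit a sequence of rule lines; returns (line_no, wrong, expected)."""
    report = []
    for lineno, line in enumerate(lines, 1):
        for wrong, expected in audit_line(line):
            report.append((lineno, wrong, expected))
    return report


if __name__ == "__main__":
    for desc, result in missed_examples().items():
        print(f"{desc}: {result}")
    for lineno, wrong, expected in audit_rules(SAMPLE_RULES):
        print(f"line {lineno}: {wrong} should be {expected}")
```

   Run against the saved output of 'shorewall6 show' or the generated
   restore input, the audit reports each line that still carries one of
   the two bad prefixes; a clean run on a 4.4.11.1 or later install is
   the expected result.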
3) Using a destination port-range with :random produces a fatal
   compilation error in REDIRECT rules unless the firewall zone is
   explicitly specified (e.g., $FW::2000-2010:random).

   Corrected in Shorewall 4.4.11.1

4) /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
   'nolock' option. In other cases, this option is incorrectly passed
   on to the compiled script, causing the script to issue a usage
   synopsis and to terminate.

   Corrected in Shorewall 4.4.11.1

5) On systems that use the Upstart init system (such as Ubuntu and
   Fedora), Shorewall-init is not reliable at starting the firewall
   during boot when normal firewall startup is disabled and UPDOWN=1
   is specified in /etc/default/shorewall-init.

   Suggested workaround is to not disable normal startup (e.g., do not
   set startup=0 on Debian-based systems and do not 'chkconfig
   --del...' on Fedora).

   Corrected in Shorewall 4.4.11.2

6) A typo in /sbin/shorewall6-lite version 4.4.11.1 causes the
   stop, reset and clear commands to hang for one minute after the
   command has been executed and causes the next shorewall6-lite
   command to similarly hang for one minute.

   Corrected in Shorewall 4.4.11.2.

7) A typo in the Shorewall install.sh script prevents the Makefile from
   being installed in /usr/share/shorewall/configfiles/Makefile.

   Corrected in Shorewall 4.4.11.2.

8) On systems running Upstart, Shorewall-init cannot reliably close
   the firewall before interfaces come up.

9) When 'any' is used in the SOURCE column of /etc/shorewall[6]/rules,
   a duplicate rule is generated in all "fw2*" ("fw-*" if
   ZONE2ZONE="-") chains. If 'any' is used in the DEST column, then a
   duplicate rule appears in all "*2fw" ("*-fw") chains.

   Corrected in Shorewall 4.4.11.3.

10) A port range that omits the first port number (e.g., ":80") is
    rejected with the following error:

    ERROR: Invalid/Unknown tcp port/service (0) : ......

    A workaround is to specify the first port as 1 (e.g., "1:80").

    Corrected in Shorewall 4.4.11.3.

11) AUTOMAKE=Yes is broken -- don't use it.

    Corrected in Shorewall 4.4.11.3.

12) Under rare circumstances where COMMENT is used to attach comments
    to rules, OPTIMIZE 8 through 15 can result in invalid
    iptables-restore (ip6tables-restore) input.

    Workaround: Don't use optimization levels greater than 7.

13) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
    can result in invalid iptables-restore (ip6tables-restore) input.

    Workaround: Don't use optimization levels greater than 7.

14) When REQUIRE_INTERFACE=Yes, start/restart will fail unless the last
    optional interface defined in the interfaces file is available.

    Workaround: None available.

15) The compiler erroneously allows exclusion in CONTINUE rules
    (tcrules and rules files). The generated iptables (ip6tables) rules
    do not work as expected.

    Workaround: Do not use exclusion with CONTINUE.

16) Exclusion in blacklist file entries is correctly validated but is
    then ignored when generating iptables (ip6tables) input.

    Workaround: Do not use exclusion in the blacklist file.