shorewall_code/Shorewall/known_problems.txt
Tom Eastep 5ddc7b5f2a Document CONFIG_PATH search with AUTOMAKE.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-15 13:30:17 -07:00

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 4.4.20 Shorewall6 installer always installs the 'plain'
    (unannotated) version of shorewall6.conf, regardless of the '-p'
    option.

    Corrected in 4.4.20.1

3)  Fixed item 1 from 4.4.19.4 was inadvertently omitted from
    4.4.20.

    Corrected in 4.4.20.2

2)  A defect introduced in 4.4.20 can cause the following failure at
    start/restart:

        ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1:
        sfq quantum 12498 limit 127 perturb 10" failed

    The error occurs when explicit interface numbers are assigned in
    /etc/shorewall/tcdevices and the default HTB queuing discipline is
    used.

    Corrected in 4.4.20.2

3)  The 'sfilter' interface option introduced in 4.4.20 is not applied
    to traffic addressed to the firewall itself.

    Corrected in 4.4.20.2

4)  IPSEC traffic is incorrectly included in the rules generated by
    sfiltering.

    Corrected in 4.4.20.2

5)  Shorewall 4.4.20 can, under some circumstances, fail during
    iptables-restore with a message such as the following:

        iptables-restore v1.4.10: Couldn't load target
        `dsl0_fwd':/usr/lib/xtables/libipt_dsl0_fwd.so: cannot open shared object
        file: No such file or directory
        Error occurred at line: 113
        Try `iptables-restore -h' or 'iptables-restore --help' for more
        information.
        ERROR: iptables-restore Failed. Input is in
        /var/lib/shorewall/.iptables-restore-input

    Corrected in 4.4.20.2

6)  The following extraneous warning message may be ignored:

        WARNING: sfilter is ineffective with FASTACCEPT=Yes

    Corrected in 4.4.20.2

7)  A simple configuration like the 'Universal' sample that includes a
    single wildcard interface ('+' in the INTERFACE column) produces a
    ruleset that blocks all incoming packets.

    Workaround: Add the 'routeback' option to the entry in
    /etc/shorewall/interfaces.

    Corrected in 4.4.20.3

8)  AUTOMAKE only searches /etc/shorewall[6] for files newer than the
    current compiled script (/var/lib/shorewall[6]/firewall) and not
    the entire CONFIG_PATH.
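
For item 8, a check along the following lines lists files in every CONFIG_PATH directory that are newer than the compiled script, so a change outside /etc/shorewall[6] is not left out of the running ruleset. It is an added example, not Shorewall code; the function names, the top-level-only search (-maxdepth 1) and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example (not Shorewall code): report configuration files that are
# newer than the compiled firewall script, in every CONFIG_PATH directory.

# stale_config_files CONFIG_PATH COMPILED_SCRIPT
#   CONFIG_PATH is a colon-separated directory list.
#   Prints one stale file per line.
#   Returns 0 if any were found, 1 if none, 2 if the script is missing.
stale_config_files() {
    config_path=$1
    compiled=$2

    # No compiled script at all: a compile is needed regardless.
    [ -f "$compiled" ] || return 2

    stale=$(
        printf '%s\n' "$config_path" | tr ':' '\n' |
        while IFS= read -r dir; do
            # Skip empty or missing path elements.
            [ -d "$dir" ] || continue
            # Assumption: only top-level files in each directory matter.
            find "$dir" -maxdepth 1 -type f -newer "$compiled"
        done
    )

    [ -n "$stale" ] || return 1
    printf '%s\n' "$stale"
}

# Constructed sample: two directories, with only the second one holding a
# file modified after the compile. File names are placeholders.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/etc" "$tmp/share"
    touch -t 201106150000 "$tmp/etc/rules" "$tmp/share/macro.Custom"
    touch -t 201106151200 "$tmp/firewall"
    touch -t 201106151330 "$tmp/share/macro.Custom"
    status=0
    stale_config_files "$tmp/etc:$tmp/share" "$tmp/firewall" || status=$?
    rm -rf "$tmp"
    return "$status"
}

demo
```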