forked from extern/shorewall_code
42 lines
1.6 KiB
Plaintext
1) In all versions of Shorewall6 lite, the 'shorecap' program is
   using the 'iptables' program rather than the 'ip6tables' program.
   This causes many capabilities that are not available in IPv6 (such
   as the 'addrtype' match) to be incorrectly reported as available.

   This results in errors such as:

   ip6tables-restore v1.4.2: Couldn't load match `addrtype':
   /lib/xtables/libip6t_addrtype.so: cannot open shared
   object file: No such file or directory

   To work around this problem, on the administrative system:

   a) Remove the incorrect capabilities file.

   b) In shorewall6.conf, set the IP6TABLES option to the
      path name of ip6tables on the firewall (example:
      IP6TABLES=/sbin/ip6tables).

   c) 'shorewall6 load <firewall>'.

2) In a number of cases, Shorewall6 generates incorrect rules
   involving the IPv6 multicast network. The rules specify
   ff00::/10 where they should specify ff00::/8. Also, rules
   instantiated when the IPv6 firewall is stopped use ff80::/10 rather
   than fe80::/10 (IPv6 link local network).

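   The following is an added example, not part of this file or of the
   Shorewall project's code. It shows, using only the Python standard
   library, what the two wrong prefixes miss (the ff00::/10 prefix drops
   every multicast group whose flag nibble is 4 or higher, and ff80::/10
   does not contain any link-local address at all), and it scans
   ip6tables-save style output for the miscomputed prefixes so an
   administrator can check a running firewall. The sample rule lines and
   sample addresses are constructed for the example.

```python
import ipaddress
import re

# Correct IPv6 special-purpose prefixes (RFC 4291) and the wrong prefixes
# that the note above says Shorewall6 emitted in their place.
EXPECTED = {
    "multicast": ipaddress.IPv6Network("ff00::/8"),
    "link-local": ipaddress.IPv6Network("fe80::/10"),
}
MULTICAST_BAD = ipaddress.IPv6Network("ff00::/10")
LINKLOCAL_BAD = ipaddress.IPv6Network("ff80::/10")
KNOWN_BAD = {
    MULTICAST_BAD: "multicast",
    LINKLOCAL_BAD: "link-local",
}

# Matches the address arguments in ip6tables-save style rule lines,
# e.g. "-A INPUT -s fe80::/10 -j ACCEPT" or "! -d ff00::/8 ...".
ADDR_ARG_RE = re.compile(r"(?:!\s+)?(-s|-d|--source|--destination)\s+(\S+)")


def uncovered(correct, wrong, addresses):
    """Return the addresses that the correct prefix covers but the wrong one misses."""
    return [a for a in addresses
            if ipaddress.IPv6Address(a) in correct
            and ipaddress.IPv6Address(a) not in wrong]


def audit_rules(lines):
    """Scan ip6tables-save output for the miscomputed prefixes.

    Returns a list of (line_number, flag, cidr, intended_range, correct_prefix).
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for flag, cidr in ADDR_ARG_RE.findall(line):
            try:
                net = ipaddress.IPv6Network(cidr, strict=False)
            except ValueError:
                continue  # not an IPv6 CIDR (e.g. an ipset name or IPv4 address)
            intended = KNOWN_BAD.get(net)
            if intended is not None:
                findings.append((lineno, flag, cidr, intended, str(EXPECTED[intended])))
    return findings


# Constructed sample of ip6tables-save output mixing correct and wrong prefixes.
SAMPLE_RULES = [
    "-A INPUT -d ff00::/10 -j ACCEPT",
    "-A OUTPUT -d ff00::/8 -j ACCEPT",
    "-A INPUT -s ff80::/10 -j ACCEPT",
    "-A INPUT -s fe80::/10 -j ACCEPT",
    "-A INPUT -s 2001:db8::/32 -j DROP",
]

# Constructed addresses: all-nodes multicast, a multicast group with the
# embedded-RP flag bits set (ff70::/12, RFC 3956), and a link-local address.
SAMPLE_ADDRESSES = ["ff02::1", "ff7e:240:2001:db8::1", "fe80::1"]

if __name__ == "__main__":
    for lineno, flag, cidr, intended, correct in audit_rules(SAMPLE_RULES):
        print("line %d: %s %s should be %s (%s)" % (lineno, flag, cidr, correct, intended))
    print("multicast addresses ff00::/10 misses:",
          uncovered(EXPECTED["multicast"], MULTICAST_BAD, SAMPLE_ADDRESSES))
    print("link-local addresses ff80::/10 misses:",
          uncovered(EXPECTED["link-local"], LINKLOCAL_BAD, SAMPLE_ADDRESSES))
```

   Run it against real output with something like
   audit_rules(open("/tmp/rules.v6").read().splitlines()) after saving
   'ip6tables-save' output to that file; an empty result means neither
   wrong prefix is present in the loaded ruleset.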
3) Using a destination port-range with :random produces a fatal
   compilation error in REDIRECT rules.

4) Shorewall-init is not reliable in bringing up interfaces during
   boot on Ubuntu systems that use upstart.

   Suggested workaround is to set startup=1 in your
   /etc/default/shorewall* files.

5) /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
   'nolock' option. In other cases, this option is incorrectly passed
   on to the compiled script, causing the script to issue a usage
   synopsis and to terminate.