forked from extern/shorewall_code
c44a5af689
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1348 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
265 lines
12 KiB
XML
265 lines
12 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<articleinfo>
|
|
<title>Shorewall Errata</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2004-05-21</pubdate>
|
|
|
|
<copyright>
|
|
<year>2001-2004</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<caution>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If you use a Windows system to download a corrected script, be
|
|
sure to run the script through <ulink
|
|
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
|
|
after you have moved it to your Linux system.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you are installing Shorewall for the first time and plan to
|
|
use the .tgz and install.sh script, you can untar the archive, replace
|
|
the <quote>firewall</quote> script in the untarred directory with the
|
|
one you downloaded below, and then run install.sh.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>When the instructions say to install a corrected firewall script
|
|
in /usr/share/shorewall/firewall, you may rename the existing file
|
|
before copying in the new file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
|
|
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
|
|
For example, do NOT install the 1.3.9a firewall script if you are
|
|
running 1.3.7c.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</caution>
|
|
|
|
<section>
|
|
<title>RFC1918 File</title>
|
|
|
|
<para><ulink
|
|
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
|
|
is the most up to date version of the <ulink
|
|
url="Documentation.htm#rfc1918">rfc1918 file</ulink>. This file only
|
|
applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall
|
|
2.0.1 and later releases, the <filename>bogons</filename> file lists IP
|
|
ranges that are reserved by the IANA and the <filename>rfc1918</filename>
|
|
file only lists those three ranges that are reserved by <ulink
|
|
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Bogons File</title>
|
|
|
|
<para><ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
|
|
is the most up to date version of the <ulink
|
|
url="Documentation.htm#Bogons">bogons file</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Problems in Version 2.0</title>
|
|
|
|
<section>
|
|
<title>Shorewall 2.0.2</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Temporary restore files with names of the form
|
|
<filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
|
|
/var/lib/shorewall.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>"shorewall restore" and "shorewall -f start"
|
|
do not load kernel modules.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Specifying a null common action in /etc/shorewall/actions
|
|
(e.g., :REJECT) results in a startup error.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If <filename>/var/lib/shorewall</filename> does not exist,
|
|
<command>shorewall start</command> fails.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>DNAT rules work incorrectly with dynamic zones in that the
|
|
source interface is not included in the nat table DNAT rule.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>These problems are corrected by the <filename>firewall</filename>
|
|
and <filename>functions</filename> files in <ulink
|
|
url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>.
|
|
Both files must be installed in <filename>/usr/share/shorewall/firewall</filename>
|
|
as described above.</para>
|
|
|
|
<para>The first two problems are also corrected in Shorewall version
|
|
2.0.2a, the first four problems are corrected in 2.0.2b and all five
|
|
problems are corrected in 2.0.2c.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall 2.0.1</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Confusing message mentioning IPV6 occur at startup.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Modules listed in /etc/shorewall/modules don't load or
|
|
produce errors on Mandrake 10.0 Final.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The <command>shorewall delete</command> command does not
|
|
remove all dynamic rules pertaining to the host(s) being deleted.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>These problems are corrected in <ulink
|
|
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
|
|
firewall script</ulink> which may be installed in <filename>/usr/share/shorewall/firewall</filename>
|
|
as described above.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>When run on a SuSE system, the install.sh script fails to
|
|
configure Shorewall to start at boot time. That problem is corrected
|
|
in <ulink
|
|
url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
|
|
version of the script</ulink>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall 2.0.1/2.0.0</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>On Debian systems, an install using the tarball results in an
|
|
inability to start Shorewall at system boot. If you already have
|
|
this problem, install <ulink
|
|
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
|
|
file</ulink> as /etc/init.d/shorewall (replacing the existing file
|
|
with that name). If you are just installing or upgrading to
|
|
Shorewall 2.0.0 or 2.0.1, then replace the <filename>init.debian.sh</filename>
|
|
file in the Shorewall distribution directory (shorewall-2.0.x) with
|
|
the updated file before running <command>install.sh</command> from
|
|
that directory.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall 2.0.0</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>When using an Action in the ACTIONS column of a rule, you may
|
|
receive a warning message about the rule being a policy. While this
|
|
warning may be safely ignored, it can be eliminated by installing
|
|
the script from the link below.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
|
|
and IPSEC has been corrected.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The first problem has been corrected in Shorewall update 2.0.0a.</para>
|
|
|
|
<para>All of these problems may be corrected by installing <ulink
|
|
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
|
|
firewall script</ulink> in /usr/share/shorewall as described above.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Upgrade Issues</title>
|
|
|
|
<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
|
|
separate page</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Problem with iptables 1.2.9</title>
|
|
|
|
<para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
|
|
Final) or later then you need to patch your iptables 1.2.9 with <ulink
|
|
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
|
|
patch</ulink> or you need to use the <ulink
|
|
url="http://www.netfilter.org/downloads.html#cvs">CVS version of iptables</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
|
|
2.4.21-RC1)</title>
|
|
|
|
<para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
|
|
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
|
|
is that REJECT rules act just like DROP rules when dealing with TCP. A
|
|
kernel patch and precompiled modules to fix this problem are available at
|
|
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
|
|
|
|
<note>
|
|
<para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
|
|
</note>
|
|
</section>
|
|
|
|
<appendix>
|
|
<title>Revision History</title>
|
|
|
|
<para><revhistory><revision><revnumber>1.17</revnumber><date>2004-05-21</date><authorinitials>TE</authorinitials><revremark>Added
|
|
DNAT dynamic zone bug.</revremark></revision><revision><revnumber>1.16</revnumber><date>2004-05-17</date><authorinitials>TE</authorinitials><revremark>Added
|
|
null common action bug.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-05-16</date><authorinitials>TE</authorinitials><revremark>Added
|
|
2.0.2 bugs</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
|
|
link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add
|
|
Alex Wilms's "install.sh" fix.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Add
|
|
Stefan Engel's "shorewall delete" fix.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-04-28</date><authorinitials>TE</authorinitials><revremark>Add
|
|
iptables 1.2.9 iptables-save bug notice.</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-04-21</date><authorinitials>TE</authorinitials><revremark>Debian
|
|
initialization script problem. Deleted obsolete sections.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-04-20</date><authorinitials>TE</authorinitials><revremark>Updated
|
|
RFC1918 and BOGONS files.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
|
|
ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-03-17</date><authorinitials>TE</authorinitials><revremark>Action
|
|
rules are reported as policies.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-03</date><authorinitials>TE</authorinitials><revremark>Update
|
|
for Shorewall 2.0.0.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
|
|
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
|
|
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
|
|
note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
|
|
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
|
|
Conversion to Docbook XML</revremark></revision></revhistory></para>
|
|
</appendix>
|
|
</article> |