forked from extern/shorewall_code
edfbafc0cb
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@691 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
392 lines
19 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b>If you use a Windows system to download
a corrected script, be sure to run the script through
<u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b></p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b></li>
<li><b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li><b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li><b><font color="#660066"><a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li><b><font color="#660066"><a href="#iptables">Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li><b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel
2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0"></a></b></li>
</ul>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf, Shorewall fails
to start with the error "ERROR: Traffic Control requires Mangle".
That problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall
script</a>, which may be installed in /var/share/shorewall/firewall as described
above. This problem is also corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control. If
a MAC address is used in the SOURCE column, the following error occurs:<br>
<br>
<font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
<a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a>, which may be installed in /var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your 'firewall'
script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this line:<br>
<br>
<tt>r=`mac_match $source`</tt><br>
<br>
with<br>
<br>
<tt>r="`mac_match $source` "</tt><br>
<br>
Note that there must be a space before the ending quote!</li>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall ignores records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.</li>
</ul>
<h3>1.4.4</h3>
<ul>
<li>If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a logging
rule is too long. Upgrade to Version 1.4.4a to fix this problem.</li>
</ul>
<h3>1.4.3</h3>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem.
I have implemented a new LOGFORMAT variable, which replaces LOGMARKER,
has completely solved this problem and is currently in production
with fireparse here at shorewall.net. The updated files may be found at
<a href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.</li>
</ul>
<h3>1.4.2</h3>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not removed. This problem may be corrected
by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with
an ICMP port-unreachable response rather than the more appropriate TCP
RST response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a>, which may be installed in
/etc/shorewall/common.def.</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
<tt>/usr/share/shorewall/firewall: line 2174: [: =: unary operator expected</tt><br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.</li>
</ul>
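<p>The two shell-quoting defects described in the 1.4.6 entry (the missing
trailing space after <tt>mac_match</tt>) and in the 1.4.1 entry (the "unary
operator expected" message) are reproduced in the following added example. This
is not Shorewall's own code; <tt>mac_match</tt> here is a stand-in whose output
format is assumed, and the MAC and address values are constructed.</p>

```sh
#!/bin/sh
# Added example, not Shorewall's own code: reproduces the two quoting
# defects in the 1.4.x 'firewall' script described in these errata.

# Stand-in for the script's mac_match helper; its real output format is
# assumed here, not copied from Shorewall.
mac_match() {
    echo "--match mac --mac-source $1"
}

# 1.4.6 erratum: the rule as add_tcrule_() assembled it before the fix.
# The assignment has no trailing space, so the next fragment ("-d ...")
# is glued onto the MAC and iptables sees "...:E7-d".
tcrule_before_fix() {
    source=$1 dest=$2
    r=`mac_match $source`
    r="${r}-d $dest "
    echo "$r"
}

# 1.4.6 erratum: the corrected line (note the space before the closing quote).
tcrule_after_fix() {
    source=$1 dest=$2
    r="`mac_match $source` "
    r="${r}-d $dest "
    echo "$r"
}

# Returns the token that would be passed to --mac-source, so the defect
# can be seen without running iptables.
mac_token() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "--mac-source" ] && { echo "$2"; return 0; }
        shift
    done
    return 1
}

# 1.4.1 erratum: an unquoted empty variable disappears from the test, so
# sh evaluates "[ = info ]" and prints "[: =: unary operator expected".
level_is_info_unquoted() { [ $1 = info ]; }
# Quoting keeps the empty operand in place; the test is simply false.
level_is_info_quoted() { [ "$1" = info ]; }

# Constructed sample input (not from a real tcrules file).
tcrule_before_fix 00:08:B5:35:52:E7 192.168.1.9
tcrule_after_fix 00:08:B5:35:52:E7 192.168.1.9
```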
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells, Shorewall will attempt
to create ECN rules even when /etc/shorewall/ecn is empty. You may
either remove /etc/shorewall/ecn or install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
corrected script</a> in /usr/share/shorewall/firewall as described above.</li>
</ul>
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066">Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.</p>
<p align="left">I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a> and
I have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
corrects a problem with parsing of the --log-level
specification, while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release made an incompatible
change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later, or:</p>
<ul>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or</li>
<li>if you are running Shorewall 1.3.6, you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT</h3>
<p>/etc/shorewall/nat entries of the following
form will result in Shorewall being unable to start:</p>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
192.0.2.22      eth0            192.168.9.22    yes             yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<p>The error message is:</p>
<pre>Setting up NAT...
iptables: Invalid argument
Terminated
</pre>
<p>The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support
under a new kernel configuration option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a>.</p>
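<p>As an added example (not part of Shorewall), the following script finds
/etc/shorewall/nat records whose LOCAL column is "yes" and rewrites them to
"no", the fix given above. The sample file contents are constructed, and the
column positions are assumed from the header shown above.</p>

```sh
#!/bin/sh
# Added example, not Shorewall's own code: flags /etc/shorewall/nat records
# with LOCAL=yes (the setting that fails under RH kernel 2.4.18-10) and
# rewrites them to LOCAL=no, the fix the erratum gives.
# Column layout assumed from the file header: EXTERNAL INTERFACE INTERNAL
# "ALL INTERFACES" LOCAL, i.e. LOCAL is the fifth whitespace-separated field.

# Constructed sample nat file (not from a real system).
SAMPLE_NAT='#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
192.0.2.22      eth0            192.168.9.22    yes             yes
192.0.2.23      eth0            192.168.9.23    yes             no
192.0.2.24      eth0            192.168.9.24    no
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'

# Print "<line>:<EXTERNAL>" for every record whose LOCAL column is yes.
# Comment and blank lines are skipped; a missing fifth column is treated as
# "not set" (an assumption here, not Shorewall's documented default).
find_local_yes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF >= 5 && tolower($5) == "yes" { printf "%d:%s\n", NR, $1 }'
}

# Emit the same file with every LOCAL=yes changed to no, leaving column
# alignment and all other lines untouched.
fix_local_column() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || NF < 5 { print; next }
        tolower($5) == "yes" { sub(/[Yy][Ee][Ss][[:space:]]*$/, "no") }
        { print }'
}

find_local_yes "$SAMPLE_NAT"
fix_local_column "$SAMPLE_NAT"
```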
<h3><a name="REJECT"></a><b>Problems with RH Kernels after 2.4.20-9 and REJECT
(also applies to 2.4.21-RC1)</b></h3>
<p>Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just
like DROP rules when dealing with TCP. A kernel patch and precompiled modules
to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.</p>
<hr>
<p><font size="2">Last updated 7/23/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
</body>
</html>