<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="blends 011">
</head>
<body background="_themes/blends/blegtext.gif" bgcolor="#CCCCCC" text="#000000" link="#993300" vlink="#0000FF" alink="#FF9900"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font color="#330099">Shorewall Errata<!--mstheme--></font></h1>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<p align="center">
<b><u>If you use a Windows system to download a corrected script, be sure to
run the script through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/">
dos2unix</a>
after you have moved it to your Linux system.</u></b></p>
<p align="center">
<u><b>When you install a new <i>firewall</i> script, do not simply copy the
new script to /etc/shorewall/firewall. /etc/shorewall/firewall is a symbolic
link that points to the actual script. Determine where that symbolic link
points ("ls -l /etc/shorewall/firewall") and copy the new file to that
location.</b></u></p>
<p align="left">
Example:</p>
<div align="left">
<!--mstheme--></font><pre> ls -l /etc/shorewall/firewall
lrwxrwxrwx 1 root root 31 Jan 30 10:11 /etc/shorewall/firewall -> ../../etc/rc.d/init.d/shorewall</pre><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
</div>
<div align="left">
<p align="left">In this case you would copy the firewall script to /etc/rc.d/init.d/shorewall.</p>
</div>
<div align="left">
<p align="left"><b>Note:</b> When the pathname pointed to by a symbolic link
is relative (does not start with "/"), the pathname is resolved relative to
the directory containing the symbolic link. Hence, the pathname ../../etc/rc.d/init.d/shorewall
is resolved relative to /etc/shorewall.</p></div>
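<p align="left">The two warnings above (run dos2unix on a script that came through Windows, and copy the new script to the file the symbolic link points at, not to the link itself) can be scripted. The shell below is an added example written for this page, not part of Shorewall; it resolves a relative link target with the rule from the Note, refuses a script that still has CRLF line endings, and then copies it. The function names are assumptions, as is the availability of <tt>readlink</tt>.</p>

```shell
# Added example for the install note above; it is not Shorewall's own code.
# It resolves where the /etc/shorewall/firewall symlink points, including a
# relative target such as ../../etc/rc.d/init.d/shorewall, and refuses to
# install a script that still has DOS (CRLF) line endings.  The helper names
# are assumptions; `readlink` is assumed to be available.

# normalize_path PATH: collapse "." and ".." components of an absolute path
# purely textually, so the result can be checked without touching the disk.
normalize_path() {
    _saved_ifs=$IFS
    IFS=/
    set -- $1          # split the path on "/" into positional parameters
    IFS=$_saved_ifs
    _out=
    for _comp in "$@"; do
        case $_comp in
            ''|.) ;;                        # empty or "." adds nothing
            ..)   _out=${_out%/*} ;;        # ".." drops the last component
            *)    _out=$_out/$_comp ;;
        esac
    done
    printf '%s\n' "${_out:-/}"
}

# resolve_link_target LINK TARGET: where LINK points when its target string is
# TARGET.  A relative target is resolved against LINK's own directory, which
# is exactly the rule the note above describes.
resolve_link_target() {
    case $2 in
        /*) normalize_path "$2" ;;
        *)  normalize_path "${1%/*}/$2" ;;
    esac
}

# has_crlf FILE: true if FILE contains carriage returns, i.e. it was saved on
# Windows and still needs dos2unix before the shell can run it.
has_crlf() {
    if tr -d '\r' < "$1" | cmp -s - "$1"; then
        return 1    # identical after stripping CR: no CRLF present
    fi
    return 0
}

# install_firewall_script NEWSCRIPT [LINK]: copy NEWSCRIPT to the file the
# symlink really points at, after the two checks above.
install_firewall_script() {
    _new=$1
    _link=${2:-/etc/shorewall/firewall}
    if has_crlf "$_new"; then
        echo "$_new has CRLF line endings; run dos2unix on it first" >&2
        return 1
    fi
    _target=$(readlink "$_link") || {
        echo "$_link is not a symbolic link" >&2
        return 1
    }
    _dest=$(resolve_link_target "$_link" "$_target")
    echo "installing $_new as $_dest"
    cp "$_new" "$_dest"
}
```

<p align="left">Typical use is <tt>install_firewall_script ./firewall</tt> as root after downloading a corrected script; with the link shown in the example output above it copies to /etc/rc.d/init.d/shorewall.</p>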
<div align="left">
<p align="left"> </div>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099"><font color="#660066">
<a href="errata_1.htm">
Problems in Version 1.1</a></font><!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099"><a href="#V1.2">Problems in Version 1.2</a><!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099"><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3</a></font><!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a><!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<!--msthemeseparator--><p align="center"><img src="_themes/blends/blesepa.gif" width="600" height="10"></p>
<h3 align="Left"><!--mstheme--><font color="#330099"><a name="V1.2"></a>Problems in Version 1.2<!--mstheme--></font></h3>
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.11<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The 'try' command is broken.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">Both problems are corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p>
<h3 align="Left"><!--mstheme--><font color="#330099">Sample Configurations:<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099">All Versions through 1.2.10<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined) is
shown here:<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<blockquote>
<blockquote>
<!--mstheme--></font><table border="2" bordercolordark="#000000" bordercolorlight="#999999">
<tr>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica"><b>HOST(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica"><u>eth2</u>:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">routestopped<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">ppp+:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica"> <!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
</blockquote>
</blockquote>
<h3 align="Left"><!--mstheme--><font color="#330099">All Versions through 1.2.8<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see
the corrected online documentation</a>). Users of the rpm should
change the name (and possibly the value) of this parameter so that
Shorewall interacts properly with the SysV init scripts. The
documentation on this web site has been corrected and
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses for a
zone, you need to have a separate entry for each address.</p>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.7<!--mstheme--></font></h3>
<p align="Left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p>
<ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume
/var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol>
<p>You may now restart using 1.2.8.</p>
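<p align="Left">The two recovery steps above, scripted. This is an added example written for this page, not Shorewall's own code: it reads STATEDIR from a shorewall.conf, falls back to /var/state/shorewall when the variable is empty or missing, and removes the stale lock file there. The function names are assumptions.</p>

```shell
# Added example for the 1.2.7 recovery steps above; not Shorewall's own code.
# It reads STATEDIR from a shorewall.conf, falls back to /var/state/shorewall
# when the variable is empty or absent (step 1), and removes the stale
# 'lock' file there (step 2).  Function names are assumptions.

# shorewall_statedir CONF: print the STATEDIR value from CONF, or the default.
shorewall_statedir() {
    # The last STATEDIR= line wins, as it would for the shell that sources
    # the file; surrounding double quotes are stripped.
    _dir=$(sed -n 's/^STATEDIR=//p' "$1" | tail -n 1)
    _dir=${_dir%\"}
    _dir=${_dir#\"}
    printf '%s\n' "${_dir:-/var/state/shorewall}"
}

# remove_stale_lock CONF: delete the lock file left behind by 1.2.7, if any.
remove_stale_lock() {
    _lock=$(shorewall_statedir "$1")/lock
    if [ -f "$_lock" ]; then
        rm -f "$_lock"
        echo "removed $_lock"
    else
        echo "no lock file at $_lock"
    fi
}
```

<p align="Left">Run <tt>remove_stale_lock /etc/shorewall/shorewall.conf</tt> before starting 1.2.8.</p>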
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.6<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">GRE and IPIP tunnels are broken.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The following rule results in a start error:<br>
<br>
ACCEPT z1 z2 icmp<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in the location pointed to by the symbolic
link /etc/shorewall/firewall.</p>
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.5<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">Errors result if $FW appears in the
/etc/shorewall/policy file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in the location pointed to by the symbolic
link /etc/shorewall/firewall.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found.
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.4<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica"><p align="Left">This version will not install "out of the box" without
modification. Before attempting to start the
firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to
refer to /var/lib/shorewall. This only applies to fresh installations -- if
you are upgrading from a previous version of Shorewall, version 1.2.4 will
work without modification.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.3<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<p align="Left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in the location pointed to by the symbolic
link /etc/shorewall/firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote>
<!--mstheme--></font><pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<blockquote>
<p>to the following (the blacklist chain sees packets <i>from</i> the blacklisted hosts, so the LOG rule must match on the source address, -s, not the destination, -d):</p>
</blockquote>
<!--mstheme--></font><pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.2<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">The "shorewall status" command hangs after
it displays the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> If you prefer to modify your own copy of
/sbin/shorewall, change line 445 from this:<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<div align="left">
<!--mstheme--></font><pre align="Left"> status)
clear</pre><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
</div>
<blockquote>
<p align="Left">to this:</p>
</blockquote>
<div align="left">
<!--mstheme--></font><pre align="Left"> status)
get_config
clear</pre><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
</div>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">The "shorewall monitor" command
doesn't show the icmpdef chain - <a href="pub/shorewall/errata/1.2.2/shorewall">this
corrected /sbin/shorewall</a> fixes that problem as well as the status
problem described above.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">In all 1.2.x versions, the 'CLIENT PORT(S)'
column in /etc/shorewall/tcrules is ignored. This is corrected in <a href="/pub/shorewall/errata/1.2.2/firewall">this
updated firewall script</a>. Place the script in the location pointed to by
the /etc/shorewall/firewall symbolic link. Thanks to Shingo Takeda for
spotting this bug.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.1<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">The new <i>logunclean</i> interface option is not
described in the help text in /etc/shorewall/interfaces. An <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
interfaces file</a> is available.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">When REJECT is specified in a TCP rule, Shorewall
correctly replies with a TCP RST packet. Previous versions of the
firewall script are broken in the case of a REJECT policy, however; in
REJECT policy chains, all requests are currently replied to with an
ICMP port-unreachable packet. <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP RST in
REJECT policy chains. Place the script in the location pointed to by
the /etc/shorewall/firewall symbolic link.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
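<p align="Left">The REJECT erratum above comes down to which reply a REJECT policy chain sends for TCP. The shell below is an added example written for this page, not Shorewall's code: <tt>reject_policy_rules</tt> prints the iptables rules such a chain needs (TCP answered with RST, everything else with ICMP port-unreachable), and <tt>tcp_reject_reply</tt> inspects an <tt>iptables -S</tt> dump of an existing chain to report which reply TCP actually gets, so the fix can be verified on a running firewall. The chain name and the sample dumps are constructed for the example.</p>

```shell
# Added example for the REJECT erratum above; it is not Shorewall's code.
# reject_policy_rules prints the iptables rules a REJECT policy chain needs so
# that TCP gets a RST and everything else gets ICMP port-unreachable, and
# tcp_reject_reply checks an existing chain dump for the same property.
# The chain name and the sample dumps are constructed for this example.

# reject_policy_rules CHAIN: print (not load) the rules, so they can be
# reviewed or diffed against a live chain without root.
reject_policy_rules() {
    # TCP first: a RST tears the client connection down at once, whereas an
    # ICMP error leaves the client waiting on retransmits.
    printf 'iptables -A %s -p tcp -j REJECT --reject-with tcp-reset\n' "$1"
    # Everything else keeps the default REJECT reply.
    printf 'iptables -A %s -j REJECT --reject-with icmp-port-unreachable\n' "$1"
}

# tcp_reject_reply DUMP: given `iptables -S CHAIN` output, print the
# --reject-with value of the first REJECT rule a TCP packet would hit
# (first match wins, as in iptables).  Rules for other protocols are
# skipped; rules with other targets are ignored by this check.
tcp_reject_reply() {
    printf '%s\n' "$1" | while IFS= read -r _rule; do
        case $_rule in
            -A*" -p tcp "*"-j REJECT"*"--reject-with "*)
                echo "${_rule##*--reject-with }"; break ;;
            -A*" -p "*) ;;                  # another protocol: not TCP
            -A*"-j REJECT"*"--reject-with "*)
                echo "${_rule##*--reject-with }"; break ;;
        esac
    done
}

# Constructed sample dumps: the behaviour the erratum describes before and
# after the corrected firewall script.
BROKEN_CHAIN='-N loc2net
-A loc2net -j REJECT --reject-with icmp-port-unreachable'

FIXED_CHAIN='-N loc2net
-A loc2net -p tcp -j REJECT --reject-with tcp-reset
-A loc2net -j REJECT --reject-with icmp-port-unreachable'
```

<p align="Left">On a live system, <tt>tcp_reject_reply "$(iptables -S loc2net)"</tt> should print <tt>tcp-reset</tt> for every REJECT policy chain once the corrected script is installed; <tt>icmp-port-unreachable</tt> means the old behaviour is still in place.</p>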
<h3 align="Left"><!--mstheme--><font color="#330099">Version 1.2.0<!--mstheme--></font></h3>
<blockquote>
<p align="Left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the "--oldpackage" option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="Left">The tunnel script released in version 1.2.0 contained
errors -- a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p>
</blockquote>
<!--msthemeseparator--><p align="center"><img src="_themes/blends/blesepa.gif" width="600" height="10"></p>
<h3 align="Left"><!--mstheme--><font color="#330099"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a> and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
corrects a problem with parsing of the --log-level specification, and
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="top" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">cd iptables-1.2.3/extensions<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/blends/blebul1a.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">patch -p0 < <i>the-patch-file</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
</blockquote>
<h3><!--mstheme--><font color="#330099"><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables<!--mstheme--></font></h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
experience the following:</p>
<blockquote>
<!--mstheme--></font><pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
</pre><!--mstheme--><font face="Trebuchet MS, Arial, Helvetica">
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 4/14/2002 - </font><a href="mailto:teastep@shorewall.net"><font size="2">
Tom Eastep</font></a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>