File: known_problems.txt

shorewall 4.4.11.6-3+squeeze1 (Debian suite: squeeze)
1)  In all versions of Shorewall6 lite, the 'shorecap' program is
    using the 'iptables' program rather than the 'ip6tables' program.
    This causes many capabilities that are not available in IPv6 to
    be incorrectly reported as available.

    This results in errors such as:

         ip6tables-restore v1.4.2: Couldn't load match `addrtype':
           /lib/xtables/libip6t_addrtype.so: cannot open shared
           object file: No such file or directory

    To work around this problem, on the administrative system:

    a)  Remove the incorrect capabilities file.
    b)  In shorewall6.conf, set the IP6TABLES option to the
        path name of ip6tables on the firewall (example:
        IP6TABLES=/sbin/ip6tables).
    c)  'shorewall6 load <firewall>'.

    Corrected in Shorewall 4.4.11.1

2)  In a number of cases, Shorewall6 generates incorrect rules
    involving the IPv6 multicast network. The rules specify
    ff00::/10 where they should specify ff00::/8.  Also, rules
    instantiated when the IPv6 firewall is stopped use ff80::/10 rather
    than fe80::/10 (IPv6 link local network).

    Corrected in Shorewall 4.4.11.1
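    The prefix mistakes in item 2 are easy to misjudge by eye, so the
    following added example (written for this page; it is not Shorewall
    code) uses Python's ipaddress module to show which multicast
    addresses a rule written for ff00::/10 silently misses, why
    ff80::/10 does not cover link-local traffic at all, and how to scan
    ip6tables-restore input for either wrong prefix before loading it.
    The rule lines in SAMPLE_RESTORE_INPUT are constructed for the
    demonstration, not taken from a real Shorewall6 compile.

```python
"""Added example (not Shorewall project code): consequences of the
ff00::/10 and ff80::/10 prefixes described in known problem 2, plus an
audit of ip6tables-restore input for them."""
import ipaddress
import re

# Correct well-known IPv6 ranges (RFC 4291).
IPV6_MULTICAST = ipaddress.IPv6Network("ff00::/8")
IPV6_LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
# The prefixes the affected Shorewall6 versions emitted instead.
BUGGY_MULTICAST = ipaddress.IPv6Network("ff00::/10")
BUGGY_LINK_LOCAL = ipaddress.IPv6Network("ff80::/10")

# Wrong prefix -> the prefix that should have been generated.
WRONG_PREFIXES = {
    BUGGY_MULTICAST: IPV6_MULTICAST,
    BUGGY_LINK_LOCAL: IPV6_LINK_LOCAL,
}

# Constructed sample ip6tables-restore input (not real compiler output).
SAMPLE_RESTORE_INPUT = [
    "*filter",
    ":INPUT DROP [0:0]",
    "-A INPUT -s fe80::/10 -j ACCEPT",
    "-A INPUT -d ff00::/10 -j ACCEPT",
    "-A OUTPUT -s ff80::/10 -j ACCEPT",
    "-A OUTPUT -d ff00::/8 -j ACCEPT",
    "COMMIT",
]


def uncovered_multicast():
    """Parts of ff00::/8 that a rule written for ff00::/10 never matches."""
    return sorted(str(n) for n in IPV6_MULTICAST.address_exclude(BUGGY_MULTICAST))


def rule_coverage(addr):
    """Compare what an address really is with what the buggy rules match."""
    a = ipaddress.IPv6Address(addr)
    return {
        "is_multicast": a in IPV6_MULTICAST,
        "buggy_multicast_rule_matches": a in BUGGY_MULTICAST,
        "is_link_local": a in IPV6_LINK_LOCAL,
        "buggy_link_local_rule_matches": a in BUGGY_LINK_LOCAL,
    }


# Source/destination arguments on an ip6tables rule line.
_NET_RE = re.compile(r"(?:^|\s)(?:-s|-d|--src|--dst)\s+(\S+)")


def audit_restore_input(lines):
    """Flag rule lines that use one of the wrong prefixes.

    Returns (line_number, wrong_prefix, correct_prefix) tuples; table,
    chain and COMMIT lines are skipped, as are non-network arguments
    such as ipset names.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line.startswith("-A"):
            continue
        for value in _NET_RE.findall(line):
            try:
                net = ipaddress.IPv6Network(value, strict=False)
            except ValueError:
                continue
            if net in WRONG_PREFIXES:
                findings.append((lineno, str(net), str(WRONG_PREFIXES[net])))
    return findings


if __name__ == "__main__":
    print("multicast space missed by ff00::/10:", uncovered_multicast())
    # ff7e::1234 has multicast flag bits set, so it lies above ff3f::
    for sample in ("ff02::1", "ff7e::1234", "fe80::1"):
        print(sample, rule_coverage(sample))
    for lineno, wrong, right in audit_restore_input(SAMPLE_RESTORE_INPUT):
        print(f"line {lineno}: {wrong} should be {right}")
```

    Running it shows that ff00::/10 stops at ff3f:ffff::..., so any
    multicast address with the high flag bits set (ff40:: and above)
    falls through the rule, while ff80::/10 is a multicast range and
    matches no link-local (fe80::/10) address whatsoever; the audit
    function can be pointed at the output of 'shorewall6 compile' to
    confirm a given build is free of both prefixes.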

3)  Using a destination port-range with :random produces a fatal
    compilation error in REDIRECT rules unless the firewall zone is
    explicitly specified (e.g., $FW::2000-2010:random).

    Corrected in Shorewall 4.4.11.1

4)  /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
    'nolock' option. In other cases, this option is incorrectly passed
    on to the compiled script, causing the script to issue a usage
    synopsis and to terminate.
    Corrected in Shorewall 4.4.11.1

5)  On systems that use the Upstart init system (such as Ubuntu and
    Fedora), Shorewall-init is not reliable at starting the firewall
    during boot when normal firewall startup is disabled and UPDOWN=1
    is specified in /etc/default/shorewall-init.

    Suggested workaround is to not disable normal startup (e.g., do not
    set startup=0 on Debian-based systems and do not 'chkconfig
    --del...' on Fedora).

    Corrected in Shorewall 4.4.11.2

6)  A typo in /sbin/shorewall6-lite version 4.4.11.1 causes the
    stop, reset and clear commands to hang for one minute after the
    command had been executed and causes the next shorewall6-lite
    command to similarly hang for one minute.

    Corrected in Shorewall 4.4.11.2.

7)  A typo in the Shorewall install.sh script prevents the Makefile from
    being installed in /usr/share/shorewall/configfiles/Makefile.

    Corrected in Shorewall 4.4.11.2.

8)  On systems running Upstart, Shorewall-init cannot reliably close
    the firewall before interfaces come up.

9)  When 'any' is used in the SOURCE column of /etc/shorewall[6]/rules,
    a duplicate rule is generated in all "fw2*" ("fw-*" if
    ZONE2ZONE="-") chains. If 'any' is used in the DEST column, then a
    duplicate rule appears in all "*2fw" ("*-fw") chains.

    Corrected in Shorewall 4.4.11.3.

10) A port range that omits the first port number (e.g., ":80") is
    rejected with the following error:

         ERROR: Invalid/Unknown tcp port/service (0) : ......

    A workaround is to specify the first port as 1 (e.g., "1:80").

    Corrected in Shorewall 4.4.11.3.

11) AUTOMAKE=Yes is broken -- don't use it.

    Corrected in Shorewall 4.4.11.3.

12) Under rare circumstances where COMMENT is used to attach comments
    to rules, OPTIMIZE 8 through 15 can result in invalid
    iptables-restore (ip6tables-restore) input.

    Corrected in Shorewall 4.4.11.4.

13) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
    can result in invalid iptables-restore (ip6tables-restore) input.

    Corrected in Shorewall 4.4.11.4.

14) When REQUIRE_INTERFACE=Yes, start/restart will fail unless the last
    optional interface defined in the interfaces file is available.

    Corrected in Shorewall 4.4.11.4.

15) The compiler erroneously allows non-trivial exclusion in CONTINUE
    rules (tcrules and rules files). The generated iptables (ip6tables)
    rules do not work as expected.

    Corrected in Shorewall 4.4.11.4.

16) Exclusion in blacklist file entries is correctly validated but is
    then ignored when generating iptables (ip6tables) input.

    Corrected in Shorewall 4.4.11.4.

17) The interface options combination of 'optional' and 'upnpclient'
    does not work correctly.

    Corrected in Shorewall 4.4.11.4.

18) The SAME target in tcrules generates invalid iptables-restore
    (ip6tables-restore) input.

    Corrected in Shorewall 4.4.11.5.

19) The Shorewall-lite and Shorewall6-lite Debian init scripts have a
    syntax error.

    This line:

    [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

    should be:

    [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

    Corrected in Shorewall 4.4.11.6

20) If the -v or -q options are used in /sbin/shorewall-lite or
    /sbin/shorewall6-lite commands that involve the compiled firewall
    script and the resulting effective VERBOSITY is > 2 or < -1, then
    the command will fail.

    Corrected in Shorewall 4.4.11.6

21) The log-reading commands (show log, logwatch and dump) always
    showed an empty log when issued to one of the -lite packages.

    Corrected in Shorewall 4.4.11.6

22) If 10 or more interfaces are configured in Complex Traffic Shaping
    (/etc/shorewall/tcdevices), the following compilation diagnostic
    is issued:

        Argument "a" isn't numeric in sprintf at
        /usr/share/shorewall/Shorewall/Config.pm line 893.

    and an invalid TC configuration is generated.

    A fix is available at
    http://shorewall.git.sourceforge.net/git/gitweb.cgi?p=shorewall/shorewall;a=commitdiff;h=20bb781874c739c01b798d2db31b6c1d9cfefe96