Shorewall Errata

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2004-05-17


Table of Contents

RFC1918 File
Bogons File
Problems in Version 2.0
Shorewall 2.0.2
Shorewall 2.0.1
Shorewall 2.0.1/2.0.0
Shorewall 2.0.0
Upgrade Issues
Problem with iptables 1.2.9
Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to 2.4.21-RC1)
A. Revision History

Caution

  • If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.

  • If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the “firewall” script in the untarred directory with the one you downloaded below, and then run install.sh.

  • When the instructions say to install a corrected firewall script in /usr/share/shorewall/firewall, you may rename the existing file before copying in the new file.

  • DO NOT INSTALL CORRECTED COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.
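The four cautions above describe one procedure: check the download for DOS line endings, make sure the fix is not older than the running release, keep the existing file, and copy the corrected script in. The following Python script is an added example and is not part of the Shorewall errata or distribution; it works on a constructed temporary directory standing in for /usr/share/shorewall, the ".orig" backup suffix and the 0755 mode are this example's choices, and the version strings it compares are the release names used on this page.

```python
"""Added example (not part of the Shorewall errata or distribution):
install a downloaded corrected script the way the cautions above
describe, with the checks a cautious administrator makes first."""
import os
import re
import shutil
import tempfile


def version_key(version):
    """Turn a Shorewall version string such as '2.0.2b' or '1.3.9a' into a
    tuple that sorts correctly: numeric fields first, letter suffix last
    (so 2.0.2 < 2.0.2a < 2.0.2b and 1.3.9a > 1.3.7c)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip())
    if not m:
        raise ValueError("unrecognised Shorewall version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def has_crlf(path):
    """True if the file still carries DOS line endings (needs dos2unix)."""
    with open(path, "rb") as f:
        return b"\r\n" in f.read()


def to_unix(path):
    """What dos2unix does: rewrite the file with LF-only line endings."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(data.replace(b"\r\n", b"\n"))


def install_corrected(src, dest, installed_version, listed_under):
    """Install corrected script `src` as `dest`.

    - refuses when the running release is older than the one the fix is
      listed under (fourth caution above);
    - converts CRLF line endings first (first caution);
    - renames an existing `dest` to `dest + '.orig'` before copying
      (third caution; the '.orig' suffix is this example's choice);
    - leaves the script executable (0755 is this example's choice).
    Returns the backup path, or None if there was nothing to back up."""
    if version_key(installed_version) < version_key(listed_under):
        raise RuntimeError("fix is listed under %s but installed release is %s"
                           % (listed_under, installed_version))
    if has_crlf(src):
        to_unix(src)
    backup = None
    if os.path.exists(dest):
        backup = dest + ".orig"
        os.rename(dest, backup)
    shutil.copyfile(src, dest)
    os.chmod(dest, 0o755)
    return backup


def demo():
    """Walk-through on a constructed temporary directory standing in for
    /usr/share/shorewall; returns what happened for inspection."""
    root = tempfile.mkdtemp(prefix="shorewall-errata-")
    dest = os.path.join(root, "firewall")
    with open(dest, "w") as f:
        f.write("#!/bin/sh\n# existing firewall script (constructed)\n")
    src = os.path.join(root, "firewall.download")
    with open(src, "wb") as f:  # as a Windows browser would have saved it
        f.write(b"#!/bin/sh\r\n# corrected firewall script (constructed)\r\n")
    result = {"had_crlf_before": has_crlf(src)}
    # Wrong combination: a fix listed under 2.0.2 on a 2.0.1 installation.
    try:
        install_corrected(src, dest, installed_version="2.0.1", listed_under="2.0.2")
        result["refused_older_release"] = False
    except RuntimeError:
        result["refused_older_release"] = True
    result["backup"] = install_corrected(src, dest, "2.0.2", "2.0.2")
    result["has_crlf_after"] = has_crlf(dest)
    result["executable"] = os.access(dest, os.X_OK)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The version comparison treats a missing letter suffix as older than any suffix, which matches how this page names bugfix updates (2.0.2, then 2.0.2a, then 2.0.2b).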

RFC1918 File

Here is the most up-to-date version of the rfc1918 file. This file only applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall 2.0.1 and later releases, the bogons file lists IP ranges that are reserved by the IANA and the rfc1918 file only lists those three ranges that are reserved by RFC 1918.

Bogons File

Here is the most up-to-date version of the bogons file.

Problems in Version 2.0

Shorewall 2.0.2

  • Temporary restore files with names of the form restore-nnnnn are left in /var/lib/shorewall.

  • "shorewall restore" and "shorewall -f start" do not load kernel modules.

  • Specifying a null common action in /etc/shorewall/actions (e.g., :REJECT) results in a startup error.

  • If /var/lib/shorewall does not exist, shorewall start fails.

These problems are corrected by the firewall and functions files in this directory. Both files must be installed in /usr/share/shorewall/firewall as described above.

The first two problems are also corrected in Shorewall version 2.0.2a while all four problems are corrected in 2.0.2b.

Shorewall 2.0.1

  • Confusing messages mentioning IPV6 occur at startup.

  • Modules listed in /etc/shorewall/modules don't load or produce errors on Mandrake 10.0 Final.

  • The shorewall delete command does not remove all dynamic rules pertaining to the host(s) being deleted.

These problems are corrected in this firewall script which may be installed in /usr/share/shorewall/firewall as described above.

  • When run on a SuSE system, the install.sh script fails to configure Shorewall to start at boot time. That problem is corrected in this version of the script.

Shorewall 2.0.1/2.0.0

  • On Debian systems, an install using the tarball results in an inability to start Shorewall at system boot. If you already have this problem, install this file as /etc/init.d/shorewall (replacing the existing file with that name). If you are just installing or upgrading to Shorewall 2.0.0 or 2.0.1, then replace the init.debian.sh file in the Shorewall distribution directory (shorewall-2.0.x) with the updated file before running install.sh from that directory.

Shorewall 2.0.0

  • When using an Action in the ACTIONS column of a rule, you may receive a warning message about the rule being a policy. While this warning may be safely ignored, it can be eliminated by installing the script from the link below.

  • Thanks to Sean Mathews, a long-standing problem with Proxy ARP and IPSEC has been corrected.

The first problem has been corrected in Shorewall update 2.0.0a.

All of these problems may be corrected by installing this firewall script in /usr/share/shorewall as described above.

Upgrade Issues

The upgrade issues have moved to a separate page.

Problem with iptables 1.2.9

If you want to use the new features in Shorewall 2.0.2 (Betas, RCs, Final) or later then you need to patch your iptables 1.2.9 with this patch or you need to use the CVS version of iptables.

Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to 2.4.21-RC1)

Beginning with errata kernel 2.4.20-13.9, “REJECT --reject-with tcp-reset” is broken. The symptom most commonly seen is that REJECT rules act just like DROP rules when dealing with TCP. A kernel patch and precompiled modules to fix this problem are available at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel

Note

Red Hat has corrected this problem in its 2.4.20-27.x kernels.
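The symptom described above (REJECT behaving like DROP for TCP) is visible from the client side: a working REJECT answers a connection attempt at once with a TCP RST or ICMP unreachable, while a DROP, or the broken tcp-reset, leaves the client hanging until it times out. The following Python script is an added example and is not Shorewall code; the host and port are whatever the tester points it at, and the loopback targets it constructs for its self-test stand in for a port that is allowed through and for one that is refused.

```python
"""Added example (not Shorewall code): tell a working REJECT from a DROP
from the client side, which is how the symptom above shows itself."""
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify how one TCP connection attempt to host:port is answered.

    'open'     - handshake completed: the port is listening and allowed.
    'rejected' - an immediate refusal came back (TCP RST or an ICMP
                 unreachable): what a REJECT rule is supposed to produce.
    'dropped'  - nothing came back before `timeout`: the behaviour of a
                 DROP rule, and of the broken tcp-reset described above.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "dropped"
    except OSError as e:
        if e.errno in (errno.ECONNREFUSED, errno.ECONNRESET,
                       errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "rejected"
        raise
    finally:
        s.close()


def open_listener():
    """Constructed 'allowed' target: a listening socket on loopback.
    Returns (socket, port); the caller closes the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_port():
    """Constructed 'refused' target: bind an ephemeral loopback port, then
    release it. A closed port on a normal Linux host answers with RST,
    which is exactly what REJECT --reject-with tcp-reset should send."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def reject_is_effective(host, port, timeout=3.0):
    """True when a REJECT rule in front of host:port behaves as intended:
    the client is refused promptly instead of being left to time out."""
    return probe_tcp(host, port, timeout) == "rejected"


if __name__ == "__main__":
    srv, listening = open_listener()
    print("listening port %d -> %s" % (listening, probe_tcp("127.0.0.1", listening)))
    srv.close()
    refused = closed_port()
    print("closed port %d    -> %s" % (refused, probe_tcp("127.0.0.1", refused)))
```

From the outside a port with no listener and a port behind a working REJECT look the same ("rejected"), so when checking a REJECT rule on a firewall, probe a port that is known to be listening behind it; the distinction that matters for this erratum is prompt refusal versus a hang.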

A. Revision History

  • Revision 1.16 (2004-05-17, TE): Added null common action bug.
  • Revision 1.15 (2004-05-16, TE): Added 2.0.2 bugs.
  • Revision 1.14 (2004-05-10, TE): Add link to Netfilter CVS.
  • Revision 1.13 (2004-05-04, TE): Add Alex Wilms's "install.sh" fix.
  • Revision 1.12 (2004-05-03, TE): Add Stefan Engel's "shorewall delete" fix.
  • Revision 1.11 (2004-04-28, TE): Add iptables 1.2.9 iptables-save bug notice.
  • Revision 1.10 (2004-04-21, TE): Debian initialization script problem. Deleted obsolete sections.
  • Revision 1.9 (2004-04-20, TE): Updated RFC1918 and BOGONS files.
  • Revision 1.8 (2004-03-20, TE): Proxy ARP/IPSEC fix.
  • Revision 1.7 (2004-03-17, TE): Action rules are reported as policies.
  • Revision 1.6 (2004-02-03, TE): Update for Shorewall 2.0.0.
  • Revision 1.5 (2004-01-19, TE): IPV6 address problems. Make RFC1918 file section more prominent.
  • Revision 1.4 (2004-01-14, TE): Confusing template file in 1.4.9.
  • Revision 1.3 (2004-01-03, TE): Added note about REJECT RedHat Kernel problem being corrected.
  • Revision 1.2 (2003-12-29, TE): Updated RFC1918 file.
  • Revision 1.1 (2003-12-17, TE): Initial conversion to DocBook XML.