Shorewall Errata

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2004-03-20


Table of Contents

RFC1918 File
Problems in Version 2.0
Shorewall 2.0.0
Upgrade Issues
Problem with iptables version 1.2.3
Problems with kernels >= 2.4.18 and RedHat iptables
Problems with iptables version 1.2.7 and MULTIPORT=Yes
Problems with RH Kernel 2.4.18-10 and NAT
Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to 2.4.21-RC1)
A. Revision History

Caution

  • If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.

  • If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the “firewall” script in the untarred directory with the one you downloaded below, and then run install.sh.

  • When the instructions say to install a corrected firewall script in /usr/share/shorewall/firewall, you may rename the existing file before copying in the new file.

  • DO NOT INSTALL CORRECTED COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.

RFC1918 File

Here is the most up to date version of the rfc1918 file. This file only applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall 2.0.1 and later releases, the bogons file lists IP ranges that are reserved by the IANA and the rfc1918 file only lists those three ranges that are reserved by RFC 1918.

Problems in Version 2.0

Shorewall 2.0.0

  • When using an Action in the ACTIONS column of a rule, you may receive a warning message about the rule being a policy. While this warning may be safely ignored, it can be eliminated by installing the script from the link below.

  • Thanks to Sean Mathews, a long-standing problem with Proxy ARP and IPSEC has been corrected.

The first problem has been corrected in Shorewall update 2.0.0a.

All of these problems may be corrected by installing this firewall script in /usr/share/shorewall as described above.

Upgrade Issues

The upgrade issues have moved to a separate page.

Problem with iptables version 1.2.3

There are a couple of serious bugs in iptables 1.2.3 that prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2.

I have built a corrected 1.2.3 rpm which you can download here and I have also built an iptables-1.2.4 rpm which you can download here. If you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch corrects a problem with parsing of the --log-level specification, while this patch corrects a problem in handling the TOS target.

To install one of the above patches:

     cd iptables-1.2.3/extensions
     patch -p0 < the-patch-file

Problems with kernels >= 2.4.18 and RedHat iptables

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:

# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)

The RedHat iptables RPM is compiled with debugging enabled, but the user-space debugging code was not updated to reflect recent changes in the Netfilter “mangle” table. You can correct the problem by installing this iptables RPM. If you are already running a 1.2.5 version of iptables, you will need to specify the --oldpackage option to rpm (e.g., “rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm”).

Problems with iptables version 1.2.7 and MULTIPORT=Yes

The iptables 1.2.7 release made an incompatible change to the syntax used to specify multiport match rules; as a consequence, if you install iptables 1.2.7 you must be running Shorewall 1.3.7a or later, or else:

  • set MULTIPORT=No in /etc/shorewall/shorewall.conf; or

  • if you are running Shorewall 1.3.6, install this firewall script in /usr/lib/shorewall/firewall as described above.

Problems with RH Kernel 2.4.18-10 and NAT

/etc/shorewall/nat entries of the following form will result in Shorewall being unable to start:

     #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
     192.0.2.22      eth0            192.168.9.22    yes                     yes
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The error message is:

     Setting up NAT...
     iptables: Invalid argument
     Terminated

The solution is to put “no” in the LOCAL column. Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel contains corrected support under a new kernel configuration option; see http://www.shorewall.net/Documentation.htm#NAT.
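As an added check (this is example code, not part of Shorewall or of this page), a small Python script that parses a file in the /etc/shorewall/nat format shown above, reports every entry whose LOCAL column is “yes” (the entries that stop Shorewall from starting on the 2.4.18-10 kernel), and produces a copy of the file with those entries changed to “no”. The sample file is constructed; the assumption that a missing ALL INTERFACES or LOCAL column means “no” is the script's own.

```python
"""Find and fix LOCAL=yes entries in a Shorewall nat file (added example, not Shorewall code)."""
import re

# Constructed sample in the nat file format: the second entry is the kind that
# fails on RedHat kernel 2.4.18-10 (LOCAL column set to "yes").
SAMPLE_NAT = """\
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
192.0.2.21      eth0            192.168.9.21    yes                     no
192.0.2.22      eth0            192.168.9.22    yes                     yes
192.0.2.23      eth0            192.168.9.23
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

COLUMNS = ("external", "interface", "internal", "all_interfaces", "local")


def parse_nat(text):
    """Return one dict per entry; comments are skipped, missing trailing columns default to 'no' (assumption)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or len(fields) > 5:
            raise ValueError("line %d: expected 3 to 5 columns, got %d" % (lineno, len(fields)))
        fields += ["no"] * (5 - len(fields))
        entry = dict(zip(COLUMNS, fields))
        entry["line"] = lineno
        entries.append(entry)
    return entries


def local_yes_entries(text):
    """Entries with LOCAL=yes, i.e. those that trigger the 2.4.18-10 'iptables: Invalid argument' failure."""
    return [e for e in parse_nat(text) if e["local"].lower() == "yes"]


def fixed_nat(text):
    """Return the file with LOCAL set to 'no' on offending lines; other lines and comments are untouched."""
    bad = {e["line"] for e in local_yes_entries(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in bad:
            body, sep, comment = raw.partition("#")          # keep any trailing comment intact
            body = re.sub(r"yes(\s*)$", r"no\1", body)       # only the last column (LOCAL) is replaced
            raw = body + sep + comment
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for e in local_yes_entries(SAMPLE_NAT):
        print("line %d: %s -> %s has LOCAL=yes; set it to no" % (e["line"], e["external"], e["internal"]))
```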

Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to 2.4.21-RC1)

Beginning with errata kernel 2.4.20-13.9, “REJECT --reject-with tcp-reset” is broken. The symptom most commonly seen is that REJECT rules act just like DROP rules when dealing with TCP. A kernel patch and precompiled modules to fix this problem are available at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel.

Note

RedHat have corrected this problem in their 2.4.20-27.x kernels.

A. Revision History

Revision 1.6  2004-03-20  TE
Proxy ARP/IPSEC fix.
Revision 1.6  2004-03-17  TE
Action rules are reported as policies.
Revision 1.5  2004-02-03  TE
Update for Shorewall 2.0.0.
Revision 1.4  2004-01-19  TE
IPV6 address problems. Make RFC1918 file section more prominent.
Revision 1.3  2004-01-14  TE
Confusing template file in 1.4.9.
Revision 1.3  2004-01-03  TE
Added note about REJECT RedHat Kernel problem being corrected.
Revision 1.2  2003-12-29  TE
Updated RFC1918 file.
Revision 1.1  2003-12-17  TE
Initial Conversion to Docbook XML.