IMPORTANT
If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.
When you install a new firewall script, do not simply copy the new script to /etc/shorewall/firewall. /etc/shorewall/firewall is a symbolic link that points to the actual script. Determine where that symbolic link points ("ls -l /etc/shorewall/firewall") and copy the new file to that location.
Example:

    ls -l /etc/shorewall/firewall
    lrwxrwxrwx 1 root root 31 Jan 30 10:11 /etc/shorewall/firewall -> ../../etc/rc.d/init.d/shorewall
In this case you would copy the firewall script to /etc/rc.d/init.d/shorewall.
Note: When the pathname pointed to by a symbolic link is relative (does not start with "/"), the pathname is resolved relative to the directory containing the symbolic link. Hence, the pathname ../../etc/rc.d/init.d/shorewall is resolved relative to /etc/shorewall.
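An added helper that automates the procedure above; it is not part of the Shorewall page or project, and the function names are my own. It refuses a script that still has DOS line endings, resolves the symbolic link (a relative target is resolved against the link's own directory, as the note explains) and copies the new script to the real location.

```shell
#!/bin/sh
# Added example, not part of the Shorewall page or project.
# Installs a corrected script at the file behind the /etc/shorewall/firewall
# symbolic link, applying the two cautions above: CRLF check and link resolution.

# Print the absolute path that symlink $1 refers to. A relative target is
# resolved against the directory containing the link, as the note describes.
resolve_link() {
    link=$1
    [ -L "$link" ] || { echo "not a symbolic link: $link" >&2; return 1; }
    target=$(readlink "$link")
    case $target in
        /*) ;;                                    # absolute target: use as-is
        *)  target=$(dirname "$link")/$target ;;  # relative: prepend link's dir
    esac
    # Collapse '..' components by entering the parent directory and printing
    # its physical path, so ../../etc/rc.d/init.d becomes /etc/rc.d/init.d.
    dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) ||
        { echo "cannot resolve $target" >&2; return 1; }
    printf '%s/%s\n' "$dir" "$(basename "$target")"
}

# Succeed if $1 still contains carriage returns, i.e. dos2unix was skipped.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Copy new script $1 over the real file behind symlink $2.
install_script() {
    new=$1
    link=$2
    if has_crlf "$new"; then
        echo "$new has DOS line endings; run dos2unix on it first" >&2
        return 1
    fi
    dest=$(resolve_link "$link") || return 1
    cp "$new" "$dest" || return 1     # cp onto the existing file keeps its mode
    echo "installed $new as $dest"
}
```

Run it as `install_script ./firewall /etc/shorewall/firewall` after downloading a corrected script.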
- Problems in Version 1.1
- Problems in Version 1.2
- Problem with iptables version 1.2.3
- Problems with kernel 2.4.18 and RedHat iptables
- The 'try' command is broken.
- The usage text printed by the shorewall utility doesn't show the optional timeout for the 'try' command.

Both problems are corrected by this new version of /sbin/shorewall.
- There have been several problems with SSH, DNS and ping in the two- and three-interface examples. Before reporting problems with these services, please verify that you have the latest version of the appropriate sample 'rules' file.
- The documentation for running PoPToP on the firewall system contained an incorrect entry in the /etc/shorewall/hosts file. The corrected entry (underlined in the original) is shown here:

    ZONE    HOST(S)                 OPTIONS
    loc     eth2:192.168.1.0/24     routestopped
    loc     ppp+:192.168.1.0/24
- The shorewall.conf file and the documentation incorrectly refer to a parameter in /etc/shorewall/shorewall.conf called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (see the corrected online documentation). Users of the rpm should change the name (and possibly the value) of this parameter so that Shorewall interacts properly with the SysV init scripts. The documentation on this web site has been corrected and here's a corrected version of shorewall.conf.
- The documentation indicates that a comma-separated list of IP/subnet addresses may appear in an entry in the hosts file. This is not the case; if you want to specify multiple addresses for a zone, you need to have a separate entry for each address.
Version 1.2.7 is quite broken -- please install 1.2.8
If you have installed and started version 1.2.7 then before trying to restart under 1.2.8:
You may now restart using 1.2.8.
- GRE and IPIP tunnels are broken.
- The following rule results in a start error:
To correct the above problems, install this corrected firewall script in the location pointed to by the symbolic link /etc/shorewall/firewall.
- The new ADDRESS column in /etc/shorewall/masq cannot contain a $-variable name.
- Errors result if $FW appears in the /etc/shorewall/policy file.
- Using Blacklisting without setting BLACKLIST_LOGLEVEL results in an error at start time.
To correct the above problems, install this corrected firewall script in the location pointed to by the symbolic link /etc/shorewall/firewall.
- The /sbin/shorewall script produces error messages saying that 'mygrep' cannot be found. Here is the correct version of /sbin/shorewall.
- This version will not install "out of the box" without modification. Before attempting to start the firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to refer to /var/lib/shorewall. This only applies to fresh installations -- if you are upgrading from a previous version of Shorewall, version 1.2.4 will work without modification.
- When BLACKLIST_LOGLEVEL is set, packets from blacklisted hosts aren't logged. Install this corrected firewall script in the location pointed to by the symbolic link /etc/shorewall/firewall.

  Alternatively, edit /etc/shorewall/firewall and change line 1564 from:

      run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \

  to

      run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \

  The broken rule tests the destination address (-d) rather than the source address (-s), so a packet arriving from a blacklisted host never matches the LOG rule.
- The "shorewall status" command hangs after it displays the chain information. Here's a corrected /sbin/shorewall. If you want to simply modify your copy of /sbin/shorewall, then at line 445 change this:

      status)
          clear

  to this:

      status)
          get_config
          clear
- The "shorewall monitor" command doesn't show the icmpdef chain - this corrected /sbin/shorewall fixes that problem as well as the status problem described above.
- In all 1.2.x versions, the 'CLIENT PORT(S)' column in /etc/shorewall/tcrules is ignored. This is corrected in this updated firewall script. Place the script in the location pointed to by the /etc/shorewall/firewall symbolic link. Thanks to Shingo Takeda for spotting this bug.
- The new logunclean interface option is not described in the help text in /etc/shorewall/interfaces. An updated interfaces file is available.
- When REJECT is specified in a TCP rule, Shorewall correctly replies with a TCP RST packet. Previous versions of the firewall script are broken in the case of a REJECT policy, however; in REJECT policy chains, all requests are currently replied to with an ICMP port-unreachable packet. This corrected firewall script replies to TCP requests with TCP RST in REJECT policy chains. Place the script in the location pointed to by the /etc/shorewall/firewall symbolic link.
Note: If you are upgrading from one of the Beta RPMs to 1.2.0, you must use the "--oldpackage" option to rpm (e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).
The tunnel script released in version 1.2.0 contained errors -- a corrected script is available.
There are a couple of serious bugs in iptables 1.2.3 that prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2.
I have built a corrected 1.2.3 rpm which you can download here and I have also built an iptables-1.2.4 rpm which you can download here. If you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.
Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.
If you would like to patch iptables 1.2.3 yourself, the patches are available for download: one patch corrects a problem with parsing of the --log-level specification, and the other corrects a problem in handling the TOS target.
To install one of the above patches:

    cd iptables-1.2.3/extensions
    patch -p0 < the-patch-file
Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may experience the following:
    # shorewall start
    Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Starting Shorewall...
    Loading Modules...
    Initializing...
    Determining Zones...
    Zones: net
    Validating interfaces file...
    Validating hosts file...
    Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    iptables: libiptc/libip4tc.c:380: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
    iptables: libiptc/libip4tc.c:380: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
The RedHat iptables RPM is compiled with debugging enabled, but the user-space debugging code was not updated to reflect recent changes in the Netfilter 'mangle' table. You can correct the problem by installing this iptables RPM. If you are already running a 1.2.5 version of iptables, you will need to specify the --oldpackage option to rpm (e.g., "rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
Last updated 4/14/2002 - Tom Eastep