For those of you who downloaded the 1.1.6 updated firewall script prior to June 19, 2001:
Prior to 0800 19 June 2001, the link under 1.1.6 below was incorrect and pointed to an earlier version of the firewall script. This link has now been corrected. I apologize for any confusion this may have caused.
Gotchas
If the firewall fails to start
If you receive an error message when starting or restarting the firewall and you can't determine the cause, then do the following:
- shorewall debug start 2> /tmp/trace
- Look at the /tmp/trace file and see if that helps you determine what the problem is.
- If you still can't determine what's wrong then post the /tmp/trace file to shorewall-users@lists.sourceforge.net along with any additional information you believe is relevant.
If you are having connection problems:
Check your log. If you don't see Shorewall packet messages, then your problem is probably NOT a Shorewall problem. If you DO see packet messages, it is an indication that you are missing one or more rules.
Example:
Jun 27 15:37:56 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47
Let's look at the important parts of this message:
- all2all:REJECT - the packet was rejected under the "all"->"all" REJECT policy
- IN=eth2 - the packet entered the firewall via eth2
- OUT=eth1 - if accepted, the packet would be sent on eth1
- SRC=192.168.2.2 - the packet was sent by 192.168.2.2
- DST=192.168.1.3 - the packet is destined for 192.168.1.3
- PROTO=UDP - UDP Protocol
- DPT=53 - DNS
In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 is in the "loc" zone. I was missing the rule:
ACCEPT dmz loc udp 53
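As an added illustration (not code from the Shorewall distribution), this Python script parses packet messages in the "chain:disposition:" format shown above and counts rejected or dropped packets per flow, so a flow that keeps recurring points at the rule that is missing. The sample log lines are constructed, and the regex assumes the 1.1 prefix layout of the example.

```python
import re
from collections import Counter

# Shorewall 1.1 prefixes each netfilter log message with "chain:disposition:" and
# the kernel follows with KEY=VALUE fields. Flag words such as DF or SYN have no
# "=" and are skipped by FIELD_RE.
LOG_RE = re.compile(r"(?P<chain>[\w-]+):(?P<disp>ACCEPT|DROP|REJECT):(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log lines in the format shown above; not captured traffic.
SAMPLE_LOG = """\
Jun 27 15:37:56 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47
Jun 27 15:37:58 fw kernel: all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5806 DF PROTO=UDP SPT=1804 DPT=53 LEN=47
Jun 27 15:38:02 fw kernel: net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 15:38:05 fw sshd[1234]: Accepted password for tom from 192.168.1.3 port 2200 ssh2
"""


def parse_shorewall_log(line):
    """Return the message's fields as a dict, or None for a non-packet line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    # The second LEN= (transport payload) overwrites the first (IP total length);
    # neither is needed to identify the flow.
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def summarize_blocked(log_text):
    """Count DROP/REJECT messages per (chain, disposition, IN, OUT, SRC, DST, PROTO, DPT)."""
    # A recurring flow is the signature of a missing rule; check it against the
    # zones and rules files rather than adding an ACCEPT for it blindly.
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_log(line)
        if rec is None or rec["disposition"] == "ACCEPT":
            continue
        key = (rec["chain"], rec["disposition"]) + tuple(
            rec.get(k, "") for k in ("IN", "OUT", "SRC", "DST", "PROTO", "DPT"))
        flows[key] += 1
    return flows


if __name__ == "__main__":
    for (chain, disp, in_if, out_if, src, dst, proto, dpt), n in summarize_blocked(SAMPLE_LOG).most_common():
        print(f"{n:4d} {chain}:{disp} {in_if or '-'}->{out_if or '-'} {src}->{dst} {proto} dpt={dpt}")
```

Feed it the relevant part of /var/log/messages (for example via `grep REJECT`); each summary line maps directly onto the SOURCE zone, DEST zone, PROTO and PORT columns you need to look up in /etc/shorewall/rules.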
Problems in Version 1.1
Versions 1.1.11 & 1.1.12
There are no known problems with these versions.
Version 1.1.10
If the following conditions were met:
- A LAN segment attached to the firewall was served by a DHCP server running on the firewall.
- There were entries in /etc/shorewall/hosts that referred to the interface to that LAN segment.
then up until now it has been necessary to include entries for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts. This version of the firewall script makes those additions unnecessary provided that you simply include "dhcp" in the options for the interface in /etc/shorewall/interfaces. Install the script into the location pointed to by the symbolic link /etc/shorewall/firewall.
This problem has also been corrected in version 1.1.11.
Version 1.1.9
Version 1.1.8
Under some circumstances, the "dhcp" option on an interface triggers a bug in the firewall script that results in a "chain already exists" error. This version of the firewall script corrects this problem. Install it into the location pointed to by the symbolic link /etc/shorewall/firewall.
This problem is also corrected in version 1.1.9.
Version 1.1.7
This problem is also corrected in version 1.1.8
Version 1.1.6
This problem is also corrected in version 1.1.7
Version 1.1.5
- The .rpm for this and all previous versions is missing the "tunnels" file /etc/shorewall/tunnels. You can download the tunnels template from here. If you downloaded the tarball and used install.sh, that installer failed to copy the "tunnels" file to /etc/shorewall. You still have a copy of the template in the shorewall-1.1.5 directory.
- This and previous versions of Shorewall have an implementation of Static NAT which violates the principle of least surprise. NAT only occurs for packets arriving at (DNAT) or sent from (SNAT) the interface named in the INTERFACE column of /etc/shorewall/nat. This version of the firewall script makes NAT effective regardless of which interface packets come from or are destined to. To get compatibility with prior versions, I have added a new "ALL INTERFACES" column to /etc/shorewall/nat as shown in this template. By placing "no" or "No" in the new column, the NAT behavior of prior versions may be retained.
These problems are also corrected in version 1.1.6.
Version 1.1.4
This problem is also corrected in version 1.1.5.
Version 1.1.3
- If "shorewall start" is aborted early (due to kernel configuration errors, for example), superfluous 'sed' errors are reported. The corrected firewall script referred to below corrects this problem.
- If a port is redirected to the firewall system (to use Squid, for example), the resulting filter rule incorrectly uses the original destination port rather than the redirected port. The result is that connections are rejected by the firewall.
Example:
ACCEPT local fw::3128 tcp 80 - all
An attempt to connect to an external web site from a local client results in a message appearing in /var/log/messages and the request is denied. This problem can be corrected by adding a second rule as follows:
ACCEPT local fw tcp 3128
or by downloading and installing this corrected version of the firewall script. The script should be installed in the location pointed to by the symbolic link /etc/shorewall/firewall.
These problems are also corrected in version 1.1.4.
Version 1.1.2
- In the .lrp version, the file /var/lib/lrpkg/shorwall.conf has a couple of defects:
1. There is an extra space after "/etc/shorewall/policy"; this makes it impossible to edit that file from lrcfg.
2. There is no entry for "/etc/shorwall/rules" and thus that file cannot be edited from lrcfg.
You can either edit this file yourself to correct these defects (be sure to back up the shorwall package afterward) or you can download a corrected .lrp.
- Placing "-" in the PORT(S) column of an entry in /etc/shorewall/rules results in an inability to start the firewall. Install this corrected version of the firewall script to correct this problem. The script should be installed in the location pointed to by the symbolic link /etc/shorewall/firewall.
These problems are also corrected in version 1.1.3.
Version 1.1.1
Last updated 7/27/2001 - Tom Eastep