Shorewall Errata and Troubleshooting

 

For those of you who downloaded the 1.1.6 updated firewall script prior to June 19, 2001:

Prior to 0800 19 June 2001, the link under 1.1.6 below was incorrect and pointed to an earlier version of the firewall script. This link has now been corrected. I apologize for any confusion this may have caused.

Gotchas


If the firewall fails to start

If you receive an error message when starting or restarting the firewall and you can't determine the cause, then do the following:

  1. shorewall debug start 2> /tmp/trace

  2. Look at the /tmp/trace file and see if that helps you determine what the problem is.

  3. If you still can't determine what's wrong then post the /tmp/trace file to shorewall-users@lists.sourceforge.net along with any additional information you believe is relevant.


If you are having connection problems:

Check your log. If you don't see Shorewall packet messages, then your problem is probably NOT a Shorewall problem. If you DO see packet messages, it is an indication that you are missing one or more rules.

Example:

Jun 27 15:37:56 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

Let's look at the important parts of this message:

  • all2all:REJECT - the packet was rejected under the "all"->"all" REJECT policy

  • IN=eth2 - the packet entered the firewall via eth2

  • OUT=eth1 - if accepted, the packet would be sent on eth1

  • SRC=192.168.2.2 - the packet was sent by 192.168.2.2

  • DST=192.168.1.3 - the packet is destined for 192.168.1.3

  • PROTO=UDP - UDP Protocol

  • DPT=53 - DNS

In this case, 192.168.2.2 is in the "dmz" zone and 192.168.1.3 is in the "loc" zone. I was missing the rule:

ACCEPT    dmz    loc    udp    53 
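A small parser for the log format shown above, added here as an example (it is not part of Shorewall): it extracts the fields walked through in the list and, given an assumed interface-to-zone mapping of the kind /etc/shorewall/interfaces establishes, builds the ACCEPT rule that would have let the logged packet through. The second sample line and the zone mapping are constructed for the example.

```python
import re

# Constructed sample lines in the Shorewall log format shown above; the first is
# the page's own example, the second is a made-up packet addressed to the firewall.
SAMPLE_LOGS = [
    "Jun 27 15:37:56 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 "
    "LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47",
    "Jun 27 15:40:01 loc2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.3 DST=192.168.1.254 "
    "LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=17 DF PROTO=UDP SPT=1025 DPT=53 LEN=47",
]

# Assumed interface-to-zone mapping (what /etc/shorewall/interfaces would define).
ZONE_OF_INTERFACE = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# <chain>:<target>: followed by netfilter's key=value fields.
PREFIX_RE = re.compile(r"(?P<chain>\w+):(?P<target>[A-Z]+):(?P<fields>.*)$")


def parse_shorewall_log(line):
    """Return chain, target and the key=value fields of one log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "target": m.group("target")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        rec.setdefault(key, value)  # LEN appears twice; keep the IP-header one
    return rec


def suggest_rule(rec, zones):
    """Build the /etc/shorewall/rules entry that would have accepted this packet.

    A logged packet only shows that no rule matched; whether the traffic should
    be allowed at all is still a decision for whoever maintains the firewall.
    """
    if rec is None or rec["target"] not in ("REJECT", "DROP"):
        return None
    src_zone = zones.get(rec.get("IN", ""), "fw")   # no IN= : locally generated
    dst_zone = zones.get(rec.get("OUT", ""), "fw")  # empty OUT= : for the firewall
    proto = rec.get("PROTO", "all").lower()
    port = rec.get("DPT", "-")                       # e.g. ICMP has no DPT
    return "ACCEPT    %s    %s    %s    %s" % (src_zone, dst_zone, proto, port)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(suggest_rule(parse_shorewall_log(line), ZONE_OF_INTERFACE))
```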

Problems in Version 1.1

Versions 1.1.11 & 1.1.12

There are no known problems with these versions.

Version 1.1.10

If the following conditions were met:

  1. A LAN segment attached to the firewall was served by a DHCP server running on the firewall.

  2. There were entries in /etc/shorewall/hosts that referred to the interface to that LAN segment.

then up until now it has been necessary to include entries for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts. This version of the firewall script makes those additions unnecessary provided that you simply include "dhcp" in the options for the interface in /etc/shorewall/interfaces. Install the script into the location pointed to by the symbolic link /etc/shorewall/firewall.

This problem has also been corrected in version 1.1.11.

Version 1.1.9

Version 1.1.8

  • Under some circumstances, the "dhcp" option on an interface triggers a bug in the firewall script that results in a "chain already exists" error. This version of the firewall script corrects this problem. Install it into the location pointed to by the symbolic link /etc/shorewall/firewall.

    This problem is also corrected in version 1.1.9.

Version 1.1.7

  • If the /etc/shorewall/rules template from version 1.1.7 is used, a warning message appears during firewall startup:

        Warning: Invalid Target - rule "@ icmp-unreachable packet." ignored

    This warning may be eliminated by replacing the "@" in column 1 of line 17 with "#"

This problem is also corrected in version 1.1.8.

Version 1.1.6

  • When the firewall is stopped, the 'mangle' table is not being cleared, making it impossible to remove the netfilter modules. This version of the firewall script corrects this problem. Install it into the location pointed to by the symbolic link /etc/shorewall/firewall.

This problem is also corrected in version 1.1.7.

Version 1.1.5

  • The .rpm for this and all previous versions is missing the "tunnels" file /etc/shorewall/tunnels. You can download the tunnels template from here. If you downloaded the tar ball and used install.sh, that installer failed to copy the "tunnels" file to /etc/shorewall. You still have a copy of the template in the shorewall-1.1.5 directory.

  • This and previous versions of Shorewall have an implementation of Static NAT which violates the principle of least surprise. NAT only occurs for packets arriving at (DNAT) or sent from (SNAT) the interface named in the INTERFACE column of /etc/shorewall/nat. This version of the firewall script makes NAT effective regardless of which interface packets come from or are destined to. To get compatibility with prior versions, I have added a new "ALL INTERFACES" column to /etc/shorewall/nat as shown in this template. By placing "no" or "No" in the new column, the NAT behavior of prior versions may be retained.

These problems are also corrected in version 1.1.6.

Version 1.1.4

  • Port redirection (see below under 1.1.3) is still broken :-( This firewall script fixes it. The script should be installed in the location pointed to by the symbolic link /etc/shorewall/firewall.

This problem is also corrected in version 1.1.5.

Version 1.1.3

  • If "shorewall start" is aborted early (due to kernel configuration errors for example), superfluous 'sed' errors are reported. The corrected firewall script referred to below corrects this problem.

  • If a port is redirected to the firewall system (to use Squid, for example), the resulting filter rule incorrectly uses the original destination port rather than the redirected port. The result is that connections are rejected by the firewall.

    Example:

        ACCEPT    local    fw::3128    tcp    80    -    all

    An attempt to connect to an external web site from a local client results in a message appearing in /var/log/messages and the request is denied. This problem can be corrected by adding a second rule as follows:

        ACCEPT    local    fw    tcp    3128

    or by downloading and installing this corrected version of the firewall script to correct this problem. The script should be installed in the location pointed to by the symbolic link /etc/shorewall/firewall.

These problems are also corrected in version 1.1.4.

Version 1.1.2

  • In the .lrp version, the file /var/lib/lrpkg/shorwall.conf has a couple of defects:
    1. There is an extra space after "/etc/shorewall/policy"; this makes it impossible to edit that file from lrcfg.
    2. There is no entry for "/etc/shorewall/rules" and thus that file cannot be edited from lrcfg.

    You can either edit this file yourself to correct these defects (be sure to backup the shorwall package afterward) or you can download a corrected .lrp.

  • Placing "-" in the PORT(S) column of an entry in /etc/shorewall/rules results in an inability to start the firewall. Install this corrected version of the firewall script to correct this problem. The script should be installed in the location pointed to by the symbolic link /etc/shorewall/firewall.

These problems are also corrected in version 1.1.3.

Version 1.1.1

  • Port redirection is broken wherein rules such as the following produce an iptables error:

        ACCEPT    local    fw::8080    tcp    80    -    all

    A corrected firewall script is available. This script should be installed in the location pointed to by the symbolic link /etc/shorewall/firewall. This problem is also corrected in version 1.1.2.


Last updated 7/27/2001 - Tom Eastep