Important Notices



Issue with Ubuntu 14.04 LTS
End of Support Life for Shorewall 4.4
Nasty Bug in Shorewall 4.4.13-4.4.22
End of Support Life for Shorewall 4.0 and 4.2
Blacklisting Broken in Shorewall 4.4.13
Attention Shorewall-shell Users
Attention Users of BRIDGING=Yes
Attention Kernel 2.4 Users

Issue with Ubuntu 14.04 LTS

We have had a number of reports of system crashes when starting Shorewall after upgrading to Ubuntu 14.04 LTS. The problem is with the xtables-addons-dkms package; removing that package eliminates the problem.

Shorewall is now GPLv2+

All future releases of Shorewall will be licensed under GPLv2 or (at your option) any later version.

End of Support Life for Shorewall 4.4

With the release of Debian Wheezy, support for Shorewall 4.4 has ended. Users are encouraged to upgrade to Shorewall 4.5 or 4.6 at the earliest opportunity.

Nasty Bug in Shorewall 4.4.13-4.4.22

A bug in recent versions of Shorewall can result in rules that are wider in scope than intended.

If a zone name begins with 'all', then rules referring to that zone are incorrectly handled as if the keyword 'all' had been entered rather than the zone name.

Users who are running one of these versions of Shorewall and who have zone names beginning with 'all' are urged to either:

End of Support Life for Shorewall 4.0 and 4.2

With the release of Debian Squeeze, support for Shorewall 4.0 and Shorewall 4.2 has ended. Users are encouraged to upgrade to Shorewall 4.4 at the earliest opportunity.

Blacklisting Broken in Shorewall 4.4.13

Prior to Shorewall 4.4.13, blacklisting was associated with an interface or host group by using the 'blacklist' option in /etc/shorewall/interfaces or /etc/shorewall/hosts. Beginning with Shorewall 4.4.13, Shorewall associates blacklisting with zones by accepting the 'blacklist' option in the OPTIONS, IN_OPTIONS and OUT_OPTIONS column of /etc/shorewall/zones. To maintain compatibility with earlier releases, setting 'blacklist' in /etc/shorewall/interfaces or /etc/shorewall/hosts is treated as if the option had been entered under IN_OPTIONS in the associated zone entry in /etc/shorewall/zones.

Unfortunately, a defect in this implementation causes blacklisting to be disabled in some simple existing configurations. If you use blacklisting and have installed Shorewall 4.4.13, you are urged to upgrade to as soon as possible.

If you cannot upgrade immediately, you can work around the problem by including 'blacklist' in the IN_OPTIONS of any zones on which you want incoming blacklisting to occur.
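A check for the two zone-related problems described above (zone names beginning with 'all' in 4.4.13-4.4.22, and the blacklisting workaround for 4.4.13), as an added example that is not part of Shorewall. It parses zones-file text and lists the zones affected by each; the sample file, the function names and the choice to skip the firewall zone are assumptions made for illustration.

```python
import sys

# Constructed sample in the layout of /etc/shorewall/zones
# (columns: ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS).
SAMPLE_ZONES = """\
#ZONE      TYPE      OPTIONS  IN_OPTIONS  OUT_OPTIONS
fw         firewall
net        ipv4      -        blacklist
loc        ipv4
allx       ipv4      -        blacklist
dmz:loc    ipv4      # nested zone, no blacklisting
"""

def parse_zones(text):
    """Return a list of (zone_name, zone_type, in_options) tuples."""
    zones = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip comments, split columns
        if not fields or fields[0].startswith("?"): # skip blanks and directives
            continue
        fields += ["-"] * (5 - len(fields))         # omitted trailing columns
        name = fields[0].split(":", 1)[0]           # drop ":parent" of a nested zone
        in_opts = set() if fields[3] == "-" else set(fields[3].split(","))
        zones.append((name, fields[1], in_opts))
    return zones

def audit(text):
    """Flag zones hit by the 'all' prefix bug and zones lacking the workaround."""
    zones = parse_zones(text)
    return {
        # Rules naming these zones are treated as if 'all' had been entered.
        "all_prefixed": [n for n, _, _ in zones if n.startswith("all")],
        # Zones without 'blacklist' in IN_OPTIONS; the firewall zone is
        # skipped (assumption: blacklisting is wanted on network zones only).
        "no_incoming_blacklist": [n for n, t, o in zones
                                  if t != "firewall" and "blacklist" not in o],
    }

if __name__ == "__main__":
    # Pass a zones file path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONES
    for finding, names in audit(text).items():
        print(finding, ", ".join(names) or "(none)")
```

Compare the second list against the zones on which you want incoming blacklisting; any zone in it that should be blacklisted needs 'blacklist' added to its IN_OPTIONS.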

End-of-life for Shorewall-shell in Shorewall 4.4

Shorewall 4.4, released in August 2009, does not include Shorewall-shell. Because Shorewall 4.0 is included in Debian Lenny, Shorewall-shell will continue to be supported until Debian Squeeze is released.

Shorewall-shell users concerned about upgrading are encouraged to migrate to Shorewall-perl before upgrading to Shorewall 4.4. By migrating before upgrading, you will be able to have both Shorewall-shell and Shorewall-perl installed at the same time; that way, you can quickly fall back to Shorewall-shell if you have problems.

Users who run Shorewall-shell on an embedded system that is too small to support Perl should consider switching to Shorewall-lite with Shorewall-perl installed on an administrative system (which may be a Windows[tm] system running Cygwin[tm] or a Mac running OS X).

For those of you who may have already upgraded and are having issues, this article should help.

Attention Shorewall-perl 4.2 Users

Shorewall-perl 4.2.6 and Earlier

On February 28, 2008, Klemens Rutz reported a problem that affects all Shorewall-perl 4.2 versions prior to

The problem:

  1. Only occurs when there are multiple non-firewall zones.
  2. Results in the following interface options not being applied to forwarded traffic.
    • blacklist
    • dhcp
    • maclist (when MACLIST_TABLE=filter)
    • norfc1918
    • nosmurfs
    • tcpflags

Users are encouraged to either:

Attention Users of BRIDGING=Yes

In Linux Kernel version 2.6.20, the Netfilter team changed Physdev Match so that it is no longer capable of supporting BRIDGING=Yes. The solutions available to users are to either:

  1. Switch to using the technique described at; or
  2. Upgrade to Shorewall 4.0 or later, migrate to using Shorewall-perl, and follow the instructions at

The first approach allows you to switch back and forth between kernels older and newer than 2.6.20. The second approach is a better long-term solution.

Attention Users of Kernel 2.4

The Shorewall developers do not test Shorewall running on Kernel 2.4 and we make no representation about the functionality of Shorewall on that Kernel. Any failure of Shorewall on Kernel 2.4 will not be investigated by the Shorewall team.

