1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. 2) If you install 4.6.4 and then use the 'safe-restart' command to restart your firewall, confusing output is produced: # shorewall safe-restart Compiling... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... ... Optimizing Ruleset... Creating iptables-restore input... Shorewall configuration compiled to /var/lib/shorewall/.restart Currently-running Configuration Saved to /var/lib/shorewall/.safe Usage: /var/lib/shorewall/firewall [ options ] is one of: start stop clear disable down enable reset refresh restart run [ ... ] status up version Options are: -v and -q Standard Shorewall verbosity controls -n Don't update routing configuration -p Purge Conntrack Table -t Timestamp progress Messages -V Set verbosity explicitly -R Override RESTOREFILE setting Restarting... Restarting Shorewall.... Initializing... Processing /etc/shorewall/init ... ... Processing /etc/shorewall/start ... Processing /etc/shorewall/started ... done. Do you want to accept the new firewall configuration? [y/n] The above 'usage' information, while confusing, does not represent a problem and it is safe to answer 'y'. Corrected in Shorewall 4.6.4.1. 3) The 'Universal' sample configuration fails to start. Workaround: Remove the 'optional' option from the interfaces file entry. Corrected in Shorewall 4.6.4.1. 4) Setting LOG_BACKEND=ipt_LOG may result in the following startup failure at boot: Starting shorewall ... /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory WARNING: Unable to set log backend to ipt_LOG Partially corrected in Shorewall 4.6.4.2. Fixed on Squeeze and RHEL6 (and derivatives). Not fixed on Fedora, Ubuntu and OpenSuSE. Corrected on other distros in 4.6.4.3.