<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
<title>Shoreline Firewall (Shorewall)</title>
<base target="_self">
<meta name="CREATED" content="20040920;15031500">
<meta name="CHANGED" content="$Id$">
</head>
<body dir="ltr" lang="en-US">
Copyright © 2001-2009 Thomas M. Eastep
<p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "<a href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a>".<br>
</p>
<p>The Shorewall Logo is by Gareth Davies of <a target="_top" href="http://thusa.co.za">Thusa</a> and is licensed under the Creative Commons Attribution-Share Alike 2.5 South Africa License. To view a copy of this licence, visit <a href="http://creativecommons.org/licenses/by-sa/2.5/za/">http://creativecommons.org/licenses/by-sa/2.5/za/</a> or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California 94105, USA.</p>
<p>2009-01-14</p>
<hr style="width: 100%; height: 2px;">
<h2>Table of Contents</h2>
<p style="margin-bottom: 0in; margin-left: 0.4166in;"><a href="shorewall_index.htm#Releases">Current Shorewall Releases</a><br>
<a href="shorewall_index.htm#GettingStarted">Getting Started with Shorewall</a><br>
<a href="shorewall_index.htm#Info">Looking for Information?</a><br>
<a href="#Glossary">Glossary</a><br>
<a href="#WhatIs">What is Shorewall?</a><br>
<a href="#License">License</a></p>
<p style="margin-left: 0.42in;"><a href="Notices.html#Notice"><strong>Important Notice to users of Shorewall Multi-ISP Feature</strong></a> -- <strong>UPDATED 7 November 2007</strong></p>
<p style="margin-left: 0.42in;"><a href="Notices.html#Notice1"><strong>Important Notice to users of BRIDGING=Yes</strong></a></p>
<p style="margin-left: 0.42in;"><a href="Notices.html#Kernel2.4"><strong>Important Notice to users running Kernel 2.4</strong></a></p>
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current Stable Release</span> version is 4.2.4, which contains <a href="IPv6Support.html">IPv6 support</a>.<br>
</p>
<ul style="margin-left: 40px;">
<li>Here are the <a href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.4/releasenotes.txt">release notes</a>.</li>
<li>Here are the <a href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.4/known_problems.txt">known problems</a>.</li>
</ul>
<p style="margin-left: 40px;">Read more about the Shorewall <a href="Shorewall-4.html">4.x releases here</a>.</p>
<div style="margin-left: 40px;">
The <span style="font-weight: bold;">previous Stable Release</span> version is 4.0.14.
<ul>
<li>Here are the <a href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.14/releasenotes.txt">release notes</a>.</li>
<li>Here are the <a href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.14/known_problems.txt">known problems</a>.</li>
</ul>
</div>
<div style="margin-left: 40px;">
<p>The <span style="font-weight: bold;">current Development Release</span> series is 4.3. There are currently no 4.3 code releases.</p>
<p>Get them from the <a href="download.htm">download sites</a>.</p>
</div>
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
<p style="margin-left: 0.42in;">New to Shorewall? Download the current Stable version (see above), then select the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely matches your environment and follow the step-by-step instructions.</p>
<h3><a name="Info"></a>Looking for Information?</h3>
<p style="margin-left: 0.42in;">The <a href="Documentation.html">Documentation Index</a> is a good place to start, as is the Site Search in the frame above.</p>
<h3><a name="Glossary"></a>Glossary</h3>
<ul>
<li>
<p style="margin-bottom: 0in;"><a href="http://www.netfilter.org/" target="_top">Netfilter</a> - the packet filter facility built into the 2.4 and later Linux kernels.</p>
</li>
<li>
<p style="margin-bottom: 0in;">ipchains - the packet filter facility built into the 2.2 Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode.</p>
</li>
<li>
<p>iptables - the utility program used to configure and control Netfilter. The term 'iptables' is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).</p>
</li>
<li>iptables-restore - a utility program that is used to configure and control Netfilter. Unlike iptables, which performs only one operation per execution, iptables-restore can load an entire ruleset in one execution, and each table in that ruleset is swapped into the kernel atomically at its COMMIT line, so Netfilter never runs a half-built table. It takes much less time to configure a firewall using iptables-restore than it does using iptables.<br>
<br>
</li>
<li>Shorewall-shell - the legacy Shorewall rules compiler written in Bourne Shell. It generates a shell script that uses iptables to configure the firewall.<br>
<br>
</li>
<li>Shorewall-perl - a Shorewall rules compiler written in Perl. It generates a shell script that uses iptables-restore to configure the firewall.<br>
</li>
</ul>
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
<p style="margin-left: 0.42in;">The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and generates a shell script. That shell script uses the iptables or iptables-restore utility to configure Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall.</p>
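<p style="margin-left: 0.42in;">The compile step described above (and the iptables versus iptables-restore distinction drawn in the Glossary), as an added example that is not Shorewall's own code: a toy "rules compiler" in POSIX shell that reads a constructed, Shorewall-like interface map and policy table and emits one iptables-restore ruleset that loads in a single COMMIT, plus the same ruleset flattened into separate iptables invocations as a shorewall-shell style script would run them. The zone names (<code>net</code>, <code>loc</code>), interfaces (<code>eth0</code>, <code>eth1</code>), policies and the <code>iface_for</code>, <code>compile_policy</code> and <code>as_iptables_commands</code> function names are all hypothetical sample data chosen for this example; the conntrack state rules are what makes the result a stateful firewall, as the paragraph describes.</p>

```shell
#!/bin/sh
# Added example, not part of Shorewall: a toy "rules compiler" in the spirit
# of the compile step described above. It turns a constructed, Shorewall-like
# zone/interface map and policy table into a single iptables-restore ruleset
# (one *filter table, one COMMIT) and can also flatten that ruleset into the
# one-command-per-rule form a shorewall-shell style script would execute.
# Zone names, interface names and policies below are hypothetical sample data.

# Constructed input: ZONE INTERFACE (the role of Shorewall's interfaces file).
ZONE_MAP='net eth0
loc eth1'

# Constructed input: SOURCE DEST POLICY (the role of Shorewall's policy file).
# "all" means no zone restriction; first match wins, as in Netfilter.
POLICY_TABLE='loc net ACCEPT
net all DROP
all all REJECT'

# iface_for ZONE: print the interface mapped to ZONE, or nothing for "all".
iface_for() {
    printf '%s\n' "$ZONE_MAP" | awk -v z="$1" '$1 == z { print $2 }'
}

# compile_policy: emit an iptables-restore filter table for POLICY_TABLE.
# Stateful bookkeeping comes first: replies to accepted connections are
# matched by conntrack state, so the zone policies only ever see NEW packets.
compile_policy() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$POLICY_TABLE" | while read -r src dst pol; do
        [ -n "$pol" ] || continue
        rule='-A FORWARD'
        in_if=$(iface_for "$src")
        out_if=$(iface_for "$dst")
        if [ -n "$in_if" ]; then rule="$rule -i $in_if"; fi
        if [ -n "$out_if" ]; then rule="$rule -o $out_if"; fi
        printf '%s -m conntrack --ctstate NEW -j %s\n' "$rule" "$pol"
    done
    # COMMIT is the point at which iptables-restore swaps the whole table in.
    printf '%s\n' 'COMMIT'
}

# as_iptables_commands: the same ruleset as separate iptables invocations,
# i.e. the shorewall-shell approach. Each command takes effect on its own, so
# the firewall passes through partially-built states while the script runs.
as_iptables_commands() {
    compile_policy | sed -n -e 's/^:\([A-Z]*\) \([A-Z]*\) .*/iptables -P \1 \2/p' \
                            -e 's/^-A /iptables -A /p'
}

# When run directly, print both forms (nothing here needs root).
compile_policy
echo
as_iptables_commands
```

<p style="margin-left: 0.42in;">Run it with <code>sh</code> to see both forms side by side. The first form is what you would feed to iptables-restore on a real host (as root); the second is the sequence of iptables commands that would reach the same end state, one kernel change at a time.</p>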
<p style="margin-left: 0.42in;">The current version of Shorewall can configure both IPv4 and IPv6 firewalls.<br>
<br>
Shorewall is <u>not</u> a daemon. Once Shorewall has configured Netfilter, its job is complete and there is no Shorewall code left running in the system. The <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be used at any time to monitor the Netfilter firewall</a>.</p>
<p style="margin-left: 0.42in;">Shorewall is not the easiest to use of the available iptables configuration tools, but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click, set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives:</p>
<ul>
<li>
<p style="margin-bottom: 0in;"><a href="http://www.kmyfirewall.org/">kmyfirewall</a><br>
</p>
</li>
<li>
<p><a href="http://www.fs-security.com/">Firestarter</a></p>
</li>
</ul>
<p style="margin-left: 0.42in;">On the other hand, if you are looking for a Linux firewall solution that can handle complex and fast-changing network environments, then Shorewall is a logical choice.</p>
<p style="margin-left: 0.42in;">To see some of the many things that you can do with Shorewall, see the <a href="shorewall_features.htm">Shorewall Features page</a>.<br>
</p>
<h3><a name="License"></a>License</h3>
<p style="margin-left: 0.42in;">This program is free software; you can redistribute it and/or modify it under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General Public License</a> as published by the Free Software Foundation.</p>
<p style="margin-left: 0.42in;">This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more detail.</p>
<p style="margin-left: 0.42in;">You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.</p>
<p style="margin-left: 0.42in;">Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".</p>
<hr>
<h2><a name="Leaf"></a>Leaf</h2>
<p><font color="#000080"><a href="http://leaf.sourceforge.net/" target="_top"><font color="#000080"><img alt="(Leaf Logo)" src="images/leaflogo.gif" name="Graphic1" align="bottom" border="1" height="39" width="52"></font></a></font> LEAF is an open source project which provides a Firewall/router on a floppy, CD or CF. Several LEAF distributions including Bering and Bering-uClibc use Shorewall as their Netfilter configuration tool.</p>
<hr>
<h2><a name="OpenWRT"></a>OpenWRT</h2>
<p style="margin-bottom: 0in;"><font color="#000000"><a href="http://openwrt.org/"><font color="#000080"><img alt="(OpenWRT Logo)" src="images/openwrt.png" name="graphics1" align="bottom" border="1" height="34" hspace="4" width="91"></font></a></font>OpenWRT is a project which provides open source firmware for Linksys WRT54G wireless routers. Two different Shorewall packages are available for OpenWRT.</p>
<hr>
<h2><a name="Donations"></a>Donations</h2>
<p><a href="http://www.alz.org/" target="_top"><font color="#000080"><img alt="(Alzheimer's Association Logo)" src="images/alz_logo2.gif" name="Graphic2" align="right" border="1" height="66" width="306"></font></a><a href="http://www.starlight.org/" target="_top"><font color="#000080"><img alt="(Starlight Foundation Logo)" src="images/newlog.gif" name="Graphic3" align="right" border="1" height="108" width="65"></font></a>Shorewall is free but if you try it and find it useful, please consider making a donation to the <a href="http://www.alz.org/" target="_top">Alzheimer's Association</a> or to the <a href="http://www.starlight.org/" target="_top">Starlight Children's Foundation</a>. <br>
<br>
Thank You</p>
</body>
</html>