Introduction to Shorewall

This is the Shorewall 2.0 Web Site

The information on this site applies only to 2.0.x releases of Shorewall. For older versions:

Glossary

  • Netfilter - the packet filter facility built into the 2.4 and later Linux kernels.
  • ipchains - the packet filter facility built into the 2.2 Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode.
  • iptables - the utility program used to configure and control Netfilter. The term 'iptables' is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).

What is Shorewall?

The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Shorewall is not a daemon. Once Shorewall has configured Netfilter, it's job is complete. After that, there is no Shorewall code running although the /sbin/shorewall program can be used at any time to monitor the Netfilter firewall.

Getting Started with Shorewall

New to Shorewall? Start by selecting the QuickStart Guide that most closely match your environment and follow the step by step instructions.

Looking for Information?

The Documentation Index is a good place to start as is the Quick Search in the frame above.

Running Shorewall on Mandrake® with a two-interface setup?

If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

Update: I've been informed by Mandrake Development that this problem has been corrected in Mandrake 10.0 Final (the problem still exists in the 10.0 Community release).

License

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more detail.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Copyright © 2001-2004 Thomas M. Eastep

News

4/5/2004 - Shorewall 2.0.1 (New)

Problems Corrected since 2.0.0

  1. Using actions in the manner recommended in the documentation results in a Warning that the rule is a policy.
  2. When a zone on a single interface is defined using /etc/shorewall/hosts, superfluous rules are generated in the <zone>_frwd chain.
  3. Thanks to Sean Mathews, a long-standing problem with Proxy ARP and IPSEC has been corrected. Thanks Sean!!!
  4. The "shorewall show log" and "shorewall logwatch" commands incorrectly displayed type 3 ICMP packets.
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:

  1. The function of 'norfc1918' is now split between that option and a new 'nobogons' option.

    The rfc1918 file released with Shorewall now contains entries for only those three address ranges reserved by RFC 1918. A 'nobogons' interface option has been added which handles bogon source addresses (those which are reserved by the IANA, those reserved for DHCP auto-configuration and the class C test-net reserved for testing and documentation examples). This will allow users to perform RFC 1918 filtering without having to deal with out of date data from IANA. Those who are willing to update their /usr/share/shorewall/bogons file regularly can specify the 'nobogons' option in addition to 'norfc1918'.

    The level at which bogon packets are logged is specified in the new BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are logged at the 'info' level.
New Features:

  1. Support for Bridging Firewalls has been added. For details, see

    http://shorewall.net/bridge.html

  2. Support for NETMAP has been added. NETMAP allows NAT to be defined between two network:

               a.b.c.1    -> x.y.z.1
               a.b.c.2    -> x.y.z.2
               a.b.c.3    -> x.y.z.3
               ...

       http://shorewall.net/netmap.htm

  3. The /sbin/shorewall program now accepts a "-x" option to cause iptables to print out the actual packet and byte counts rather than abbreviated counts such as "13MB".

    Commands affected by this are:

                shorewall -x show [ <chain>[ <chain> ...] ]
                shorewall -x show tos|mangle
                shorewall -x show nat
                shorewall -x status
                shorewall -x monitor [ <interval> ]

  4. Shorewall now traps two common zone definition errors:
    • Including the firewall zone in a /etc/shorewall/hosts record.
    • Defining an interface for a zone in both /etc/shorewall/interfaces and /etc/shorewall/hosts.

  5. In the second case, the following will appear during "shorewall [re]start" or "shorewall check":

       Determining Hosts in Zones...
          ...
          Error: Invalid zone definition for zone <name of zone>
       Terminated

  6. To support bridging, the following options have been added to entries in /etc/shorewall/hosts:

               norfc1918
               nobogons
               blacklist
               tcpflags
               nosmurfs
               newnotsyn

    With the exception of 'newnotsyn', these options are only useful when the entry refers to a bridge port.

       Example:

       #ZONE   HOST(S)      OPTIONS
       net     br0:eth0     norfc1918,nobogons,blacklist,tcpflags,nosmurfs

More News

(Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.4.2 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.2!!!

Donations

(Alzheimer's Association Logo)Shorewall is free but if you try it and find it useful, please consider making a donation to the Alzheimer's Association. Thanks!


Updated 04/05/2004 - Tom Eastep