Shorewall Features

Tom Eastep

Copyright 2001-2010 Thomas M Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5, please see the documentation for that release.
Features

- Uses Netfilter's connection tracking facilities for stateful packet filtering.
- Can be used in a wide range of router/firewall/gateway applications.
- Completely customizable using configuration files.
- No limit on the number of network interfaces.
- Allows you to partition the network into zones and gives you complete control over the connections permitted between each pair of zones.
  - Multiple interfaces per zone and multiple zones per interface permitted.
  - Supports nested and overlapping zones.
- Supports centralized firewall administration.
  - Shorewall installed on a single administrative system. May be a Windows PC running Cygwin or an Apple Macintosh running OS X.
  - Centrally generated firewall scripts run on the firewalls under control of Shorewall-lite.
- QuickStart Guides (HOWTOs) to help get your first firewall up and running quickly.
- A GUI is available via Webmin 1.060 and later (http://www.webmin.com).
- Extensive documentation is available in both Docbook XML and HTML formats.
- Flexible address management/routing support (and you can use all types in the same firewall):
  - Masquerading/SNAT.
  - Port Forwarding (DNAT).
  - One-to-one NAT.
  - Proxy ARP.
  - NETMAP (requires a 2.6 kernel or a patched 2.4 kernel).
- Multiple ISP support.
- Blacklisting of individual IP addresses and subnetworks is supported.
- Operational Support.
  - Commands to start, stop and clear the firewall.
  - Supports status monitoring with an audible alarm when an interesting packet is detected.
  - Wide variety of informational commands.
- VPN Support.
  - IPSEC, GRE, IPIP and OpenVPN Tunnels.
  - PPTP clients and Servers.
- Support for Traffic Control/Shaping.
- Wide support for different GNU/Linux Distributions.
  - RPM and Debian packages available.
  - Includes automated install, upgrade and uninstall facilities for users who can't use or choose not to use the RPM or Debian packages.
  - Included as a standard part of LEAF/Bering (router/firewall on a floppy, CD or compact flash).
- Media Access Control (MAC) Address Verification.
- Traffic Accounting.
- Bridge/Firewall support.
- IPv6 Support.
- Works with a wide range of Virtualization Solutions:
  - KVM
  - Xen
  - Linux-Vserver
  - OpenVZ
  - VirtualBox