<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font
size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
<div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as� "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux
system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received a
copy of the GNU General Public License
along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass Ave,
Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10
and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques
and Eric on the recent release of Bering 1.0 Final!!! <br>
</b>
<h2>News</h2>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
and policies just like any other connection request. The FORWARDPING=Yes
option in shorewall.conf and the 'noping' and 'filterping' options in
/etc/shorewall/interfaces will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create a "label"
such as� "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
just the interface name:<br>
�<br>
�� a) In the INTERFACE column of /etc/shorewall/masq<br>
�� b) In the INTERFACE column of /etc/shorewall/nat<br>
�</li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the form $DEV.$VID
(e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be optionally followed
by ":" and either 'F' or 'P' to designate that the marking will occur in
the FORWARD or PREROUTING chains respectively. If this additional specification
is omitted, the chain used to mark packets will be determined by the setting
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET column of
the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
from only the first subnet defined on that interface. It did not masquerade
traffic from:<br>
�<br>
�� a) The subnets associated with other addresses on the interface.<br>
�� b) Subnets accessed through local routers.<br>
�<br>
Beginning with Shorewall 1.3.14, if you enter an interface name in
the SUBNET column, shorewall will use the firewall's routing table to
construct the masquerading/SNAT rules.<br>
�<br>
Example 1 -- This is how it works in 1.3.14.<br>
�� <br>
<pre>�� [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE������������� SUBNET����������������� ADDRESS<br> eth0������������������� eth2������������������� 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>� [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24� scope link<br> 192.168.10.0/24� proto kernel� scope link� src 192.168.10.254<br></pre>
<pre>� [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
�<br>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets
connected to an interface that is specified in the SUBNET column of an
/etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing.
In most cases, you will simply be able to remove redundant entries. In
some cases though, you might want to change from using the interface name
to listing specific subnetworks if the change described above will cause
masquerading to occur on subnetworks that you don't wish to masquerade.<br>
�<br>
Example 2 -- Suppose that your current config is as follows:<br>
�� <br>
<pre>�� [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE������������� SUBNET����������������� ADDRESS<br> eth0������������������� eth2������������������� 206.124.146.176<br> eth0������������������� 192.168.10.0/24�������� 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>�� [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24� scope link<br> 192.168.10.0/24� proto kernel� scope link� src 192.168.10.254<br> [root@gateway test]#</pre>
�<br>
�� In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
�<br>
Example 3 -- What if your current configuration is like this?<br>
�<br>
<pre>�� [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE������������� SUBNET����������������� ADDRESS<br> eth0������������������� eth2������������������� 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>�� [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24� scope link<br> 192.168.10.0/24� proto kernel� scope link� src 192.168.10.254<br> [root@gateway test]#</pre>
�<br>
�� In this case, you would want to change the entry in� /etc/shorewall/masq
to:<br>
<pre>�� #INTERFACE������������� SUBNET����������������� ADDRESS<br> eth0������������������� 192.168.1.0/24��������� 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
Webmin version 1.060 now has Shorewall support included as standard.
See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
</b>
<p><b></b></p>
<ul>
</ul>
<p><a href="News.htm">More News</a></p>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>