Shorewall 1.4 "iptables made easy"

(Shorewall Logo)


What is it?

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002, 2003 Thomas M. Eastep

Running Shorewall on Mandrake with a two-interface setup?

If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

Getting Started with Shorewall

New to Shorewall? Start by selecting the QuickStart Guide that most closely match your environment and follow the step by step instructions.

News

7/4/2003 - Shorewall-1.4.6 Beta 1 (New)

http://shorewall.net/pub/shorewall/testing
ftp://shorewall.net/pub/shorewall/testing

Problems Corrected:

  1. A problem seen on RH7.3 systems where Shorewall encountered start errors when started using the "service" mechanism has been worked around.

  2. Previously, where a list of IP addresses appears in the DEST column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat table (one for each element in the list). Shorewall now correctly creates a single DNAT rule with multiple "--to-destination" clauses.

New Features:

  1. A 'newnotsyn' interface option has been added. This option may be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No for packets arriving on the associated interface.

  2. The means for specifying a range of IP addresses in /etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.

  3. Shorewall can now add IP addresses to subnets other than the first one on an interface.

  4. DNAT[-] rules may now be used to load balance (round-robin) over a set of servers. Up to 256 servers may be specified in a range of addresses given as <first address>-<last address>.

    Example:

        DNAT net loc:192.168.10.2-192.168.10.5 tcp 80

    Note that this capability has previously been available using a combination of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable for load-balancing over a large number of servers (> 16) since specifying a range in the DNAT rule causes one filter table ACCEPT rule to be generated for each IP address in the range.

  5. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options have been removed and have been replaced by code that detects whether these capabilities are present in the current kernel. The output of the start, restart and check commands have been enhanced to report the outcome:

    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
    Verifying Configuration...

  6. Support for the Connection Tracking Match Extension has been added. This extension is available in recent kernel/iptables releases and allows for rules which match against elements in netfilter's connection tracking table. Shorewall automatically detects the availability of this extension and reports its availability in the output of the start, restart and check commands.

    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
       Connection Tracking Match: Available
       Verifying Configuration...

    If this extension is available, the ruleset generated by Shorewall is changed in the following ways:
    • To handle 'norfc1918' filtering, Shorewall will not create chains in the mangle table but will rather do all 'norfc1918' filtering in the filter table (rfc1918 chain).
    • Recall that Shorewall DNAT rules generate two netfilter rules; one in the nat table and one in the filter table. If the Connection Tracking Match Extension is available, the rule in the filter table is extended to check that the original destination address was the same as specified (or defaulted to) in the DNAT rule.

  7. The shell used to interpret the firewall script (/usr/share/shorewall/firewall) may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.

6/17/2003 - Shorewall-1.4.5

Problems Corrected:

  1. The command "shorewall debug try <directory>" now correctly traces the attempt.
  2. The INCLUDE directive now works properly in the zones file; previously, INCLUDE in that file was ignored.
  3. /etc/shorewall/routestopped records with an empty second column are no longer ignored.

New Features:

  1. The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now contain a list of addresses. If the list begins with "!' then the rule will take effect only if the original destination address in the connection request does not match any of the addresses listed.

6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8

The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems have been encountered with this set of software. The Shorewall version is 1.4.4b plus the accumulated changes for 1.4.5.

6/8/2003 - Updated Samples

Thanks to Francesca Smith, the samples have been updated to Shorewall version 1.4.4.

More News

(Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.4.2 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.2!!!

Donations


Note:
Search is unavailable Daily 0200-0330 GMT.

Quick Search

Extended Search


(Starlight Logo)


Shorewall is free but if you try it and find it useful, please consider making a donation to Starlight Children's Foundation. Thanks!

Updated 7/4/2003 - Tom Eastep