Shorewall 2.x

Tom Eastep

The information on this site applies only to 2.x releases of Shorewall. For older versions:

The current 2.0 Stable Release is 2.0.13 -- Here are the release notes.
The current Developement Release is 2.2.0 Beta 6 -- Here are the release notes.

Copyright © 2001-2004 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2004-12-02


Table of Contents

Introduction to Shorewall

Glossary
What is Shorewall?
Getting Started with Shorewall
Looking for Information?
Running Shorewall on Mandrake® with a two-interface setup?
License

News

Shorewall 2.0.13
Shorewall 2.0.12
Shorewall 2.2.0 Beta 6
Shorewall 2.2.0 Beta 5
Shorewall 2.0.11
Shorewall 2.2.0 Beta 4
Shorewall 2.2.0 Beta 3
Shorewall 2.2.0 Beta 2
Shorewall 2.0.10
Shorewall 2.2.0 Beta 1

Leaf

Donations

Introduction to Shorewall

Glossary

What is Shorewall?

The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Shorewall is not a daemon. Once Shorewall has configured Netfilter, it's job is complete. After that, there is no Shorewall code running although the /sbin/shorewall program can be used at any time to monitor the Netfilter firewall.

Getting Started with Shorewall

New to Shorewall? Start by selecting the QuickStart Guide that most closely matches your environment and follow the step by step instructions.

Looking for Information?

The Documentation Index is a good place to start as is the Quick Search in the frame above.

Running Shorewall on Mandrake® with a two-interface setup?

If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

Update: I've been informed by Mandrake Development that this problem has been corrected in Mandrake 10.0 Final (the problem still exists in the 10.0 Community release).

License

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more detail.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".


News

12/02/2004 - Shorewall 2.0.13

Problems Corrected:
  1. A typo in /usr/share/shorewall/firewall caused the "shorewall add" to issue an error message:
    /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found
12/01/2004 - Shorewall 2.0.12

Problems Corrected:
  1. A typo in shorewall.conf (NETNOTSYN) has been corrected.
  2. The "shorewall add" and "shorewall delete" commands now work in a bridged environment. The syntax is:
     
          shorewall add <interface>[:<bridge port>][:<address>] <zone>
          shorewall delete <interface>[:<bridge port>][:<address>] <zone>
     
    Examples:
     
          shorewall add br0:eth2:192.168.1.3 OK
          shorewall delete br0:eth2:192.168.1.3 OK

  3. Previously, "shorewall save" created an out-of-sequence restore script. The commands saved in the user's /etc/shorewall/start script were executed prior to the Netfilter configuration being restored. This has been corrected so that "shorewall save" now places those commands at the end of the script.
     
    To accomplish this change, the "restore base" file (/var/lib/shorewall/restore-base) has been split into two files:
     
       /var/lib/shorewall/restore-base -- commands to be executed before the Netfilter configuration is restored.
     
       /var/lib/shorewall/restore-tail -- commands to be executed after the Netfilter configuration is restored.

  4. Previously, traffic from the firewall to a dynamic zone member host did not need to match the interface specified when the host was added to the zone. For example, if eth0:1.2.3.4 is added to dynamic zone Z then traffic out of any firewall interface to 1.2.3.4 will obey the fw->Z policies and rules. This has been corrected.
New Features:
  1. Variable expansion may now be used with the INCLUDE directive.
     
    Example:
     
            /etc/shorewall/params
     
                FILE=/etc/foo/bar
     
            Any other config file:
     
                INCLUDE $FILE
11/26/2004 - Shorewall 2.2.0 Beta 6

Beta 5 was more or less DOA. Here's Beta 6.

Problems Corrected:
  1. Fixed a number of problems associated with not having an IPTABLES value assigned in shorewall.conf
  2. Corrected a 'duplicate chain' error on "shorewall add" when the 'mss' option is present in /etc/shorewall/ipsec.
11/26/2004 - Shorewall 2.2.0 Beta 5

Problems corrected:
  1. A typo in shorewall.conf (NETNOTSYN) has been corrected.
New Features:
  1. For consistency, the CLIENT PORT(S) column in the tcrules file has been renamed SOURCE PORT(S).
  2. The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown in the output of "shorewall status".
  3. A new IPTABLES option has been added to shorewall.conf. IPTABLES can be used to designate the iptables executable to be used by Shorewall. If not specified, the iptables executable determined by the PATH setting is used.
11/23/2004 - Shorewall 2.0.11

Problems corrected:
  1. The INSTALL file now include special instructions for Slackware users.
  2. The bogons file has been updated.
  3. Service names are replaced by port numbers in /etc/shorewall/tos.
  4. A typo in the install.sh file that caused an error during a new install has been corrected.
New Features:
  1. The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
11/19/2004 - Shorewall 2.2.0 Beta 4

Problems Corrected:
  1. A cut and paste error resulted in some nonsense in the description of the IPSEC column in /etc/shorewall/masq.
  2. A typo in /etc/shorewall/rules has been corrected.
  3. The bogons file has been updated.
  4. The "shorewall add" command previously reported success but did nothing -- now it works.
New Features:
  1. The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).
11/09/2004 - Shorewall 2.2.0 Beta 3

Problems Corrected:
  1. Missing '#' in the rfc1918 file has been corrected.
  2. The INSTALL file now includes special instructions for Slackware users.
New Features:
  1. In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may now appear in the DEST column as in:
            #MARK/      SOURCE       DEST      PROTO     PORT(S)
    #CLASSIFY
    1:30        -            eth0      tcp       25
11/02/2004 - Shorewall 2.2.0 Beta 2

Problems Corrected:
  1. The "shorewall check" command results in the (harmless) error message:
     
            /usr/share/shorewall/firewall: line 2753:
               check_dupliate_zones: command not found

  2. The AllowNTP standard action now allows outgoing responses to broadcasts.
  3. A clarification has been added to the hosts file's description of the 'ipsec' option pointing out that the option is redundent if the zone named in the ZONE column has been designated an IPSEC zone in the /etc/shorewall/ipsec file.
New Features:
  1. The SUBNET column in /etc/shorewall/rfc1918 has been renamed SUBNETS and it is now possible to specify a list of addresses in that column.
10/25/2004 - Shorewall 2.0.10

Problems Corrected:
  1. The GATEWAY column was previously ignored in 'pptpserver' entries in /etc/shorewall/tunnels.
  2. When log rule numbers are included in the LOGFORMAT, duplicate rule numbers could previously be generated.
  3. The /etc/shorewall/tcrules file now includes a note to the effect that rule evaluation continues after a match.
  4. The error message produced if Shorewall couldn't obtain the routes through an interface named in the SUBNET column of /etc/shorewall/masq was less than helpful since it didn't include the interface name.
New Features:
  1. The "shorewall status" command has been enhanced to include the values of key /proc settings:

    Example from a two-interface firewall:

    /proc

       /proc/sys/net/ipv4/ip_forward = 1
       /proc/sys/net/ipv4/conf/all/proxy_arp = 0
       /proc/sys/net/ipv4/conf/all/arp_filter = 0
       /proc/sys/net/ipv4/conf/all/rp_filter = 0
       /proc/sys/net/ipv4/conf/default/proxy_arp = 0
       /proc/sys/net/ipv4/conf/default/arp_filter = 0
       /proc/sys/net/ipv4/conf/default/rp_filter = 0
       /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
       /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
       /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
       /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
       /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
       /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
       /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
       /proc/sys/net/ipv4/conf/lo/arp_filter = 0
       /proc/sys/net/ipv4/conf/lo/rp_filter = 0

10/24/2004 - Shorewall 2.2.0 Beta1

The first beta in the 2.2 series is now available. Download location is:

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1
ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1

The features available in this release and the migration considerations are covered in the release notes. Highlights include:

  1. The behavior produced by specifying a log level in an action invocation is now much more rational. Previously, all packets sent to the action were logged; now each rule within the invoked action behaves as if logging had been specified on it.
  2. Support for the 2.6 Kernel's native IPSEC implementation is now available.
  3. Support for ipp2p is included.
  4. Support for the iptables CONNMARK facility is now included in Shorewall.
  5. A new LOGALLNEW option facilitates problem analysis.
  6. Users with a large static blacklist can now defer loading the blacklist until after the rest of the ruleset has been enabled. Doing so can decrease substantially the amount of time that connections are disabled during shorewall [re]start.
  7. Support for the iptables 'iprange match' feature has been enabled. Users whose kernel and iptables contain this feature can use ip address ranges in most places in their Shorewall configuration where a CIDR netowrk can be used.
  8. Accepting of source routing and martian logging may now be enabled/disabled on each interface.
  9. Shorewall now supports the CLASSIFY iptable target.

More News


Leaf

(Leaf Logo) LEAF is an open source project which provides a Firewall/router on a floppy, CD or CF. Several LEAF distributions including Bering and Bering-uClibc use Shorewall as their Netfilter configuration tool.


Donations

(Alzheimer's Association Logo)(Starlight Foundation Logo)Shorewall is free but if you try it and find it useful, please consider making a donation to the Alzheimer's Association or to the Starlight Children's Foundation.

Thanks