Shorewall 1.4 "iptables made easy"



What is it?

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002, 2003 Thomas M. Eastep

Running Shorewall on Mandrake with a two-interface setup?

If so, almost NOTHING on this site will apply directly to your setup. If you want to use the documentation that you find here, it is best if you uninstall what you have and install a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

Getting Started with Shorewall

New to Shorewall? Start by selecting the QuickStart Guide that most closely matches your environment and follow the step-by-step instructions.

News

6/17/2003 - Shorewall-1.4.5 (New)

Problems Corrected:

  1. The command "shorewall debug try <directory>" now correctly traces the attempt.
  2. The INCLUDE directive now works properly in the zones file; previously, INCLUDE in that file was ignored.
  3. /etc/shorewall/routestopped records with an empty second column are no longer ignored.

New Features:

  1. The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now contain a list of addresses. If the list begins with "!" then the rule will take effect only if the original destination address in the connection request does not match any of the addresses listed.

6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8 (New)

The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems have been encountered with this set of software. The Shorewall version is 1.4.4b plus the accumulated changes for 1.4.5.

6/8/2003 - Updated Samples

Thanks to Francesca Smith, the samples have been updated to Shorewall version 1.4.4.

5/29/2003 - Shorewall-1.4.4b

Groan -- This version corrects a problem whereby the --log-level was not being set when logging via syslog. The most commonly reported symptom was that Shorewall messages were being written to the console even though console logging was correctly configured per FAQ 16.

5/27/2003 - Shorewall-1.4.4a

The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out that the code in 1.4.4 restricts the length of short zone names to 4 characters. I've produced version 1.4.4a that restores the previous 5-character limit by conditionally omitting the log rule number when the LOGFORMAT doesn't contain '%d'.

5/23/2003 - Shorewall-1.4.4

I apologize for the rapid-fire releases but since there is a potential configuration change required to go from 1.4.3a to 1.4.4, I decided to make it a full release rather than just a bug-fix release.

Problems corrected:

None.

New Features:
  1. A REDIRECT- rule target has been added. This target behaves for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter nat table REDIRECT rule is added but not the companion filter table ACCEPT rule.

  2. The LOGMARKER variable has been renamed LOGFORMAT and has been changed to a 'printf' formatting template which accepts three arguments (the chain name, logging rule number and the disposition). To use LOGFORMAT with fireparse (http://www.fireparse.com), set it as:

    LOGFORMAT="fp=%s:%d a=%s "

    CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up to but not including the first '%') to find log messages in the 'show log', 'status' and 'hits' commands. This part should not be omitted (the LOGFORMAT should not begin with "%") and the leading part should be sufficiently unique for /sbin/shorewall to identify Shorewall messages.

  3. When logging is specified on a DNAT[-] or REDIRECT[-] rule, the logging now takes place in the nat table rather than in the filter table. This way, only those connections that actually undergo DNAT or redirection will be logged.
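The following shell script is an added illustration of the LOGFORMAT mechanism described in item 2 above; it is not Shorewall's own code. It expands a LOGFORMAT template into a --log-prefix the way a printf template would, extracts the leading literal part (everything before the first '%') that a log-reading command has to search for, and counts matching lines in a few constructed syslog lines. The function names, the sample log lines and the rule that a template without '%d' is expanded with only the chain and disposition (modelled on the 5/27/2003 note about 1.4.4a) are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration (not Shorewall's own code) of how a LOGFORMAT printf
# template becomes a --log-prefix and why its leading literal part matters
# to the 'show log', 'status' and 'hits' commands.

# Expand a LOGFORMAT template into the --log-prefix for one logging rule.
# Assumption (modelled on the 1.4.4a note): when the template has no '%d'
# the rule number is omitted, so only chain and disposition are substituted.
log_prefix() {
    fmt=$1
    chain=$2
    rulenum=$3
    disposition=$4
    case $fmt in
        *%d*) printf "$fmt" "$chain" "$rulenum" "$disposition" ;;
        *)    printf "$fmt" "$chain" "$disposition" ;;
    esac
}

# Leading literal part of LOGFORMAT: everything before the first '%'.
# This is the marker a log-reading command must search for.
log_marker() {
    printf '%s\n' "$1" | sed 's/%.*//'
}

# Return 0 when LOGFORMAT yields a usable marker (non-empty leading part),
# 1 when it begins with '%' and therefore identifies nothing.
logformat_ok() {
    [ -n "$(log_marker "$1")" ]
}

# Count syslog lines on stdin that carry the marker, as a 'hits'-style
# command would. Refuses a LOGFORMAT that yields no marker.
count_hits() {
    logformat_ok "$1" || return 1
    grep -c -F -- "$(log_marker "$1")"
}

# Constructed sample syslog lines (not real captures): two firewall messages
# written with the fireparse-style format and one unrelated kernel message.
SAMPLE_LOG='Jun 17 10:01:02 gw kernel: fp=net2all:3 a=DROP IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP DPT=135
Jun 17 10:01:05 gw kernel: fp=loc2net:1 a=ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=UDP DPT=53
Jun 17 10:01:09 gw kernel: martian source 10.0.0.9 from 10.0.0.1, on dev eth1'

# Stand-alone demonstration with the fireparse format from the text.
demo() {
    fmt='fp=%s:%d a=%s '
    echo "prefix: '$(log_prefix "$fmt" net2all 3 DROP)'"
    echo "marker: '$(log_marker "$fmt")'"
    echo "hits:   $(printf '%s\n' "$SAMPLE_LOG" | count_hits "$fmt")"
    if logformat_ok '%s:%s:'; then
        echo 'unexpected: format starting with % accepted'
    else
        echo "rejected: a LOGFORMAT starting with '%' has no marker to search for"
    fi
}
demo
```

With the fireparse template the prefix written to the log is `fp=net2all:3 a=DROP ` and the marker is `fp=`; a template such as `%s:%s:` is rejected because nothing precedes the first conversion, which is exactly the CAUTION in item 2.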

5/20/2003 - Shorewall-1.4.3a

This version primarily corrects the documentation included in the .tgz and in the .rpm. In addition:
  1. (This change is in 1.4.3 but is not documented) If you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject replies as follows:
    a) tcp - RST
    b) udp - ICMP port unreachable
    c) icmp - ICMP host unreachable
    d) Otherwise - ICMP host prohibited
    If you are running earlier software, Shorewall will follow its traditional convention:
    a) tcp - RST
    b) Otherwise - ICMP port unreachable
  2. UDP port 135 is now silently dropped in the common.def chain. Remember that this chain is traversed just before a DROP or REJECT policy is enforced.

5/18/2003 - Shorewall 1.4.3

Problems Corrected:
  1. There were several cases where Shorewall would fail to remove a temporary directory from /tmp. These cases have been corrected.
  2. The rules for allowing all traffic via the loopback interface have been moved to before the rule that drops status=INVALID packets. This ensures that all loopback traffic is allowed even if Netfilter connection tracking is confused.

New Features:
  1. IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels file.
  2. You may now change the leading portion of the --log-prefix used by Shorewall using the LOGMARKER variable in shorewall.conf. By default, "Shorewall:" is used.

5/10/2003 - Shorewall Mirror in Asia

Ed Greshko has established a mirror in Taiwan -- Thanks Ed!

5/8/2003 - Shorewall Mirror in Chile

Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.

4/26/2003 - lists.shorewall.net Downtime

The list server will be down this morning for upgrade to RH9.0.

4/21/2003 - Samples updated for Shorewall version 1.4.2

Thanks to Francesca Smith, the sample configurations are now upgraded to Shorewall version 1.4.2.

4/12/2002 - Greater Seattle Linux Users Group Presentation

This morning, I gave a Shorewall presentation to GSLUG. The presentation is in HTML format but was generated from Microsoft PowerPoint and is best viewed using Internet Explorer (although Konqueror also seems to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to view the presentation.

More News

Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.2!!!

Donations




Shorewall is free but if you try it and find it useful, please consider making a donation to Starlight Children's Foundation. Thanks!

Updated 6/17/2003 - Tom Eastep