shorewall_code/Shorewall-Website/shorewall_index.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
  <meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
  <title>Shoreline Firewall (Shorewall) 2.0</title>
  <base target="_self">
  <meta name="GENERATOR" content="OpenOffice.org 1.1.1  (Linux)">
  <meta name="CREATED" content="20040920;15031500">
  <meta name="CHANGED" content="20040920;15183300">
</head>
<body dir="ltr" lang="en-US">
<h1>Shorewall 2.0</h1>
<p><b>Tom Eastep</b><br>
<br>
The information on this site applies only
to 2.0.x releases of Shorewall. For older versions:</p>
<ul>
  <li>
    <p style="margin-bottom: 0in;">The 1.4 site is <a
 href="http://www.shorewall.net/1.4" target="_top">here.</a></p>
  </li>
  <li>
    <p style="margin-bottom: 0in;">The 1.3 site is <a
 href="http://www.shorewall.net/1.3" target="_top">here.</a> </p>
  </li>
  <li>
    <p>The 1.2 site is <a href="http://shorewall.net/1.2/"
 target="_top">here</a>. </p>
  </li>
</ul>
<p>The current 2.0 Stable Release is 2.0.10 -- Here are the <a
 href="http://shorewall.net/pub/shorewall/2.0/shorewall-2.0.10/releasenotes.txt">release
notes</a>.<br>
The current Developement Release is 2.2.0 Beta 2 -- Here
are the <a
 href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2/releasenotes.txt">release
notes</a>.<br>
<br>
Copyright © 2001-2004 Thomas M. Eastep</p>
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software
Foundation; with no Invariant Sections, with no Front-Cover, and with
no Back-Cover Texts. A copy of the license is included in the section
entitled “<a href="GnuCopyright.htm" target="_self">GNU
Free Documentation License</a>”.</p>
<p>2004-11-02</p>
<hr>
<h3>Table of Contents</h3>
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
to Shorewall</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><a href="#Glossary">Glossary</a><br>
<a href="#WhatIs">What
is Shorewall?</a><br>
<a href="#GettingStarted">Getting Started with
Shorewall</a><br>
<a href="#Info">Looking for Information?</a><br>
<a href="#Mandrake">Running
Shorewall on Mandrake® with a two-interface setup?</a><br>
<a href="#License">License</a></p>
<p style="margin-bottom: 0in; margin-left: 40px;"><a href="#2_0_10">News</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><a
 href="#2_2_0_Beta2">Shorewall 2.2.0 Beta 2</a><br>
<a href="#2_0_10">Shorewall
2.0.10</a><br>
<a href="#2_2_0_Beta1">Shorewall 2.2.0 Beta 1</a><br>
<br>
</p>
<div style="margin-left: 40px;"><a href="#Leaf">Leaf</a><br>
</div>
<p style="margin-left: 40px;"><a href="#Donations">Donations</a></p>
<h2><a name="Intro"></a>Introduction to Shorewall</h2>
<h3><a name="Glossary"></a>Glossary</h3>
<ul>
  <li>
    <p style="margin-bottom: 0in;"><a href="http://www.netfilter.org/"
 target="_top">Netfilter</a> - the packet filter facility built into
the 2.4 and later Linux kernels. </p>
  </li>
  <li>
    <p style="margin-bottom: 0in;">ipchains - the packet filter
facility built into the 2.2 Linux kernels. Also the name of the utility
program used to configure and control that facility. Netfilter can be
used in ipchains compatibility mode. </p>
  </li>
  <li>
    <p>iptables - the utility program used to configure and control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode). </p>
  </li>
</ul>
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
<p style="margin-left: 0.42in;">The Shoreline Firewall, more commonly
known as "Shorewall", is a high-level tool for configuring
Netfilter. You describe your firewall/gateway requirements using
entries in a set of configuration files. Shorewall reads those
configuration files and with the help of the iptables utility,
Shorewall configures Netfilter to match your requirements. Shorewall
can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system. Shorewall
does not use Netfilter's ipchains compatibility mode and can thus
take advantage of Netfilter's <a
 href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
 target="_top">connection
state tracking capabilities</a>.<br>
<br>
Shorewall is <u>not</u> a
daemon. Once Shorewall has configured Netfilter, it's job is
complete. After that, there is no Shorewall code running although the
<a href="starting_and_stopping_shorewall.htm">/sbin/shorewall program
can be used at any time to monitor the Netfilter firewall</a>.</p>
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
<p style="margin-left: 0.42in;">New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely matches your environment and follow the step by
step instructions.</p>
<h3><a name="Info"></a>Looking for Information?</h3>
<p style="margin-left: 0.42in;">The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start as is the Quick Search in the
frame above. </p>
<h3><a name="Mandrake"></a>Running Shorewall on Mandrake® with a
two-interface setup?</h3>
<p style="margin-left: 0.42in;">If so, the documentation on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<br>
<b>Update: </b>I've been
informed by Mandrake Development that this problem has been corrected
in Mandrake 10.0 Final (the problem still exists in the 10.0
Community release).</p>
<h3><a name="License"></a>License</h3>
<p style="margin-left: 0.42in;">This program is free software; you can
redistribute it and/or modify it under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.</p>
<p style="margin-left: 0.42in;">This program is distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more detail.</p>
<p style="margin-left: 0.42in;">You should have received a copy of the
GNU General Public License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
<p style="margin-left: 0.42in;">Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU
Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy
of the license is included in the section entitled "GNU Free
Documentation License". </p>
<hr>
<h2><a name="News"></a>News</h2>
<span style="font-weight: bold;"><a name="2_2_0_Beta2"></a>11/02/2004 -
Shorewall 2.2.0 Beta 2<br>
<br>
</span>Problems Corrected:<br>
<ol>
  <li>The "shorewall check" command results in the (harmless) error
message:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
/usr/share/shorewall/firewall: line 2753:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
check_dupliate_zones: command not found<br>
    <br>
  </li>
  <li>The AllowNTP standard action now allows outgoing responses to
broadcasts.</li>
  <li>A clarification has been added to the hosts file's description of
the 'ipsec' option pointing out that the option is redundent if the
zone named in the ZONE column has been designated an IPSEC zone in the
/etc/shorewall/ipsec file.<span style="font-weight: bold;"></span></li>
</ol>
New Features:<br>
<ol>
  <li>The SUBNET column in /etc/shorewall/rfc1918 has been renamed
SUBNETS and it is now possible to specify a list of addresses in that
column.<br>
  </li>
</ol>
<span style="font-weight: bold;"><a name="2_0_10"></a>10/25/2004 -
Shorewall 2.0.10<br>
</span><br>
Problems Corrected:<br>
<ol>
  <li>The GATEWAY column was previously ignored in 'pptpserver' entries
in /etc/shorewall/tunnels.</li>
  <li>When log rule numbers are included in the LOGFORMAT, duplicate
rule numbers could previously be generated.</li>
  <li>The /etc/shorewall/tcrules file now includes a note to the effect
that rule evaluation continues after a match.</li>
  <li>The error message produced if Shorewall couldn't obtain the
routes
through an interface named in the SUBNET column of /etc/shorewall/masq
was less than helpful since it didn't include the interface name.<br>
  </li>
</ol>
New Features:<br>
<ol>
  <li>The "shorewall status" command has been enhanced to include the
values of key /proc settings:<br>
    <br>
Example from a two-interface firewall:<br>
    <br>
/proc<br>
    <br>
&nbsp;&nbsp; /proc/sys/net/ipv4/ip_forward = 1<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/all/proxy_arp = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/all/arp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/all/rp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/default/proxy_arp = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/default/arp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/default/rp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/eth0/arp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/eth0/rp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/eth1/arp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/eth1/rp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/lo/proxy_arp = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/lo/arp_filter = 0<br>
&nbsp;&nbsp; /proc/sys/net/ipv4/conf/lo/rp_filter = 0<br>
  </li>
</ol>
<br>
<span style="font-weight: bold;"><a name="2_2_0_Beta1"></a>10/24/2004 -
Shorewall 2.2.0 Beta1<br>
<br>
</span>The first beta in the 2.2 series is now available. Download
location is:<br>
<br>
<div style="margin-left: 40px;"><a
 href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1">http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1</a><br>
<a target="_top"
 href="ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1">ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1</a><br>
</div>
<p>The features available in this release and the migration
considerations are covered in the <a
 href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1/releasenotes.txt">release
notes</a>. Highlights include:<br>
</p>
<ol>
  <li>The behavior produced by specifying a log level in an action
invocation is now much more rational. Previously, all packets sent to
the action were logged; now each rule within the invoked action behaves
as if logging had been specified on it.</li>
  <li>Support for the 2.6 Kernel's native IPSEC implementation is now
available.</li>
  <li>Support for ipp2p is included.</li>
  <li>Support for the iptables CONNMARK facility is now included in
Shorewall.</li>
  <li>A new LOGALLNEW option facilitates problem analysis.</li>
  <li>Users with a large static blacklist can now defer loading the
blacklist until after the rest of the ruleset has been enabled. Doing
so can decrease substantially the amount of time that connections are
disabled during <span style="font-weight: bold;">shorewall [re]start</span>.</li>
  <li>Support for the iptables 'iprange match' feature has been
enabled. Users whose kernel and iptables contain this feature can use
ip address ranges in most places in their Shorewall configuration where
a CIDR netowrk can be used.</li>
  <li>Accepting of source routing and martian logging may now be
enabled/disabled on each interface.</li>
  <li>Shorewall now supports the CLASSIFY iptable target.</li>
</ol>
<p><a href="News.htm">More News</a></p>
<hr>
<h2><a name="Leaf"></a>Leaf</h2>
<p><a href="http://leaf.sourceforge.net/" target="_top"><font
 color="#000000"><img src="images/leaflogo.gif" name="Graphic1"
 alt="(Leaf Logo)" align="bottom" border="1" height="39" width="52"></font></a>
LEAF is an open source project which provides a Firewall/router on a
floppy, CD or CF. Several LEAF distributions including Bering and
Bering-uClibc use Shorewall as their Netfilter configuration tool.</p>
<hr>
<h2><a name="Donations"></a>Donations</h2>
<p align="left"><a href="http://www.alz.org/" target="_top"><font
 color="#000000"><img src="images/alz_logo2.gif" name="Graphic2"
 alt="(Alzheimer's Association Logo)" align="right" border="1"
 height="63" width="303"></font></a><a href="http://www.starlight.org/"
 target="_top"><font color="#000000"><img src="images/newlog.gif"
 name="Graphic3" alt="(Starlight Foundation Logo)" align="right"
 border="1" height="105" width="62"></font></a><font size="4">Shorewall
is free but if you try it and find it useful, please consider making
a donation to the <a href="http://www.alz.org/" target="_top">Alzheimer's
Association</a> or to the <a href="http://www.starlight.org/"
 target="_top">Starlight
Children's Foundation</a>.</font></p>
<p align="left"><font size="4">Thanks</font></p>
<p align="left"><br>
<br>
</p>
</body>
</html>