<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Shorewall Version 4</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2007</year>

      <year>2009</year>

      <year>2015</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section id="Intro">
    <title>Introduction</title>

    <para>Shorewall version 4.0 represented a substantial shift in direction
    for Shorewall. Up until then</para>

    <itemizedlist>
      <listitem>
        <para>Shorewall had been written entirely in Bourne Shell.</para>
      </listitem>

      <listitem>
        <para>Shorewall had run the <command>iptables</command> utility to add
        each Netfilter rule.</para>
      </listitem>
    </itemizedlist>

    <para>Shorewall version 4.0 offered you a choice. You could continue to
    use the existing shell-based implementation or you could use a new
    implementation of the Shorewall compiler written in the Perl programming
    language. The new compiler:</para>

    <itemizedlist>
      <listitem>
        <para>had a small disk footprint.</para>
      </listitem>

      <listitem>
        <para>was very fast.</para>
      </listitem>

      <listitem>
        <para>generated a firewall script that uses
        <command>iptables-restore</command>, so the script itself was also
        very fast.</para>
      </listitem>

      <listitem>
        <para>generated better and more consistent error messages.</para>
      </listitem>

      <listitem>
        <para>did a much more thorough job of checking the configuration to
        avoid run-time errors.</para>
      </listitem>

      <listitem>
        <para>supported creating either IPv4 or IPv6 firewalls (Shorewall
        4.2.4 and later).</para>
      </listitem>
    </itemizedlist>

    <para><ulink url="Shorewall-perl.html#Install">Both compilers could be
    installed on your system</ulink> and you could <ulink
    url="Shorewall-perl.html#CompilerSelection">use whichever one suited you
    in a particular case</ulink>.</para>
  </section>

  <section id="Install">
    <title>Shorewall 4.4</title>

    <para>Shorewall 4.4 discontinued the availability of the legacy
    shell-based compiler. All users must migrate to the Perl-based compiler
    before or during an upgrade to Shorewall version 4.4 or later. We highly
    recommend that current users of the shell-based compiler migrate before
    upgrading to 4.4 or later so that both compilers are available during the
    migration.</para>

    <para>Shorewall 4.4 contains five packages:</para>

    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">Shorewall</emphasis> - Everything needed
        to create an IPv4 firewall.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">Shorewall-lite</emphasis> - Can run
        scripts generated by Shorewall on another system.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
        creating and operating an IPv6 firewall. Requires Shorewall.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">Shorewall6-lite</emphasis> - IPv6
        equivalent of Shorewall-lite. Can run scripts generated by Shorewall
        on another system.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">Shorewall-init</emphasis> - An add-on
        package for any of the other packages which can:</para>

        <orderedlist>
          <listitem>
            <para>Secure the firewall(s) prior to bringing up the interfaces
            (does not work with systems running Upstart)</para>
          </listitem>

          <listitem>
            <para>React to ifup/ifdown events and restart the firewall(s) if
            needed</para>
          </listitem>
        </orderedlist>
      </listitem>
    </itemizedlist>
  </section>

  <section>
    <title>Shorewall 4.5/4.6</title>

    <para>Shorewall 4.5 added an additional package, <emphasis
    role="bold">Shorewall-core</emphasis>, which contains the core Shorewall
    shell libraries required by the other packages.</para>
  </section>

  <section id="Prereqs">
    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
    Perl-based Compiler</title>

    <itemizedlist>
      <listitem>
        <para>Perl (I use Perl 5.14.2 but other 5.8 or later versions should
        work fine). <note>
            <para>If you want to be able to use DNS names in your Shorewall6
            configuration files, then Perl 5.10 or later is required together
            with the Perl <emphasis role="bold">Socket6</emphasis>
            module.</para>
          </note></para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">Cwd</emphasis> Module</para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">File::Basename</emphasis>
        Module</para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">File::Temp</emphasis> Module</para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">Getopt::Long</emphasis> Module</para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">Carp</emphasis> Module</para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">FindBin</emphasis> Module</para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">Scalar::Util</emphasis> Module</para>
      </listitem>

      <listitem>
        <para>Perl <emphasis role="bold">Digest::SHA1</emphasis> Module
        (Shorewall 4.5 only)</para>
      </listitem>
    </itemizedlist>

    <para>Please note that there are <ulink url="IPv6Support.html">additional
    requirements</ulink> if you plan to install and use Shorewall6.</para>
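    <para>The following script is an added example, not part of the Shorewall
    documentation or distribution. It checks the prerequisites listed above
    before an upgrade: it compares the installed Perl version against the
    stated 5.8 minimum numerically (a plain string comparison would rank 5.8
    above 5.14), tries to load each required module, and reports the two
    conditional modules (Digest::SHA1 for Shorewall 4.5, Socket6 with Perl
    5.10 or later for DNS names in Shorewall6 files) without failing on them.
    It assumes a POSIX shell and a <command>perl</command> on PATH; the
    function and variable names are the example's own.</para>

```shell
#!/bin/sh
# Added example: prerequisite check for the Shorewall Perl-based compiler.
# Not part of the Shorewall documentation or distribution; it only uses the
# module names and the "Perl 5.8 or later" requirement stated on this page.
# Assumes a POSIX shell and that `perl` is on PATH.

# Modules the compiler needs (the prerequisites list above).
REQUIRED_MODULES="Cwd File::Basename File::Temp Getopt::Long Carp FindBin Scalar::Util"
# Digest::SHA1 is needed by Shorewall 4.5 only; Socket6 (with Perl 5.10+) only
# when DNS names are used in Shorewall6 configuration files.
OPTIONAL_MODULES="Digest::SHA1 Socket6"
MIN_PERL=5.8

# perl_version_ok VERSION MINIMUM
# Returns 0 when VERSION (e.g. 5.14.2) is at least MINIMUM (e.g. 5.8).
# Major and minor fields are compared as integers.
perl_version_ok() {
    v_major=${1%%.*}
    case $1 in *.*) v_minor=${1#*.}; v_minor=${v_minor%%.*} ;; *) v_minor=0 ;; esac
    m_major=${2%%.*}
    case $2 in *.*) m_minor=${2#*.}; m_minor=${m_minor%%.*} ;; *) m_minor=0 ;; esac
    if [ "$v_major" -gt "$m_major" ]; then
        return 0
    elif [ "$v_major" -eq "$m_major" ] && [ "$v_minor" -ge "$m_minor" ]; then
        return 0
    fi
    return 1
}

# installed_perl_version: prints the interpreter version as X.Y.Z, or nothing
# if perl cannot be run.
installed_perl_version() {
    perl -e 'printf "%vd\n", $^V' 2>/dev/null
}

# perl_module_present NAME: returns 0 if NAME can be loaded by this perl.
perl_module_present() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# check_prerequisites: prints one line per item and returns 0 only when the
# interpreter is new enough and every required module loads. A missing
# optional module is reported but does not fail the check.
check_prerequisites() {
    status=0
    ver=$(installed_perl_version)
    if [ -z "$ver" ]; then
        echo "perl: not found"
        return 1
    fi
    if perl_version_ok "$ver" "$MIN_PERL"; then
        echo "perl $ver: ok"
    else
        echo "perl $ver: too old ($MIN_PERL or later required)"
        status=1
    fi
    for m in $REQUIRED_MODULES; do
        if perl_module_present "$m"; then
            echo "$m: ok"
        else
            echo "$m: MISSING (required)"
            status=1
        fi
    done
    for m in $OPTIONAL_MODULES; do
        if perl_module_present "$m"; then
            echo "$m: ok"
        else
            echo "$m: missing (optional; see the prerequisites list for when it is needed)"
        fi
    done
    return $status
}

if ! check_prerequisites; then
    echo "Prerequisites for the Perl-based compiler are not satisfied." >&2
fi
```

    <para>Run it on the system that will do the compiling; on a Shorewall-lite
    or Shorewall6-lite host only the generated script runs, so the Perl
    prerequisites do not apply there.</para>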
  </section>

  <section id="Incompatibilities">
    <title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
    Compiler</title>

    <para>The Shorewall Perl-based compiler is not 100% compatible with the
    Shorewall shell-based version. See <ulink url="Shorewall-perl.html">this
    document</ulink> for details.</para>
  </section>
</article>