Shorewall 1.4 - "iptables made easy"


What is it?

The Shoreline Firewall, more commonly known as  "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002, 2003 Thomas M. Eastep

Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.1!!!

News

3/17/2003 - Shorewall 1.4.0  (New)  

Shorewall 1.4 represents the next step in the evolution of Shorewall. The main thrust of the initial release is simply to remove the cruft that has accumulated in Shorewall over time.

IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip' utility).

Functions from 1.3 that have been omitted from this version include:
  1. The MERGE_HOSTS variable in shorewall.conf is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.

  2. Interface names of the form <device>:<integer> in /etc/shorewall/interfaces now generate an error.

  3. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error at startup as will specification of the 'noping' or 'filterping' interface options.

  4. The 'routestopped' option in the /etc/shorewall/interfaces and /etc/shorewall/hosts files is no longer supported and will generate an error at startup if specified.

  5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer accepted.

  6. The ALLOWRELATED variable in shorewall.conf is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.

  7. The icmp.def file has been removed.

Changes for 1.4 include:
  1. The /etc/shorewall/shorewall.conf file has been completely reorganized into logical sections.

  2. LOG is now a valid action for a rule (/etc/shorewall/rules).

  3. The firewall script, common functions file and version file are now installed in /usr/share/shorewall.

  4. Late arriving DNS replies are now silently dropped in the common chain by default.

  5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no longer unconditionally accepts outbound ICMP packets. So if you want to 'ping' from the firewall, you will need the appropriate rule or policy.

  6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).

  7. 802.11b devices with names of the form wlan<n> now support the 'maclist' option.

  8. Explicit Congestion Notification (ECN - RFC 3168) may now be turned off on a host or network basis using the new /etc/shorewall/ecn file. To use this facility:

       a) You must be running kernel 2.4.20
       b) You must have applied the patch in
       http://www.shorewall.net/pub/shorewall/ecn/patch.
       c) You must have iptables 1.2.7a installed.

  9. The /etc/shorewall/params file is now processed first so that variables may be used in the /etc/shorewall/shorewall.conf file.

  10. Shorewall now gives a more helpful diagnostic when the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' command is issued.

  11. The SHARED_DIR variable has been removed from shorewall.conf. This variable was for use by package maintainers and was not documented for general use.

  12. Shorewall now ignores 'default' routes when detecting masq'd networks.

3/11/2003 - Shorewall 1.3.14a (New)  

A rollup of the following bug fixes and other updates:

  • There is an updated rfc1918 file that reflects the recent allocation of 222.0.0.0/8 and 223.0.0.0/8. 
  • The documentation for the routestopped file claimed that a comma-separated list could appear in the second column while the code only supported a single host or network address. 
  • Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited. 
  • 802.11b devices with names of the form wlan<n> don't support the 'maclist' interface option. 
  • Log messages generated by RFC 1918 filtering are not rate limited. 
  • The firewall fails to start in the case where you have "eth0 eth1" in /etc/shorewall/masq and the default route is through eth1. 

2/8/2003 - Shorewall 1.3.14

New features include

  1. An OLD_PING_HANDLING option has been added to shorewall.conf. When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).

    When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies just like any other connection request. The FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will all generate an error.

  2. It is now possible to direct Shorewall to create a "label" such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of just the interface name:
     
       a) In the INTERFACE column of /etc/shorewall/masq
       b) In the INTERFACE column of /etc/shorewall/nat
     
  3. Support for OpenVPN Tunnels.

  4. Support for VLAN devices with names of the form $DEV.$VID (e.g., eth0.0)

  5. In /etc/shorewall/tcrules, the MARK value may be optionally followed by ":" and either 'F' or 'P' to designate that the marking will occur in the FORWARD or PREROUTING chains respectively. If this additional specification is omitted, the chain used to mark packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.

  6. When an interface name is entered in the SUBNET column of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic from only the first subnet defined on that interface. It did not masquerade traffic from:
     
       a) The subnets associated with other addresses on the interface.
       b) Subnets accessed through local routers.
     
    Beginning with Shorewall 1.3.14, if you enter an interface name in the SUBNET column, shorewall will use the firewall's routing table to construct the masquerading/SNAT rules.
     
    Example 1 -- This is how it works in 1.3.14.

       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
       [root@gateway test]# shorewall start
       ...
       Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
       Processing /etc/shorewall/tos...
     
    When upgrading to Shorewall 1.3.14, if you have multiple local subnets connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing. In most cases, you will simply be able to remove redundant entries. In some cases though, you might want to change from using the interface name to listing specific subnetworks if the change described above will cause masquerading to occur on subnetworks that you don't wish to masquerade.
     
    Example 2 -- Suppose that your current config is as follows:

       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       eth0                    192.168.10.0/24         206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
       [root@gateway test]#

    In this case, the second entry in /etc/shorewall/masq is no longer required.
     
    Example 3 -- What if your current configuration is like this?

       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
       [root@gateway test]#

    In this case, you would want to change the entry in /etc/shorewall/masq to:

       #INTERFACE              SUBNET                  ADDRESS
       eth0                    192.168.1.0/24          206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
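Before upgrading, an administrator can preview which networks an interface name in the SUBNET column would now masquerade. The following shell script is an added example, not Shorewall's own code: it expands an INTERFACE SUBNET ADDRESS masq entry against a constructed routing table in 'ip route show' format, skipping 'default' routes the way the 1.4 release note above describes, and prints the same "To ... from ... through ... using ..." lines that 'shorewall start' shows.

```shell
#!/bin/sh
# Constructed routing table in 'ip route show' format (not captured from a real host).
# The default route leaves via eth1, mirroring the 1.3.14a "eth0 eth1" bug report.
ROUTES='default via 10.0.0.1 dev eth1
10.0.0.0/30 dev eth1  proto kernel  scope link  src 10.0.0.2
206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176
192.168.1.0/24 dev eth2  scope link
192.168.10.0/24 dev eth2  proto kernel  scope link  src 192.168.10.254
192.168.20.0/24 via 192.168.1.2 dev eth2'

# masq_subnets DEV: print every destination network routed through DEV, one per
# line. 'default' entries are ignored, as Shorewall 1.4 does when detecting
# masqueraded networks. Networks reached via a local router (the 'via' lines)
# are included, which is exactly the behaviour change described in item 6.
masq_subnets() {
    printf '%s\n' "$ROUTES" | awk -v dev="$1" '
        $1 == "default" { next }
        { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) print $1 }'
}

# masq_rules INTERFACE SUBNET ADDRESS: expand one /etc/shorewall/masq line.
# A SUBNET column containing '/' is a literal network and is used as-is; anything
# else is treated as an interface name and replaced by its routed networks.
masq_rules() {
    iface=$1; spec=$2; addr=$3
    case $spec in
        */*) subnets=$spec ;;
        *)   subnets=$(masq_subnets "$spec") ;;
    esac
    for net in $subnets; do
        printf 'To 0.0.0.0/0 from %s through %s using %s\n' "$net" "$iface" "$addr"
    done
}

# Preview the entry from Example 1: three networks are now masqueraded, not one.
masq_rules eth0 eth2 206.124.146.176
```

If the preview lists a network you do not want masqueraded, replace the interface name in the SUBNET column with the specific networks, as Example 3 shows.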

2/5/2003 - Shorewall Support included in Webmin 1.060

Webmin version 1.060 now has Shorewall support included as standard. See http://www.webmin.com



This site is hosted by the generous folks at SourceForge.net

Donations
Shorewall is free but if you try it and find it useful, please consider making a donation to Starlight Children's Foundation. Thanks!

Updated 3/17/2003 - Tom Eastep