Shorwall Logo Shorewall 1.4 - "iptables made easy"
Shorewall 1.3 Site here
Shorewall 1.2 Site here

What is it?

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002, 2003 Thomas M. Eastep

Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.1!!!

News

4/12/2002 - Greater Seattle Linux Users Group Presentation (New)

This morning, I gave a Shorewall presentation to GSLUG. The presentation is in HTML format but was generated from Microsoft PowerPoint and is best viewed using Internet Explorer although Konqueror also seems to work reasonably well. Neither Opera or Netscape work well to view the presentation.

4/9/2003 - Shorewall 1.4.2 (New)

    Problems Corrected:

  1. TCP connection requests rejected out of the common chain are now properly rejected with TCP RST; previously, some of these requests were rejected with an ICMP port-unreachable response.
  2. 'traceroute -I' from behind the firewall previously timed out on the first hop (e.g., to the firewall). This has been worked around.

    New Features:

  1. Where an entry in the/etc/shorewall/hosts file specifies a particular host or network, Shorewall now creates an intermediate chain for handling input from the related zone. This can substantially reduce the number of rules traversed by connections requests from such zones.

  2. Any file may include an INCLUDE directive. An INCLUDE directive consists of the word INCLUDE followed by a file name and causes the contents of the named file to be logically included into the file containing the INCLUDE. File names given in an INCLUDE directive are assumed to reside in /etc/shorewall or in an alternate configuration directory if one has been specified for the command.
     
       Examples:
       shorewall/params.mgmt:
       MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
       TIME_SERVERS=4.4.4.4
       BACKUP_SERVERS=5.5.5.5
       ----- end params.mgmt -----
     
     
       shorewall/params:
       # Shorewall 1.3 /etc/shorewall/params
       [..]
       #######################################
     
       INCLUDE params.mgmt   
     
       # params unique to this host here
       #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
       ----- end params -----
     
     
       shorewall/rules.mgmt:
       ACCEPT net:$MGMT_SERVERS          $FW    tcp    22
       ACCEPT $FW          net:$TIME_SERVERS    udp    123
       ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22
       ----- end rules.mgmt -----
     
       shorewall/rules:
       # Shorewall version 1.3 - Rules File
       [..]
       #######################################
     
       INCLUDE rules.mgmt    
     
       # rules unique to this host here
       #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
       ----- end rules -----
     
    INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives are ignored with a warning message.

  3. Routing traffic from an interface back out that interface continues to be a problem. While I firmly believe that this should never happen, people continue to want to do it. To limit the damage that such nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in other words, 'routeback' can't be used as an option for a multi-zone interface. The 'routeback' option CAN be specified however on individual group entries in /etc/shorewall/hosts.
     
    The 'routeback' option is similar to the old 'multi' option with two exceptions:
     
       a) The option pertains to a particular zone,interface,address tuple.
     
       b) The option only created infrastructure to pass traffic from (zone,interface,address) tuples back to themselves (the 'multi' option affected all (zone,interface,address) tuples associated with the given 'interface').
     
    See the 'Upgrade Issues' for information about how this new option may affect your configuration.

More News

SourceForge Logo

This site is hosted by the generous folks at SourceForge.net

Donations


Shorewall is free but if you try it and find it useful, please consider making a donation to Starlight Children's Foundation. Thanks!

Updated 4/12/2003 - Tom Eastep