What is it?
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.
This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
Copyright 2001, 2002, 2003 Thomas M. Eastep

Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.1!!!
News
4/12/2002 - Greater Seattle Linux Users Group Presentation
This morning, I gave a Shorewall presentation to GSLUG. The presentation is in HTML format but was generated from Microsoft PowerPoint and is best viewed using Internet Explorer, although Konqueror also seems to work reasonably well. Neither Opera nor Netscape works well for viewing the presentation.
4/9/2003 - Shorewall 1.4.2
Problems Corrected:
- TCP connection requests rejected out of the common
chain are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.
- 'traceroute -I' from behind the firewall previously timed
out on the first hop (e.g., to the firewall). This has been worked around.
New Features:
- Where an entry in the /etc/shorewall/hosts file specifies a particular host or network, Shorewall now creates an intermediate chain for handling input from the related zone. This can substantially reduce the number of rules traversed by connection requests from such zones.
- Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the
INCLUDE. File names given in an INCLUDE directive are assumed to reside
in /etc/shorewall or in an alternate configuration directory if one has
been specified for the command.
Examples:
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----
INCLUDE directives may be nested to a level of 3; INCLUDE directives nested more deeply than that are ignored with a warning message.
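As an added example (not Shorewall's own code), the following Python models the INCLUDE expansion described above over constructed in-memory configuration files: a directive is replaced by the named file's contents, names resolve against the configuration directory, and an INCLUDE nested beyond three levels is dropped with a warning. Exactly where the depth counter trips is my reading of "nested to a level of 3", so treat that as an assumption.

```python
"""Expand Shorewall-style INCLUDE directives (illustrative, not Shorewall code)."""
import os

MAX_DEPTH = 3            # nesting limit stated in the release notes
CONFIG_DIR = "/etc/shorewall"

# Constructed stand-in for the configuration directory so the example runs
# offline; the chain rules -> rules.mgmt -> rules.l3 -> rules.l4 -> rules.l5
# is four INCLUDEs deep, one more than the limit allows.
FILES = {
    "/etc/shorewall/rules": (
        "# Shorewall version 1.3 - Rules File\n"
        "INCLUDE rules.mgmt\n"
        "ACCEPT loc $FW tcp 80\n"
        "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"),
    "/etc/shorewall/rules.mgmt": "ACCEPT net:$MGMT_SERVERS $FW tcp 22\nINCLUDE rules.l3\n",
    "/etc/shorewall/rules.l3": "ACCEPT $FW net:$TIME_SERVERS udp 123\nINCLUDE rules.l4\n",
    "/etc/shorewall/rules.l4": "ACCEPT $FW net:$BACKUP_SERVERS tcp 22\nINCLUDE rules.l5\n",
    "/etc/shorewall/rules.l5": "ACCEPT net $FW tcp 25\n",   # never reached: too deep
}


def read_config(name, config_dir=CONFIG_DIR):
    """Resolve a file name against the configuration directory, as INCLUDE does."""
    return FILES[os.path.join(config_dir, name)]


def expand(name, config_dir=CONFIG_DIR, depth=0, warnings=None):
    """Return (lines, warnings): the file with every INCLUDE spliced in place.

    depth counts INCLUDEs already on the path from the top-level file; once it
    reaches MAX_DEPTH a further INCLUDE is ignored and recorded as a warning
    (assumed interpretation of the documented limit).
    """
    if warnings is None:
        warnings = []
    out = []
    for lineno, raw in enumerate(read_config(name, config_dir).splitlines(), 1):
        fields = raw.split()
        if len(fields) == 2 and fields[0] == "INCLUDE":
            if depth >= MAX_DEPTH:
                warnings.append(f"{name}:{lineno}: INCLUDE {fields[1]} ignored, "
                                f"nested deeper than {MAX_DEPTH} levels")
                continue
            out.extend(expand(fields[1], config_dir, depth + 1, warnings)[0])
        else:
            out.append(raw)      # comments and rules pass through unchanged
    return out, warnings


if __name__ == "__main__":
    lines, warns = expand("rules")
    print("\n".join(lines))
    for w in warns:
        print("WARNING:", w)
```

Reviewing the expanded output this way shows the effective rule order, which matters because a rule spliced in from a shared fragment is evaluated before the host-specific rules that follow the INCLUDE.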
- Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.
The 'routeback' option is similar to the old 'multi' option with two exceptions:
a) The option pertains to a particular (zone,interface,address) tuple.
b) The option only creates infrastructure to pass traffic from a (zone,interface,address) tuple back to itself (the 'multi' option affected all (zone,interface,address) tuples associated with the given interface).
See the 'Upgrade Issues' for information
about how this new option may affect your configuration.
This site is hosted by the generous folks at SourceForge.net