Shorewall 1.3 - "iptables made easy"

What is it?

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002 Thomas M. Eastep

Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.10 and Kernel-2.4.18. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.0 Final!!!

This is a mirror of the main Shorewall web site at SourceForge (http://shorewall.sf.net)

News

12/3/2002 - Shorewall 1.3.11a 

This is a bug-fix roll up which includes Roger Aich's fix for DNAT with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who don't need rules of this type need not upgrade to 1.3.11.

11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 documenation. the PDF may be downloaded from

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    http://slovakia.shorewall.net/pub/shorewall/pdf/

11/24/2002 - Shorewall 1.3.11 

In this version:

• A 'tcpflags' option has been added to entries in /etc/shorewall/interfaces. This option causes Shorewall to make a set of sanity check on TCP packet header flags.
• It is now allowed to use 'all' in the SOURCE or DEST column in a rule. When used, 'all' must appear by itself (in may not be qualified) and it does not enable intra-zone traffic. For example, the rule
  
      ACCEPT loc all tcp 80
  
  does not enable http traffic from 'loc' to 'loc'.
• Shorewall's use of the 'echo' command is now compatible with bash clones such as ash and dash.
• fw->fw policies now generate a startup error. fw->fw rules generate a warning and are ignored

11/14/2002 - Shorewall Documentation in PDF Format

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. the PDF may be downloaded from

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    http://slovakia.shorewall.net/pub/shorewall/pdf/

11/09/2002 - Shorewall is Back at SourceForge

The main Shorewall web site is now back at SourceForge at http://shorewall.sf.net.

11/09/2002 - Shorewall 1.3.10

In this version:

• You may now define the contents of a zone dynamically with the "shorewall add" and "shorewall delete" commands. These commands are expected to be used primarily within FreeS/Wan updown scripts.
• Shorewall can now do MAC verification on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can optionally tie each MAC address to one or more IP addresses.
• PPTP Servers and Clients running on the firewall system may now be defined in the /etc/shorewall/tunnels file.
• A new 'ipsecnat' tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
• The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
• The main firewall script is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall to do the real work. This change makes custom distributions such as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends to have distribution-dependent code.

rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm

10/24/2002 - Shorewall is now in Gentoo Linux

10/23/2002 - Shorewall 1.3.10 Beta 1

• You may now define the contents of a zone dynamically with the "shorewall add" and "shorewall delete" commands. These commands are expected to be used primarily within FreeS/Wan updown scripts.
• Shorewall can now do MAC verification on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can optionally tie each MAC address to one or more IP addresses.
• PPTP Servers and Clients running on the firewall system may now be defined in the /etc/shorewall/tunnels file.
• A new 'ipsecnat' tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
• The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
• The main firewall script is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall to do the real work. This change makes custom distributions such as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends to have distribution-dependent code.

• http://www.shorewall.net/pub/shorewall/Beta
• ftp://ftp.shorewall.net/pub/shorewall/Beta
  

10/10/2002 -  Debian 1.3.9b Packages Available 

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

10/9/2002 - Shorewall 1.3.9b 

9/30/2002 - Shorewall 1.3.9a

9/30/2002 - TUNNELS Broken in 1.3.9!!!

9/28/2002 - Shorewall 1.3.9 

In this version:

• DNS Names are now allowed in Shorewall config files (although I recommend against using them).
• The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule.
• Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. This avoids nasty surprises at reboot for users who install Shorewall but don't configure it.
• The 'functions' and 'version' files and the 'firewall' symbolic link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease the LFS police at Debian.
  

More News

Donations