<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                                                                        
                                                                        
                   
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.4</title>
                                                                        
                                                                        
                                              <base target="_self">
</head>
  <body>
                                                                        
          
<table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
                                                                        
                  <tbody>
                                                                        
                 <tr>
                                                                        
                            <td width="33%" height="90" valign="middle"
 align="left"><a href="http://www.cityofshoreline.com"><img
 src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
 border="0">
                 </a></td>
                 <td valign="middle" width="34%" align="center">        
                                                                        
                                                                        
                                                                        
                                                    
      <h1><font color="#ffffff">Shorewall 1.4</font><i><font
 color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
                 </td>
                 <td valign="middle">                                   
                                         
      <h1 align="center"><a href="http://www.shorewall.net"
 target="_top"><img border="0" src="images/shorewall.jpg" width="119"
 height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
                                                                      </a></h1>
                 <br>
                 </td>
                                          </tr>
                                                                        
                                                                        
     
  </tbody>                                      
</table>
                                                                        
          
<div align="center">                                         
<center>                                         
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                                                                        
                    <tbody>
                                                                        
                 <tr>
                                                                        
                              <td width="90%">                          
                                                                        
                                                                        
                                                                        
                                             
      <h2 align="left">What is it?</h2>
                                                                        
                                                                        
                                                                        
                                                                        
                                       
      <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
                                                                        
                                                                        
                                                                        
                                                                        
                                       
      <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
      <br>
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.<br>
      <br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
                                                                        
                                                                        
                                                                        
                                                                        
                                       
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                    
      <h2>Getting Started with Shorewall</h2>
                               New to Shorewall? Start by selecting the <a
 href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
              matches your environment and follow the step-by-step instructions.<br>
       
      <h2>Looking for Information?</h2>
 The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation 
Index</a> is a good place to start as is the Quick Search to your right. 
     
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
                     If so, the documentation on this site will not
apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.<br>
       
      <h2>News</h2>
                                                                        
                                                                        
                                                                        
                                                                        
                            
                                           
      <p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b> <img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)"><br>
      </p>
      <p><b>Problems Corrected:</b><br>
  </p>
    
      <ol>
        <li>A problem seen on RH7.3 systems where Shorewall encountered start 
errors when started using the "service" mechanism has been worked around.<br>
      <br>
    </li>
        <li>Where a list of IP addresses appears in the DEST column of a
DNAT[-]  rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
     <br>
 </li>
        <li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br>
   </li>
      </ol>
    
      <p><b>Migration Issues:</b><br>
 </p>
 
      <ol>
        <li>In earlier versions, an undocumented feature allowed entries
in the hosts file (/etc/shorewall/hosts) as follows:<br>
     <br>
&nbsp;&nbsp;&nbsp; z&nbsp;&nbsp;&nbsp; eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
     <br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
     <br>
&nbsp;&nbsp;&nbsp; z&nbsp;&nbsp;&nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
     <br>
   </li>
        <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically 
detected by Shorewall (see below).<br>
   </li>
      </ol>
 
      <p><b>New Features:</b><br>
  </p>
    
      <ol>
        <li>A 'newnotsyn' interface option has been added. This option may
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No 
for packets arriving on the associated interface.<br>
      <br>
    </li>
        <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
 to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
 ranges.<br>
      <br>
    </li>
        <li>Shorewall can now add IP addresses to subnets other than the
first  one on an interface.<br>
      <br>
    </li>
        <li>DNAT[-] rules may now be used to load balance (round-robin) over
a set of servers. Servers may be specified in a range of addresses given
as &lt;first address&gt;-&lt;last address&gt;.<br>
      <br>
  Example:<br>
      <br>
&nbsp;&nbsp;&nbsp; DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
      <br>
    </li>
        <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
 have been removed and have been replaced by code that detects whether these
 capabilities are present in the current kernel. The output of the start,
restart and check commands has been enhanced to report the outcome:<br>
      <br>
  Shorewall has detected the following iptables/netfilter capabilities:<br>
&nbsp;&nbsp;&nbsp; NAT: Available<br>
&nbsp;&nbsp;&nbsp; Packet Mangling: Available<br>
&nbsp;&nbsp;&nbsp; Multi-port Match: Available<br>
  Verifying Configuration...<br>
      <br>
    </li>
        <li>Support for the Connection Tracking Match Extension has been
added.  This extension is available in recent kernel/iptables releases and
allows  for rules which match against elements in netfilter's connection
tracking  table. Shorewall automatically detects the availability of this
extension  and reports its availability in the output of the start, restart
and check  commands.<br>
      <br>
  Shorewall has detected the following iptables/netfilter capabilities:<br>
&nbsp;&nbsp;&nbsp; NAT: Available<br>
&nbsp;&nbsp;&nbsp; Packet Mangling: Available<br>
&nbsp;&nbsp;&nbsp; Multi-port Match: Available<br>
&nbsp;&nbsp;&nbsp; Connection Tracking Match: Available<br>
  Verifying Configuration...<br>
      <br>
  If this extension is available, the ruleset generated by Shorewall is changed
 in the following ways:
        <ul>
          <li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
          <li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
        <br>
      </li>
        </ul>
      </li>
        <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
 may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
     <br>
 </li>
        <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
     <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt; ]<br>
     <br>
 Examples:<br>
     <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CIDR=192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETMASK=255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETWORK=192.168.1.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BROADCAST=192.168.1.255<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [root@wookie root]#<br>
     <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CIDR=192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETMASK=255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETWORK=192.168.1.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BROADCAST=192.168.1.255<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [root@wookie root]#<br>
     <br>
 Warning:<br>
     <br>
 If your shell only supports 32-bit signed arithmetic (ash or dash), then
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
and for /1 networks. Bash should produce correct information for all valid
IP addresses.<br>
     <br>
   </li>
        <li>An 'iprange' command has been added to /sbin/shorewall.<br>
     <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iprange &lt;address&gt;-&lt;address&gt;<br>
     <br>
 This command decomposes a range of IP addresses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
     <br>
 Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br>
     <br>
 Example:<br>
     <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.4/30<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.8/29<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.16/28<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.32/27<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.64/26<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.128/25<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.2.0/23<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.4.0/22<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.8.0/22<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.12.0/29<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.12.8/31<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]#<br>
     <br>
   </li>
        <li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
     <br>
 Example:<br>
     <br>
&nbsp;&nbsp;&nbsp; foo&nbsp;&nbsp;&nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
   </li>
      </ol>
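      <p>The following is an added example, not part of this page or of Shorewall's
generated ruleset. It shows why the Connection Tracking Match Extension described
above tightens a DNAT rule: the nat rule rewrites the destination, and the filter
rule must then accept the rewritten packet. Without the conntrack match the filter
rule accepts anything addressed to the internal server on that port, whether or not
it passed through the nat rule; with <code>-m conntrack --ctorigdst</code> (a real
iptables option) it only accepts connections whose original destination was the
public address. The chain names <code>net_dnat</code> and <code>net2loc</code>, the
public address 203.0.113.10 and the two connection records are constructed for the
illustration; the single server stands in for the address range in the DNAT example above.</p>
```python
# Added example (not Shorewall code): the netfilter rule pair behind a DNAT
# port-forward, rendered as iptables commands and evaluated against two
# constructed connection records. Chain names are assumed for illustration.


def build_rules(public_ip, server, proto, port, conntrack_match):
    """Return (nat_rule, filter_rule) as dicts for one DNAT port-forward.

    conntrack_match: whether the kernel/iptables provide the conntrack match;
    when True the filter rule is pinned to the original destination address.
    """
    nat = {"table": "nat", "proto": proto, "dport": port, "dst": public_ip,
           "target": "DNAT", "to": server}
    flt = {"table": "filter", "proto": proto, "dport": port, "dst": server,
           "target": "ACCEPT",
           "ctorigdst": public_ip if conntrack_match else None}
    return nat, flt


def render(rule):
    """Render a rule dict as the equivalent iptables command line."""
    parts = ["iptables"]
    if rule["table"] == "nat":
        parts += ["-t", "nat", "-A", "net_dnat"]   # assumed chain name
    else:
        parts += ["-A", "net2loc"]                  # assumed chain name
    parts += ["-p", rule["proto"], "--dport", str(rule["dport"]), "-d", rule["dst"]]
    if rule.get("ctorigdst"):
        parts += ["-m", "conntrack", "--ctorigdst", rule["ctorigdst"]]
    parts += ["-j", rule["target"]]
    if rule["target"] == "DNAT":
        parts += ["--to-destination", rule["to"]]
    return " ".join(parts)


def filter_accepts(flt, conn):
    """Evaluate a filter rule against a connection record.

    conn: proto, dport, dst (destination after any DNAT) and origdst (the
    address the client actually connected to, as conntrack records it).
    """
    if conn["proto"] != flt["proto"] or conn["dport"] != flt["dport"]:
        return False
    if conn["dst"] != flt["dst"]:
        return False
    if flt["ctorigdst"] and conn["origdst"] != flt["ctorigdst"]:
        return False
    return True


# Constructed connection records (203.0.113.10 is a documentation address).
# FORWARDED went through the nat rule: client connected to the public address.
FORWARDED = {"proto": "tcp", "dport": 80, "dst": "192.168.10.2", "origdst": "203.0.113.10"}
# DIRECT arrived from the net zone already addressed to the internal server,
# so the nat rule never matched it; only the pinned filter rule rejects it.
DIRECT = {"proto": "tcp", "dport": 80, "dst": "192.168.10.2", "origdst": "192.168.10.2"}

if __name__ == "__main__":
    for has_conntrack in (False, True):
        nat, flt = build_rules("203.0.113.10", "192.168.10.2", "tcp", 80, has_conntrack)
        print(render(nat))
        print(render(flt))
        print("  forwarded accepted:", filter_accepts(flt, FORWARDED))
        print("  direct accepted:   ", filter_accepts(flt, DIRECT))
```
      <p>Run with both values of the conntrack flag, the loose filter rule accepts
both records while the pinned rule accepts only the forwarded one, which is the
tightening the release note describes.</p>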
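      <p>The following is an added example, not Shorewall's own code, covering both
the 'ipcalc' and the 'iprange' items above. It re-implements the two calculations
in Python: ipcalc derives CIDR, netmask, network and broadcast from either input
form, and iprange decomposes a first-last range into the minimal list of CIDR
blocks with the greedy aligned-block algorithm, which reproduces the output shown
for 192.168.1.4-192.168.12.9. Because Python integers are unbounded, the 32-bit
signed arithmetic caveat for ash/dash does not arise; <code>as_signed32</code>
only shows what such a shell sees for 128.0.0.0. The function names are the
example's own; the test values are taken from the release note.</p>
```python
# Added example (not Shorewall code): Python versions of the calculations
# behind "shorewall ipcalc" and "shorewall iprange".
import ipaddress


def dotted_to_int(addr):
    """Parse a dotted-quad IPv4 address into an unsigned 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted quad: %r" % addr)
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range in %r" % addr)
        value = (value << 8) | n
    return value


def int_to_dotted(value):
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask_to_vlsm(mask):
    """Convert a dotted netmask to a prefix length, rejecting non-contiguous masks."""
    m = dotted_to_int(mask)
    vlsm = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - vlsm)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous netmask %r" % mask)
    return vlsm


def ipcalc(spec, netmask=None):
    """Return the CIDR/NETMASK/NETWORK/BROADCAST values ipcalc prints.

    Accepts ipcalc("192.168.1.0/24") or ipcalc("192.168.1.0", "255.255.255.0").
    """
    if netmask is not None:
        addr, vlsm = spec, netmask_to_vlsm(netmask)
    else:
        addr, vlsm_str = spec.split("/", 1)
        vlsm = int(vlsm_str)
    if not 0 <= vlsm <= 32:
        raise ValueError("invalid prefix length %d" % vlsm)
    mask = (0xFFFFFFFF << (32 - vlsm)) & 0xFFFFFFFF
    network = dotted_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {"CIDR": "%s/%d" % (int_to_dotted(network), vlsm),
            "NETMASK": int_to_dotted(mask),
            "NETWORK": int_to_dotted(network),
            "BROADCAST": int_to_dotted(broadcast)}


def iprange(spec):
    """Decompose "<first>-<last>" into the minimal list of CIDR blocks.

    Greedy: from the current start, take the largest block that is aligned
    on its own size and does not run past the end of the range.
    """
    first, last = spec.split("-", 1)
    start, end = dotted_to_int(first), dotted_to_int(last)
    if start > end:
        raise ValueError("range end precedes start: %r" % spec)
    blocks = []
    while start <= end:
        size = 1
        while (size < 2 ** 32 and start % (size * 2) == 0
               and start + size * 2 - 1 <= end):
            size *= 2
        vlsm = 33 - size.bit_length()
        blocks.append("%s/%d" % (int_to_dotted(start), vlsm))
        start += size
    return blocks


def matches_stdlib(spec):
    """Cross-check iprange against ipaddress.summarize_address_range."""
    first, last = spec.split("-", 1)
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return iprange(spec) == expected


def as_signed32(value):
    """How a shell with only signed 32-bit arithmetic sees a 32-bit value:
    128.0.0.0 (0x80000000) becomes negative, which is the cause of the
    ipcalc/iprange caveat for ash and dash."""
    return value - (1 << 32) if value & 0x80000000 else value


if __name__ == "__main__":
    for k, v in ipcalc("192.168.1.0/24").items():
        print("%s=%s" % (k, v))
    for block in iprange("192.168.1.4-192.168.12.9"):
        print(block)
```
      <p>The standard-library cross-check is there so the greedy loop can be
trusted on ranges other than the one in the release note, including ranges that
cross 128.0.0.0.</p>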
      <p><b>6/17/2003 - Shorewall-1.4.5</b></p>
                                                         
      <p>Problems Corrected:<br>
        </p>
                                                         
      <ol>
               <li>The command "shorewall debug try &lt;directory&gt;" now
 correctly   traces the attempt.</li>
               <li>The INCLUDE directive now works properly in the zones
file;    previously, INCLUDE in that file was ignored.</li>
               <li>/etc/shorewall/routestopped records with an empty second 
 column   are no longer ignored.<br>
          </li>
                                                       
      </ol>
                                                         
      <p>New Features:<br>
        </p>
                                                         
      <ol>
               <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!" then
the rule will take effect only if the original destination address in
the connection request does not match any of the addresses listed.</li>
                                                       
      </ol>
                                                       
      <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b></p>
                                                                 
      <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
    and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
problems     have been encountered with this set of software. The Shorewall
version  is   1.4.4b plus the accumulated changes for 1.4.5.<br>
         </p>
                                                                 
      <p><b>6/8/2003 - Updated Samples</b></p>
                                                                        
      <p>Thanks to Francesca Smith, the samples have been updated to Shorewall 
    version 1.4.4.</p>
                                                                        
                                                                        
                                                                      
      <p><a href="News.htm">More News</a></p>
                                                                        
                                                                        
                                                                        
                                                                        
                            
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)"></a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on a floppy, CD or compact flash)
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their work at: <a
 href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br>
      </a></p>
                                                                        
                                                                        
      <b>Congratulations to Jacques and Eric on the recent release of Bering 1.2!!! </b><br>
                                                                        
                                                                        
                             
      <h2><a name="Donations"></a>Donations</h2>
                                                                  </td>
                                                                        
                              <td width="88" bgcolor="#4b017c"
 valign="top" align="center">                                           
                                                                        
                                                                        
             
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch">                   
      <strong><br>
      <font color="#ffffff"><b>Note: </b></font></strong><font
 color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
                                                                         
                                                                        
                                                                        
                                   
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
                                                                    <font
 face="Arial" size="-1">        <input type="text" name="words"
 size="15"></font><font size="-1"> </font>      <font face="Arial"
 size="-1">     <input type="hidden" name="format" value="long">     <input
 type="hidden" name="method" value="and">     <input type="hidden"
 name="config" value="htdig">     <input type="submit" value="Search"></font> 
           </p>
                                                                    <font
 face="Arial">            <input type="hidden" name="exclude"
 value="[http://lists.shorewall.net/pipermail/*]">   </font>        </form>
                                                                        
                                                                        
                                                                        
    
      <p><font color="#ffffff"><b><a
 href="http://lists.shorewall.net/htdig/search.html"><font
 color="#ffffff">Extended Search</font></a></b></font></p>
                                 <br>
                                              </td>
                                                                        
                        </tr>
                                                                        
                                                                        
                   
  </tbody>                                         
</table>
                                                                        
              </center>
                                                                        
            </div>
                                                                        
          
<table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
                                                                        
             <tbody>
                                                                        
                 <tr>
                                                                        
                       <td width="100%" style="margin-top: 1px;"
 valign="middle">                                                        
                                                                        
                                                                        
                                                                        
             
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10" alt="(Starlight Logo)">
                                                                        
                         </a></p>
                                                                        
                                                                        
                                                                        
                                                                        
                                       
      <p align="center"><font size="4" color="#ffffff"><br>
      <font size="+2"> Shorewall is free but if you try it
 and find it useful, please consider making a donation to <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
 Foundation.</font></a> Thanks!</font></font></p>
                                                                        
                       </td>
                                                                        
                 </tr>
                                                                        
                                                                        
                   
  </tbody>                                         
</table>
                                                                        
          
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
                                                                    <br>
</p>
</body>
</html>