
Shorewall 1.4 "iptables made easy"

What is it?

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002, 2003 Thomas M. Eastep


Getting Started with Shorewall

New to Shorewall? Start by selecting the QuickStart Guide that most closely matches your environment and follow its step-by-step instructions.

News

5/10/2003 - Shorewall Mirror in Asia (New)

Ed Greshko has established a mirror in Taiwan -- Thanks Ed!

5/8/2003 - Shorewall Mirror in Chile (New)  

Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.

4/26/2003 - lists.shorewall.net Downtime (New)

The list server will be down this morning for upgrade to RH9.0.

4/21/2003 - Samples updated for Shorewall version 1.4.2 (New)

Thanks to Francesca Smith, the sample configurations are now upgraded to Shorewall version 1.4.2.

4/12/2003 - Greater Seattle Linux Users Group Presentation (New)

This morning, I gave a Shorewall presentation to GSLUG. The presentation is in HTML format but was generated from Microsoft PowerPoint and is best viewed using Internet Explorer (although Konqueror also seems to work reasonably well, as does Opera 7.1.0). Neither Opera 6 nor Netscape works well for viewing the presentation.

4/9/2003 - Shorewall 1.4.2 (New)

Problems Corrected:

  1. TCP connection requests rejected out of the common chain are now properly rejected with TCP RST; previously, some of these requests were rejected with an ICMP port-unreachable response.
  2. 'traceroute -I' from behind the firewall previously timed out on the first hop (the firewall itself). This has been worked around.

New Features:

  1. Where an entry in the /etc/shorewall/hosts file specifies a particular host or network, Shorewall now creates an intermediate chain for handling input from the related zone. This can substantially reduce the number of rules traversed by connection requests from such zones.

  2. Any file may include an INCLUDE directive. An INCLUDE directive consists of the word INCLUDE followed by a file name and causes the contents of the named file to be logically included into the file containing the INCLUDE. File names given in an INCLUDE directive are assumed to reside in /etc/shorewall or in an alternate configuration directory if one has been specified for the command.

    Examples:
    shorewall/params.mgmt:
    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
    TIME_SERVERS=4.4.4.4
    BACKUP_SERVERS=5.5.5.5
    ----- end params.mgmt -----


    shorewall/params:
    # Shorewall 1.3 /etc/shorewall/params
    [..]
    #######################################

    INCLUDE params.mgmt

    # params unique to this host here
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    ----- end params -----


    shorewall/rules.mgmt:
    ACCEPT net:$MGMT_SERVERS $FW tcp 22
    ACCEPT $FW net:$TIME_SERVERS udp 123
    ACCEPT $FW net:$BACKUP_SERVERS tcp 22
    ----- end rules.mgmt -----

    shorewall/rules:
    # Shorewall version 1.3 - Rules File
    [..]
    #######################################

    INCLUDE rules.mgmt

    # rules unique to this host here
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    ----- end rules -----

    INCLUDEs may be nested to a level of 3 -- further nested INCLUDE directives are ignored with a warning message.

  3. Routing traffic from an interface back out that interface continues to be a problem. While I firmly believe that this should never happen, people continue to want to do it. To limit the damage that such nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in other words, 'routeback' can't be used as an option for a multi-zone interface. The 'routeback' option CAN be specified however on individual group entries in /etc/shorewall/hosts.

    The 'routeback' option is similar to the old 'multi' option with two exceptions:

    a) The option pertains to a particular zone,interface,address tuple.

    b) The option only creates infrastructure to pass traffic from a (zone,interface,address) tuple back to itself (the 'multi' option affected all (zone,interface,address) tuples associated with the given 'interface').

    See the 'Upgrade Issues' for information about how this new option may affect your configuration.
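The following is an added illustration of how the INCLUDE directive described under New Features item 2 can be processed, with the three-level nesting limit and the warning for deeper INCLUDEs. It is not Shorewall's own code; CONF_DIR, MAX_NEST, read_config and make_samples are names chosen for this example, and the sample files it writes into a temporary directory are constructed here rather than taken from any real installation.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): expand INCLUDE directives in a
# config file, honouring them up to MAX_NEST levels deep and warning on deeper
# ones. CONF_DIR, MAX_NEST, read_config and make_samples are assumed names.

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
MAX_NEST=3

# read_config FILE NEST
# Print FILE to stdout, logically replacing each "INCLUDE name" line with the
# contents of $CONF_DIR/name. NEST is the depth of FILE (top-level file = 0);
# an INCLUDE is honoured only while NEST < MAX_NEST, otherwise it is skipped
# with a warning on stderr. The body runs in a subshell so every recursive call
# gets its own copy of file/nest without relying on a non-POSIX 'local'.
read_config() (
    file="$1"; nest="$2"
    set -f                      # no glob expansion when splitting config lines
    [ -f "$file" ] || { echo "ERROR: $file not found" >&2; exit 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line            # split the line into words; $1 is the keyword
        if [ "$1" = "INCLUDE" ]; then
            if [ "$nest" -lt "$MAX_NEST" ]; then
                read_config "$CONF_DIR/$2" $((nest + 1))
            else
                echo "WARNING: INCLUDE $2 in $file ignored (nested too deeply)" >&2
            fi
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
)

# Constructed sample tree: rules -> rules.mgmt -> rules.l2 -> rules.l3 -> rules.l4.
# rules.l3 is at nesting level 3, so its INCLUDE of rules.l4 must be ignored and
# the "tcp 80" rule in rules.l4 must never appear in the expansion.
make_samples() {
    printf '# rules file\nINCLUDE rules.mgmt\n# rules unique to this host\n' > "$CONF_DIR/rules"
    printf 'ACCEPT net:$MGMT_SERVERS $FW tcp 22\nINCLUDE rules.l2\n' > "$CONF_DIR/rules.mgmt"
    printf 'ACCEPT $FW net:$TIME_SERVERS udp 123\nINCLUDE rules.l3\n' > "$CONF_DIR/rules.l2"
    printf 'ACCEPT $FW net:$BACKUP_SERVERS tcp 22\nINCLUDE rules.l4\n' > "$CONF_DIR/rules.l3"
    printf 'ACCEPT net $FW tcp 80\n' > "$CONF_DIR/rules.l4"
}

# Stand-alone demonstration: three ACCEPT rules are printed, and a warning about
# rules.l4 goes to stderr.
make_samples
read_config "$CONF_DIR/rules" 0
```

The depth counter is what keeps a mistaken or malicious self-including file (a rules file that INCLUDEs itself) from looping forever; without the limit the reader would never terminate, which matters for anything that runs at boot before the firewall is up.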

More News

Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.2!!!

Donations




Shorewall is free but if you try it and find it useful, please consider making a donation to Starlight Children's Foundation. Thanks!

Updated 5/12/2003 - Tom Eastep