What is it?
The Shoreline Firewall, more commonly known as "Shorewall", is
a Netfilter (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.
This program is free software; you can redistribute it and/or modify
it
under the terms of Version 2 of the
GNU General Public License as published by the Free Software
Foundation.
This
program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See
the GNU General Public License for more details.
You
should have received a copy of the GNU General
Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA
Copyright 2001, 2002, 2003 Thomas M. Eastep
Getting Started with Shorewall
New to Shorewall? Start by selecting the QuickStart Guide that most closely
match your environment and follow the step by step instructions.
News
5/10/2003 - Shorewall Mirror in Asia
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
5/8/2003 - Shorewall Mirror in Chile
Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.
4/26/2003 - lists.shorewall.net Downtime
The list server will be down this morning for upgrade to RH9.0.
4/21/2003 - Samples updated for Shorewall version 1.4.2
Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.
4/12/2002 - Greater Seattle Linux Users Group Presentation
This morning, I gave a
Shorewall presentation to GSLUG. The presentation is in
HTML format but was generated from Microsoft PowerPoint and is best viewed
using Internet Explorer (although Konqueror also seems to work reasonably
well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to view
the presentation.
4/9/2003 - Shorewall 1.4.2
Problems Corrected:
- TCP connection requests rejected out of the
common chain are now properly rejected with TCP
RST; previously, some of these requests were rejected with an ICMP
port-unreachable response.
- 'traceroute -I' from behind the firewall previously
timed out on the first hop (e.g., to the firewall). This has been
worked around.
New Features:
- Where an entry in the/etc/shorewall/hosts file
specifies a particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can substantially
reduce the number of rules traversed by connections requests from such
zones.
- Any file may include an INCLUDE directive. An
INCLUDE directive consists of the word INCLUDE followed by a file
name and causes the contents of the named file to be logically included
into the file containing the INCLUDE. File names given in an INCLUDE
directive are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command.
Examples:
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE
----- end rules -----
INCLUDE's may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.
- Routing traffic from an interface back out that
interface continues to be a problem. While I firmly believe that
this should never happen, people continue to want to do it. To limit
the damage that such nonsense produces, I have added a new 'routeback'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When
used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual
group entries in /etc/shorewall/hosts.
The 'routeback' option is similar to the old 'multi' option
with two exceptions:
a) The option pertains to a particular zone,interface,address
tuple.
b) The option only created infrastructure to pass traffic
from (zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').
See the 'Upgrade Issues'
for information about how this new option may affect your configuration.
More News
Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called Bering that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: http://leaf.sourceforge.net/devel/jnilo
Congratulations to Jacques and Eric on the recent release of Bering
1.2!!!
Donations
|
Extended Search
|