Shorwall Logo Shorewall 1.3 - "iptables made easy"

Shorewall 1.2 Site here

What is it?

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002, 2003 Thomas M. Eastep

Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.10 and Kernel-2.4.18. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

Congratulations to Jacques and Eric on the recent release of Bering 1.0 Final!!!

News

1/13/2003 - Shorewall 1.3.13 (New)

Just includes a few things that I had on the burner:

  1. A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules file. DNAT- is intended for advanced users who wish to minimize the number of rules that connection requests must traverse.

    A Shorewall DNAT rule actually generates two iptables rules: a header rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- rule only generates the first of these rules. This is handy when you have several DNAT rules that would generate the same ACCEPT rule.

       Here are three rules from my previous rules file:

            DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
            DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
            ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...

       These three rules ended up generating _three_ copies of

             ACCEPT net  dmz:206.124.146.177 tcp smtp

       By writing the rules this way, I end up with only one copy of the ACCEPT rule.

            DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
            DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
            ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....

  2. The 'shorewall check' command now prints out the applicable policy between each pair of zones.

  3. A new CLEAR_TC option has been added to shorewall.conf. If this option is set to 'No' then Shorewall won't clear the current traffic control rules during [re]start. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, your traffic shaping rules can still use the 'fwmark' classifier based on packet marking defined in /etc/shorewall/tcrules.

  4. A new SHARED_DIR variable has been added that allows distribution packagers to easily move the shared directory (default /usr/lib/shorewall). Users should never have a need to change the value of this shorewall.conf setting.

1/6/2003 - BURNOUT

Until further notice, I will not be involved in either Shorewall Development or Shorewall Support

-Tom Eastep

12/30/2002 - Shorewall Documentation in PDF Format

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. the PDF may be downloaded from

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    http://slovakia.shorewall.net/pub/shorewall/pdf/

12/27/2002 - Shorewall 1.3.12 Released

Features include:

  1. "shorewall refresh" now reloads the traffic shaping rules (tcrules and tcstart).
  2. "shorewall debug [re]start" now turns off debugging after an error occurs. This places the point of the failure near the end of the trace rather than up in the middle of it.
  3. "shorewall [re]start" has been speeded up by more than 40% with my configuration. Your milage may vary.
  4. A "shorewall show classifiers" command has been added which shows the current packet classification filters. The output from this command is also added as a separate page in "shorewall monitor"
  5. ULOG (must be all caps) is now accepted as a valid syslog level and causes the subject packets to be logged using the ULOG target rather than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) and log all Shorewall messages to a separate log file.
  6. If you are running a kernel that has a FORWARD chain in the mangle table ("shorewall show mangle" will show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking input packets based on their destination even when you are using Masquerading or SNAT.
  7. I have cluttered up the /etc/shorewall directory with empty 'init', 'start', 'stop' and 'stopped' files. If you already have a file with one of these names, don't worry -- the upgrade process won't overwrite your file.
  8. I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies the syslog level at which packets are logged as a result of entries in the /etc/shorewall/rfc1918 file. Previously, these packets were always logged at the 'info' level.

12/20/2002 - Shorewall 1.3.12 Beta 3

This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail to start and "shorewall refresh" would also fail.

You may download the Beta from:

http://www.shorewall.net/pub/shorewall/Beta
ftp://ftp.shorewall.net/pub/shorewall/Beta

12/20/2002 - Shorewall 1.3.12 Beta 2

The first public Beta version of Shorewall 1.3.12 is now available (Beta 1 was made available only to a limited audience).

Features include:

  1. "shorewall refresh" now reloads the traffic shaping rules (tcrules and tcstart).
  2. "shorewall debug [re]start" now turns off debugging after an error occurs. This places the point of the failure near the end of the trace rather than up in the middle of it.
  3. "shorewall [re]start" has been speeded up by more than 40% with my configuration. Your milage may vary.
  4. A "shorewall show classifiers" command has been added which shows the current packet classification filters. The output from this command is also added as a separate page in "shorewall monitor"
  5. ULOG (must be all caps) is now accepted as a valid syslog level and causes the subject packets to be logged using the ULOG target rather than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) and log all Shorewall messages to a separate log file.
  6. If you are running a kernel that has a FORWARD chain in the mangle table ("shorewall show mangle" will show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking input packets based on their destination even when you are using Masquerading or SNAT.
  7. I have cluttered up the /etc/shorewall directory with empty 'init', 'start', 'stop' and 'stopped' files. If you already have a file with one of these names, don't worry -- the upgrade process won't overwrite your file.
You may download the Beta from:
http://www.shorewall.net/pub/shorewall/Beta
ftp://ftp.shorewall.net/pub/shorewall/Beta

12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux

Shorewall is at the center of MandrakeSofts's recently-announced Multi Network Firewall (MNF) product. Here is the press release.

12/7/2002 - Shorewall Support for Mandrake 9.0

Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally delivered. I have installed 9.0 on one of my systems and I am now in a position to support Shorewall users who run Mandrake 9.0.

12/6/2002 -  Debian 1.3.11a Packages Available

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

12/3/2002 - Shorewall 1.3.11a

This is a bug-fix roll up which includes Roger Aich's fix for DNAT with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who don't need rules of this type need not upgrade to 1.3.11.

11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 documenation. the PDF may be downloaded from

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    http://slovakia.shorewall.net/pub/shorewall/pdf/

11/24/2002 - Shorewall 1.3.11

In this version:

  • A 'tcpflags' option has been added to entries in /etc/shorewall/interfaces. This option causes Shorewall to make a set of sanity check on TCP packet header flags.
  • It is now allowed to use 'all' in the SOURCE or DEST column in a rule. When used, 'all' must appear by itself (in may not be qualified) and it does not enable intra-zone traffic. For example, the rule

        ACCEPT loc all tcp 80

    does not enable http traffic from 'loc' to 'loc'.
  • Shorewall's use of the 'echo' command is now compatible with bash clones such as ash and dash.
  • fw->fw policies now generate a startup error. fw->fw rules generate a warning and are ignored

11/14/2002 - Shorewall Documentation in PDF Format

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. the PDF may be downloaded from

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    http://slovakia.shorewall.net/pub/shorewall/pdf/

More News

SourceForge Logo

This site is hosted by the generous folks at SourceForge.net

Donations

Shorewall is free but if you try it and find it useful, please consider making a donation to Starlight Children's Foundation. Thanks!

Updated 1/6/2003 - Tom Eastep