Introduction to Shorewall
This is the Shorewall 1.4 Web Site
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:
Glossary
- Netfilter - the
packet filter facility built into the 2.4 and later Linux kernels.
- ipchains - the packet filter facility built into the 2.2
Linux kernels. Also the name of the utility program used to configure
and control that facility. Netfilter can be used in ipchains
compatibility mode.
- iptables - the utility program used to configure and
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).
What is Shorewall?
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
the iptables utility, Shorewall configures Netfilter to match your
requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux
system. Shorewall does not use Netfilter's ipchains compatibility mode
and can thus take advantage of Netfilter's connection state tracking
capabilities.
Shorewall is not a
daemon. Once Shorewall has configured Netfilter, it's job is complete
although the /sbin/shorewall
program can be used at any time to monitor the Netfilter firewall.
Getting Started with Shorewall
New to Shorewall? Start by selecting the QuickStart Guide that most
closely match your environment and follow the step by step instructions.
Looking for Information?
The Documentation
Index is a good place to start as is the Quick Search in the frame
above.
License
This program is free software; you can redistribute it and/or modify it
under the terms of Version
2 of the GNU General Public License as published by the Free
Software Foundation.
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more detail.
You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free
Documentation License".
Copyright © 2001-2003 Thomas M. Eastep
Running Shorewall on Mandrake with a two-interface setup?
If so, the documentation on this site will not apply directly
to your setup. If you want to use the documentation that you find here,
you will want to consider uninstalling what you have and installing a
setup that matches the documentation on this site. See the Two-interface QuickStart Guide for
details.
News
12/29/2003 - Shorewall 1.4.9 Beta 2
Problems Corrected since version 1.4.8:
- There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
all instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files.
- The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.
- Wild-card rules (those involving "all" as SOURCE or DEST)
will no longer produce an error if they attempt to add a rule that
would override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.
- DNAT rules that also specified SNAT now work reliably.
Previously, there were cases where the SNAT specification was
effectively ignored.
Migration Issues:
None.
New Features:
- The documentation has been completely rebased to Docbook
XML. The documentation is now released as separate HTML and XML
packages.
- To cut down on the number of "Why are these ports closed
rather than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
- For easier identification, packets logged under the
'norfc1918' interface option are now logged out of chains named
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.
- Distributors and developers seem to be regularly inventing
new naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX is
not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
To see what suffix is used by your distribution:
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
All of the files listed should have the same suffix (extension). Set
MODULE_SUFFIX to that suffix.
Examples:
If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"
If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"
- Support for user defined rule ACTIONS has been implemented
through two new files:
/etc/shorewall/actions - used to list the user-defined ACTIONS.
/etc/shorewall/action.template - For each user defined <action>,
copy this file to /etc/shorewall/action.<action> and add the
appropriate rules for that <action>. Once an <action> has
been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
DROP, etc.) in /etc/shorewall/rules.
Example: You want an action that logs a packet at the 'info' level and
accepts the connection.
In /etc/shorewall/actions, you would add:
LogAndAccept
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
rules:
LOG:info
ACCEPT
- The default value for NEWNOTSYN in shorewall.conf is now
"Yes" (non-syn TCP packets that are not part of an existing connection
are filtered according to the rules and policies rather than being
dropped). I have made this change for two reasons:
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.
12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
On-line
Our high-capacity server has been restored to service --
please let us know if you
find any problems.
12/03/2003 - Support Torch Passed
Effective today, I am reducing my participation in the day-to-day
support of Shorewall. As part of this shift to community-based
Shorewall support a new Shorewall
Newbies mailing list has been established to field questions and
problems from new users. I will not monitor that list personally. I
will continue my active development of Shorewall and will be available
via the development list to handle development issues -- Tom.
More News
Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash) distribution
called Bering that features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: http://leaf.sourceforge.net/devel/jnilo
Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!
Donations
Shorewall is free but if you try it and find it useful,
please consider making a donation to Starlight
Children's Foundation. Thanks!
|