Shorewall - "iptables made easy"

What is it?

Shorewall is an iptables based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone Linux system. 

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Copyright 2001, 2002 Thomas M. Eastep

News

4/20/2002 - Shorewall 1.2.12 is Available

- The 'try' command works again
- There is now a single RPM that also works with SuSE.

4/17/2002 - Shorewall Debian News

Lorenzo Martignoni reports that:

- Shorewall 1.2.10 is in the Debian Testing Branch
- Shorewall 1.2.11 is in the Debian Unstable Branch

Thanks, Lorenzo!

4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

Thanks to Stefan Mohr, there is now a Shorewall 1.2.11 SuSE RPM available.

4/13/2002 - Shorewall 1.2.11 Available

In this version:

- The 'try' command now accepts an optional timeout. If the timeout is given in the command, the standard configuration will automatically be restarted after the new configuration has been running for that length of time. This prevents a remote admin from being locked out of the firewall in the case where the new configuration starts but prevents access.
- Kernel route filtering may now be enabled globally using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
- Individual IP source addresses and/or subnets may now be excluded from masquerading/SNAT.
- Simple "Yes/No" and "On/Off" values are now case-insensitive in /etc/shorewall/shorewall.conf.
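Kernel route filtering, the feature ROUTE_FILTER switches on, is the Linux reverse-path filter that the kernel exposes per interface as /proc/sys/net/ipv4/conf/<iface>/rp_filter. The audit script below is an added example, not part of this page or of Shorewall: it lists the interfaces on which the filter is not in strict mode, which is the check to run after enabling ROUTE_FILTER. PROC_CONF is an assumed override so the script can be pointed at a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Audit reverse-path filtering per interface (added example, not Shorewall code).
# rp_filter values: 0 = off, 1 = strict (drop packets whose source address
# would not be routed back out the receiving interface); newer kernels also
# accept 2 = loose. Only 1 is treated as "filtered" here.
# PROC_CONF is an assumed override; the default is the real sysctl tree.
PROC_CONF=${PROC_CONF:-/proc/sys/net/ipv4/conf}

# rp_filter_status IFACE -> prints the interface's rp_filter value, or
# "missing" when the kernel exposes no such file for it.
rp_filter_status() {
    f="$PROC_CONF/$1/rp_filter"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# unfiltered_interfaces -> prints "IFACE rp_filter=VALUE" for every real
# interface (the 'all' and 'default' pseudo-entries and loopback are skipped)
# whose rp_filter is not 1. Returns 1 if any were found, 0 otherwise, so it
# can be used directly as a health check.
unfiltered_interfaces() {
    rc=0
    for d in "$PROC_CONF"/*/; do
        iface=$(basename "$d")
        case "$iface" in
            all|default|lo) continue ;;
        esac
        v=$(rp_filter_status "$iface")
        if [ "$v" != 1 ]; then
            echo "$iface rp_filter=$v"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: report and exit non-zero when something is unfiltered.
if [ "${RP_AUDIT_RUN:-}" = 1 ]; then
    unfiltered_interfaces && echo "reverse-path filtering is on for all interfaces"
fi
```

Run it with RP_AUDIT_RUN=1 on the firewall itself after setting ROUTE_FILTER; a non-zero exit means at least one interface accepts packets with source addresses it could not have routed, which is exactly the spoofing case the filter is meant to drop.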

4/13/2002 - Hamburg Mirror now has FTP

Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  Thanks Stefan!

4/12/2002 - New Mirror in Hamburg

Thanks to Stefan Mohr, there is now a mirror of the Shorewall website in Hamburg, Germany at http://germany.shorewall.net.

4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

Version 1.1 of the QuickStart Guide is now available. Thanks to those who have read version 1.0 and offered their suggestions. Corrections have also been made to the sample scripts.

4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

Version 1.0 of the QuickStart Guide is now available. This Guide and its accompanying sample configurations are expected to provide a replacement for the recently withdrawn parameterized samples.

4/8/2002 - Parameterized Samples Withdrawn

Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.

4/2/2002 - Updated Log Parser

John Lodge has provided an updated version of his CGI-based log parser with corrected date handling.

3/30/2002 - Shorewall Website Search Improvements

The quick search on the home page now excludes the mailing list archives. The Extended Search allows excluding the archives or restricting the search to just the archives. An archive search form is also available on the mailing list information page.

3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

- The 1.2.10 Debian Package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- Shorewall 1.2.9 is now in the Debian Unstable Distribution.

3/25/2002 - Log Parser Available

John Lodge has provided a CGI-based log parser for Shorewall. Thanks John.

3/20/2002 - Shorewall 1.2.10 Released

In this version:

- A "shorewall try" command has been added (syntax: shorewall try <configuration directory>). This command attempts "shorewall -c <configuration directory> start" and if that results in the firewall being stopped due to an error, a "shorewall start" command is executed. The 'try' command allows you to create a new configuration and attempt to start it; if there is an error that leaves your firewall in the stopped state, it will automatically be restarted using the default configuration (in /etc/shorewall).
- A new variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf. If this variable is set to "Yes", Shorewall will automatically add IP addresses listed in the third column of the /etc/shorewall/masq file.
- Copyright notices have been added to the documentation.
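The 'try' flow described in the 1.2.10 note above and extended with a timeout in the 1.2.11 note (start the new configuration, fall back to the default configuration if the firewall ends up stopped, and, when a timeout is given, restart the default configuration after that many seconds so a lock-out undoes itself) is modelled below in POSIX sh as an added example; it is not Shorewall's own code. fw_start and fw_state are hypothetical hooks standing in for the real firewall commands, DEFAULT_DIR and FW_LOG are assumed paths, keep_config is an assumed confirmation step, and the 'broken' marker file is a constructed failure trigger used only by the demo hook.

```shell
#!/bin/sh
# try_config: a plain POSIX sh model of the 'shorewall try' flow
# (added example, not Shorewall's own code). Usage:
#     try_config NEWDIR [TIMEOUT]
# 1. start the firewall from NEWDIR;
# 2. if that leaves the firewall stopped, start the default configuration;
# 3. if TIMEOUT (seconds) is given, restart the default configuration
#    unconditionally after TIMEOUT seconds unless keep_config is called,
#    so a configuration that starts but locks out the remote admin is undone.
# fw_start / fw_state are hypothetical hooks standing in for the real
# firewall commands; DEFAULT_DIR and FW_LOG are assumed paths.

DEFAULT_DIR=${DEFAULT_DIR:-/etc/shorewall}
FW_LOG=${FW_LOG:-/tmp/try_config.log}   # the demo hooks record what they did here

# Demo hook: starting a configuration succeeds unless the directory contains
# a file named 'broken' (constructed failure trigger), in which case the
# firewall is left in the stopped state, as a rule-file error would leave it.
fw_start() {
    if [ -e "$1/broken" ]; then
        echo "start $1 -> failed, firewall stopped" >> "$FW_LOG"
        FW_STATE=stopped
        return 1
    fi
    echo "start $1 -> ok" >> "$FW_LOG"
    FW_STATE=started
    return 0
}

# Demo hook: report the firewall state ("started" or "stopped").
fw_state() { echo "${FW_STATE:-stopped}"; }

try_config() {
    newdir=$1
    timeout=$2
    TRY_TIMER_PID=""
    fw_start "$newdir" || :          # failure is decided by the state check below
    if [ "$(fw_state)" = stopped ]; then
        echo "new configuration left the firewall stopped; restarting $DEFAULT_DIR" >&2
        fw_start "$DEFAULT_DIR" || :
        return 1
    fi
    if [ -n "$timeout" ]; then
        # Grace period: revert to the default configuration unless the admin
        # confirms the trial with keep_config before the timer fires.
        ( sleep "$timeout"; fw_start "$DEFAULT_DIR" ) &
        TRY_TIMER_PID=$!
        echo "trial configuration running; reverting in ${timeout}s unless confirmed" >&2
    fi
    return 0
}

# keep_config: the admin still has access, so cancel the pending revert.
keep_config() {
    if [ -n "$TRY_TIMER_PID" ]; then
        kill "$TRY_TIMER_PID" 2>/dev/null || :
        TRY_TIMER_PID=""
    fi
}
```

The timer is the part that matters for remote administration: a rule set that loads cleanly but drops the admin's SSH session passes step 2, and only the unconditional revert in step 3 gets the box back. In the real command the standard configuration is restarted when the timeout expires; keep_config here stands for whatever confirmation the admin performs once access is verified.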

3/19/2002 - Step by Step Instructions available

Scott Merrill has written a set of step-by-step instructions for Installing a "Belt and Suspenders" Firewall Configuration under RedHat 7.2. Thanks Scott!

3/11/2002 - Shorewall 1.2.9 Released

In this version:

- Filtering by MAC address has been added. MAC addresses may be used as the source address in:
  - Filtering rules (/etc/shorewall/rules)
  - Traffic Control Classification Rules (/etc/shorewall/tcrules)
  - TOS Rules (/etc/shorewall/tos)
  - Blacklist (/etc/shorewall/blacklist)
- Several bugs have been fixed
- The 1.2.9 Debian Package is also available at http://security.dsi.unimi.it/~lorenzo/debian.html.

3/1/2002 - 1.2.8 Debian Package is Available

See http://security.dsi.unimi.it/~lorenzo/debian.html

2/25/2002 - New Two-interface Sample

I've enhanced the two interface sample to allow access from the firewall to servers in the local zone - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

2/23/2002 - Shorewall 1.2.8 Released

Due to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects problems associated with the lock file used to prevent multiple state-changing operations from occurring simultaneously. My apologies for any inconvenience my carelessness may have caused.

2/22/2002 - Shorewall 1.2.7 Released

In this version:

- UPnP probes (UDP destination port 1900) are now silently dropped in the common chain
- RFC 1918 checking in the mangle table has been streamlined to no longer require packet marking. RFC 1918 checking in the filter table has been changed to require half as many rules as previously.
- A 'shorewall check' command has been added that does a cursory validation of the zones, interfaces, hosts, rules and policy files.

More News

Updated 4/20/2002 - Tom Eastep
