3/19/2001 - The current version of Shorewall is 1.0.4. This version:
- Allows user-defined zones. Shorewall now has only one pre-defined zone (fw) with the remaining zones being defined in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones file released in this version provides behavior that is compatible with Shorewall 1.0.3.
- Adds the ability to specify logging in entries in the /etc/shorewall/rules file.
- Corrects handling of the icmp-def chain so that only ICMP packets are sent through it.
- Compresses the output of "shorewall monitor" if awk is installed. Allows the command to work if awk isn't installed (although it's not pretty).
3/13/2001 - The Shorewall Website has now moved to Sourceforge! The current version of Shorewall is 1.0.3. This is a bug-fix release with no new features.
- The PATH variable in the firewall script now includes /usr/local/bin and /usr/local/sbin.
- DMZ-related chains are now correctly deleted if the DMZ is deleted.
- The interface OPTIONS for "gw" interfaces are no longer ignored.
3/8/2001 - The current version of Shorewall is 1.0.2. It supports an additional "gw" (gateway) zone for tunnels and it supports IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.
The Shoreline Firewall (Shorewall) is an iptables based firewall that can be used on a dedicated firewall system, a multi-function masquerade gateway/server or on a standalone Linux system.
- Customizable using configuration files.
- Supports status monitoring with an audible alarm when an "interesting" packet is detected.
- Includes an easy installation script.
- Includes a fallback script that backs out the installation of the most recent version of Shoreline Firewall and an uninstall script for completely uninstalling the firewall.
- An RPM module is available.
- Static NAT is supported.
- Proxy ARP is supported.
- Provides DMZ functionality.
- A kernel that supports netfilter. I've tested with 2.4.2-pre4 and 2.4.2.
- iptables 1.2 or later
- Some features require iproute ("ip" utility)
- A Bourne shell or derivative such as bash or ash.
I strongly urge you to read and print a copy of the Shorewall Documentation. Once you've done that, go to the Shorewall Download Page to download one of the modules:
- If you run a RedHat, Mandrake, Linux PPC or TurboLinux distribution upgraded to a 2.4 kernel, you can use the RPM version (note: the RPM should also work with other distributions that store init scripts in /etc/rc.d/init.d and that include chkconfig). If you find that it works in other cases, let me know so that I can mention them here.
- Otherwise, download the shorewall module (tarball).
Also check the errata to see if there are updates that apply to the version that you have downloaded.
If you haven't done so already, please read and print a copy of the Shorewall Documentation.
To install Shorewall using the tarball and install script:
- unpack the tarball
- cd to the shorewall directory (beginning with version 3.0.1, the version is encoded in the directory name as in "shorewall-3.0.1").
- Edit the configuration files to match your configuration.
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware, SuSE or Debian then type "./install.sh"
- If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
- For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory>"
- Start the firewall by typing "shorewall start"
- If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.
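The directory check in the install steps above, written out as a POSIX shell helper. This is an added example and not Shorewall's own install.sh: it assumes a root-prefix argument (so it can be exercised on a scratch tree; a real run passes an empty prefix) and only decides which form of the "./install.sh" command the steps call for.

```shell
#!/bin/sh
# Added example (not Shorewall's install.sh): choose the init-script
# directory the way the install steps describe, then build the matching
# "./install.sh" invocation.  The ROOT prefix argument is an assumption
# made so the logic can be tested against a scratch directory tree.

# Print the standard init-script directory under ROOT, or fail if
# neither /etc/rc.d/init.d nor /etc/init.d exists there.
shorewall_init_dir() {
    root="${1:-}"
    for d in "$root/etc/rc.d/init.d" "$root/etc/init.d"; do
        [ -d "$d" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Print the install command: plain "./install.sh" when a standard init
# directory exists, otherwise "./install.sh <dir>" with the directory the
# administrator supplies as the second argument.  Fails if neither applies.
shorewall_install_cmd() {
    root="${1:-}"
    custom="${2:-}"
    if shorewall_init_dir "$root" >/dev/null 2>&1; then
        printf './install.sh\n'
    elif [ -n "$custom" ]; then
        printf './install.sh %s\n' "$custom"
    else
        echo "no init-script directory found; pass one explicitly" >&2
        return 1
    fi
}

# Typical use after unpacking the tarball and changing into its directory
# (<tarball> and <init dir> are placeholders):
#   tar xzf <tarball> && cd shorewall*/
#   cmd=$(shorewall_install_cmd "" "<init dir>") && eval "$cmd"
```

Run it after the "cd to the shorewall directory" step; when the helper fails, that is the case the last install step covers, where the init-script directory has to be supplied by hand.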
First check the Errata. It lists common gotchas as well as known problems and restrictions and has links to download updated components. If you can't solve your problem then contact the author.
There are a number of configuration files that need to be edited to configure the firewall.
- /etc/shorewall/shorewall.conf - used to set several firewall parameters.
- /etc/shorewall/policy - establishes firewall high-level policy.
- /etc/shorewall/interfaces - describes the interfaces on the firewall system.
- /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) NAT a.k.a. Masquerading.
- /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.
- /etc/shorewall/nat - defines static NAT rules.
- /etc/shorewall/proxyarp - defines use of Proxy ARP.
- /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on the firewall system.
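How the policy and rules files fit together (defaults in /etc/shorewall/policy, explicit exceptions in /etc/shorewall/rules, with the per-rule logging added in 1.0.4), shown as an added example. This is not Shorewall's shipped sample configuration: the script writes a small three-zone setup under a prefix directory of your choosing and then checks that the policy file ends in a catch-all deny entry. The column layouts are an assumption about the 1.x file formats; the sample files in the tarball are authoritative.

```shell
#!/bin/sh
# Added example, not part of Shorewall or its sample files.  Writes a
# minimal configuration (net/loc/dmz plus the built-in fw zone) under the
# given directory, then verifies the policy file is default-deny.  Column
# layouts are an assumption about the 1.x formats.

write_sample_config() {
    dir="$1"
    mkdir -p "$dir"
    # zones: user-defined zones (new in 1.0.4); fw is pre-defined
    cat >"$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local network
dmz     DMZ       Public servers
EOF
    # interfaces: which network interface belongs to which zone
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect
EOF
    # policy: default disposition per zone pair.  The last line catches
    # everything not matched above, so unlisted traffic is rejected and logged.
    cat >"$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF
    # rules: explicit exceptions to the policy above.  The ACTION:level
    # form logs the matched packet at that syslog level.
    cat >"$dir/rules" <<'EOF'
#ACTION       SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT        net      dmz    tcp     80
ACCEPT:info   loc      fw     tcp     22
EOF
}

# Return 0 when the last non-comment, non-blank line of the given policy
# file is an "all all" entry whose disposition is DROP or REJECT, i.e. the
# configuration denies by default and relies on the rules file for exceptions.
policy_is_default_deny() {
    last=$(grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    set -- $last
    [ "$1" = all ] && [ "$2" = all ] && { [ "$3" = DROP ] || [ "$3" = REJECT ]; }
}

# Usage: write the files somewhere harmless and check them, e.g.
#   write_sample_config /tmp/shorewall-example
#   policy_is_default_deny /tmp/shorewall-example/policy && echo default-deny
```

The check is deliberately narrow: it only confirms that the policy file closes with a catch-all deny, which is the property that makes every ACCEPT in the rules file a genuine exception rather than one more hole in an already open default.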
Updated 3/18/2001 - Tom Eastep