From LQWiki

Shorewall Firewall

Shoreline Firewall, more commonly known as Shorewall, is a high-level tool for configuring Netfilter in the Linux 2.4/2.6 kernels. You describe your firewall/gateway requirements in a set of configuration files and, with the help of the iptables utility, Shorewall configures Netfilter to match those requirements. Shorewall can be used on a dedicated firewall system, a multi-functional gateway/router/server, or a standalone GNU/Linux system. If you are looking for a Linux firewall solution that can handle complex and fast-changing network environments, Shorewall is a logical choice.

Shorewall Concepts

The configuration files for Shorewall are all contained in the directory /etc/shorewall/. For simple setups you will only need to deal with a few of them. The main files are:

  • params - can be used to establish the values of shell variables for use in other files.
  • interfaces - used to describe the network interfaces on the firewall system.
  • rules - used to express firewall rules that are exceptions to the high-level policies established in /etc/shorewall/policy.
  • zones - defines a partitioning of the network into "zones".
  • hosts - used to describe individual hosts or subnetworks in zones.
  • policy - establishes the overall firewall policy (the default action between each pair of zones).
  • shorewall.conf - used to set several global firewall parameters.
  • accounting - used to define traffic accounting rules.
  • blacklist - used to list blacklisted IP/subnet/MAC addresses.

Shorewall views the network where it is running as being composed of a set of zones.
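Because the rules file holds exceptions to the zone-to-zone defaults set in the policy file, the two tables are worth reading together when reviewing a configuration. The following is an added example, not code from Shorewall or from this article: a small Python lint that parses the column layout described above (policy: SOURCE DEST POLICY [LOG LEVEL]; rules: ACTION SOURCE DEST [PROTO] [DEST PORT(S)]) and reports defaults or rules that open the Internet-facing zone without a protocol or port restriction. The zone names (net, loc, $FW), addresses and the sample tables are constructed for the example; the checks themselves are the author's assumptions about what counts as over-permissive.

```python
"""Lint Shorewall policy and rules tables for over-permissive entries.

Added example, not Shorewall's own code. It parses the column layout the
page describes: policy lines are SOURCE DEST POLICY [LOG LEVEL]; rule lines
are ACTION SOURCE DEST [PROTO] [DEST PORT(S)] ...; a '#' starts a comment.
"""

# Constructed sample of /etc/shorewall/policy: sane three-zone defaults.
GOOD_POLICY = """\
#SOURCE  DEST   POLICY  LOG LEVEL
loc      net    ACCEPT
loc      $FW    ACCEPT
net      all    DROP    info
all      all    REJECT  info
"""

# Constructed sample of /etc/shorewall/rules: narrow exceptions to the policy.
GOOD_RULES = """\
#ACTION  SOURCE  DEST              PROTO  DEST PORT(S)
SECTION NEW
ACCEPT   net     $FW               tcp    22
ACCEPT   net     $FW               icmp
DNAT     net     loc:192.168.1.10  tcp    80
"""

# Constructed weak variants: an ACCEPT default from the Internet, no catch-all,
# and rules that open a zone without naming a protocol or port.
WEAK_POLICY = """\
loc      net    ACCEPT
net      loc    ACCEPT
net      $FW    DROP    info
"""

WEAK_RULES = """\
SECTION NEW
ACCEPT   net     $FW
ACCEPT   net     loc:192.168.1.20  udp
"""


def parse_table(text):
    """Split a Shorewall table into column lists, dropping comments, blank
    lines, the legacy SECTION keyword and ?-directives (?SECTION, ?FORMAT)."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?") or line.upper().startswith("SECTION "):
            continue
        rows.append(line.split())
    return rows


def col(cols, i, default="-"):
    """Return column i, or '-' (Shorewall's 'any' placeholder) when absent."""
    return cols[i] if len(cols) > i else default


def lint_policy(text):
    """Flag ACCEPT defaults from the 'net' zone and a missing catch-all policy."""
    findings = []
    catch_all = False
    for cols in parse_table(text):
        src, dst, pol = col(cols, 0), col(cols, 1), col(cols, 2).upper()
        if src == "net" and pol == "ACCEPT":
            findings.append(f"policy: net -> {dst} ACCEPT admits any Internet host by default")
        if src == "all" and dst == "all" and pol in ("DROP", "REJECT"):
            catch_all = True
    if not catch_all:
        findings.append("policy: missing 'all all DROP' or 'all all REJECT' catch-all")
    return findings


def lint_rules(text):
    """Flag ACCEPT/DNAT rules from 'net' that name no protocol, or TCP/UDP with no port."""
    findings = []
    for cols in parse_table(text):
        action, src, dst = col(cols, 0).upper(), col(cols, 1), col(cols, 2)
        proto, ports = col(cols, 3).lower(), col(cols, 4)
        # SOURCE may be qualified as zone:address; only the zone matters here.
        if action not in ("ACCEPT", "DNAT") or src.split(":", 1)[0] != "net":
            continue
        if proto in ("-", "all") or (proto in ("tcp", "udp") and ports == "-"):
            findings.append(f"rules: {action} from net to {dst} names no protocol/port")
    return findings


def lint(policy_text, rules_text):
    """Run both checks; returns a list of human-readable findings (empty = clean)."""
    return lint_policy(policy_text) + lint_rules(rules_text)


if __name__ == "__main__":
    for label, pol, rules in (("good", GOOD_POLICY, GOOD_RULES),
                              ("weak", WEAK_POLICY, WEAK_RULES)):
        print(label, lint(pol, rules) or ["no findings"])
```

To run it against a real system, read /etc/shorewall/policy and /etc/shorewall/rules into the two arguments of lint(). The GOOD tables produce no findings; the WEAK tables produce four (one per weak entry).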

Shorewall Features

One of Shorewall's strengths is that it scales well; because it drives Netfilter rather than replacing it, it is a truly open solution. Shorewall is easy to manage and integrates with Webmin.

Shorewall zones make large networks easier to manage and more flexible. Proof of that is the ability to apply different address-translation and routing configurations on the same firewall, including:

  • Masquerading (SNAT)
  • Port forwarding (DNAT)
  • One-to-one NAT
  • Multiple ISP support

Other features include blacklisting, VPN support, traffic shaping and control, MAC address verification, traffic accounting and more.

See also

This article is a stub and needs to be finished. Plunge forward and help it grow!