[RULE] Shorewall - the perfect Firewall for Slinky-installed Systems
Rodolfo J. Paiz
rpaiz at simpaticus.com
Mon Dec 29 22:46:46 EET 2003
At 10:23 12/29/2003, you wrote:
> > I've been using Shorewall since version 1.2.7. It works beautifully, is
> > easy and simple to configure, and the author not only spends considerable
> > time improving it but also does a great job of providing (slightly grumpy)
> > support on the users' mailing list.
>
> Well, this is interesting to hear about. Just so that I understand what's
> being referred to: shorewall is a program that runs as a background
> process on a standalone PC, providing firewalling protection for that PC.
> I mean, as opposed to a firewall distro, which basically takes over a PC
> and is the only program running on it (it, in turn, providing firewalling
> for a network, usually). Is this correct?
No, not really.
Shorewall is a set of shell scripts which read whatever you put in the
/etc/shorewall configuration files (interfaces, policy, rules, etc.) and
create iptables rules for you. It takes the same commands you use for a
daemon (service shorewall start, stop, restart, etc.) but nothing is left
running in memory. All the work is done by the iptables code in the kernel.
Shorewall runs on /all/ my Linux systems. On my desktops, it is simply
configured to allow anything out and nothing in. On servers, of course,
some incoming connections are allowed; and on router/firewall systems the
fun really starts. Shorewall is easily able to do masquerading, one-to-one
NAT (DNAT/SNAT), port forwarding and redirection, and a bunch of other
stuff which would otherwise have taken me weeks or months to learn.
Oh, and the author's website has excellent documentation and even
quick-start templates for each file in common scenarios so you can get
started more easily. I had my first Shorewall system up in 15-20 minutes,
and now new server systems (even a simple router/firewall) take less than
2 minutes each.
--
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
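As an added illustration (not part of Rodolfo's mail or of the Shorewall project's own documentation), here is the kind of "anything out, nothing in" desktop setup the message describes, spread over the /etc/shorewall files it names. The interface name eth0 and the LAN range are assumptions, and the column layout follows current Shorewall releases, which differs slightly from the 1.2/1.4 era the mail refers to.

```conf
# /etc/shorewall/zones
# $FW is the firewall host itself (the name comes from FW= in shorewall.conf).
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces
# eth0 is an assumed interface name; "detect" lets Shorewall find the broadcast address.
# The options drop packets with bogus TCP flags and enforce reverse-path filtering.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
# Desktop case: the host may open connections anywhere, nothing may come in.
# Inbound traffic is dropped silently from the outside but logged locally at "info".
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Desktop case: leave this section empty so the DROP policy decides everything.
# Server case (as the mail mentions): punch exactly the holes you need, e.g. SSH.
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
SECTION NEW
ACCEPT      net     $FW     tcp     22

# /etc/shorewall/masq (router/firewall case only; 192.168.1.0/24 is an assumed LAN)
# Masquerades the internal network behind eth0's address.
#INTERFACE  SOURCE
eth0        192.168.1.0/24
```

Running `shorewall check` parses these files and reports errors without touching the running ruleset, so it is worth doing before `shorewall start` or `restart`; `shorewall show` then displays the iptables rules that were actually generated.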
_______________________________________________
Original home page of the RULE project: www.rule-project.org
Original Rule Development Site http://savannah.gnu.org/projects/rule/
Original RULE mailing list: Rule-list at nongnu.org, hosted at http://mail.nongnu.org/mailman/listinfo/rule-list
This full static mirror of the Run Up to Date Linux Everywhere Project mailing list, originally hosted at http://lists.hellug.gr/mailman/listinfo/rule-list, is kept online by Free Software popularizer, researcher and trainer Marco Fioretti.