[RULE] Shorewall - the perfect Firewall for Slinky-installed Systems

Rodolfo J. Paiz rpaiz at simpaticus.com
Mon Dec 29 22:46:46 EET 2003


At 10:23 12/29/2003, you wrote:
> > I've been using Shorewall since version 1.2.7. It works beautifully, is
> > easy and simple to configure, and the author not only spends considerable
> > time improving it but also does a great job of providing (slightly grumpy)
> > support on the users' mailing list.
>
>Well, this is interesting to hear about.  Just so that I understand what's
>being referred to: shorewall is a program that runs as a background
>process on a standalone PC, providing firewalling protection for that PC.
>I mean, as opposed to a firewall distro, which basically takes over a PC
>and is the only program running on it (it, in turn, providing firewalling
>for a network, usually). Is this correct?

No, not really.

Shorewall is a set of shell scripts which read whatever you put in the 
/etc/shorewall configuration files (interfaces, policy, rules, etc.) and 
create iptables rules for you. It takes the same commands you use for a 
daemon (service shorewall start, stop, restart, etc.) but nothing is left 
running in memory. All the work is done by the iptables code in the kernel.

Shorewall runs on /all/ my Linux systems. On my desktops, it is simply 
configured to allow anything out and nothing in. On servers, of course, 
some incoming connections are allowed; and on router/firewall systems the 
fun really starts. Shorewall is easily able to do masquerading, one-to-one 
NAT (DNAT/SNAT), port forwarding and redirection, and a bunch of other 
stuff which would otherwise have taken me weeks or months to learn.

Oh, and the author's website has excellent documentation and even 
quick-start templates for each file in common scenarios so you can get 
started more easily. I had my first Shorewall system up in 15-20 minutes, 
and now new server systems (even a simple router/firewall) take less than 
2 minutes each.


-- 
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
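An added illustration, not part of Rodolfo's message or the Shorewall project's own files: the /etc/shorewall configuration for the two cases he describes, a two-interface router/firewall that masquerades a LAN, forwards one port and accepts SSH to itself, with a note on how it collapses to the desktop "anything out, nothing in" case. Column layouts follow the Shorewall 4.x file formats (the 2003 versions differed); interface names, zone name `loc` and the 192.168.1.x addresses are constructed.

```conf
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth0 faces the Internet, eth1 the LAN (constructed names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs
loc     eth1        detect      tcpflags

# /etc/shorewall/policy
# default verdict between zones; the rules file holds the exceptions
#SOURCE DEST    POLICY  LOG_LEVEL
$FW     net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
# SNAT/masquerade the LAN behind eth0's address
#INTERFACE  SOURCE
eth0        192.168.1.0/24

# /etc/shorewall/rules
# exceptions to the policy, matched before the policy applies
#ACTION SOURCE  DEST                PROTO   DEST_PORT(S)
ACCEPT  net     $FW                 tcp     22
DNAT    net     loc:192.168.1.10    tcp     80
ACCEPT  loc     $FW                 udp     53
```

For a single-interface desktop, drop the `loc` zone, the eth1 line, the masq entry and the rules; the remaining policy lines (`$FW net ACCEPT`, `net all DROP info`) are exactly "anything out, nothing in", with each dropped packet logged at the `info` level.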



_______________________________________________
Original home page of the RULE project: www.rule-project.org
Original Rule Development Site http://savannah.gnu.org/projects/rule/
Original RULE mailing list: Rule-list at nongnu.org, hosted at http://mail.nongnu.org/mailman/listinfo/rule-list

This full static mirror of the Run Up to Date Linux Everywhere Project mailing list, originally hosted at http://lists.hellug.gr/mailman/listinfo/rule-list, is kept online by Free Software popularizer, researcher and trainer Marco Fioretti.