Shorewall
Shorewall is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes.

Using an analogy understandable to programmers: Shorewall is to iptables what C is to assembly language. It provides a higher level of abstraction for describing rules using text files.

Configuration

It is not a daemon, since it does not run continuously, but rather configures rules in the kernel that allow and disallow traffic through the system. Shorewall is configured through a group of plain-text configuration files and does not have a graphical user interface, though a Webmin module is available separately. A monitoring utility packaged with Shorewall can be used to watch the status of the system as it operates and assist in testing.

Use

Shorewall is mainly used in network installations (as opposed to a personal computer firewall), since most of its strength lies in its ability to work with "zones", such as the DMZ or a 'net' zone. Each zone would then have different rules, making it easy to have, for example, relaxed rules on the company intranet, yet clamp down on traffic coming in from the Internet.

The plain-text configuration files are usually well-commented and easy to use, though Shorewall may be more difficult for new users to handle than other firewall systems with graphical front-ends.
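As an added illustration (not taken from the Shorewall distribution or from the original article), a minimal three-zone layout shows how the zone model described above maps onto the plain-text files. The interface names (eth0, eth1, eth2), the choice of a web server in the DMZ, and the specific ports are assumptions made for this example.

```conf
# ---- /etc/shorewall/zones ----
# Declares the zones; "fw" is the firewall host itself.
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# ---- /etc/shorewall/interfaces ----
# Binds each zone to an interface (interface names are assumed).
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect
dmz     eth2        detect

# ---- /etc/shorewall/policy ----
# Default action per zone pair; the first matching line wins,
# so the catch-all must come last.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT              # relaxed: intranet may reach the Internet
$FW     net     ACCEPT
net     all     DROP    info        # clamp down on Internet-originated traffic
all     all     REJECT  info        # anything not listed is refused and logged

# ---- /etc/shorewall/rules ----
# Exceptions to the policies above.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     dmz     tcp     80,443   # public web service in the DMZ (assumed)
ACCEPT  loc     dmz     tcp     80,443
ACCEPT  loc     $FW     tcp     22       # administration from the intranet only
```

Running `shorewall check` validates the files without changing the rules currently loaded in the kernel.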

Current version

The most recent stable version is 4.4.21. Starting with version 4, Shorewall also uses a Perl-based compiler frontend; previously it used only a shell-based compiler frontend. IPv6 is supported starting in version 4.4.3.
From version 4.4.3, Shorewall-shell has been removed and Shorewall-perl has been combined with Shorewall-common.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 