Re: [RULE] Shorewall - the perfect Firewall for Slinky-installed Systems

[Rodolfo J. Paiz]

At 10:23 12/29/2003, you wrote:
> > I've been using Shorewall since version 1.2.7. It works beautifully, is
> > easy and simple to configure, and the author not only spends considerable
> > time improving it but also does a great job of providing (slightly grumpy)
> > support on the users' mailing list.
>
> Well, this is interesting to hear about.  Just so that I understand what's
> being referred to: shorewall is a program that runs as a background
> process on a standalone PC, providing firewalling protection for that PC.
> I mean, as opposed to a firewall distro, which basically takes over a PC
> and is the only program running on it (it, in turn, providing firewalling
> for a network, usually). Is this correct?

No, not really.

Shorewall is a set of shell scripts which read whatever you put in the 
/etc/shorewall configuration files (interfaces, policy, rules, etc.) and 
create iptables rules for you. It takes the same commands you use for a 
daemon (service shorewall start, stop, restart, etc.) but nothing is left 
running in memory. All the work is done by the iptables code in the kernel.

Shorewall runs on /all/ my Linux systems. On my desktops, it is simply 
configured to allow anything out and nothing in. On servers, of course, 
some incoming connections are allowed; and on router/firewall systems the 
fun really starts. Shorewall is easily able to do masquerading, one-to-one 
NAT (DNAT/SNAT), port forwarding and redirection, and a bunch of other 
stuff which would otherwise have taken me weeks or months to learn.

Oh, and the author's website has excellent documentation and even 
quick-start templates for each file in common scenarios so you can get 
started more easily. I had my first Shorewall system up in 15-20 minutes, 
and now a new server system (even a simple router/firewall) take less than 
2 minutes each.


--
Rodolfo J. Paiz
address@hidden
http://www.simpaticus.com