
Re: [RULE] Shorewall - the perfect Firewall for Slinky-installed Systems


From: Rodolfo J. Paiz
Subject: Re: [RULE] Shorewall - the perfect Firewall for Slinky-installed Systems
Date: Mon, 29 Dec 2003 14:46:46 -0600

At 10:23 12/29/2003, you wrote:
> I've been using Shorewall since version 1.2.7. It works beautifully, is
> easy and simple to configure, and the author not only spends considerable
> time improving it but also does a great job of providing (slightly grumpy)
> support on the users' mailing list.

> Well, this is interesting to hear about. Just so that I understand what's
> being referred to: shorewall is a program that runs as a background
> process on a standalone PC, providing firewalling protection for that PC.
> I mean, as opposed to a firewall distro, which basically takes over a PC
> and is the only program running on it (it, in turn, providing firewalling
> for a network, usually). Is this correct?

No, not really.

Shorewall is a set of shell scripts which read whatever you put in the /etc/shorewall configuration files (interfaces, policy, rules, etc.) and create iptables rules for you. It takes the same commands you use for a daemon (service shorewall start, stop, restart, etc.) but nothing is left running in memory. All the work is done by the iptables code in the kernel.

Shorewall runs on /all/ my Linux systems. On my desktops, it is simply configured to allow anything out and nothing in. On servers, of course, some incoming connections are allowed; and on router/firewall systems the fun really starts. Shorewall is easily able to do masquerading, one-to-one NAT (DNAT/SNAT), port forwarding and redirection, and a bunch of other stuff which would otherwise have taken me weeks or months to learn.

Oh, and the author's website has excellent documentation and even quick-start templates for each file in common scenarios so you can get started more easily. I had my first Shorewall system up in 15-20 minutes, and now a new server system (even a simple router/firewall) takes less than 2 minutes.


--
Rodolfo J. Paiz
address@hidden
http://www.simpaticus.com
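As an added illustration (not from the message above or from the Shorewall project's own files) of the "allow anything out and nothing in" desktop setup Rodolfo describes, here is what the four /etc/shorewall files could contain. It assumes the Shorewall 1.4-era column layout current at the time of this thread (later releases changed the zones file format), a single Internet-facing interface named eth0, and the default firewall zone name "fw".

```text
# /etc/shorewall/zones      (ZONE  DISPLAY  COMMENTS)
# One external zone; the host itself is the built-in "fw" zone.
net     Net     The Internet

# /etc/shorewall/interfaces (ZONE  INTERFACE  BROADCAST  OPTIONS)
# "detect" lets Shorewall work out the broadcast address;
# "routefilter" turns on the kernel's reverse-path (anti-spoofing) check.
net     eth0    detect    routefilter

# /etc/shorewall/policy     (SOURCE  DEST  POLICY  LOG LEVEL)
# Policies are the defaults applied when no rule matches.
# Host -> Internet: allow everything out.
fw      net     ACCEPT
# Internet -> anywhere: silently drop, but log at syslog level "info"
# so unsolicited connection attempts are visible.
net     all     DROP      info
# Catch-all for anything not covered above.
all     all     REJECT    info

# /etc/shorewall/rules      (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Empty for a desktop: no inbound connections are accepted.
# On a server you would open specific holes here instead of loosening
# the net->all policy, e.g. (commented out) SSH only:
#ACCEPT  net     fw      tcp     22
```

After editing, "shorewall check" validates the files and "shorewall restart" regenerates the iptables rule set; "iptables -L -n" then shows the resulting chains, since nothing of Shorewall itself stays resident.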
