Shorewall

from Wikipedia, the free encyclopedia
Basic data

Developer: Thomas M. Eastep
Current version: 5.2.4 (Mar 24, 2019)
Operating system: Linux
Programming language: Perl
Category: Firewall
License: GPL (Free Software)
Available in German: No
Website: shorewall.org

Shorewall (short for Shoreline Firewall; named after the place of residence of its author Thomas M. Eastep in Shoreline, Washington, United States) is a free firewall configurator based on the netfilter framework built into the Linux kernel.

Configuration is done in text files (among others in /etc/shorewall/). From these files, Shorewall uses iptables to generate the netfilter rules that regulate the IP traffic flowing through the kernel. Shorewall is not a daemon: it does not run continuously, but terminates after the rules have been created. A Webmin plug-in is available as a graphical front end.

The iptables rules created by Shorewall operate at OSI layer 3, i.e. the network layer, although it is possible to control other layers as well.

Shorewall's strength lies in its abstraction of the networks directly connected to the interfaces, which are referred to as "zones". The number of zones and their purpose can be freely defined. Shorewall ships configuration templates for the three most important use cases:

  • Standalone - a host with only one network interface and only one zone, intended for protecting individual PCs or servers
  • Two-interface - a classic pass-through firewall between a hostile 'red' and a friendly 'green' network
  • Three-interface - the classic setup with a third network that is attached separately as a DMZ

Policies must be defined between the zones; they set the default behavior for traffic from one zone to another. A policy is the fallback for any connection that is not matched by an explicit entry in the rules. Shorewall can also set up NAT, traffic shaping, bridges and much more.
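The relationship between zones, policies and rules, shown as an added illustration that is not part of the original article. It is a minimal two-interface configuration in Shorewall 5 file syntax; the interface names eth0/eth1 and the zone names net/loc are assumptions, and NAT/masquerading is left out.

```conf
# --- /etc/shorewall/zones ---
# "fw" is the firewall host itself; the other zones are freely named.
#ZONE   TYPE
fw      firewall
net     ipv4        # hostile 'red' side (assumed name)
loc     ipv4        # friendly 'green' side (assumed name)

# --- /etc/shorewall/interfaces ---
# Binds each zone to the network attached to an interface.
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs,routefilter

# --- /etc/shorewall/policy ---
# Default verdict per zone pair, used only when no rule matched.
# Evaluated top to bottom; the first matching line wins, so the
# catch-all "all all" entry must come last.
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# --- /etc/shorewall/rules ---
# Explicit exceptions to the policies above.
?SECTION NEW
#ACTION         SOURCE  DEST    PROTO   DPORT
# Administration of the firewall host only from the green zone;
# without this line "all all REJECT" would refuse it.
SSH(ACCEPT)     loc     $FW
# The firewall host itself may resolve names on the red side.
DNS(ACCEPT)     $FW     net
# Silently discard pings from the red side without logging them
# (the net->all policy would drop them too, but with a log entry).
Ping(DROP)      net     $FW
```

With these files a new connection from loc to net is accepted by policy, while anything arriving from net that no rule names is dropped and logged; `shorewall check` validates the files without touching the running ruleset.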

Shorewall is aimed more at professional use and cannot be compared with a personal firewall (OSI layer 7).
