Shoreline Firewall (Shorewall): Description
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. Your firewall/gateway requirements are described using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall.
Shorewall is not a daemon. Once Shorewall has configured Netfilter, its job is complete and no Shorewall code is left running on the system. The /sbin/shorewall program can be used at any time to monitor the Netfilter firewall.
Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful.
Key features of "Shorewall"
- Uses Netfilter's connection tracking facilities for stateful packet filtering.
- Can be used in a wide range of router/firewall/gateway applications.
- Completely customizable using configuration files.
- No limit on the number of network interfaces.
- Allows you to partition the network into zones and gives you complete control over the connections permitted between each pair of zones.
- Multiple interfaces per zone and multiple zones per interface permitted.
- Supports nested and overlapping zones.
- QuickStart Guides (HOWTOs) to help get your first firewall up and running quickly.
- A GUI is available via Webmin 1.060 and later (http://www.webmin.com).
- Extensive documentation is available in both XML and HTML formats.
- Flexible address management/routing support (and you can use all types in the same firewall):
  - Port Forwarding (DNAT).
  - One-to-one NAT.
  - Proxy ARP.
  - NETMAP (requires a 2.6 kernel or a patched 2.4 kernel).
  - Multiple ISP support.
- Blacklisting of individual IP addresses and subnetworks is supported.
- Operational Support:
  - Commands to start, stop and clear the firewall.
  - Status monitoring with an audible alarm when an "interesting" packet is detected.
  - Wide variety of informational commands.
- VPN Support:
  - IPSEC, GRE, IPIP and OpenVPN tunnels.
  - PPTP clients and servers.
- Support for Traffic Control/Shaping.
- Wide support for different GNU/Linux distributions:
  - RPM and Debian packages available.
  - Automated install, upgrade, fallback and uninstall facilities for users who can't use or choose not to use the RPM or Debian packages.
  - Included as a standard part of LEAF/Bering (router/firewall on a floppy, CD or compact flash).
- Media Access Control (MAC) Address Verification.
- Traffic Accounting.
- Bridge/Firewall support (requires a 2.6 kernel or a patched 2.4 kernel).
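The following configuration is an added example, not text from the original page or files shipped by the Shorewall project. It shows how the zone model, the default stateful handling, port forwarding (DNAT), masquerading and blacklisting from the feature list fit together on a three-interface gateway. It assumes the file layout of Shorewall 5.x (zones, interfaces with ?FORMAT 2, policy, rules, snat and blrules; older releases use a different column layout and a masq file instead of snat). The interface names eth0/eth1/eth2, the 10.0.1.0/24 LAN, the 10.0.2.0/24 DMZ, the web server 10.0.2.10 and the blacklisted 192.0.2.0/24 range are all placeholders chosen for the example.

```text
# /etc/shorewall/zones  (example configuration, assumed Shorewall 5.x layout)
# fw is the firewall itself; net, loc and dmz are the three attached networks.
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# One interface per zone here, but Shorewall also allows several interfaces
# per zone and several zones per interface.  The options enable the
# anti-spoofing checks (reverse-path filter, smurf and tcpflags checks).
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,routefilter
dmz     eth2        tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy
# Default action for each pair of zones; first matching line wins.
# Anything not explicitly allowed between loc and dmz is rejected and logged.
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
dmz     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Exceptions to the policies.  The ESTABLISHED and RELATED sections are left
# empty, so replies to permitted connections are accepted by connection
# tracking; only NEW connections are matched against the rules below.
#ACTION         SOURCE  DEST            PROTO   DPORT
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION NEW
DNS(ACCEPT)     loc     $FW
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
# LAN may reach the DMZ web server over HTTP/HTTPS (Web macro), nothing else.
Web(ACCEPT)     loc     dmz
# Port forwarding: TCP 80 and 443 arriving from the Internet are DNATed to the
# DMZ web server (placeholder address) and accepted.
DNAT            net     dmz:10.0.2.10   tcp     80,443

# /etc/shorewall/snat
# Masquerade both internal networks behind the address of eth0.
#ACTION         SOURCE          DEST
MASQUERADE      10.0.1.0/24     eth0
MASQUERADE      10.0.2.0/24     eth0

# /etc/shorewall/blrules
# Blacklist: drop every new connection from this (placeholder) range before
# the rules file is consulted.
#ACTION SOURCE              DEST
DROP    net:192.0.2.0/24    all
```

Before loading a change, `shorewall check` compiles the configuration without touching the running ruleset, and `shorewall safe-restart` loads it but restores the previous configuration unless you confirm within 60 seconds, which protects a remote session from a policy line that would otherwise lock you out.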