The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter’s ipchains compatibility mode and can thus take advantage of Netfilter’s connection state tracking capabilities.

Shorewall is not a daemon. Once Shorewall has configured the Linux networking subsystem, its job is complete and there is no “Shorewall process” left running in your system.

Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge.

The Ubuntu Shorewall package installs with an empty configuration: /etc/shorewall contains no usable files until you copy them in from the defaults, which is what the steps below do. Simon Matter provides RPMs tailored for Red Hat and Fedora; you can download them from his site.
If you run Ubuntu, Benjamin Montgomery maintains a repository for Hardy Heron and Jaunty Jackalope.


You can find the default values for Shorewall in /usr/share/doc/shorewall/default-config, and examples in /usr/share/doc/shorewall/examples.
We will create a basic setup: a single host with one interface, eth0, facing the Internet, and no separate local zone.

First configure which network interface faces the Internet. The columns are ZONE, INTERFACE, BROADCAST and OPTIONS; `detect` lets Shorewall work out the broadcast address, and the options below drop packets with invalid TCP flag combinations (tcpflags), log packets with impossible source addresses (logmartians) and drop broadcast/multicast packets that would otherwise be treated as unicast (nosmurfs).
~# cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/
~# vi /etc/shorewall/interfaces
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs

Then configure the network zones.
~# cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall/
~# vi /etc/shorewall/zones
Add the firewall zone if it is not there and the Internet as a zone. The loc zone is left commented out because this setup has no local network behind the host.
fw firewall
#loc ipv4
net ipv4

Then, if you need to tie a zone to particular hosts, do it in this file, e.g. to say which addresses count as your home network. The entry below stays commented out because the loc zone is commented out in zones; if you enable one, enable both.
~# cp /usr/share/doc/shorewall/default-config/hosts /etc/shorewall/
~# vi /etc/shorewall/hosts
# loc eth0:192.168.0.0/24

Then set the default policy for traffic between zones. Policies only apply to traffic that no entry in the rules file matched, and the first matching policy line wins, so the catch-all `all all REJECT` must stay at the bottom. The `info` column logs what the policy drops or rejects at that syslog level, which is what you want while bringing the firewall up.
~# cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall/
~# vi /etc/shorewall/policy
$FW net ACCEPT
net $FW DROP info
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info

The routestopped file lists the hosts that may still reach the box while Shorewall is stopped (including the moment a restart tears down the old ruleset), so that a failed restart does not lock you out.
~# cp /usr/share/doc/shorewall/default-config/routestopped /etc/shorewall/
~# vi /etc/shorewall/routestopped
eth0 0.0.0.0/0 routeback
As written this lets every host on eth0, which here means the whole Internet, in whenever the firewall is stopped. Narrow the second column to the address range you administer from as soon as you know it.

Now for the main firewall rules. Shorewall ships macros for common services in /usr/share/shorewall as files named macro.NAME (macro.SSH, macro.SMTP, macro.Web and so on); writing `SSH/ACCEPT` expands to an ACCEPT rule for TCP port 22 without you having to spell out the protocol and port. If you always administer from one address or range, write the source as net:<address> instead of a bare net so that only that range can reach the SSH port.
~# cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall/
~# vi /etc/shorewall/rules
SSH/ACCEPT net $FW

Open for business
Once your server is working, come back to this step and open up mail and web access to others. Open only the services this host actually runs; every extra line is another port the Internet can reach. The `ACCEPT $FW net icmp` line is already covered by the `$FW net ACCEPT` policy and is kept only to make the intent explicit.
~# vi /etc/shorewall/rules
# Permit ping from the net zone to the firewall, and all ICMP FROM the firewall TO the net zone
Ping/ACCEPT net $FW
ACCEPT $FW net icmp
# mail lines
SMTP/ACCEPT net $FW
SMTPS/ACCEPT net $FW
Submission/ACCEPT net $FW
IMAP/ACCEPT net $FW
IMAPS/ACCEPT net $FW
# web
Web/ACCEPT net $FW

Configuring a firewall is always risky business, because it is easy to lock yourself out. To test the setup syntax, run
~# shorewall check
Restart it with
~# /etc/init.d/shorewall restart
Keep the SSH session you are working from open, and confirm that a fresh connection from a second terminal succeeds before you close it; a running session survives a restart because of connection tracking, a new one only if the rules are right.

Then to switch it on during boot:
~# vi /etc/default/shorewall
startup=1
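The whole procedure above, staged in a scratch directory and sanity-checked before anything touches /etc/shorewall, as an added example that is not part of the original page or of the Shorewall project. The files are the ones built step by step above, with two tightenings: SSH and routestopped are limited to an admin network, and 203.0.113.0/24 is an assumed placeholder for "your home IP". The small linter catches the three mistakes that most often lock people out or leave the box open: a zone name used in policy or rules that was never defined in zones, a catch-all policy that is not last (or that ACCEPTs), and a routestopped entry that admits the whole Internet while Shorewall is stopped.

```shell
#!/bin/sh
# Added example, not from the original page or the Shorewall project: stage the
# whole configuration in a scratch directory, run a small shell linter over it,
# and only then copy it to /etc/shorewall and run 'shorewall check'. The admin
# network 203.0.113.0/24 is an assumption standing in for "your home IP".

STAGE="${STAGE:-$(mktemp -d)}"

write_config() {
    # interfaces: ZONE INTERFACE BROADCAST OPTIONS
    cat > "$STAGE/interfaces" <<'EOF'
net     eth0    detect  dhcp,tcpflags,logmartians,nosmurfs
EOF
    # zones: ZONE TYPE
    cat > "$STAGE/zones" <<'EOF'
fw      firewall
net     ipv4
EOF
    # policy: SOURCE DEST POLICY LOG_LEVEL; first match wins, catch-all last
    cat > "$STAGE/policy" <<'EOF'
$FW     net     ACCEPT
net     $FW     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF
    # routestopped: INTERFACE HOST(S) OPTIONS; only the admin network keeps
    # access while Shorewall is stopped, not every host on eth0
    cat > "$STAGE/routestopped" <<'EOF'
eth0    203.0.113.0/24  routeback
EOF
    # rules: ACTION SOURCE DEST [PROTO]; SSH only from the admin network
    cat > "$STAGE/rules" <<'EOF'
SSH/ACCEPT      net:203.0.113.0/24      $FW
Ping/ACCEPT     net     $FW
ACCEPT          $FW     net     icmp
SMTP/ACCEPT     net     $FW
Submission/ACCEPT net   $FW
IMAPS/ACCEPT    net     $FW
Web/ACCEPT      net     $FW
EOF
}

# cfg FILE: the staged file with comments and blank lines stripped
cfg() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$STAGE/$1"; }

# check_zone FILE ZONE: complain unless ZONE is $FW, all, or defined in zones
check_zone() {
    case "$2" in '$FW'|all) return 0 ;; esac
    name=${2%%:*}                      # net:203.0.113.0/24 -> net
    cfg zones | awk '{print $1}' | grep -qx "$name" ||
        echo "$1: unknown zone '$2'"
}

# lint_config: print every problem found; succeed only if there are none
lint_config() {
    problems=$(
        cfg policy | while read -r src dst _; do
            check_zone policy "$src"; check_zone policy "$dst"
        done
        cfg rules | while read -r _ src dst _; do
            check_zone rules "$src"; check_zone rules "$dst"
        done
        # the catch-all policy must be the last line and must not ACCEPT
        last=$(cfg policy | tail -n 1)
        case "$last" in
            all*all*REJECT*|all*all*DROP*) ;;
            *) echo "policy: last line must be 'all all REJECT|DROP', got: $last" ;;
        esac
        # a wide-open routestopped means 'shorewall stop' exposes everything
        if cfg routestopped | awk '{print $2}' | grep -qE '^(-|0\.0\.0\.0(/0)?)$'; then
            echo "routestopped: every host on the interface is let in while stopped"
        fi
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

write_config
if lint_config; then
    echo "config staged in $STAGE; install with: cp $STAGE/* /etc/shorewall/ && shorewall check"
fi
```

The linter only understands the column layout used on this page (two-column zones, three- or four-column policy and rules); it is a pre-flight check, not a replacement for `shorewall check`, which still has to run against the installed files. If your Shorewall 4.x supports it, `shorewall try "$STAGE" 60` brings the staged ruleset up and reverts to the previous one after 60 seconds, which is the safest way to test a change over SSH; check the shorewall man page on your version before relying on it.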

