Shorewall and the 2.6 Linux Kernel

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2005-01-14



Table of Contents

General
IPSEC

General

Shorewall is compatible with the Linux 2.6 kernel series and supports the following features that were added in that series:

  1. NETMAP Target Support.

  2. Bridge/Firewall Support (physdev match support).

  3. CLASSIFY Target Support.

IPSEC

The 2.6 Linux kernel introduces a new implementation of IPSEC that eliminates the ipsecN device names. Netfilter/iptables support for this new implementation is incomplete unless your kernel has been patched. For unpatched kernels, see the Shorewall IPSEC documentation; Shorewall support for IPSEC with unpatched 2.6 kernels is very limited. For patched 2.6 kernels (including those supplied with SuSE™ 9.2), see the Kernel 2.6 IPSEC documentation.