Copyright © 2001-2009 Thomas M Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2010/05/06
This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Uses Netfilter's connection tracking facilities for stateful packet filtering.
Can be used in a wide range of router/firewall/gateway applications.
Completely customizable using configuration files.
No limit on the number of network interfaces.
Allows you to partition the network into zones and gives you complete control over the connections permitted between each pair of zones.
Multiple interfaces per zone and multiple zones per interface permitted.
Supports nested and overlapping zones.
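As an added example that is not part of the original page or of Shorewall's own documentation, the four configuration fragments below show how a small network is partitioned into zones and how the traffic permitted between each pair of zones is declared. The interface names eth0 and eth1 and the 192.168.1.0/24 address range are assumptions; the column layout follows the /etc/shorewall/zones, interfaces, policy and rules files of the Shorewall 4.x release line.

```text
# /etc/shorewall/zones -- declare the zones; "fw" is the firewall itself
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces -- bind each zone to an interface (assumed names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs

# /etc/shorewall/policy -- default disposition for every zone pair;
# the first matching line wins, so the catch-all entry goes last
#SOURCE DEST    POLICY      LOG_LEVEL
loc     net     ACCEPT
loc     $FW     REJECT      info
net     all     DROP        info
all     all     REJECT      info

# /etc/shorewall/rules -- exceptions evaluated before the policies above
#ACTION     SOURCE                  DEST    PROTO   DEST_PORT
# SSH to the firewall only from the assumed LAN range, not from the whole zone
ACCEPT      loc:192.168.1.0/24      $FW     tcp     22
# the DNS macro shipped with Shorewall opens udp/tcp 53 from the LAN to the firewall
DNS(ACCEPT) loc                     $FW
```

Rules are matched before policies, so the two rules punch specific holes in the loc to $FW REJECT policy while everything else the LAN sends to the firewall is still rejected and logged at level info. Running shorewall check validates the files before shorewall start loads them, which is the point at which a typo in a zone name or a policy pair is cheapest to catch.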
Supports centralized firewall administration.
Shorewall installed on a single administrative system. May be a Windows™ PC running Cygwin™ or an Apple Macintosh™ running OS X (Mac support was added in Shorewall 4.4.9).
Centrally generated firewall scripts run on the firewalls under control of Shorewall-lite.
QuickStart Guides (HOWTOs) to help get your first firewall up and running quickly.
A GUI is available via Webmin 1.060 and later (http://www.webmin.com).
Extensive documentation is available in both Docbook XML and HTML formats.
Flexible address management/routing support (and you can use all types in the same firewall):
NETMAP (requires a 2.6 kernel or a patched 2.4 kernel).
Blacklisting of individual IP addresses and subnetworks is supported.
Commands to start, stop and clear the firewall.
Supports status monitoring with an audible alarm when an “interesting” packet is detected.
Wide variety of informational commands.
VPN Support.
PPTP clients and servers.
Support for Traffic Control/Shaping.
Wide support for different GNU/Linux Distributions.
Includes automated install, upgrade and uninstall facilities for users who can't use or choose not to use the RPM or Debian packages.
Included as a standard part of LEAF/Bering (router/firewall on a floppy, CD or compact flash).