Shorewall Installation

If you haven't done so already, please read and print a copy of the Shorewall Documentation.

Install using RPM
Install using tarball
Upgrade using RPM
Upgrade using tarball
Configuration Files
Uninstall/Fallback

To install Shorewall using the RPM:

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 either from the RedHat update site or from the Shorewall Errata page before attempting to start Shorewall.

bulletInstall the RPM (rpm -ivh <shorewall rpm>).
bulletEdit the configuration files to match your configuration.
bulletStart the firewall by typing "shorewall start"

To install Shorewall using the tarball and install script:

bulletunpack the tarball
bulletcd to the shorewall directory (the version is encoded in the directory name as in "shorewall-1.1.10").
bulletIf you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
bulletIf you are using SuSe then type "./install.sh /etc/init.d"
bulletIf your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
bulletFor other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory>
bulletEdit the configuration files to match your configuration.
bulletStart the firewall by typing "shorewall start"
bulletIf the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.

If you already have the Shorewall RPM installed and are upgrading to a new version:

bulletUpgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
bulletRestart the firewall (shorewall restart).

If you already have Shorewall installed and are upgrading to a new version using the tarball:

bulletunpack the tarball
bulletcd to the shorewall directory (the version is encoded in the directory name as in "shorewall-3.0.1").
bulletIf you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
bulletIf you are using SuSe then type "./install.sh /etc/init.d"
bulletIf your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
bulletFor other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory>
bulletRestart the firewall by typing "shorewall restart"

Configuration

There are a number of configuration files that need to be edited to configure the firewall.  Details are in the Shorewall Documentation.

If you have a common firewall setup (standalone, masquerading firewall or masquerading firewall with DMZ), you may be able to use one of the parameter-driver sample configurations. Otherwise, you will need to edit the configuration files to match your setup.

bullet/etc/shorewall/shorewall.conf - used to set several firewall parameters.
bullet/etc/shorewall/params - use this file to set shell variables that you will expand in other files.
bullet/etc/shorewall/zones - partition the firewall's view of the world into zones.
bullet/etc/shorewall/policy - establishes firewall high-level policy.
bullet/etc/shorewall/interfaces - describes the interfaces on the firewall system.
bullet/etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks.
bullet/etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) NAT a.k.a. Masquerading.
bullet/etc/shorewall/modules - directs the firewall to load kernel modules.
bullet/etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.
bullet/etc/shorewall/nat - defines static NAT rules.
bullet/etc/shorewall/proxyarp - defines use of Proxy ARP.
bullet/etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping.
bullet/etc/shorewall/tos - defines rules for setting the TOS field in packet headers.
bullet/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on the firewall system.
bullet/etc/shorewall/blacklist - lists blacklisted IP/subnet addresses.

Updated 2/13/2002 - Tom Eastep