If you haven't done so already, please read and print a copy of the Shorewall Documentation.
To install Shorewall using the RPM:
If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 either from the RedHat update site or from the Shorewall Errata page before attempting to start Shorewall.
- Install the RPM (rpm -ivh <shorewall rpm>).
- Edit the configuration files to match your configuration.
- Start the firewall by typing "shorewall start".
To install Shorewall using the tarball and install script:
- Unpack the tarball.
- cd to the shorewall directory (the version is encoded in the directory name, as in "shorewall-1.1.10").
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian, type "./install.sh".
- If you are using SuSE, type "./install.sh /etc/init.d".
- If your distribution has the directory /etc/rc.d/init.d or /etc/init.d, type "./install.sh".
- For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory>".
- Edit the configuration files to match your configuration.
- Start the firewall by typing "shorewall start".
- If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.
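The two checks that the steps above leave to the reader are the iptables version test (RedHat 7.2 ships 1.2.3, and Shorewall needs 1.2.4 or later before it is started) and the choice of init script directory for install.sh. The script below is an added example, not part of the Shorewall distribution or its install.sh: it parses the "iptables vX.Y.Z" output format, compares it against the required 1.2.4, and looks for the two standard init directories. The sample version strings and the optional root prefix are constructed for illustration.

```shell
#!/bin/sh
# Added pre-install check for the Shorewall steps on this page (example code,
# not from the Shorewall project). Assumes "iptables --version" prints
# "iptables vX.Y.Z", as the 1.2.x releases do.

# version_ge HAVE WANT: return 0 when dotted version HAVE >= WANT.
# Missing fields count as 0, so "1.3" compares as 1.3.0.
version_ge() {
    have="$1"; want="$2"
    oldifs="$IFS"; IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    IFS="$oldifs"
    for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Extract the bare version number from the "iptables vX.Y.Z" output line.
iptables_version_from_output() {
    echo "$1" | sed -n 's/^iptables v\([0-9.]*\).*/\1/p'
}

# iptables_ok OUTPUT: return 0 if the reported version satisfies the
# 1.2.4 minimum named on this page, 1 if it is older or unparseable.
iptables_ok() {
    v=$(iptables_version_from_output "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" 1.2.4
}

# init_script_dir [ROOT]: print the first standard init directory that
# exists (the two install.sh looks for), optionally under a test root
# prefix. Returns 1 when neither exists, meaning install.sh needs an
# explicit directory argument.
init_script_dir() {
    root="${1:-}"
    for d in /etc/rc.d/init.d /etc/init.d; do
        if [ -d "$root$d" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Demonstration on constructed version strings (no live iptables needed).
for sample in "iptables v1.2.3" "iptables v1.2.4" "iptables v1.2.10"; do
    if iptables_ok "$sample"; then
        echo "$sample: ok"
    else
        echo "$sample: upgrade to 1.2.4 or later before 'shorewall start'"
    fi
done

if dir=$(init_script_dir); then
    echo "init scripts live in $dir; run ./install.sh with no argument"
else
    echo "no standard init directory; run ./install.sh <init script directory>"
fi
```

On a real system, replace the constructed samples with `iptables_ok "$(/sbin/iptables --version)"`; the root-prefix argument to init_script_dir exists only so the directory probe can be exercised against a scratch tree.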
If you already have the Shorewall RPM installed and are upgrading to a new version:
- Upgrade the RPM (rpm -Uvh <shorewall rpm file>). Note: if you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
- Restart the firewall (shorewall restart).
If you already have Shorewall installed and are upgrading to a new version using the tarball:
- Unpack the tarball.
- cd to the shorewall directory (the version is encoded in the directory name, as in "shorewall-3.0.1").
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian, type "./install.sh".
- If you are using SuSE, type "./install.sh /etc/init.d".
- If your distribution has the directory /etc/rc.d/init.d or /etc/init.d, type "./install.sh".
- For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory>".
- Restart the firewall by typing "shorewall restart".
There are a number of configuration files that need to be edited to configure the firewall. Details are in the Shorewall Documentation.
If you have a common firewall setup (standalone, masquerading firewall, or masquerading firewall with DMZ), you may be able to use one of the parameter-driven sample configurations. Otherwise, you will need to edit the configuration files to match your setup.
- /etc/shorewall/shorewall.conf - used to set several firewall parameters.
- /etc/shorewall/params - use this file to set shell variables that you will expand in other files.
- /etc/shorewall/zones - partitions the firewall's view of the world into zones.
- /etc/shorewall/policy - establishes the firewall's high-level policy.
- /etc/shorewall/interfaces - describes the interfaces on the firewall system.
- /etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks.
- /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) NAT, a.k.a. masquerading.
- /etc/shorewall/modules - directs the firewall to load kernel modules.
- /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.
- /etc/shorewall/nat - defines static NAT rules.
- /etc/shorewall/proxyarp - defines use of Proxy ARP.
- /etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping.
- /etc/shorewall/tos - defines rules for setting the TOS field in packet headers.
- /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on the firewall system.
- /etc/shorewall/blacklist - lists blacklisted IP/subnet addresses.
Updated 2/13/2002 - Tom Eastep