Install using RPM
Install
using tarball
Upgrade using RPM
Upgrade
using tarball
Configuring Shorewall
Uninstall/Fallback
To install Shorewall using the RPM:
If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 either from the RedHat update site or from the Shorewall Errata page before attempting to start Shorewall.
![]() | Install the RPM (rpm -ivh <shorewall rpm>). |
![]() | Edit the configuration files to match your configuration. WARNING - YOU CAN NOT SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY. |
![]() | Start the firewall by typing "shorewall start" |
To install Shorewall using the tarball and install script:
![]() | unpack the tarball |
![]() | cd to the shorewall directory (the version is encoded in the directory name as in "shorewall-1.1.10"). |
![]() | If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh" |
![]() | If you are using SuSe then type "./install.sh /etc/init.d" |
![]() | If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh" |
![]() | For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory> |
![]() | Edit the configuration files to match your configuration. |
![]() | Start the firewall by typing "shorewall start" |
![]() | If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions. |
If you already have the Shorewall RPM installed and are upgrading to a new version:
![]() | Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). |
![]() | Restart the firewall (shorewall restart). |
If you already have Shorewall installed and are upgrading to a new version using the tarball:
![]() | unpack the tarball |
![]() | cd to the shorewall directory (the version is encoded in the directory name as in "shorewall-3.0.1"). |
![]() | If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh" |
![]() | If you are using SuSe then type "./install.sh /etc/init.d" |
![]() | If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh" |
![]() | For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory> |
![]() | Restart the firewall by typing "shorewall restart" |
You will need to edit some or all of these configuration files to match your setup. In most cases, the Shorewall QuickStart Guide contains all of the information you will need to get your first firewall up and running. For advanced configuration topics, see the Shorewall Documentation.
![]() | /etc/shorewall/shorewall.conf - used to set several firewall parameters. |
![]() | /etc/shorewall/params - use this file to set shell variables that you will expand in other files. |
![]() | /etc/shorewall/zones - partition the firewall's view of the world into zones. |
![]() | /etc/shorewall/policy - establishes firewall high-level policy. |
![]() | /etc/shorewall/interfaces - describes the interfaces on the firewall system. |
![]() | /etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks. |
![]() | /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) NAT a.k.a. Masquerading. |
![]() | /etc/shorewall/modules - directs the firewall to load kernel modules. |
![]() | /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy. |
![]() | /etc/shorewall/nat - defines static NAT rules. |
![]() | /etc/shorewall/proxyarp - defines use of Proxy ARP. |
![]() | /etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping. |
![]() | /etc/shorewall/tos - defines rules for setting the TOS field in packet headers. |
![]() | /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on the firewall system. |
![]() | /etc/shorewall/blacklist - lists blacklisted IP/subnet addresses. |
Updated 4/20/2002 - Tom Eastep