Tom Eastep | 7 Jul 22:59 2015

Shorewall 4.6.11

Shorewall 4.6.11 is now available for download.

Problems Corrected:

1.  This release includes defect repair up to and including Shorewall

2.  Previously, when the -c option was given to the 'compile' command,
    the progress message "Compiling..." was issued before it was
    determined if compilation was necessary.  Now, that message is
    suppressed when re-compilation is not required.

3.  Previously, when the -c option was given to the 'compile' command,
    the 'postcompile' extension script was executed even when there was
    no (re-)compilation. Now, the 'postcompile' script is only invoked
    when a new script is generated.

4.  If CONFDIR was other than /etc, then ordinary users would not 
    receive a clear error message when they attempted to execute one of
    the commands that change the firewall state.

5.  Previously, IPv4 DHCP client broadcasts were blocked by the
    'rpfilter' interface option. That has been corrected.

6.  The 'update' command incorrectly added the INLINE_MATCHES option
    to shorewall6.conf with a default value of 'Yes'. This caused
    'start' to fail with invalid ip6tables rules when the alternate
    input format using ';' is used.

    Note: This last issue is not documented in the release notes included
(Continue reading)

Cyril Lashkevich | 2 Jul 22:38 2015

Problem with DHCP when rpfilter is enabled


I have a DHCP server running on the firewall. But DHCP requests are
dropped by rpfilter, when this option is enabled for loc interface:

net     enp5s0          rpfilter,dhcp,nosmurfs,logmartians,sourceroute=0
loc     enp6s0          rpfilter,dhcp,nosmurfs,logmartians

Jul 02 23:21:03 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT=
MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=
DST= LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=51364
Jul 02 23:21:07 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT=
MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=
DST= LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=58639
Jul 02 23:21:15 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT=
MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=
DST= LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=59979

DHCP works as expected without rpfilter option for the loc interface.

Is it possible to use rpfilter on interfaces on which a DHCP server is listening?
`shorewall dump` is attached.

(Continue reading)
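The drops above are logged from Shorewall's 'rplog' chain, so they are reverse-path-filter drops: a DHCP client's DISCOVER/REQUEST is a broadcast from 0.0.0.0 to 255.255.255.255, and 0.0.0.0 has no route back through the receiving interface, which is exactly what rpfilter checks for (the 4.6.11 release notes above record this as a Shorewall defect). The following is an added example, not code from the post or from Shorewall: it parses the "Shorewall:<chain>:<disposition>:key=value ..." kernel log format into fields, counts entries per chain and disposition, and reports interfaces on which rpfilter is dropping DHCP client broadcasts. The sample lines are constructed in the layout of the post's entries; the post's own copies have SRC= and DST= stripped, so the addresses, MACs and the third (net2fw) line are made up here.

```python
import re
from collections import Counter

# Constructed sample, modelled on the 'rplog' lines in the post above. The first
# two carry the values a DHCP client broadcast actually has (0.0.0.0 ->
# 255.255.255.255, UDP 68 -> 67); the MAC, ID and the third line are made up.
SAMPLE_LOG = """\
Jul 02 23:21:03 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=51364 PROTO=UDP SPT=68 DPT=67 LEN=355
Jul 02 23:21:07 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=58639 PROTO=UDP SPT=68 DPT=67 LEN=355
Jul 02 23:21:20 Sardegna kernel: Shorewall:net2fw:DROP:IN=enp5s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40212 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Shorewall's LOG prefix is "Shorewall:<chain>:<disposition>:", followed by the
# kernel's key=value fields; bare tokens such as DF or SYN are flags.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")


def parse_line(line):
    """Return {'chain', 'disposition', 'fields', 'flags'}, or None for a non-Shorewall line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)  # LEN appears twice (IP, then UDP); keep the IP one
        else:
            flags.append(tok)
    return {"chain": m.group("chain"), "disposition": m.group("disposition"),
            "fields": fields, "flags": flags}


def is_dhcp_client_broadcast(rec):
    """True for a DHCP client -> server broadcast, the packet a reverse-path check
    cannot pass because 0.0.0.0 has no route back through the receiving interface."""
    f = rec["fields"]
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "68" and f.get("DPT") == "67"
            and f.get("SRC") == "0.0.0.0" and f.get("DST") == "255.255.255.255")


def summarize(log_text):
    """Count (chain, disposition) pairs and list the interfaces on which the
    rpfilter chain dropped DHCP client broadcasts (one entry per dropped packet)."""
    counts = Counter()
    dhcp_rp_drops = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["chain"], rec["disposition"])] += 1
        if rec["chain"] == "rplog" and rec["disposition"] == "DROP" and is_dhcp_client_broadcast(rec):
            dhcp_rp_drops.append(rec["fields"]["IN"])
    return counts, dhcp_rp_drops


if __name__ == "__main__":
    counts, drops = summarize(SAMPLE_LOG)
    for (chain, disposition), n in sorted(counts.items()):
        print(f"{chain}:{disposition} {n}")
    for iface in sorted(set(drops)):
        print(f"rpfilter is dropping DHCP client broadcasts on {iface}")
```

Run against a real journal extract (`journalctl -k | grep Shorewall:`), a non-empty interface list from `summarize()` tells you the rpfilter option on that interface is what is blocking DHCP service there, without having to read each entry by hand.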

Eddie | 1 Jul 18:57 2015

Error running shorewall in an OpenVPN --up script


I'm trying to run shorewall inside an OpenVPN --up script to account for 
the just created tun interface.  This is failing with the following, 
from the OpenVPN log:

Wed Jul  1 09:29:07 2015 /etc/openvpn/ tun1 1500 1546 init
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Can't exec "lsmod": No such file or directory at 
/usr/share/perl5/vendor_perl/Shorewall/ line 3823.
    ERROR: Can't run lsmod /usr/share/shorewall/modules (line 1)
Wed Jul  1 09:29:07 2015 WARNING: Failed running command (--up/--down): 
external program exited with error status: 2

The equivalent shorewall log has:

Jul  1  9:29:07 Processing /etc/shorewall/params ...
Jul  1  9:29:07 Processing /etc/shorewall/shorewall.conf...
Jul  1  9:29:07 Loading Modules...
Jul  1 09:29:07    ERROR: Can't run lsmod /usr/share/shorewall/modules 
(line 1)

And this is the script:


(Continue reading)

PGNd | 17 Jun 16:57 2015

multiisp providers' routing tables vanish after pkg-manager version upgrade?

I finally found an intermittent 'culprit' that's been causing some grief -- the process of pkg-upgrading
shorewall* in a MultiISP setup.

With any given version of Shorewall

  shorewall6-lite v4.6.9
  shorewall-core  v4.6.9
  shorewall-init  v4.6.9
  shorewall-lite  v4.6.9

installed on Opensuse 13.2,

on a multiISP install, before an upgrade, a running shorewall returns routing

	shorewall-lite show routing
		Routing Rules

		Table default:

		Table local:

		Table main:

		Table Prov1: <============

(Continue reading)

Иван Иванов | 17 Jun 06:44 2015

IPSec/L2TP client troubleshooting


I have a remote server (Ubuntu 14.04, Shorewall 4.5.21) with one physical interface, eth0. This server is an IPSec/L2TP client.
L2TP tunnel interface:
ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1410 qdisc pfifo_fast state UNKNOWN group default qlen 3
    inet peer scope global ppp0
       valid_lft forever preferred_lft forever

Shorewall config.
-       lo              ignore
net     eth0            dhcp,physical=+,routeback,optional,routefilter
l2tp    ppp0

fw              firewall
net             ipv4
vpn             ipsec
l2tp            ipv4

ipsec                   net     xx.xx.xx.xx                    vpn

vpn     eth0:

$FW     all     ACCEPT
vpn     net     NONE
net     vpn     NONE
l2tp    all     ACCEPT
net     all     DROP            info
all     all     REJECT          info

When the l2tp tunnel is up, traffic through ppp0 counts as net2fw.
Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63204 DF PROTO=TCP SPT=57205 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49828 DF PROTO=TCP SPT=57207 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0

I wonder what I missed? Why does ppp0 traffic not belong to the l2tp zone (IN=ppp0, but net2fw chain)?

Brian J. Murrell | 16 Jun 23:20 2015

shorewall6 ULAs and multi-isp

So, I've been chasing an issue with IPv6 ULAs and preventing attempts to
connect to them across the border router.  The scenario is the unwitting
admin that accidentally puts his Internet machine's ULA address into the
global DNS.

Yes, left to their own devices, these connection attempts will timeout
but that's such a nasty failure scenario when those attempts can be
stopped immediately by your border router with an ENETUNREACH.

On OpenWRT (where I am running Shorewall6-lite), this ULA
destination prevention is accomplished with Source-Destination routes
for the global addresses in the LAN.  i.e.:

default from 2001:470:aa:ccc::/64 dev 6in4-henet  proto static  metric 1024 
default from 2001:470:ab:ccc::/64 dev 6in4-henet  proto static  metric 1024 
default from 2002:aaaa:bbbb::/48 via :: dev 6to4-foo  proto static  metric 1024 
default from 2002::/16 via :: dev 6to4-foo  proto static  metric 1024 

But Shorewall6-{lite-,} is adding a non-source-address restricted route:

default via 2001:470:aa:ccc::1 dev 6in4-henet  metric 1024 

when it sets up a (fallback, not balanced) Multi-ISP configuration.
This is of course defeating the prevention (or quick refusal at least)
of connections to ULA addresses outside of one's site.

I wonder what the community's thoughts about this are.
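
The mechanism Brian relies on can be checked offline. A host that holds both a ULA and a global address normally selects the ULA as source when it talks to a ULA destination (RFC 6724 source address selection), so the packet reaching the border router has a ULA source; none of the source-restricted defaults cover that source, the lookup finds nothing, and the sender gets ENETUNREACH. An unrestricted default route matches any source and undoes that. The following is an added example, not code from the post or from Shorewall: it parses `ip -6 route` lines in the layout shown above into route records, lists default routes that carry no `from` restriction, and runs a simplified route lookup (longest destination prefix among routes whose `from` covers the source, lowest metric on ties; it ignores policy rules and the kernel's finer ordering) for a constructed ULA-to-ULA flow, with and without the unrestricted default. The route lines are taken from the post; the ULA addresses are made up.

```python
import ipaddress

# Constructed route table in the layout of the 'ip -6 route' lines in the post:
# the four source-restricted defaults Brian shows, plus the unrestricted default
# he reports Shorewall6 adding for the fallback provider.
SOURCE_RESTRICTED = """\
default from 2001:470:aa:ccc::/64 dev 6in4-henet  proto static  metric 1024
default from 2001:470:ab:ccc::/64 dev 6in4-henet  proto static  metric 1024
default from 2002:aaaa:bbbb::/48 via :: dev 6to4-foo  proto static  metric 1024
default from 2002::/16 via :: dev 6to4-foo  proto static  metric 1024
"""
UNRESTRICTED_DEFAULT = "default via 2001:470:aa:ccc::1 dev 6in4-henet  metric 1024\n"

ULA = ipaddress.ip_network("fc00::/7")
KEYS = ("from", "via", "dev", "proto", "metric")  # keys that take a value in 'ip route' output


def parse_routes(text):
    """Parse 'ip -6 route' lines into dicts; 'dst' and 'from' become ip_network objects."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = "::/0" if toks[0] == "default" else toks[0]
        route = {"dst": ipaddress.ip_network(dst), "from": None, "via": None,
                 "dev": None, "proto": None, "metric": 0}
        i = 1
        while i < len(toks):
            key = toks[i]
            if key in KEYS and i + 1 < len(toks):
                value = toks[i + 1]
                if key == "from":
                    route["from"] = ipaddress.ip_network(value)
                elif key == "metric":
                    route["metric"] = int(value)
                else:
                    route[key] = value
                i += 2
            else:
                i += 1  # bare flag such as 'linkdown'; skip it
        routes.append(route)
    return routes


def unrestricted_defaults(routes):
    """Default routes with no 'from' restriction: they match packets from any source,
    ULA sources included, which is what defeats the quick refusal."""
    return [r for r in routes if r["dst"].prefixlen == 0 and r["from"] is None]


def lookup(routes, src, dst):
    """Simplified Linux route selection. Returns the chosen route, or None when no
    route applies (the kernel then answers the sender with ENETUNREACH)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cands = [r for r in routes
             if dst in r["dst"] and (r["from"] is None or src in r["from"])]
    if not cands:
        return None
    return max(cands, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def egress_for_ula_flow(routes, src, dst):
    """Interface a ULA-sourced packet to an off-site ULA destination would leave on,
    or None when the border router refuses it. Both addresses must be ULAs."""
    if ipaddress.ip_address(src) not in ULA or ipaddress.ip_address(dst) not in ULA:
        raise ValueError("both addresses must be ULAs")
    route = lookup(routes, src, dst)
    return None if route is None else route["dev"]


if __name__ == "__main__":
    ula_src, ula_dst = "fd12:3456:789a::10", "fd99:aaaa:bbbb::1"  # constructed ULAs
    before = parse_routes(SOURCE_RESTRICTED)
    after = parse_routes(SOURCE_RESTRICTED + UNRESTRICTED_DEFAULT)
    print("source-restricted only:", egress_for_ula_flow(before, ula_src, ula_dst))
    print("with unrestricted default:", egress_for_ula_flow(after, ula_src, ula_dst))
    for r in unrestricted_defaults(after):
        print("unrestricted default via", r["via"], "dev", r["dev"])
```

Feeding the output of `ip -6 route show table main` (and the provider tables Shorewall6 creates) to `unrestricted_defaults()` is a quick way to see whether any table has acquired a default route that a ULA-sourced packet can match.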


Rob Ogle | 16 Jun 21:28 2015

masq causing issues with voip

Unable to make voip calls using Shoretel phone system when separated by LEAF firewall (uClibc- running Shorewall.

Phone on network cannot call phone on network, and vice versa.


Calls can only be made if the masq file is misconfigured.

Example: Browsing, pinging, email works- voip does not.

     Masq on eth0 is

Example: VOIP works- Browsing, pinging, email do not.

     Masq on eth0 is

Have already referenced Shorewall FAQ #77.


For some reason, the commands do not work.

rmmod nf_nat_sip

rmmod: can't unload 'nf_nat_sip': unknown symbol in module, or unknown parameter


Adding the lines to the don’t load section results in this message when restarting shorewall.

/sbin/shorewall: /etc/shorewall/shorewall.conf: line 151: nf_conntrack_sip: not found

/sbin/shorewall: /etc/shorewall/shorewall.conf: line 151: nf_conntrack_sip: not found


However, when doing an lsmod, it shows

“nf_conntrack_sip 17949 2 - Live 0xf89c8000”


What is my next step to resolution?


Tom Eastep | 11 Jun 00:07 2015


Shorewall is now available for download.

Problems Corrected:

1)  Indentation is now consistent in lib.core (Tuomo Soini).

2)  The first problem corrected in 4.6.10 below was incomplete. It is
    now complete (Tuomo Soini).

3)  Similarly, the second fix was also incomplete and is now completed
    (Tuomo Soini).

Thanks go to Tuomo Soini for providing these fixes.



Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car \________________________________________________

Alex Regan | 6 Jun 22:03 2015

Shorewall web-based management?


I have a shorewall-4.5.21 firewall configured on fedora20 that's become 
difficult to manage from the command-line due to the number of rules.

I'm looking for something to make it a bit easier to manage, as well as 
be able to more easily view the logs.

Does a web-based management front-end exist?

I could find nothing current or sophisticated in my searches.

Thanks for any ideas.

Chop Wow | 4 Jun 22:11 2015

VPN on Shorewall system - multiple possible?

Hi All,

I have Libreswan/Xl2tpd IPSec/L2TP VPN running on the firewall appliance.
As such I have the zones/interfaces/tunnel (see below) and standard rules associated with the VPN.

A user in the admx zone has acquired a hardware stack that requires IPSEC/L2tp connection to connect to it.  It has its own VPN/router. 

Can I define a second passthrough IPSEC tunnel to the user hardware and not affect my existing VPN on the Shorewall appliance? 



Shorewall version:

net     eth0            dhcp,tcpflags,nosmurfs,routefilter,sourceroute=0,blacklist
loc     eth1            tcpflags,nosmurfs,routefilter
l2tp    ppp+
cpp     eth2            tcpflags,nosmurfs
dc1     eth3            tcpflags,nosmurfs
admx    eth4            tcpflags,nosmurfs
ovpn    tun+

fw      firewall
net     ipv4
vpn     ipsec
l2tp    ipv4
loc     ipv4
cpp     ipv4
dc1     ipv4
admx    ipv4
ovpn    ipv4

ipsec         net           vpn
openvpnserver:tcp:443   net

Jean-Marc Liotier | 4 Jun 16:38 2015

6in4 tc nesting ?

Greetings, fellow Shorewall users ! After years of scripting ipfwadm, 
ipchains and iptables, I stumbled upon Shorewall and finally found a 
higher level tool to my liking... I now manage configurations more 
complicated than anything I could hope to keep control of with my own 
scripts - and I haven't looked back since then... So, for my first 
message here I'll start with a big thank you to the developers !

Now, I wish to take advantage of Shorewall's Traffic Control abilities 
to achieve something approaching what my old modified Wondershaper used 
to do... But meanwhile, IPv6 has become a large part of my traffic - so 
I have read the documentation and I think I mostly understand the simple 
configuration variant of shorewall & shorewall6 tc, except for one 
important detail: how these two interact... Hence my question:

The upstream interface for IPv4 is Ethernet, but the IPv6 one is a 6in4 
tunnel built over the IPv4 interface. How is Shorewall aware that the 
in-bandwidth of the IPv6 tunnel can't be defined because it is actually 
nested in the total in-bandwidth of the IPv4 interface ? The 'Combined 
IPv4/IPv6 Simple TC Configuration' seems to suppose that both IPv4 and 
IPv6 share a single physical interface. Is the definition of a 6in4 
tunnel in /etc/shorewall/tunnels with an IPv4 gateway what tells 
Shorewall that IPv4 bears IPv6 ? So is one supposed to eschew declaring 
the IPv6 interface in /etc/shorewall/tcdevices ? But then how is one 
supposed to express /etc/shorewall/tcclasses ? Only for the physical 
interface ?

If this scenario is not covered by Shorewall's current functionality, I 
have thought about a workaround: inserting a two-interface router 
between my main (eight-interface) router and the outside. That way, the 
6in4 tunnel would terminate on the two-interface router so that on the 
main router I would be able to configure the same outside Ethernet port 
for both IPv4 and IPv6 - and therefore fall back into Shorewall's well
documented IPv4/IPv6 tc use-case.

What do you people think ?