Tom Eastep | 22 Nov 16:44 2014


Shorewall is available for download.

Problems Corrected:

1)  LOG_BACKEND=LOG failed at run-time for all but the most recent

1)  The generated script can now detect a gateway address assigned by
    later versions of that program (Alan Barrett).

2)  In 4.6.5, the bash-based configure script would issue the following
    diagnostic if SERVICEDIR was not specified in the shorewallrc

      ./configure: line 199: [SERVICEDIR]=: command not found

    This was compounded by the fact that all of the released
    shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR
    (Evangelos Foutras)

3)  The shorewallrc.archlinux file now reflects a change in SBINDIR
    that occurred in Arch Linux in mid 2013 (Evangelos Foutras).

Thank you for using Shorewall,


Philip Le Riche | 18 Nov 10:12 2014

Shorewall not starting on boot - eth0 not up yet

I'm using Shorewall to protect a school network from a classroom network
of Raspberry Pis, which are operated headless from school network PCs using VNC or PuTTy.

All was working fine, starting up successfully on boot until I did the
following:

1)  Installed isc-dhcp-server to serve dhcp to guest Pis
2)  Installed Apache2 and a cgi script to report DHCP leases
3)  Added 8 more fixed IP addresses to the school NIC and 8 more DNAT rules
    (bringing it to 16) mapping them to classroom IP addresses
4)  Installed OpenSSH for firewall maintenance
5)  Added Shorewall ACCEPT rules with destination $FW for the above.

Now Shorewall doesn't start on boot, and neither does sshd, but both
start successfully if you log in and type shorewall start and service
sshd start. (Apache and dhcp-server start up ok.)

The problem seems to be that eth0 is still not up by the time the
Shorewall and sshd init scripts get run. In shorewall-init.log there are
messages "Can't determine the IP address of eth0" and in
/var/log/auth.log there are sshd messages "Cannot bind any address".

Shorewall is running under Linux Mint 16.

It may be arguable whether the Shorewall (and sshd) init scripts are at
fault or whether the fault lies with networking startup, but it must be
an issue other people round here have hit. Is there a recognised fix,
either to delay startup of Shorewall (and sshd), or to ensure networking
runs to completion before dependent init scripts are run? Googling for
the sshd half of the problem only seems to come up with sticking plaster
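
The failure mode above (Shorewall and sshd started before eth0 has an address) is one a pre-start check can guard against. The script below is an added example, not from the post and not part of Shorewall or its init scripts: it polls the interface with the Linux SIOCGIFADDR ioctl until an IPv4 address appears or a timeout expires, and exits non-zero on timeout so whatever init hook invokes it (an Upstart pre-start stanza or a systemd ExecStartPre; neither is shown here) can refuse to start the service instead of failing half-configured. It assumes Linux and takes the interface name as its first argument.

```python
"""Pre-start check: wait until an interface has an IPv4 address.

Added example (not from the list post or from the Shorewall project).
Linux-only: it uses the SIOCGIFADDR ioctl from the standard library, so it
needs no external tools to be on the PATH at boot.
"""
import fcntl
import socket
import struct
import sys
import time

SIOCGIFADDR = 0x8915  # Linux ioctl number: get an interface's IPv4 address


def ipv4_address(ifname):
    """Return the IPv4 address of ifname as a string, or None if the interface
    does not exist yet or has no address (both surface as OSError)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # struct ifreq: 16-byte name followed by the result; 256 bytes is ample.
        req = struct.pack("256s", ifname.encode()[:15])
        res = fcntl.ioctl(s.fileno(), SIOCGIFADDR, req)
    except OSError:
        return None
    finally:
        s.close()
    # sockaddr_in starts at offset 16: family(2) port(2) then the 4 address bytes
    return socket.inet_ntoa(res[20:24])


def wait_for_ipv4(ifname, timeout=60.0, interval=0.5,
                  now=time.monotonic, sleep=time.sleep):
    """Poll until ifname has an IPv4 address or `timeout` seconds elapse.
    Returns the address, or None on timeout. now/sleep are injectable so the
    timeout path can be exercised without really waiting."""
    deadline = now() + timeout
    while True:
        addr = ipv4_address(ifname)
        if addr is not None:
            return addr
        if now() >= deadline:
            return None
        sleep(interval)


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    addr = wait_for_ipv4(iface, timeout=60)
    if addr is None:
        print("%s has no IPv4 address after 60s; not starting" % iface, file=sys.stderr)
        sys.exit(1)
    print("%s is up with %s" % (iface, addr))
```

A bounded wait is deliberate: an unbounded one would hang the boot sequence if the cable is unplugged, whereas a non-zero exit leaves a clear log entry and lets the service be started by hand, as the post describes doing.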

18 Nov 00:09 2014

Re-ordering of UDP packets with QoS


UDP packets are re-ordered when using QoS.  QoS is using HTB although
as far as I understand it, the output of the HTB is given to SFQs and
there a re-ordering can happen.  This messes up multimedia streams.  Is
there a way to configure QoS in Shorewall so that no UDP packet
re-ordering is taking place?

Thank you very much for comments and suggestions.

Tom Eastep | 15 Nov 02:21 2014

Shorewall 4.6.5

The Shorewall team is pleased to announce the availability of Shorewall

Problems Corrected:

1)  This release includes defect repair through release

2)  On kernel 3.17, LOG_BACKEND=LOG previously failed with the

      Setting up log backend
      /var/lib/shorewall/.restart: line 2075: echo: write error:
              No such file or directory
      WARNING: Unable to set log backend to ipt_LOG

3)  A number of corrections have been made to the manpages (Thomas D).

4)  Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init,
    then systemd failed to start/stop Shorewall-init.

New Features:

1)  The configure scripts and installers now support SERVICEDIR as an
    alternative to SYSTEMD. For compatibility, SERVICED is an alias

2)  The installers now offer a choice of .service files, selected by
    the SERVICEFILE option. The default remains $PRODUCT.service. Each
    product supplying a .service file now supplies a .service.214. The
    differences between the standard .service files and the service.214

PGNd | 13 Nov 01:14 2014

diagnosing IPv6 connection loss -- why's this ping6 failing?

I'm starting to troubleshoot loss of tunnelbroker-provided IPv6 on an edge, shorewall6-lite box; need a hand.

On the shorewall machine, @eth0, the external interface,

	ifconfig eth0 | grep "inet6 addr" | grep "Scope:Global"
		inet6 addr: 2001:XXX:XXX4:XXX::2/64 Scope:Global


	shorewall6-lite show routing | egrep "^2001|^default"
		2001:XXX:XXX5:XXX::/64 dev eth1 proto kernel metric 256
		2001:XXX:XXX4:XXX::/64 dev sit1 proto kernel metric 256
		2001:XXX:XXX4:XXX::/64 dev eth0 proto kernel metric 256
		default via 2001:XXX:XXX4:XXX::1 dev sit1 metric 1024

In my shorewall6-lite rules, I have added

	Ping(ACCEPT)   net:[2001:XXX:XXX4:XXX::2]/64,[2001:XXX:XXX5:XXX::]/64   all
	Ping(ACCEPT)   net                                                      all   -   -   -   -   5/sec:100

On the shorewall machine, ping6 to self

	ping6 -c1 2001:XXX:XXX4:XXX::2
		PING 2001:XXX:XXX4:XXX::2(2001:XXX:XXX4:XXX::2) 56 data bytes
		64 bytes from 2001:XXX:XXX4:XXX::2: icmp_seq=1 ttl=64 time=0.157 ms

		--- 2001:XXX:XXX4:XXX::2 ping statistics ---
		1 packets transmitted, 1 received, 0% packet loss, time 0ms
		rtt min/avg/max/mdev = 0.157/0.157/0.157/0.000 ms


Francois Steyn | 4 Nov 12:52 2014

shoregen or something similar to manage multiple firewalls


I've stumbled across shoregen via:

I see last code changes were made in 2009. Is this still the way to go 
or is there a newer version / other tool that does the same?

I had to make a couple of changes in shoregen to work with the newer 
keywords in the config files like "SECTION" / "?FORMAT" / "$FW".

However it doesn't work so well with the sections, one would have to 
merge the sections from the global rules file and a rules.machine 
specific file before writing it to the new rules file.

How are you guys managing multiple similar firewalls on a company level?

Any feedback or advice appreciated!

Kind Regards
Francois Steyn

Joshua J. Kugler | 30 Oct 01:54 2014

Shorewall Traffic Accounting Checkpoints?

Howdy -

We are using shorewall traffic accounting on our border router (home network). 
Works great, and gives us the info we need.  Sometimes, for various reasons, 
our border router experiences a (possibly accidental) reboot, and all our 
accounting information is lost.

Is there a way to do checkpoints (probably hourly would be enough) so if the 
box is rebooted, when it boots up, it will start its counters from where it 
last saved?
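
One way to get the checkpoints asked for above, as an added example that is neither from the post nor a Shorewall feature: keep a JSON ledger of cumulative per-rule totals built from periodic snapshots of `iptables-save -c` (run from cron hourly and once more at shutdown). Because each snapshot is folded into running totals, a reboot loses at most one interval, and a counter that goes backwards is recognised as a reset rather than subtracted. The chain name `accounting` is Shorewall's default accounting chain; the ledger path and the sample snapshots are constructed for the example.

```python
"""Persist Shorewall accounting counters across reboots (added example).

Not from the list post and not part of Shorewall.  The per-rule totals live
in a JSON ledger that is updated from `iptables-save -c` snapshots.
"""
import json
import os
import re
import subprocess

# "[pkts:bytes] -A <chain> <rule spec>" as written by iptables-save -c
COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")

LEDGER_PATH = "/var/lib/shorewall/accounting-ledger.json"  # assumed location


def parse_counters(save_output, chain="accounting"):
    """Map each rule spec in `chain` to [packets, bytes]."""
    counters = {}
    for line in save_output.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m and m.group(3) == chain:
            counters[m.group(4).strip()] = [int(m.group(1)), int(m.group(2))]
    return counters


def update_ledger(ledger, current):
    """Fold a fresh snapshot into the ledger and return it.

    ledger = {"raw": counters seen last time, "total": cumulative counters}.
    A counter that went backwards means the kernel counters were zeroed (a
    reboot, or `shorewall restart`, which rebuilds the chains), so the whole
    current value is new traffic rather than the difference from last time."""
    raw = ledger.setdefault("raw", {})
    total = ledger.setdefault("total", {})
    for rule, (pkts, byts) in current.items():
        prev_p, prev_b = raw.get(rule, [0, 0])
        tot_p, tot_b = total.get(rule, [0, 0])
        if pkts < prev_p or byts < prev_b:
            d_p, d_b = pkts, byts                    # counters were reset
        else:
            d_p, d_b = pkts - prev_p, byts - prev_b  # normal increment
        total[rule] = [tot_p + d_p, tot_b + d_b]
        raw[rule] = [pkts, byts]
    return ledger


def checkpoint(path, save_output, chain="accounting"):
    """Read the ledger at path (if any), fold in save_output, write it back."""
    try:
        with open(path) as f:
            ledger = json.load(f)
    except FileNotFoundError:
        ledger = {}
    update_ledger(ledger, parse_counters(save_output, chain))
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(ledger, f, indent=1)
    os.replace(tmp, path)  # atomic rename: a crash mid-write cannot corrupt the ledger
    return ledger


def current_save_output():
    """Run iptables-save -c (needs root) and return its text."""
    return subprocess.run(["iptables-save", "-c"], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample snapshots: two hourly runs, then one taken after a reboot.
SNAP1 = ("*filter\n:accounting - [0:0]\n"
         "[100:15000] -A accounting -s 192.168.1.0/24 -j RETURN\n"
         "[40:6000] -A accounting -d 192.168.1.0/24 -j RETURN\nCOMMIT\n")
SNAP2 = SNAP1.replace("[100:15000]", "[150:23000]").replace("[40:6000]", "[70:9000]")
SNAP3 = SNAP1.replace("[100:15000]", "[20:3000]").replace("[40:6000]", "[5:800]")

if __name__ == "__main__":
    ledger = checkpoint(LEDGER_PATH, current_save_output())
    for rule, (pkts, byts) in sorted(ledger["total"].items()):
        print("%12d pkts %16d bytes  %s" % (pkts, byts, rule))
```

The totals are keyed by the rule specification text, so renaming or reordering accounting rules starts a new series for the changed rule; that is the intended behaviour, since a different rule counts different traffic.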


PH | 28 Oct 13:17 2014

Problem when using uTorrent



Using:      shorewall-

Incoming port for uTorrent:    53425

uTorrent running on:




ACCEPT                loc:~xx-xx-xx-xx-xx-xx  net                         all                            #

DNAT                    net                                         loc:       tcp          53425

DNAT                    net                                         loc:       udp        53425



I am seeing this in the logs:


Shorewall:loc2fw:REJECT:IN=p3p1 OUT= MAC=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx SRC= DST=’My External IP’ LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9720 PROTO=UDP SPT=53425 DPT=53425 LEN=28

Shorewall:loc2fw:REJECT:IN=p3p1 OUT= MAC=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx SRC= DST=’My External IP’ LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9721 DF PROTO=TCP SPT=55115 DPT=53425 WINDOW=8192 RES=0x00 SYN URGP=0


Have I missed something in configuring Shorewall?
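
The two log lines above are both in the loc2fw chain, that is, a host in the local zone connecting to the firewall's own external address on the forwarded port; the net->loc DNAT rules are never consulted for that traffic, so it lands on the firewall itself and is rejected. The parser below is an added example, not from the post or from Shorewall: it reads Shorewall's log prefix and KEY=VALUE fields and flags exactly that pattern, which is a quick way to confirm the diagnosis from logs before touching the rules. The addresses, MAC and interface in the sample lines are constructed; the chain-name convention (`loc2fw`, or `loc-fw` in newer releases) is assumed.

```python
"""Classify Shorewall log entries and flag local-zone rejects to the external
address on a DNAT'd port.  Added example, not from the post or Shorewall."""
import re

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")


def parse_shorewall_log(line):
    """Return a dict of fields for one log line, or None if it is not a
    Shorewall entry.  Bare tokens without '=' (DF, SYN, ...) go into 'flags'.
    A syslog timestamp or 'kernel:' prefix before the Shorewall: tag is fine."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields["flags"].append(token)
    return fields


def chain_zones(chain):
    """Split a policy chain name such as 'loc2fw' (or 'loc-fw') into
    (source_zone, dest_zone); None for chains that are not zone pairs."""
    sep = "-" if "-" in chain else "2"
    src, found, dst = chain.partition(sep)
    if not found or not src or not dst:
        return None
    return src, dst


def find_hairpin_rejects(lines, external_ip, dnat_ports, local_zone="loc"):
    """Return parsed entries where a local-zone host was rejected or dropped
    on its way to external_ip for a (proto, port) pair that has a DNAT rule.

    Such entries mean the DNAT is only matched for traffic arriving from the
    net zone; clients inside the local zone that use the external address
    need a DNAT rule whose source is the local zone (see the Shorewall FAQ on
    reaching forwarded servers from the local network)."""
    hits = []
    for line in lines:
        entry = parse_shorewall_log(line)
        if entry is None or entry["disposition"] not in ("REJECT", "DROP"):
            continue
        zones = chain_zones(entry["chain"])
        if zones is None or zones[0] != local_zone:
            continue
        if entry.get("DST") != external_ip:
            continue
        try:
            port = int(entry.get("DPT", ""))
        except ValueError:
            continue
        if (entry.get("PROTO"), port) in dnat_ports:
            hits.append(entry)
    return hits


# Constructed sample lines modelled on the post: 192.168.1.20 stands in for
# the uTorrent host and 203.0.113.5 for "My External IP".
SAMPLE_LOG = [
    "Shorewall:loc2fw:REJECT:IN=p3p1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.20 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9720 "
    "PROTO=UDP SPT=53425 DPT=53425 LEN=28",
    "Shorewall:loc2fw:REJECT:IN=p3p1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.20 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9721 DF "
    "PROTO=TCP SPT=55115 DPT=53425 WINDOW=8192 RES=0x00 SYN URGP=0",
    # unrelated: an inbound probe to telnet dropped by the net2fw policy
    "Shorewall:net2fw:DROP:IN=p3p1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=23 SYN URGP=0",
]
EXTERNAL_IP = "203.0.113.5"
DNAT_PORTS = {("TCP", 53425), ("UDP", 53425)}

if __name__ == "__main__":
    for e in find_hairpin_rejects(SAMPLE_LOG, EXTERNAL_IP, DNAT_PORTS):
        print("%s -> %s %s/%s rejected in %s (local client using external address)"
              % (e["SRC"], e["DST"], e["PROTO"], e["DPT"], e["chain"]))
```

Run it over `/var/log/messages` (or wherever LOGFILE points) with the real external address and the DNAT'd ports: if every hit has a SRC inside the LAN, the rules themselves are fine for Internet peers and only the local-zone path needs a rule.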




Pepe Charli | 24 Oct 07:42 2014

Shorewall for openwrt


I think it would be interesting to keep an updated version of Shorewall
in the official repository

Someone with sufficient expertise is encouraged?


James Andrewartha | 24 Oct 04:12 2014

Shorewall-lite/translator for VyOS


This is a bit of a thought experiment, but how hard would it be to build
something similar to Shorewall-lite, but where the remote system is
running VyOS? For those not familiar, VyOS is a Linux-based network
operating system with routing, firewall and VPN functionality. However,
I find its firewalling to be much less straightforward than Shorewall.

So I was wondering if there could be a way to write Shorewall rules, but
have the output be VyOS commands. Shorewall-lite also came to mind, in
that it ships off the configuration to the firewall systems.



James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

Orlandinei Vujanski | 22 Oct 14:13 2014

error - The firewall will not be started / stopped the unless it is configured

People, good morning.
Could you help me? 

I installed Debian Jessie and after configuring shorewall I am getting the error below. 
I no longer know what to do. 

Thank you 

root@EMPVL0114254:/etc/shorewall# systemctl status shorewall.service 
● shorewall.service - LSB: Configure the firewall at boot time 
    Loaded: loaded (/etc/init.d/shorewall) 
    Active: active (exited) since Tue 22/10/2014 10:07:32 EST; 1min 29s ago 

Oct 22 10:07:32 EMPVL0114254 shorewall [10916]: WARNING #### #### 
Oct 22 10:07:32 EMPVL0114254 shorewall [10916]: The firewall will not be started / stopped the unless it is configured 
Oct 22 10:07:32 EMPVL0114254 shorewall [10916]: Please read about Debian specific customization in 
Oct 22 10:07:32 EMPVL0114254 shorewall [10916]: /usr/share/doc/shorewall/README.Debian.gz. 
Oct 22 10:07:32 EMPVL0114254 shorewall [10916]: #################
