Shorewall Download

Finding Updates that Correct Known Problems

2012-11-26

Package Information

Before trying to install, we strongly urge you to read and print a copy of the Shorewall QuickStart Guide for the configuration that most closely matches your own.

The documentation in both XML and HTML formats is available for download from the Download Sites listed in the table below.

NOTICE: There are three current Shorewall Release Series:

The STABLE release series is 4.5. Choose this release if you value stability and good documentation.
The prior STABLE release series is 4.4. We release updates to this series to correct problems but usually don't make enhancements to it.
The Development release is generally a 4.5.x Beta; see the Home Page. Chose this release if you want to help shake out the next Shorewall stable release. The Developement release is found in the 'development/4.5' directory on the download sites.

For additional information, see this article about the Shorewall Release Model.

In Shorewall version 4.5.*, the common Shell libraries have been segregated into a separate Shorewall-core package. With Shorewall 4.5 onward, there are six packages:

Shorewall-core -- Required to install Shorewall, Shorewall6, Shorewall-lite or Shorewall6-lite.
Shorewall -- Together with Shorewall-core, includes everything needed to create an IPv4 firewall.
Shorewall6 -- Requires the Shorewall package and adds the capability to create an IPv6 firewall.
Shorewall-lite -- a light-weight Shorewall version that will run compiled firewall scripts generated on a system with Shorewall installed.
Shorewall6-lite -- a light-weight Shorewall6 version that will run compiled firewall scripts generated on a system with Shorewall6 installed.
Shorewall-init -- an add-on to any of the above packages that allows the firewall state to be altered in reaction to interfaces coming up and going down. Where Upstart is not being used, this package can also be configured to place the firewall in a safe state prior to bringing up the network interfaces.

In Shorewall version 4.4.*, the Shorewall-common, Shorewall-shell and Shorewall-perl packages are discontinued and replaced with a single Shorewall package which combines the functions of Shorewall-common and Shorewall-perl. The shell-based compiler is retired. With Shorewall 4.4, there are five packages:

Shorewall -- Includes everything needed to create an IPv4 firewall.
Shorewall6 -- Requires the Shorewall package and adds the capability to create an IPv6 firewall.
Shorewall-lite -- a light-weight Shorewall version that will run compiled firewall scripts generated on a system with Shorewall installed.
Shorewall6-lite -- a light-weight Shorewall6 version that will run compiled firewall scripts generated on a system with Shorewall6 installed.
Shorewall-init -- an add-on to any of the above packages that allows the firewall state to be altered in reaction to interfaces coming up and going down. Where Upstart is not being used, this package can also be configured to place the firewall in a safe state prior to bringing up the network interfaces.

In Shorewall version 4.2.*, there are six packages:

Shorewall-shell -- the legacy Shorewall configuration compiler written in Bourne Shell. Not recommended for new installations.
Shorewall-perl -- an implementation of the Shorewall configuration compiler written in the Perl programming language. This compiler is much faster than Shorewall-shell and produces a firewall script that runs faster. It is the preferred compiler for new Shorewall installations.
Shorewall-common -- A base package required by both Shorewall-shell and Shorewall-perl.
Shorewall-lite -- a light-weight Shorewall version that will run compiled firewall scripts generated on a system with one of the compiler packages installed.
Shorewall6 -- Provides /sbin/shorewall6 for controlling an IPv6 firewall. Requires Shorewall-common and Shorewall-perl, 4.2.4 or later.
Shorewall6-lite -- a light-weight Shorewall6 version that will run compiled firewall scripts generated on a system with Shorewall6 installed.

To summarize:

If you are installing Shorewall 4.4 or later:
- On at least one system in your network, you must install the Shorewall package. If you need IPv6 firewalls then you must also install the Shorewall6 package.
- If you have a single firewall, then that system should be your firewall system.
- If you have more than one firewall, you may wish to install Shorewall (and possibly Shorewall6) on a single administrative system and install Shorewall-lite and/or Shorewall6-lite on the firewalls. Doing so will allow for centralized administration and configuration of the firewalls.
If you are installing Shorewall 4.2 or earlier:
- On at least one system in your network, you must install one or both of the compilers (Shorewall-shell and/or Shorewall-perl; Shorewall-perl is highly recommended), the Shorewall-common package and possibly the Shorewall6 package.
- If you only have a single firewall, then that system should be your firewall system.
- If you have more than one firewall, you may wish to install one or both of the compilers on a single administrative system and install Shorewall-lite and/or Shorewall6-lite on the firewalls. Doing so will allow for centralized administration and configuration of the firewalls.
- When RPM is used to install Shorewall, the compiler (shorewall-shell and/or shorewall-perl) and shorewall-common must be installed in a single execution of the rpm utility.

Here are the installation instructions.

Distribution-specific Download Sites

Once you've printed the appropriate QuickStart Guide, download the appropriate Packages:

If you want to install using a tarball (no compilation required) or if you want a generic RPM, then use the Standard Sites.
If you run Debian and would like a .deb package, Shorewall is included in the Debian Stable Branch, the Debian Testing Branch and the Debian Unstable Branch.

Additionally, packages for the current Debian stable release are available from the package maintainer's personal page. Those packages are almost always more up-to-date than the ones in the Debian Stable Branch.
Simon Matter provides RPMs tailored for Redhat and Fedora. You can download them from his site.
If you run Ubuntu, Benjamin Montgomery maintains a repository for Hardy Heron and Jaunty Jackalope.
If you run OpenSuSE starting with the 12.1 version of openSUSE shorewall is included in the distro. For the uptodate RPMs of shorewall the following repositories are available:

http://download.opensuse.org/repositories/security:/netfilter/openSUSE_11.4

http://download.opensuse.org/repositories/security:/netfilter/openSUSE_12.1

http://download.opensuse.org/repositories/security:/netfilter/openSUSE_Factory
If you run a SuSE, Linux PPC, Trustix or TurboLinux distribution with a 2.4 or 2.6 kernel, you can use the standard RPM version (note: the RPM should also work with other distributions that store init scripts in /etc/init.d and that include chkconfig or insserv). If you find that it works in other cases, let me know so that I can mention them here (Note: the standard RPM is known to work on Redhat, Fedora and Mandriva with issues ranging from trivial (Redhat and Fedora) to moderate (Mandriva)). See the Installation Instructions if you have problems installing the RPM.
Mandriva users may install Shorewall using the command 'urpmi shorewall' ('urmpi shorewall6, etc.).
Gentoo users can install Shorewall using the command 'emerge shorewall'.

A Shorewall-lite package is available for OpenWRT (Open firmware for Linksys® WRT54G, etc.). You can download it from this site.
jMCg provides a package for Arch Linux. You can download it from the Arch Linux site
If you run LEAF/Bering or one if it's derivatives, you can download a .lrp file from the Leaf site.

From the LEAF Bering-uClibc Team:

We try to provide the latest stable version shortly after release, but we also want to do some internal tests before making it available. So we may be behind sometimes. But better be sure that the new version is running on LEAF, than being too fast...

I know it's not obvious for newbies where to find the lrp on our pages.

Shorewall packages are on the packages page:

http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=13&MMN_position=33:33

They are also available from the Git repository:

http://leaf.git.sourceforge.net/git/gitweb.cgi?p=leaf/packages;a=summary
Shorewall packages for Slackware are available at http://slackbuilds.org/result/?search=shorewall&sv=.
, download the appropriate tarballs (.tgz or tar.bz2) from one of the standard download sites below.

You will probably also want to download the HTML version of the documentation for easy reference.

Standard Download Sites

Use the sites below to download the tarball, the documentation and the standard RPM for (SUSE, Power PPC, Trustix and TurboLinux).

Packages are GPG signed, please verify the integrity of the files using our public key https://lists.shorewall.net/shorewall.gpg.key

Note that each of the tarballs are available in both tgz and tar.bz2 compression format.

SERVER LOCATION	DOMAIN	HTTP	FTP
Seattle, Washington, USA	Shorewall.net	Browse	Browse
Baltimore, Maryland, USA	Shorewall.net	Browse	Browse
Bratislava, Slovakia	Shorewall.net	Browse	Browse
Espoo, Finland	Shorewall.fi	Browse	Browse
Frankfurt/Main, Germany	Shorewall.de	Browse	N/A
Moscow, Russia	Shorewall.ru	Browse	Browse
Norway	Shorewall.no	Browse	Browse
Shoreline, Wa, USA	Shorewall.net	Browse	Browse
Paris, France	Shorewall.net	Browse	Browse
Australia	Shorewall.com.au	Browse	N/A
Montreal, Quebec, Canada	Shorewall.net	Browse	Browse
Chicago, Illinois, USA (Incomplete)	Sourceforge.net	Browse	N/A

Finding Updates that Correct Known Problems

Beginning with Shorewall 4.0.6, updated packages that include fixes to known problems are made available.

Example:

ftp> cd pub/shorewall/4.0/shorewall-4.0.6
250 OK. Current directory is /pub/shorewall/4.0/shorewall-4.0.6
ftp> ls
200 PORT command successful
150 Connecting to port 36018
drwxr-sr-x    4 1006     8            4096 Dec  1 08:16 .
drwxr-sr-x    9 1006     8            4096 Nov 23 08:22 ..
-rw-r--r--    1 1006     8             194 Nov 24 07:38 4.0.6-2.md5sums
-rw-r--r--    1 1006     8             218 Nov 24 07:38 4.0.6-2.sha1sums
-rw-r--r--    1 1006     8             841 Nov 26 13:26 4.0.6.md5sums
-rw-r--r--    1 1006     8             945 Nov 26 13:26 4.0.6.sha1sums
-rw-r--r--    1 1006     8             322 Nov 26 08:35 README.txt
drwxr-xr-x    4 1006     8            4096 Nov 23 08:21 base
-rw-r--r--    1 1006     8            1570 Dec  1 08:16 known_problems.txt
-rw-r--r--    1 1006     8          148363 Nov 23 08:22 patch-4.0.6
-rw-r--r--    1 1006     8            4238 Nov 24 16:49 patch-perl-4.0.6.1
-rw-r--r--    1 1006     8            5249 Nov 29 07:38 patch-perl-4.0.6.2
...

-rw-r--r--    1 1006     8          102295 Nov 24 07:38 shorewall-perl-4.0.6-2.noarch.rpm   <=========
-rw-r--r--    1 1006     8           99884 Nov 24 07:38 shorewall-perl-4.0.6.2.tar.bz2      <=========  
-rw-r--r--    1 1006     8             300 Nov 24 07:38 shorewall-perl-4.0.6.2.tar.bz2.asc  <=========
-rw-r--r--    1 1006     8          124814 Nov 24 07:38 shorewall-perl-4.0.6.2.tgz          <=========
-rw-r--r--    1 1006     8             300 Nov 24 07:38 shorewall-perl-4.0.6.2.tgz.asc      <=========
-rw-r--r--    1 1006     8           59124 Nov 23 08:22 shorewall-shell-4.0.6-0base.noarch.rpm
-rw-r--r--    1 1006     8           76500 Nov 23 08:22 shorewall-shell-4.0.6.tar.bz2
-rw-r--r--    1 1006     8             300 Nov 23 08:22 shorewall-shell-4.0.6.tar.bz2.asc
-rw-r--r--    1 1006     8           95193 Nov 23 08:22 shorewall-shell-4.0.6.tgz
-rw-r--r--    1 1006     8             300 Nov 23 08:22 shorewall-shell-4.0.6.tgz.asc
drwxr-sr-x    2 1006     8            4096 Nov 26 08:33 superseded
226-Options: -a -l 
226 41 matches total
ftp

The lines flagged with <====== show that the Shorewall-perl package has been updated to include two bug fixes (note the "-2" and ".2" in the file names). The base tarballs for the release are found in the base directory. The unified diff files patch-4.0.6.* may be applied sequentially to the base (4.0.6) Shorewall-perl release (from the base directory) to produce 4.0.6.2. The patch- files are for use by distribution maintainers and should be ignored by end users.

The obsoleted 4.0.6 Shorewall-perl packages may be found in the superseded directory. The known_problems.txt file indicates which problems are fixed in each updated package.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.