<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall Version 4</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257527"></a>Shorewall Version 4</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2007 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292634"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Install">Installing Shorewall Version 4</a></span></dt><dt><span class="section"><a href="#Prereqs">Prerequisites for using the Shorewall Version 4 Perl-based
    Compiler</a></span></dt><dt><span class="section"><a href="#Incompatibilities">Incompatibilities Introduced in the Shorewall Version 4 Perl-based
    Compiler</a></span></dt><dt><span class="section"><a href="#Compatibility">Package Compatibility Matrix</a></span></dt><dt><span class="section"><a href="#CompilerSelection">Compiler Selection</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall version 4 represents a substantial shift in direction for
    Shorewall. Up to now:</p><div class="itemizedlist"><ul type="disc"><li><p>Shorewall has been written entirely in Bourne Shell.</p></li><li><p>Shorewall has run the <span class="command"><strong>iptables</strong></span> utility to add
        each Netfilter rule.</p></li></ul></div><p>Shorewall version 4 offers you a choice. You can continue to use the
    existing shell-based implementation or you can use a new implementation of
    the Shorewall compiler written in the Perl programming language. The new
    compiler:</p><div class="itemizedlist"><ul type="disc"><li><p>has a small disk footprint.</p></li><li><p>is very fast.</p></li><li><p>generates a firewall script that uses
        <span class="command"><strong>iptables-restore</strong></span>; so the script is very
        fast.</p></li><li><p>generates better and more consistent error messages.</p></li><li><p>does a much more thorough job of checking the configuration to
        avoid run-time errors.</p></li></ul></div><p>Both compilers may be installed on your system and you can use
    whichever one suits you in a particular case.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Install"></a>Installing Shorewall Version 4</h2></div></div></div><p>Shorewall 4 contains four packages:</p><div class="itemizedlist"><ul type="disc"><li><p>Shorewall-shell - the old shell-based compiler and related
        components.</p></li><li><p>Shorewall-perl - the new Perl-based compiler.</p></li><li><p>Shorewall-common - the part of Shorewall common to both
        compilers.</p></li><li><p>Shorewall-lite - same as the 3.4 version of Shorewall Lite. Can
        run scripts generated by either Shorewall-perl or
        Shorewall-shell.</p></li></ul></div><p>If you upgrade to Shorewall Version 4, you must install
    Shorewall-shell and/or Shorewall-perl; in fact, if you are using the
    tarball for your installation, you must install Shorewall-shell and/or
    Shorewall-perl <span class="bold"><strong>before</strong></span> you upgrade
    Shorewall. See the <a class="ulink" href="upgrade_issues.htm" target="_self">upgrade issues</a>
    for details.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Prereqs"></a>Prerequisites for using the Shorewall Version 4 Perl-based
    Compiler</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Perl (I use Perl 5.8.8 but other 5.8 versions should work
        fine)</p></li><li><p>Perl Cwd Module</p></li><li><p>Perl File::Basename Module</p></li><li><p>Perl File::Temp Module</p></li><li><p>Perl Getopt::Long Module</p></li><li><p>Perl Carp Module</p></li><li><p>Perl FindBin Module (Shorewall 4.0.3 and later)</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Incompatibilities"></a>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
    Compiler</h2></div></div></div><p>The Shorewall-perl compiler is not 100% compatible with the
    Shorewall-shell version. See <a class="ulink" href="Shorewall-perl.html" target="_self">this
    document</a> for details.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Compatibility"></a>Package Compatibility Matrix</h2></div></div></div><p>The following table indicates which versions of the compilers are
    supported by each version of Shorewall-common.</p><div class="informaltable"><table border="1"><colgroup><col /><col /><col /></colgroup><tbody><tr><td align="center"><span class="bold"><strong>Package</strong></span></td><td colspan="2" align="center" valign="middle"><span class="bold"><strong>Compatible
            With</strong></span></td></tr><tr><td>Shorewall-common 4.0.0-RC1</td><td>Shorewall-shell 4.0.0-RC1</td><td>Shorewall-perl 4.0.0-RC1</td></tr><tr><td rowspan="2" valign="middle">Shorewall-common
            4.0.0-RC2</td><td>Shorewall-shell 4.0.0-RC1</td><td>Shorewall-perl 4.0.0-RC1</td></tr><tr><td>Shorewall-shell 4.0.0-RC2</td><td>Shorewall-perl 4.0.0-RC2</td></tr><tr><td valign="middle">Shorewall-common 4.0.0</td><td>Shorewall-shell 4.0.0 - 4.0.3</td><td>Shorewall-perl 4.0.0 - 4.0.2</td></tr><tr><td valign="middle">Shorewall-common 4.0.1</td><td>Shorewall-shell 4.0.0 - 4.0.3</td><td>Shorewall-perl 4.0.0 - 4.0.1</td></tr><tr><td valign="middle">Shorewall-common 4.0.2<sup>[<a id="id257571" href="#ftn.id257571" class="footnote">a</a>]</sup></td><td>Shorewall-shell 4.0.0 - 4.0.3</td><td>Shorewall-perl 4.0.0 - 4.0.2</td></tr><tr><td valign="middle">Shorewall-common 4.0.3</td><td>Shorewall-shell 4.0.0 - 4.0.3</td><td>Shorewall-perl 4.0.0 - 4.0.3<sup>[<a id="id257601" href="#ftn.id257601" class="footnote">b</a>]</sup></td></tr><tr><td valign="middle">Shorewall-common 4.0.4</td><td>Shorewall-shell 4.0.0 - 4.0.4</td><td>Shorewall-perl 4.0.0 - 4.0.4<sup>[<a id="id257624" href="#ftn.id257624" class="footnote">c</a>]</sup></td></tr><tr><td valign="middle">Shorewall-common 4.0.5</td><td>Shorewall-shell 4.0.5</td><td>Shorewall-perl 4.0.5<sup>[<a id="id257647" href="#ftn.id257647" class="footnote">d</a>]</sup></td></tr><tr><td valign="middle">Shorewall-common 4.0.6</td><td>Shorewall-shell 4.0.5 - 4.0.6</td><td>Shorewall-perl 4.0.5 - 4.0.6<sup>[<a id="id257670" href="#ftn.id257670" class="footnote">e</a>]</sup></td></tr><tr><td valign="middle">Shorewall-common 4.0.7</td><td>Shorewall-shell 4.0.5 - 4.0.9</td><td>Shorewall-perl 4.0.5 - 4.0.9<sup>[<a id="id301960" href="#ftn.id301960" class="footnote">f</a>]</sup></td></tr><tr><td valign="middle">Shorewall-common 4.0.8</td><td>Shorewall-shell 4.0.5 - 4.0.9</td><td>Shorewall-perl 4.0.5 - 4.0.9<sup>[<a id="id301981" href="#ftn.id301981" class="footnote">g</a>]</sup></td></tr><tr><td valign="middle">Shorewall-common 4.0.9-4.0.14</td><td>Shorewall-shell 4.0.5 - 4.0.14</td><td>Shorewall-perl 4.0.5 - 4.0.14<sup>[<a 
id="id302002" href="#ftn.id302002" class="footnote">h</a>]</sup></td></tr><tr><td valign="middle">Shorewall-common 4.2.0</td><td>Shorewall-shell 4.2.0 </td><td>Shorewall-perl 4.2.0</td></tr><tr><td valign="middle">Shorewall-common 4.2.1</td><td>Shorewall-shell 4.2.1</td><td>Shorewall-perl 4.2.1</td></tr><tr><td valign="middle">Shorewall-common 4.2.2</td><td>Shorewall-shell 4.2.2</td><td>Shorewall-perl 4.2.2</td></tr></tbody><tbody class="footnotes"><tr><td colspan="3"><div class="footnote"><p><sup>[<a id="ftn.id257571" href="#id257571" class="para">a</a>] </sup>Shorewall-common/lib.base should have
                patch-common-4.0.2-1.diff applied.</p></div><div class="footnote"><p><sup>[<a id="ftn.id257601" href="#id257601" class="para">b</a>] </sup>Shorewall-perl 4.0.3 requires Shorewall-common 4.0.3 if
                capabilities files are to be used. Shorewall-perl 4.0.3 also
                requires Shorewall-lite 4.0.3.</p></div><div class="footnote"><p><sup>[<a id="ftn.id257624" href="#id257624" class="para">c</a>] </sup>Shorewall-perl 4.0.4 requires Shorewall-common 4.0.3 or
                later if capabilities files are to be used. Shorewall-perl
                4.0.4 also requires Shorewall-lite 4.0.3 or later.</p></div><div class="footnote"><p><sup>[<a id="ftn.id257647" href="#id257647" class="para">d</a>] </sup>Shorewall-perl 4.0.5 also requires Shorewall-lite
                4.0.5.</p></div><div class="footnote"><p><sup>[<a id="ftn.id257670" href="#id257670" class="para">e</a>] </sup>Shorewall-perl 4.0.6 also requires Shorewall-lite
                4.0.6.</p></div><div class="footnote"><p><sup>[<a id="ftn.id301960" href="#id301960" class="para">f</a>] </sup>Shorewall-perl 4.0.6 and later require Shorewall-lite
                4.0.6 or later.</p></div><div class="footnote"><p><sup>[<a id="ftn.id301981" href="#id301981" class="para">g</a>] </sup>Shorewall-perl 4.0.6 and later require Shorewall-lite
                4.0.6 or later.</p></div><div class="footnote"><p><sup>[<a id="ftn.id302002" href="#id302002" class="para">h</a>] </sup>Shorewall-perl 4.0.6 and later require Shorewall-lite
                4.0.6 or later.</p></div></td></tr></tbody></table></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="CompilerSelection"></a>Compiler Selection</h2></div></div></div><p>If you only install one compiler, then that compiler will be
    used.</p><p>If you install both compilers, then the compiler actually used
    depends on the SHOREWALL_COMPILER setting in
    <code class="filename">shorewall.conf</code>.</p><p>The value of this new option can be either 'perl' or 'shell'.</p><p>If you add 'SHOREWALL_COMPILER=perl' to
    <code class="filename">/etc/shorewall/shorewall.conf</code> then by default, the
    new compiler will be used on the system. If you add it to
    <code class="filename">shorewall.conf</code> in a separate directory (such as a
    Shorewall-lite export directory) then the new compiler will only be used
    when you compile from that directory.</p><p>If you only install one compiler, it is suggested that you do not
    set SHOREWALL_COMPILER.</p><p>You can select the compiler to use on the command line using the '-C'
    option:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>'-C shell' means use the shell compiler</td></tr><tr><td>'-C perl' means use the perl compiler</td></tr></table><p>The -C option overrides the setting in
    shorewall.conf.</p><p>Example:</p><pre class="programlisting"><span class="command"><strong>shorewall restart -C perl</strong></span></pre><p>When the Shorewall-perl compiler has been selected, the
    <code class="filename">params</code> file is processed using the
    <code class="option">-a</code> option which causes all variables set within the file
    to be exported automatically by the shell. The Shorewall-perl compiler
    uses the current environment variables to perform variable expansion
    within the other Shorewall configuration files.</p></div></div></body></html>
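
The auto-export behaviour described in the last paragraph, shown as an added example that is not part of the Shorewall documentation or code. An awk child process stands in for the Shorewall-perl compiler, and the params file, the variable names and the interfaces-style line are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration: constructed params file and config line, not Shorewall code.

# Stand-in for the compiler: a child process that expands $NAME tokens using
# only its own environment (awk's ENVIRON), never the parent's shell variables.
expand_from_env() {
    awk '{
        out = ""
        while (match($0, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr($0, RSTART + 1, RLENGTH - 1)
            val = (name in ENVIRON) ? ENVIRON[name] : "<undefined:" name ">"
            out = out substr($0, 1, RSTART - 1) val
            $0 = substr($0, RSTART + RLENGTH)
        }
        print out $0
    }'
}

# compile_line PARAMS MODE LINE
#   MODE=auto  : source PARAMS under `set -a` (the behaviour the page describes)
#   MODE=plain : source PARAMS without auto-export, for contrast
compile_line() {
    (
        unset NET_IF NET_OPTIONS          # start from a clean slate
        if [ "$2" = auto ]; then
            set -a; . "$1"; set +a        # every assignment is exported
        else
            . "$1"                        # assignments stay shell-local
        fi
        printf '%s\n' "$3" | expand_from_env
    )
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed params file: plain assignments, no `export` keyword.
    cat > "$dir/params" <<'EOF'
NET_IF=eth0
NET_OPTIONS=dhcp,norfc1918
EOF
    line='net $NET_IF detect $NET_OPTIONS'   # constructed interfaces-style entry
    echo "auto : $(compile_line "$dir/params" auto "$line")"
    echo "plain: $(compile_line "$dir/params" plain "$line")"
    rm -rf "$dir"
}

demo
```

While `-a` is in effect, every variable assigned in the params file is inherited by any process started afterwards, not only by the compiler.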