Shoreline Firewall Changelog

New in version

February 7th, 2015
  • The compiler failed to parse the construct +[n] where n is an integer (e.g., +bad[2]).
  • Orion Paplawski has provided a patch that adds 'ko.xz' to the default MODULE_SUFFIX setting. This change deals with recent Fedora releases where the module names now end with ".ko.xz". In addition to Orion's patch, the sample configurations have been modified to specify MODULE_SUFFIX="ko ko.xz".

New in version 4.6.5 (November 15th, 2014)

  • The configure scripts and installers now support SERVICEDIR as an alternative to SYSTEMD. For compatability, SERVICED is an alias for SERVICEDIR.
  • The installers now offer a choice of .service files, selected by the SERVICEFILE option. The default remains $PRODUCT.service. Each product supplying a .service file now supplies a .service.214. The differences between the standard .service files and the service.214 files are: a) They specify '' rather than ''. b) The file shorewall-init.service.214 specifies '' rather than ''. That file requires serviced 214 or later, hence the names of the new files. Regardless of which file is selected, it is installed in $SERVICEDIR/$PRODUCT.service.
  • The RATE LIMIT column of the rules files now allows specification of both a per-source and per-destination limit. See shorewall[6]-rules(5) for details.
  • Previously, /bin/sh was used unconditionally to process the helper script 'getparams'. That shell script reads the params file and passes back the (variable,value) pairs to the compiler. Beginning with this release, $SHOREWALL_SHELL is used to process that script, unless the compilation is for export, in which case /bin/sh is still used. Note that the default value of $SHOREWALL_SHELL is /bin/sh, so unless your configuration sets that variable, this enhancement will have no effect. Similarly, on an administrative system, this enhancement has no effect on the processing of the 'compile -e', 'load', 'reload' and 'export' commands.
  • A -C option has been added to several commands to allow the ip[6]tables packet and byte counters to be preserved.

New in version (September 15th, 2014)

  • Including a PREROUTING SECTION in the accounting file unconditionally resulted in a fatal error: ERROR: The PREROUTING SECTION is not allowed when ACCOUNTING_TABLE=filter
  • Previously, the compiler could generate many superfluous rules to enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options.

New in version (February 8th, 2014)

  • When a non-terminating target specified logging, the compiler would erroneously generate a 'goto' (-g) iptables command rather than a 'jump' (-j) command. This caused the wrong set of rules to be traversed, usually the catchall 'REJECT' rule at the end of the INPUT or FORWARD chain. The compiler now generates a 'jump' rule in these cases.
  • When an interface containing a period (such as a VLAN interface) was used in an 'add' or 'delete' command, the wrong ipset name was generated, resulting in failure of the command.

New in version (December 20th, 2013)

  • A number of minor updates have been made to the documentation and manpages.
  • The 'postcompile' extension script is now documented at
  • The 'add' command previously failed if 'IPSET=' appeared in the shorewall.conf file. This has been corrected.

New in version (November 26th, 2013)

  • The Broadcast actions have been corrected:
  • --dst-type BROADCAST has been removed from the IPv6 version
  • A superfluous DROP rule in the IPv4 version has been suppressed.
  • Previously, if an HFSC class was specified with dmax but not umax, then the firewall would fail to start with the messages:
  • Nov 14 13:42:42 Setting up Traffic Control...
  • HFSC: Illegal "umax"
  • HFSC: Illegal "sc"
  • ERROR: Command "tc class add dev eth1 parent 1:1 classid 1:110 hfsc sc
  • umax b dmax 150ms rate 1575kbit ul rate 3150kbit" Failed
  • That problem has been corrected.

New in version 4.2.5 (January 28th, 2009)

  • In addition to correcting several problems, this release offers additional options for handling multiple WAN interfaces as well as providing transparent support for the xtables-addons version of ipp2p.

New in version 4.2.4 (January 2nd, 2009)

  • This release supports creation of IPv6 firewalls as well as IPv4.

New in version 4.2.1 (October 25th, 2008)

  • Added CONNBYTES to tcrules manpage. Flesh out description of HELPER.
  • Fixed minor CONNBYTES editing issue.
  • Add CONNLIMIT to policy and rules.
  • Allow use of iptables-1.4.1.
  • Add time match support.
  • Applied Lennart Sorensen's patch for length match.
  • Take advantage --ctorigdstport
  • Fix syntax error in 'export'