Shoreline Firewall Changelog

New in version 4.6.5 (November 15th, 2014)

  • The configure scripts and installers now support SERVICEDIR as an alternative to SYSTEMD. For compatibility, SERVICED is an alias for SERVICEDIR.
  • The installers now offer a choice of .service files, selected by the SERVICEFILE option. The default remains $PRODUCT.service. Each product supplying a .service file now also supplies a .service.214. The differences between the standard .service files and the .service.214 files are: a) They specify 'after=network-online.target' rather than 'after=network.target'. b) The file shorewall-init.service.214 specifies 'before=network-pre.target' rather than 'before=network.target'. That file requires systemd 214 or later, hence the names of the new files. Regardless of which file is selected, it is installed as $SERVICEDIR/$PRODUCT.service.
  • The RATE LIMIT column of the rules files now allows specification of both a per-source and per-destination limit. See shorewall[6]-rules(5) for details.
  • Previously, /bin/sh was used unconditionally to process the helper script 'getparams'. That shell script reads the params file and passes back the (variable,value) pairs to the compiler. Beginning with this release, $SHOREWALL_SHELL is used to process that script, unless the compilation is for export, in which case /bin/sh is still used. Note that the default value of $SHOREWALL_SHELL is /bin/sh, so unless your configuration sets that variable, this enhancement will have no effect. Similarly, on an administrative system, this enhancement has no effect on the processing of the 'compile -e', 'load', 'reload' and 'export' commands.
  • A -C option has been added to several commands to allow the ip[6]tables packet and byte counters to be preserved.
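The combined per-source and per-destination limit described above can be pictured as two address-keyed token buckets that must both grant a token before the rule matches. The following is an added illustration, not Shorewall's or iptables' code: the bucket semantics mirror a hashlimit-style limiter, the source-before-destination evaluation order is this model's assumption, and the addresses, rates and timestamps are constructed.

```python
"""Model of a rules-file RATE LIMIT that carries both a per-source and a
per-destination limit. Added illustration, not Shorewall's or iptables'
code: each limit is a token bucket keyed by address, evaluated in order,
and the rule matches only if both grant a token. The addresses, rates and
timestamps below are constructed."""

from collections import defaultdict
from typing import List, Tuple


class TokenBucket:
    """Rate limiter in the spirit of hashlimit: holds at most `burst`
    tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def take(self, now: float) -> bool:
        # Refill for the elapsed interval, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DualRateLimit:
    """One bucket per source address plus one per destination address.
    Evaluating the source bucket first is this model's assumption."""

    def __init__(self, src_rate: float, src_burst: int,
                 dst_rate: float, dst_burst: int) -> None:
        self.per_src = defaultdict(lambda: TokenBucket(src_rate, src_burst))
        self.per_dst = defaultdict(lambda: TokenBucket(dst_rate, dst_burst))

    def matches(self, src: str, dst: str, now: float) -> bool:
        # A token is consumed from the source bucket even when the
        # destination bucket then refuses, as two chained matches would.
        return self.per_src[src].take(now) and self.per_dst[dst].take(now)


def simulate() -> List[bool]:
    """Constructed traffic against a rule limited to 2/sec (burst 2) per
    source and 1/sec (burst 1) per destination."""
    rule = DualRateLimit(src_rate=2, src_burst=2, dst_rate=1, dst_burst=1)
    events: List[Tuple[float, str, str]] = [
        (0.0, "10.0.0.1", "192.0.2.10"),  # both buckets have tokens: match
        (0.0, "10.0.0.1", "192.0.2.10"),  # destination bucket now empty: no match
        (0.0, "10.0.0.2", "192.0.2.10"),  # fresh source, same destination: per-dst limit bites
        (0.0, "10.0.0.1", "192.0.2.11"),  # fresh destination, but 10.0.0.1 is spent
        (1.0, "10.0.0.1", "192.0.2.10"),  # one second later both have refilled: match
    ]
    return [rule.matches(src, dst, t) for t, src, dst in events]


if __name__ == "__main__":
    print(simulate())  # [True, False, False, False, True]
```

The third event is the case a destination-only limit could not express before: a second source hitting the same destination is refused because the destination's bucket is empty, while the fourth shows the per-source limit refusing a source that has spent its burst even against an untouched destination.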

New in version 4.6.3.3 (September 15th, 2014)

  • Including a PREROUTING SECTION in the accounting file unconditionally resulted in a fatal error: ERROR: The PREROUTING SECTION is not allowed when ACCOUNTING_TABLE=filter
  • Previously, the compiler could generate many superfluous rules to enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options.

New in version 4.5.21.6 (February 8th, 2014)

  • When a non-terminating target specified logging, the compiler would erroneously generate a 'goto' (-g) iptables command rather than a 'jump' (-j) command. This caused the wrong set of rules to be traversed, usually the catchall 'REJECT' rule at the end of the INPUT or FORWARD chain. The compiler now generates a 'jump' rule in these cases.
  • When an interface containing a period (such as a VLAN interface) was used in an 'add' or 'delete' command, the wrong ipset name was generated, resulting in failure of the command.
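The difference between 'goto' (-g) and 'jump' (-j) in the first item above comes down to where control resumes when the target chain RETURNs: after a jump, at the next rule of the calling chain; after a goto, at the next rule of the chain that called the goto-ing chain. The small traversal model below is an added illustration, not Shorewall's or iptables' code. It assumes a Shorewall-style layout in which INPUT hands traffic to a zone chain and ends with a catch-all REJECT; the chain names, the log helper chain and the packet are constructed.

```python
"""Chain-traversal model showing why a logging rule reached via 'goto'
(-g) skips the rest of its chain and lands on the catch-all REJECT, while
'jump' (-j) resumes at the next rule. Added illustration, not Shorewall's
or iptables' code; chain names and the packet are constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
TERMINAL = ("ACCEPT", "DROP", "REJECT")


@dataclass
class Rule:
    match: Callable[[Packet], bool]  # predicate on the packet
    target: str                      # ACCEPT/DROP/REJECT/RETURN/LOG or a user chain
    goto: bool = False               # True models 'iptables -g', False models '-j'


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policies: Dict[str, str] = field(default_factory=dict)  # built-in chain policies
    logged: List[str] = field(default_factory=list)

    def traverse(self, base: str, pkt: Packet) -> str:
        """Return the verdict for pkt entering built-in chain `base`."""
        stack: List[Tuple[str, int]] = []   # return addresses, pushed by -j only
        cur, idx = base, 0
        while True:
            rules = self.chains.get(cur, [])
            if idx >= len(rules):
                # Fell off the end of a chain: implicit RETURN.
                if stack:
                    cur, idx = stack.pop()
                    continue
                return self.policies[base]
            rule = rules[idx]
            idx += 1
            if not rule.match(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "LOG":
                self.logged.append(f"{cur}: {pkt['proto']}/{pkt['dport']}")
                continue                     # LOG is non-terminating
            if rule.target == "RETURN":
                if stack:
                    cur, idx = stack.pop()
                    continue
                return self.policies[base]
            # User-defined chain: -j records where to resume, -g does not.
            if not rule.goto:
                stack.append((cur, idx))
            cur, idx = rule.target, 0


def build(use_goto: bool) -> Ruleset:
    """Constructed Shorewall-style layout: INPUT -> zone chain -> catch-all."""
    ssh = lambda p: p["proto"] == "tcp" and p["dport"] == 22
    any_ = lambda p: True
    rs = Ruleset(policies={"INPUT": "DROP"})
    rs.chains["INPUT"] = [Rule(any_, "net2fw"), Rule(any_, "REJECT")]
    # The zone chain logs SSH via a helper chain, then accepts it.
    rs.chains["net2fw"] = [Rule(ssh, "log_ssh", goto=use_goto), Rule(ssh, "ACCEPT")]
    rs.chains["log_ssh"] = [Rule(any_, "LOG"), Rule(any_, "RETURN")]
    return rs


def verdict(use_goto: bool) -> str:
    pkt: Packet = {"proto": "tcp", "dport": 22}   # constructed sample packet
    return build(use_goto).traverse("INPUT", pkt)


if __name__ == "__main__":
    print("jump (-j):", verdict(False))   # ACCEPT: resumes at net2fw rule 2
    print("goto (-g):", verdict(True))    # REJECT: returns to INPUT, hits catch-all
```

With -j the RETURN in log_ssh pops the frame pushed by net2fw and the ACCEPT rule is reached; with -g no frame was pushed, so the RETURN pops INPUT's frame instead and the packet meets the catch-all REJECT, which is exactly the symptom the entry describes.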

New in version 4.5.21.5 (December 20th, 2013)

  • A number of minor updates have been made to the documentation and manpages.
  • The 'postcompile' extension script is now documented at http://www.shorewall.org/shorewall_extension_scripts.htm
  • The 'add' command previously failed if 'IPSET=' appeared in the shorewall.conf file. This has been corrected.

New in version 4.5.21.4 (November 26th, 2013)

  • The Broadcast actions have been corrected:
      ◦ --dst-type BROADCAST has been removed from the IPv6 version.
      ◦ A superfluous DROP rule in the IPv4 version has been suppressed.
  • Previously, if an HFSC class was specified with dmax but not umax, then the firewall would fail to start with the messages:

        Nov 14 13:42:42 Setting up Traffic Control...
        HFSC: Illegal "umax"
        HFSC: Illegal "sc"
        ERROR: Command "tc class add dev eth1 parent 1:1 classid 1:110 hfsc sc umax b dmax 150ms rate 1575kbit ul rate 3150kbit" Failed

    That problem has been corrected.

New in version 4.2.5 (January 28th, 2009)

  • In addition to correcting several problems, this release offers additional options for handling multiple WAN interfaces as well as providing transparent support for the xtables-addons version of ipp2p.

New in version 4.2.4 (January 2nd, 2009)

  • This release supports creation of IPv6 firewalls as well as IPv4.

New in version 4.2.1 (October 25th, 2008)

  • Added CONNBYTES to tcrules manpage. Flesh out description of HELPER.
  • Fixed minor CONNBYTES editing issue.
  • Add CONNLIMIT to policy and rules.
  • Allow use of iptables-1.4.1.
  • Add time match support.
  • Applied Lennart Sorensen's patch for length match.
  • Take advantage of --ctorigdstport.
  • Fix syntax error in 'export'.