When thinking about how to create IPtables rules for a tricky virtual server environment, I stumbled upon Shorewall. After following along with the documentation, creating the config files as I went, I was able to flip the switch to turn Shorewall on and my firewall behaved exactly as I intended, no trial and error required.
Thank you for all the hard work on this project, I sincerely hope it continues to be supported by the community. Enjoy your travels Tom!
On that note...
"I am now departing on an extended trip to visit some of the places in the world that I have always dreamed of seeing."
People, don't wait until you are retiring to do this. Make the time now. If you think you can't, re-evaluate that thinking. I have been fortunate enough to travel to many places around the world. Some through work, others because they were places we wanted to go. I carry the experience and memories of these adventures with me and they are precious beyond measure. It makes me sad to think that some people wait until their lives are behind them to have these valuable experiences. Plan that trip now, for next month, next year, it doesn't matter. You will be happy you did for the rest of your life.
Talk about software lifecycle.
I wonder if there is much of a community around this software and if there is someone who may take over the future direction, much like how Emacs' head maintainership was recently (relatively) given up by RMS.
Frankly, it sounds like you're suggesting that because he didn't invent the underlying network stack, or network protocols, that makes it a quick and dirty half-day or so project. 99.9% of development work in recent years hasn't been inventing new stuff, it's been building wrappers. Wrappers that compose other well thought out tech (which are hard choices to make), while maintaining the flexibility to actually be useful for more than a single project and a short period of time.
I know you said none of those things, however, that's what I read between the lines of a putdown comment like "It's just a wrapper...".
Nothing wrong with a wrapper if the underlying system has had the real-world field testing, longevity, and adoption that iptables has.
On a side note, whilst many people fail to deliver a side project they have spent a few months developing, this man has released and been developing his for 20 years, which I believe is praiseworthy.
What Shorewall really did was make iptables feel like a polished, usable firewall. iptables on its own is shit to work with. Shorewall made it easy to use in so many cases.
Congrats on your retirement and thanks for a great tool that I used for many years.
Check the "Contributors" page -- Redis has probably 95% of commits/code-volume from 2009 to 2019 by antirez himself. Yes there are other contributors but they make up a minority share.
BTW, what's the general recommendation for people looking to migrate to another Linux firewall package?
The cool thing is that /etc/iptables/rules.v4 and /etc/iptables/rules.v6 get loaded at bootup. So if you're living dangerously, you just use /etc/iptables/test-rules.v4 or whatever. If you get locked out, just reboot the server. Or have it rebooted, if you don't have a management console.
Why do you need a wrapper at all? I looked at shorewall ten years ago and it just made everything more complicated than just doing it raw.
Term is also nice because it still uses iptables syntax.
I do agree on the iptables vs wrapper issue. I started out using Shorewall, and then ufw. But once I started learning iptables, I decided that it was simpler to just use it.
The ip6 section needs some further development, though; I have no need for it in my scenario at the moment.
I definitely remember screwing up rules which caused me to have to drive to the data center about 15 miles from my house after kicking myself out of machines I was SSH'd into.
I'd be SSH'd in and restart the rules, then the SSH session would hang. I was actively modifying rules and, hey look, I was a noobie sysadmin!
I made dumb mistakes back then. I believe that's when I made a catch-all rule for my home IP on SSH in and out.
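The lockout described in these comments, and the "load test-rules.v4 and reboot if it goes wrong" approach mentioned earlier in the thread, both come down to one question that can be asked before a ruleset is ever loaded: would a fresh SSH connection from the administrator's address still be accepted? The following is an added example, not code from the thread, from Shorewall or from the iptables project: a small Python simulation of the INPUT chain over an iptables-save dump that answers that question. Both rulesets, the admin address 203.0.113.10 and the interface name eth0 are constructed for the example; options the parser does not understand make it raise rather than silently approve a rule.

```python
import ipaddress
import shlex

# Constructed sample rulesets in iptables-save format (not taken from the thread).
# SAFE_RULES admits SSH from the admin host before anything can drop it.
SAFE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# LOCKOUT_RULES has the same ACCEPT, but a blanket DROP for port 22 sits above it;
# iptables evaluates a chain top to bottom, so the ACCEPT is never reached.
LOCKOUT_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SUPPORTED = ("-i", "-s", "-p", "--dport", "--ctstate")


def parse_rule(tokens):
    """Turn the options of one -A line into {option: (value, negated)} and a target."""
    spec, target, negate, i = {}, None, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # negation applies to the next option
            negate, i = True, i + 1
        elif tok == "-m":                   # match-extension name carries no state here
            i += 2
        elif tok == "-j":
            target, i = tokens[i + 1], i + 2
        elif tok in SUPPORTED:
            spec[tok] = (tokens[i + 1], negate)
            negate, i = False, i + 2
        else:                               # fail closed on anything not simulated
            raise ValueError(f"unsupported iptables option {tok!r}")
    return {"spec": spec, "target": target}


def parse_filter_table(text):
    """Return (chain policies, [(chain, rule), ...]) for the *filter table."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy         # user-defined chains show up as "-"
        elif table == "filter":
            tokens = shlex.split(line)
            if tokens[0] == "-A":
                rules.append((tokens[1], parse_rule(tokens[2:])))
    return policies, rules


def rule_matches(spec, pkt):
    """Every option must match the packet (respecting '!' negation)."""
    for opt, (value, negated) in spec.items():
        if opt == "-i":
            hit = pkt["iface"] == value
        elif opt == "-s":
            hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(value, strict=False)
        elif opt == "-p":
            hit = pkt["proto"] == value
        elif opt == "--dport":
            lo, _, hi = value.partition(":")     # single port or lo:hi range
            hit = int(lo) <= pkt["dport"] <= int(hi or lo)
        else:  # --ctstate
            hit = pkt["state"] in value.split(",")
        if hit == negated:
            return False
    return True


def verdict(ruleset_text, pkt, chain="INPUT"):
    """First terminal target hit in the chain, else the chain policy."""
    policies, rules = parse_filter_table(ruleset_text)

    def walk(name):
        for rule_chain, rule in rules:
            if rule_chain != name or not rule_matches(rule["spec"], pkt):
                continue
            target = rule["target"]
            if target in TERMINAL:
                return target
            if target == "RETURN":
                return None
            if policies.get(target) == "-":      # follow jumps into user chains
                sub = walk(target)
                if sub is not None:
                    return sub
            # LOG and other non-terminal targets fall through to the next rule
        return None

    return walk(chain) or policies.get(chain, "ACCEPT")


def would_lock_out(ruleset_text, admin_ip, port=22, iface="eth0"):
    """True if a NEW TCP connection to `port` from admin_ip is not ACCEPTed."""
    pkt = {"iface": iface, "src": admin_ip, "proto": "tcp", "dport": port, "state": "NEW"}
    return verdict(ruleset_text, pkt) != "ACCEPT"


if __name__ == "__main__":
    for name, rules in (("SAFE_RULES", SAFE_RULES), ("LOCKOUT_RULES", LOCKOUT_RULES)):
        print(name, "locks out 203.0.113.10:", would_lock_out(rules, "203.0.113.10"))
```

Running the script shows SAFE_RULES keeping SSH open for the admin host while LOCKOUT_RULES closes it, even though the same ACCEPT line is present in both; the only difference is rule order. A check like this belongs in whatever script copies a candidate file into place, so the reboot mentioned above stays a fallback rather than the plan.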
Regardless, thanks Tom!
I still remember my first 'ifconfig eth0 down' over ssh!
It fits the balance I need between powerful and ease of use (to my limited skill level). UFW seems too simplistic, straight iptables too cumbersome.
Either the community picks up the baton and I can still use Shorewall for years to come, or I will have to start to try some of the alternatives :|
Thank you Mr. Eastep, and enjoy your trip.
Not sure what happened back then but he must have had a change of heart?
I'm not looking forward to changing this setup.
Have you given any thought about what you might do with respect to Shorewall, given this news?
The Arch Wiki is pretty awesome, generally, and I used this pretty heavily as a reference. I will say, this was not 100% perfect and I had to use some other outside sources, but most of the info is here.
I did consider writing my own step-by-step post (if for no other reason than for me to not have to remember it), but haven't gotten around to it yet.
My original impetus for using it was to "re-learn Linux" after a hiatus out of college, and because it's not as bloated as something like a full Ubuntu install, but doesn't require the full compiling of packages like Gentoo, it seemed like a good choice. Unless I want a GUI right out of the box, I don't use anything else.
As you noted, the wiki is fantastic as well.
GitHub certainly has its problems (feature bloat), but GitLab and Bitbucket are options - as well as the new sourcehut.
I have tried SourceForge a few times over the years and it's just absolute garbage - from the forums to the issues to the source code - the only part that's worth a damn is the binary downloads - and you can use Bintray or a number of other places for that.
Any project that uses SourceForge for ANYTHING these days - even just docs - I don't touch unless I absolutely have to.
If anyone adopts the project as their own, though, I hope they move to a platform where it's easier for others to contribute.
I think you're missing the point of his announcement and nowhere has Tom complained about visibility, contributor pool etc. The maintainer is in his 70's and likely kinda done with the project and fancies a change of pace, as evidenced by:
"I am now departing on an extended trip to visit some of the places in the world that I have always dreamed of seeing."
Not all projects need to level up to GitHub and the unwashed masses blasting you with issues and pull requests. SourceForge, despite its past transgressions, likely suited his cadence of work.