Shorewall – The End of the Road (sourceforge.net)
242 points by esaym 31 days ago | 68 comments

Shorewall is one of those rare well-designed, well-documented programs that lets you go from no knowledge, to reading documentation, to implementing the final solution seamlessly.

When thinking about how to create IPtables rules for a tricky virtual server environment, I stumbled upon Shorewall. After following along with the documentation, creating the config files as I went, I was able to flip the switch to turn Shorewall on and my firewall behaved exactly as I intended, no trial and error required.

Thank you for all the hard work on this project, I sincerely hope it continues to be supported by the community. Enjoy your travels Tom!

I've used Shorewall for years. Even after being confident enough in iptables to do it myself I have continued to use it to save time and because it just works the way I intend it to. I deeply appreciate his work and I hope he enjoys his retirement.

On that note...

"I am now departing on an extended trip to visit some of the places in the world that I have always dreamed of seeing."

People, don't wait until you are retiring to do this. Make the time now. If you think you can't, re-evaluate that thinking. I have been fortunate enough to travel to many places around the world. Some through work, others because they were places we wanted to go. I carry the experience and memories of these adventures with me and they are precious beyond measure. It makes me sad to think that some people wait until their lives are behind them to have these valuable experiences. Plan that trip now, for next month, next year, it doesn't matter. You will be happy you did for the rest of your life.

Very impressive that this software was built and maintained by a mostly solo developer into their 70s.

Talk about software lifecycle.

I wonder if there is much of a community around this software and if there is someone who may take over the future direction, much like how Emacs' head maintainership was recently (relatively) given up by RMS.

Just think about the networking changes that have happened in the last 50 years. This guy is insane to have lived through, and engineered against, so many changes in computer networking. I mean... if you are looking back at this guy's career, you need to realize that, to this guy, Linux is a young whippersnapper of an OS. Megabit-speed networks weren't even really a thing until this guy was in his late forties or something. I hope that I am able to have a fraction of the longevity and impact this guy has had on the computing industry.

It's just a wrapper around iptables...

Wrapper or not, building a wrapper that works for as many use cases for as long a time as Shorewall has is something.

Frankly, it sounds like you're suggesting that because he didn't invent the underlying network stack or network protocols, that makes it a quick and dirty half-day project. 99.9% of development work in recent years hasn't been inventing new stuff; it's been building wrappers. Wrappers that compose other well-thought-out tech (which are hard choices to make), while maintaining the flexibility to actually be useful for more than a single project and a short period of time.

I know you said none of those things, however, that's what I read between the lines of a putdown comment like "It's just a wrapper...".

All software is built on abstractions. I’m sure IPTablss is a giant “wrapper” around the Linux OS networking stack.

Nothing wrong with a wrapper if the underlying system has had the real-world field testing, longevity, and adoption that IPTablws has.

Wrote this last night when I was half asleep. I do know how to type "IPTables" :p

Exactly :)

And a computer is just a thing that allows assholes to broadcast their opinions.

Yes, and penicillin is just a pill that kills some bacteria.

C is just a wrapper around assembly.

He's been working on it for over 20 years...

How is it impressive because of age?

Because it goes against the rhetoric that tech is a "young person's" game that many of the large tech companies seem to imply.

On a side note, whilst many people fail to deliver a side project they have spent a few months developing, this man has been releasing and developing his for 20 years, which I believe is praiseworthy.

Yes, this is a wrapper and it persisted iptables well. But anyone that says Shorewall is just a wrapper probably just skimmed a manual and doesn't understand the real genius here.

What Shorewall really did was make iptables feel like a polished, usable firewall. iptables on its own is shit to work with. Shorewall made it easy to use in so many cases.

Congrats on your retirement, and thanks for a great tool that I used for many years.

Not to shit on the author of Shorewall, but I have to disagree: iptables is not shit to work on. Nor is iproute2. Or any of the low-level tools. They all have a place in the world.

Shorewall is probably a nice tool, but I have to agree. iptables (and netfilter underneath it) is good to work with. In larger setups we used fwbuilder for generating the policy, but it always boils down to understanding iptables & netfilter.

A project of this popularity and maturity essentially announcing they're shuttering because a single long-term contributor is retiring... if ever there was a damning indictment of modern consumption-driven open source, I don't know what is.

I feel like many non-open-source projects are like that, too. I've worked on more than one corporate project where the original programmer was the only person who really understood how half of it worked, and still wrote most of the code. When he left, the project died.

Was that supposed to be irony, or did you not really check those links? All those projects have tons of commits and activity going on, by multiple people (35 in the case of Django!).

The Redis page is a good example, the other two not so much.

Check the "Contributors" page -- Redis has probably 95% of commits/code-volume from 2009 to 2019 by antirez himself. Yes there are other contributors but they make up a minority share.


I don't understand. Everything you linked has multiple authors/contributors. It's the opposite of a sole author.

It is possible the maintainers of the various OS distribution packages will band together and maintain development.

BTW, what's the general recommendation for people looking to migrate to another Linux firewall package?

fwbuilder will export rules from its GUI to a whole bunch of different firewalls. When you change firewalls, just re-export/compile.


iptables-persistent on Debian. Or iptables-services on redhat

Bleah, iptables is rather hostile. Sure, you have a webserver, add a rule to allow TCP over 80. Later you revisit, decide you need to add 443. So you do the obvious and change "80" to "80,443". Which fails. Turns out there's a completely different way to match multiple ports. Or you could write a rule per port... making mistakes much more likely and much harder to spot.
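The gotcha above is the multiport match: `--dport 80,443` is rejected, the form that works is `-m multiport --dports 80,443`, and multiport takes at most 15 ports per rule. As an added illustration that is not from this thread or from any project, this hypothetical POSIX shell helper prints the ACCEPT rules for a port list (switching to multiport for several ports and splitting lists longer than 15) so they can be reviewed before being applied; the function name and the dry-run approach are assumptions of the example.

```shell
#!/bin/sh
# Hypothetical helper (constructed for this example, not from iptables or
# Shorewall): print iptables ACCEPT rules for one or more ports on a chain.
#   one port       -> --dport N
#   several ports  -> -m multiport --dports a,b,c   (at most 15 per rule)
# Port ranges (a:b) are deliberately not handled: multiport counts a range
# as two ports, which would complicate the 15-port split.
# Usage: gen_port_rules CHAIN PROTO PORT [PORT...]
gen_port_rules() {
    chain=$1; proto=$2; shift 2
    [ $# -gt 0 ] || { echo "gen_port_rules: no ports given" >&2; return 1; }
    # Validate every port before printing anything, so a bad list yields
    # no partial rule set.
    for p in "$@"; do
        case $p in
            *[!0-9]*|'') echo "gen_port_rules: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
            { echo "gen_port_rules: port out of range '$p'" >&2; return 1; }
    done
    if [ $# -eq 1 ]; then
        printf 'iptables -A %s -p %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$1"
        return 0
    fi
    list=""; n=0
    for p in "$@"; do
        if [ -n "$list" ]; then list="$list,$p"; else list=$p; fi
        n=$((n + 1))
        if [ $n -eq 15 ]; then
            printf 'iptables -A %s -p %s -m multiport --dports %s -j ACCEPT\n' \
                "$chain" "$proto" "$list"
            list=""; n=0
        fi
    done
    # Remainder after the last full batch of 15 (a lone port is still a
    # valid multiport list).
    [ -z "$list" ] || printf 'iptables -A %s -p %s -m multiport --dports %s -j ACCEPT\n' \
        "$chain" "$proto" "$list"
}

# Example run: the web server from the comment, after HTTPS was added.
gen_port_rules INPUT tcp 80 443
```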

I love it, but it's not a wrapper. It's just a dead-simple mechanism for making iptables persistent.

The cool thing is that /etc/iptables/rules.v4 and /etc/iptables/rules.v6 get loaded at bootup. So if you're living dangerously, you just use /etc/iptables/test-rules.v4 or whatever. If you get locked out, just reboot the server. Or have it rebooted, if you don't have a management console.

Test with the live iptables state. Then you can save it with iptables-save > rules.v4
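The two comments above describe the manual version of a safety net: test against the live state, keep a way back if you lock yourself out, then save with iptables-save. As an added example that is not code from this thread, iptables-persistent or Shorewall, this hypothetical script does the same with a timer: it snapshots the live ruleset, arms a detached rollback that restores the snapshot after a timeout, loads the candidate rules, and cancels the rollback only when confirm_rules is run from a fresh session that still works. The function names, the state directory and the IPT_SAVE/IPT_RESTORE overrides are assumptions; the overrides exist so the logic can be exercised without root.

```shell
#!/bin/sh
# Hypothetical helper (constructed for this example, not part of
# iptables-persistent or Shorewall): load a candidate ruleset with an
# automatic rollback, the software equivalent of "reboot 15".
#   apply_with_rollback RULES_FILE [TIMEOUT_SECONDS]
#   confirm_rules        # run from a *new* SSH session once it works
# IPT_SAVE / IPT_RESTORE default to the real tools and can be overridden.
: "${IPT_SAVE:=iptables-save}"
: "${IPT_RESTORE:=iptables-restore}"
: "${ROLLBACK_STATE:=/run/iptables-rollback}"

apply_with_rollback() {
    rules=$1; timeout=${2:-60}
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 1; }
    mkdir -p "$ROLLBACK_STATE" || return 1
    rm -f "$ROLLBACK_STATE/confirmed"
    # Snapshot the live ruleset verbatim so the rollback restores exactly it.
    "$IPT_SAVE" > "$ROLLBACK_STATE/previous.v4" || return 1
    # Detached timer: it ignores SIGHUP so a dropped SSH session cannot kill
    # it, and restores the snapshot unless confirm_rules ran in time.
    (
        trap '' HUP
        sleep "$timeout"
        [ -f "$ROLLBACK_STATE/confirmed" ] && exit 0
        "$IPT_RESTORE" < "$ROLLBACK_STATE/previous.v4" >/dev/null 2>&1
    ) &
    echo $! > "$ROLLBACK_STATE/timer.pid"
    # Only now touch the live ruleset; the safety net is already armed.
    "$IPT_RESTORE" < "$rules"
}

confirm_rules() {
    # Mark first, so a timer firing between the two steps stands down.
    touch "$ROLLBACK_STATE/confirmed" || return 1
    if [ -f "$ROLLBACK_STATE/timer.pid" ]; then
        kill "$(cat "$ROLLBACK_STATE/timer.pid")" 2>/dev/null || true
        rm -f "$ROLLBACK_STATE/timer.pid"
    fi
    return 0
}
```

After confirm_rules, the now-trusted live state is what iptables-save > rules.v4 should persist.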

Why do you need a wrapper at all? I looked at shorewall ten years ago and it just made everything more complicated than just doing it raw.

Term is also nice because it still uses iptables syntax.

I'm sure that there are other ways to manage multiple sets of iptables rules. I've just found iptables-persistent to be the easiest.

I do agree on the iptables vs wrapper issue. I started out using Shorewall, and then ufw. But once I started learning iptables, I decided that it was simpler to just use it.

Personally, I use a script I developed a while ago for doing iptables directly, using awk to parse some txt files to apply the firewall config, and then adding a script to execute the iptables script on boot:


the ip6 section needs some further development though - I have no need for it in my scenario at the moment.

What’s modern about it? The guy has been at it for twenty years. And it’s always been this way.

Man I think I used this software back when I was working out of my closet back in 2004 trying to finish school. This was a nice abstraction on top of IPTables.

I definitely remember screwing up rules which caused me to have to drive to the data center about 15 miles from my house after kicking myself out of machines I was SSH'd into.

You're giving me flashbacks to working on ASAs and issuing a "reboot 15" before making config changes, so that the device would reboot into the last config if you locked yourself out. And those were still in the same building!

How would it reboot on the old config if you had just changed it?

Cisco devices have a "running config" in volatile memory and a "startup config" on persistent storage. You can modify the running config without committing the change to the startup config.

Because iptables changes aren't persistent unless you write them to some file that gets loaded at bootup.

Been a long time, but doesn't `write conf` write the config to NVRAM?

If I recall correctly he added a safety net that I set up after doing this a few times.

I'd be SSH'd in and restart the rules, then the SSH session would hang. I was actively modifying rules and, hey look, I was a noobie sysadmin!

I made dumb mistakes back then. I believe that's when I made a catch all rule for my home IP on ssh in and out.

Regardless, thanks Tom!

>after kicking myself out of machines I was SSH'd into

I still remember my first 'ifconfig eth0 down' over ssh!

I bet you learned to give yourself alternative ways back in, right?

First thing on shorewall was always to set ADMINISABSENTMINDED=Yes :)

Shorewall has been my go-to firewall for years and still is. If any of you have ever followed my postfix howto [1] and others over the years, Shorewall has always been, since 2005, the first thing to install and configure.

It fits the balance I need between powerful and ease of use (to my limited skill level). UFW seems too simplistic, straight IP Tables too cumbersome.

Either the community picks up the baton and I can still use Shorewall for years to come, or I will have to start to try some of the alternatives :|

Thank you Mr Eastep, and enjoy your trip.

[1] http://flurdy.com/docs/postfix/#config-simple-firewall

One alternative which I really like (I prefer it actually to Shorewall) is https://firehol.org .

Though it seems Mr Eastep did also end development of Shorewall back in 2005:


Not sure what happened back then but he must have had a change of heart?

I am very happy using Shorewall. Thanks a lot, Mr. Eastep, for the time you spent on this awesome software. We need to migrate the project to GitHub or GitLab and maybe submit the project to codeshelter.co to find collaborators.

Welp. I recently completed an Arch Linux and PCEngines-based DIY router build and stumbled upon Shorewall as an alternative to straight-up IP tables...

I'm not looking forward to changing this setup.

I've been running basically this setup since 2015, and I don't think I'm any closer than you are to looking forward to changing this setup.

I stumbled across a blog post that used Arch and Shorewall to roll a DIY router. Any chance you used a blog post for inspiration, and if so, do you have the link still? I have been trying to find it ever since...

Nice write-up. I have a very similar setup, only I didn't delve into the netflow monitoring/traffic shaping because it seemed a bit overkill for my needs.

Have you given any thought about what you might do with respect to Shorewall, given this news?

Even assuming the worst - that is, that Shorewall development completely stalls - the firewall is fully functional for me and I haven't hit any show-stopping bugs, so my plan is to continue using it until it breaks somewhere down the line. After the many years of development that've gone into Shorewall, the dividends it pays now are the years and years of hardening that have let it age into a solid, reliable tool. My needs aren't really pushing the envelope of what Shorewall can do (just a home network gateway), so my hope is that I won't bump into anything esoteric in the meantime.

That's a good point. I suppose as long as I'm careful with updates, I should be able to leave it alone until there's a long-lost security bug found.

I used your post, thanks for your hard work!

That's the one! Many thanks.

High likelihood it was this: https://wiki.archlinux.org/index.php/Router

The Arch Wiki is pretty awesome, generally, and I used this pretty heavily as a reference. I will say, this was not 100% perfect and I had to use some other outside sources, but most of the info is here.

I did consider writing my own step-by-step post (if for no other reason than for me to not have to remember it), but haven't gotten around to it yet.

I've never installed Arch and know virtually nothing about it, but often the first link I click after googling is the Arch one. Their documentation is fabulous and pretty often bang up to date (since I track Fedora N/N-1, the package versions are usually close enough).

I've been running Arch as my main home server for going on 11 years now. I love it. In that time span, the biggest hurdles have been the sysvinit/systemd transition and a handful of issues with mongodb feature deprecations that required manual intervention.

My original impetus for using it was to "re-learn Linux" after a hiatus out of college, and because it's not as bloated as something like a full Ubuntu install, but doesn't require the full compiling of packages like Gentoo, it seemed like a good choice. Unless I want a GUI right out of the box, I don't use anything else.

As you noted, the wiki is fantastic as well.

Yeah, I know a bunch of programmers who love it. I use Fedora out of inertia: when I got the Ryzen at work it was very soon after they launched and Fedora had better out-of-the-box support, so I switched to it from Xubuntu and liked it enough that it stuck.

That's quite a somber read and end for his pet OSS project. EOL posts like this are going to become more frequent as the GitHub/OSS age starts eclipsing generations. Kind of sad he wasn't able to find someone to take on the mantle before pulling the plug on his decade-old project.

It might be a good candidate for that project shelter which was on the front page a few days ago: https://news.ycombinator.com/item?id=19199647

With all due respect, maybe he would have had better luck moving the community to another site

GitHub certainly has its problems (feature bloat), but GitLab and Bitbucket are options - as well as the new sourcehut.

I have tried SourceForge a few times over the years and it's just absolute garbage - from the forums to the issues to the source code - the only part that's worth a damn is the binary downloads - and you can use Bintray or a number of other places for that.

Any project that uses SourceForge for ANYTHING these days - even just docs - I don't touch unless I absolutely have to.

Shorewall seems to use git for version control, in which case it doesn't really matter to the solo developer where the public repo is hosted. He's probably still on SourceForge because he doesn't want to give up nearly 20 years of messages he exchanged with his users. You can't migrate that to GitHub, can you?

If anyone adopts the project as their own, though, I hope they move to a platform where it's easier for others to contribute.

> With all due respect, maybe he would have had better luck moving the community to another site

I think you're missing the point of his announcement; nowhere has Tom complained about visibility, contributor pool etc. The maintainer is in his 70s and likely kinda done with the project and fancies a change of pace, as evidenced by:

"I am now departing on an extended trip to visit some of the places in the world that I have always dreamed of seeing."

Not all projects need to level up to GitHub and the unwashed masses blasting you with issues and pull requests. SourceForge, despite its past transgressions, likely suited his cadence of work.

I feel the same. When looking into some new Linux distros out of curiosity, I'm noticing a trend that these new devs are putting them on SourceForge and immediately I am "turned off." It's not rampant, but it has happened enough for me to hope this isn't going to be an escalating practice.

The timing is right, seeing as BPF will be replacing iptables on Linux. A fantastic project that would have saved countless admins time and effort working with large firewall configs.

A real shame, so much nicer than firewalld on the command line / in files. I believe firewalld has some usable GUIs now for people that are running it on the desktop, though, and of course BPF should make things better / easier.
