Shorewall Conversion

Craig Setera craigjunk at
Sun Jul 5 18:36:41 BST 2020


I have used Shorewall for many years for a dual-NIC server.  In addition to
the dual NICs I have it configured with a bridge to connect up a virtual
machine running on the server.  All of this has worked well, but my
understanding is that the Shorewall maintainer is no longer going to
maintain the project, so I would like to switch to Firehol, but I'm having
trouble getting my configuration to work.

I started with the example dual NIC configuration and altered it to point
to my bridge as well as to use and ipset to track my external dynamic
address (using a separate shell script).  However, it seems to pretty much
break everything when active, but I'm not entirely sure how to proceed.
Are there any tools available to easily convert a Shorewall configuration
to a Firehole configuration?

My current Firehol configuration is below if anyone has any suggestions on
how to proceed.


# Require release 5 of FireHOL configuration directives
version 5

# Interface definitions

# Name of ipset providing access to the currently external IP address
# Make sure the ipset exists
ipset create "$external_ip_ipset" hash:ip

# My LAN. Everything is allowed here.
interface "$internal_iface" lan
policy accept # The default is 'drop'.

# Make sure the traffic coming in, comes from valid Internet IPs,
# and that is targeting my public IP
interface "$external_iface" internet src not "$UNROUTABLE_IPS" dst
# Protect me from various kinds of attacks.
protection strong
# Public servers.
server ssh accept
# Make sure idents do not timeout.
server ident reject with tcp-reset
# This is also a workstation.
client all accept
# Route the LAN requests to the internet.
router lan2internet inface "$internal_iface" outface "$external_iface"
# Masquerading on outface.
# Route all requests from inface to outface
# and their replies back.
route all accept

More information about the Firehol-support mailing list