
A turning point for shorewall

Shorewall is a front-end to the Linux netfilter system which makes it (relatively) easy to set up and maintain a firewall. It has a dedicated user community which appreciates Shorewall's flexibility and documentation, along with the ability to secure a system with a minimum of hassle. The current release is 2.2.4.

Unfortunately, that may be the last release for a while; Shorewall maintainer Tom Eastep has announced that he will no longer work on the project. Shorewall, it seems, has fallen victim to a common problem with smaller projects: developer burnout. Mr. Eastep has concluded that Shorewall development takes more of his time (and health) than he can afford to give.

There appear to be a couple of problems in how Shorewall is developed. The first is that nobody has stepped up to take on a significant part of the load, leaving Mr. Eastep to do all of the work himself:

Unlike the originators of other successful open source projects, I have not been able to attract a core of people who believe in Shorewall and who are willing to make sacrifices to ensure its success. That is my weakness and I accept it. But it means that I have been left with trying to develop, document, and support Shorewall almost single-handedly. I cannot do it any more.

Without having followed the development process for this project, we would be ill-advised to say why things turned out this way. It could be that the Shorewall community did not feel the need to contribute to the project, or it could be that Mr. Eastep, in one way or another, discouraged that sort of involvement. But any project which is dependent on a single person in this way will always be at risk.

Mr. Eastep also notes:

And I just cannot deal with the support and documentation frustration any more -- support, the documentation and the web site consume an order of magnitude more of my time than does Shorewall development.

He was apparently unwilling to solve this problem the way many free software developers do: simply ignore support and documentation altogether. The documentation for Shorewall is extensive, to say the least; it clearly took a lot of time. Likewise with support; a reading of the Shorewall mailing list shows Mr. Eastep doing his best to answer most of the questions that were asked. It is not surprising that he got tired of carrying that load.

Shorewall is free software, and it almost certainly will not die. There are already some signs that members of the user community are beginning to step up to help ensure that the project continues. This is, of course, one of the strengths of free software; had Shorewall been proprietary, it would now be dead. But the other side of this coin is that the user community has to take an interest in the software it depends on. If users do not come forward over time to help with programming, documentation, and support, they may find themselves having to do it in a hurry when the primary maintainer departs.

(Thanks to Matt "Cyber Dog" LaPlante for the heads-up).



A turning point for shorewall

Posted May 19, 2005 2:35 UTC (Thu) by VictorR (guest, #8443)

Is it just me or are firewalls in general and netfilter in particular just a pain to really understand?

Shorewall apparently is a victim of its own success. The software and the excellent documentation made it almost too easy to throw together a basic firewall so why bother really understanding netfilter?

Hat tip to Tom Eastep for a great application. Tom, please resist any kind of pull to start in again. You've earned your retirement many times over.

A turning point for shorewall

Posted May 19, 2005 7:24 UTC (Thu) by eru (subscriber, #2753)

Is it just me or are firewalls in general and netfilter in particular just a pain to really understand?

It is not just you. I find one has to have a really good grasp of the details of TCP/IP networking to build a useful firewall with only the low-level tools. The front-ends are a must for 90% of Linux users. I, too, hope Shorewall survives.

A turning point for shorewall

Posted May 27, 2005 5:27 UTC (Fri) by mrness (guest, #8271)

Guess what! If you want to set up a proper firewall you _need_ to understand TCP/IP!
If you can't understand notions like IP prefix or TCP port, how on Earth do you want to set up a firewall?!? Do you expect a syntax like "iptables -A INPUT bad bad packets -j DROP" to work or what?

A turning point for shorewall

Posted May 19, 2005 9:50 UTC (Thu) by copsewood (subscriber, #199)

Shorewall is the only firewall whose configuration procedure I've succeeded in understanding well enough to achieve the level of detailed control that I've been particularly happy with. Even with Shorewall I'd prefer a friendlier front end. Part of the problem is the generally high level of complexity surrounding networking and routing. I suspect the configuration could be made simpler by considering what the configuration was intended to achieve as an alternative to how it is intended to achieve it.

A turning point for shorewall

Posted May 19, 2005 9:54 UTC (Thu) by alspnost (guest, #2763)

I find firehol a good compromise on my machine - a quick look at a firehol config file tells you exactly what the firewall is trying to do. Firehol was yet another example of a gem that I picked up from the LWN comments!

http://firehol.sf.net

But yes, no chance of me writing IPtables rules by hand!

A turning point for shorewall

Posted May 19, 2005 12:57 UTC (Thu) by mtk77 (guest, #6040)

Plug time! I wrote a tool similar to FireHOL a while ago. It was taken over by Jamie Wilkinson after it reached feature-completeness for my purposes of the time, and now lives at:

http://spacepants.org/src/filtergen/

A turning point for shorewall

Posted May 19, 2005 20:10 UTC (Thu) by erich (subscriber, #7127)

I didn't understand how to use shorewall for the rather complex situation I had at hand...
FireHOL was way too slow on that machine. Being heavy bash scripting, it just took ages to reinitialize the firewall.
So I ended up writing my own perl script to manage the firewall - by writing netfilter rules. It's not THAT difficult. If you have a plan it's rather easy, actually.
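The comments above argue both sides: a front-end is a must for most users, yet hand-written netfilter rules are manageable once you have a plan. As an added example (not Shorewall's own code, and not anything posted by the commenters), the POSIX shell script below shows what such a plan looks like when written down in the zone/policy/rules style Shorewall popularised, and what a front-end has to emit to implement it. The zone names (net, loc, fw), the interfaces eth0 and eth1, the LAN prefix 192.168.1.0/24 and the permitted services are all assumed for illustration. The script prints the iptables commands instead of running them, so it needs no privileges to read or review.

```shell
#!/bin/sh
# Added example: a tiny zone-based front-end that turns a Shorewall-style
# model into iptables commands. It only prints the commands (dry run); a
# root shell can apply them with:   sh this_script.sh | sh
#
# Assumptions (constructed for illustration, not from Shorewall):
#   eth0 faces the Internet (zone "net"), eth1 faces the LAN (zone "loc"),
#   "fw" is the firewall host itself.
NET_IF=eth0
LOC_IF=eth1
LOC_NET=192.168.1.0/24

# Zone-pair policies: SOURCE DEST POLICY. The policy is the last rule of
# the pair's chain, so explicit rules below are consulted first.
POLICIES='
loc net ACCEPT
loc fw REJECT
net fw DROP
net loc DROP
fw net ACCEPT
fw loc ACCEPT
'

# Explicit exceptions to the policies: ACTION SOURCE DEST PROTO DPORT.
RULES='
ACCEPT net fw tcp 22
ACCEPT loc fw tcp 22
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 53
'

# Print one iptables command instead of executing it.
ipt() { printf 'iptables %s\n' "$*"; }

# Interface that carries a zone's traffic.
zone_if() {
    case "$1" in
        net) echo "$NET_IF" ;;
        loc) echo "$LOC_IF" ;;
        *) echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Hook a zone-pair chain into the builtin chain that sees its traffic:
# traffic from the host leaves via OUTPUT, traffic to the host arrives via
# INPUT, everything else is routed and goes through FORWARD.
pair_dispatch() {
    src=$1; dst=$2
    case "$src/$dst" in
        fw/*) ipt -A OUTPUT -o "$(zone_if "$dst")" -j "${src}2${dst}" ;;
        */fw) ipt -A INPUT -i "$(zone_if "$src")" -j "${src}2${dst}" ;;
        *) ipt -A FORWARD -i "$(zone_if "$src")" -o "$(zone_if "$dst")" -j "${src}2${dst}" ;;
    esac
}

emit_ruleset() {
    # 1. Deny-all defaults: anything the model forgets is dropped, not allowed.
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP

    # 2. Connection tracking first: replies to accepted connections never
    #    reach the zone chains, and invalid packets are dropped early.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m conntrack --ctstate INVALID -j DROP
        ipt -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 3. Anti-spoofing: a LAN source address cannot legitimately arrive on
    #    the Internet-facing interface.
    ipt -A INPUT -i "$NET_IF" -s "$LOC_NET" -j DROP
    ipt -A FORWARD -i "$NET_IF" -s "$LOC_NET" -j DROP

    # 4. One chain per zone pair, reached from the builtin chains.
    printf '%s\n' "$POLICIES" | while read -r src dst policy; do
        [ -n "$src" ] || continue
        ipt -N "${src}2${dst}"
        pair_dispatch "$src" "$dst"
    done

    # 5. Explicit rules, appended before the policy of their pair chain.
    printf '%s\n' "$RULES" | while read -r action src dst proto dport; do
        [ -n "$action" ] || continue
        ipt -A "${src}2${dst}" -p "$proto" --dport "$dport" -j "$action"
    done

    # 6. Policies last, so they only see traffic no rule matched.
    printf '%s\n' "$POLICIES" | while read -r src dst policy; do
        [ -n "$src" ] || continue
        if [ "$policy" = REJECT ]; then
            ipt -A "${src}2${dst}" -j REJECT --reject-with icmp-port-unreachable
        else
            ipt -A "${src}2${dst}" -j "$policy"
        fi
    done

    # 7. Masquerade LAN traffic leaving towards the Internet.
    ipt -t nat -A POSTROUTING -s "$LOC_NET" -o "$NET_IF" -j MASQUERADE
}

emit_ruleset
```

The ordering is the part that matters for security and is easy to get wrong by hand: the deny-all policies are set before any chain is populated, the conntrack and anti-spoofing rules run before any zone chain, and each zone-pair policy is the final rule of its chain so that an explicit ACCEPT for port 22 from net to fw is honoured while everything else from net is dropped. Because the script only prints, its output can be diffed against `iptables-save` from the running host before anything is applied.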

A turning point for shorewall

Posted May 22, 2005 1:57 UTC (Sun) by kevinbsmith (guest, #4778)

"support, the documentation and the web site consume an order of magnitude more of my time than does Shorewall development."

Amen! When I was the lead on a free software project (a cross-platform gui library), support, docs, and testing were always big time drains. I keep trying to tell non-coders that they can contribute HUGELY to free software projects, but there still seems to be this myth out there that if you can't code, you can't make a substantial contribution.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds