End of the road for Shorewall firewall - Whats will be Nethserver's firewall replacement?

Feature
1

The Shorewall firewall developer, Mr Tom Eastep is finally calling it quits, and the next release will be his final one. Retiring in his mid 70s after years of developing this awesome software is something most of us would humbly understand and appreciate after years of dedication.

It appears that he was the sole developer of the Shorewall, and I wonder if the community will take over the project and continue with his great work.

How will Nethserver prepare for the transition ? What firewall alternatives could be considered ?

https://sourceforge.net/p/shorewall/mailman/message/36589783/

Clemo

6 Likes
2

But a group of core contributors are already planning on how to continue.

Cheers.

1 Like
3

A group of developers is already contributing to the project since a while.

By the way, we are also looking at https://firehol.org/, we already have the fireqos part.

1 Like
4

Good to know :ok_hand:
Could you please roughly explain us which are the differences with shorewall?

5

If it turns out that shorewall is not getting adopted by new devs, maybe APF is an option? Not sure if it is as featurerich as shorewall.

1 Like
6

It’s the same difference between buying a Maserati or a Ferrari. They both almost do the same things in different ways.

1 Like
7

They both are fast but I would prefer an Aston Martin… :stuck_out_tongue:

1 Like
8

Seems that @giacomo is not a real car guy…
Anyway…
The (possible) replacement will consider a ratelimiter as option? And maybe a GeoIP Interface for use Nations and ISPs as Firewall Objects?

9

:rofl:

I have absolutely no idea, we didn’t analyze it so deep.

IMHO, as long as the geoip is not shipped with the default kernel, it shouldn’t be included as iptables modules. Of course, we can emulate something like that using ipsets and black lists.

About rate-limiting, shorewall already supports it, but nobody else requested the feature: take a look to “Rate” section here: http://shorewall.net/manpages/shorewall-rules.html
Anyway, if you would like to try implementing it take a look to the relevant code: PRs are welcome!

10

psssst @pike… @giacomo is italian… you can’t blame him for that… :wink:

1 Like
11

I am Italian too, @robb.
But i know that Maserati is owned by Ferrari to make “cheaper and less extreme cars”. MC12 excluded.

1 Like