This is an Open Source Software project with no ties to Seawall, Incorporated.
The Seattle firewall is an ipchains based firewall that can be used on a dedicated masquerading firewall machine (including LRP), a multi-function masquerade gateway/server or on a standalone Linux system.
- Customizable using configuration files and with explicit ipchains rules without modifying the released Seattle Firewall scripts.
- Supports status monitoring with an audible alarm when an "interesting" packet is detected.
- Supports VPN via ipip tunnels, IPSec (Seattle Firewall version 3.1 or later required) and PPTP (ipip tunnels require iproute2, PPTP masquerading requires John Hardin's VPN Masquerade patches and ipsec gateways on the firewall system itself require FreeS/WAN).
- Supports masqueraded PPTP servers, including PoPToP (requires John Hardin's patch, ipmasqadm and ipfwd).
- Beginning with release 3.0, Seattle Firewall supports masqueraded servers (requires ipmasqadm).
- Beginning with release 3.0, Seattle Firewall supports running PoPToP on a Linux gateway/firewall.
- In release 3.0, Seattle Firewall includes limited support for a DMZ.
- Version 3.0 and later include an easy installation script.
- Version 3.1 and later include a fallback script that backs out the installation of the most recent version of Seattle Firewall.
- Version 3.1 and later include an uninstall script.
- Beginning with version 3.1, an RPM module is available (thanks go to Simon Piette for creating the RPM).
I have personally used Seattle Firewall with RedHat 6.0, 6.1 and 6.2, Caldera 2.4, TurboLinux 6.0, SuSE 6.2, Slackware 7.0, Mandrake 7.0 and with LRP. The only real requirements are that you have a Bourne shell and that your kernel supports ipchains.
I strongly urge you to read and print a copy of the Seattle Firewall Documentation. Once you've done that go to the Seattle Firewall project page at Sourceforge to download one of the modules:
- If you run a RedHat, Mandrake, Linux PPC or TurboLinux distribution that includes a 2.2 kernel, you can use the RPM version (note: the RPM should also work with other distributions that store init scripts in /etc/rc.d/init.d and that include chkconfig but it has only been tested on RH6.1, RH6.2, Mandrake 7.0, LinuxPPC 2000 and TurboLinux 6.0).
- If you run LRP, download the seawall-lrp module and see the Seattle Firewall LRP documentation.
- Otherwise, download the seawall module (tarball).
If you haven't done so already, please read and print a copy of the Seattle Firewall Documentation.
If you have an older version of Seattle Firewall installed, see the Upgrade Instructions below.
If you downloaded the rpm version, install the RPM. If yours is a standalone system with either a dynamic or static IP address on a single ethernet adapter, the seawall.conf, apps, servers and tunnels files distributed with 3.1 and later versions of Seattle Firewall may be installed "as is" and then modified as your needs become clearer.
With versions 3.0 and later, to install Seattle Firewall using the tarball and install script:
- unpack the tarball
- cd to the seawall directory (beginning with version 3.0.1, the version is encoded in the directory name as in "seawall-3.0.1").
- Edit the files seawall.conf, apps and servers to fit your environment. If yours is a standalone system with either a dynamic or static IP address on a single ethernet adapter, the seawall.conf, apps, servers and tunnels files distributed with 3.1 and later versions of Seattle Firewall may be installed "as is" and then modified as your needs become clearer.
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware, SuSE or Debian then type "./install.sh"
- If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
- For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory>"
- Start the firewall by typing "seawall start"
- If the install script was unable to configure Seattle Firewall to be started automatically at boot, see these instructions.
Most firewall parameters can be set by editing the file /etc/seawall.conf and by modifying the files /etc/seawall/apps and /etc/seawall/servers. For customization beyond what is provided by editing these files, additional rules can be defined in other files in the /etc/seawall directory.
NOTE: If you already have Seattle Firewall installed and you want to begin using the RPM version, it is a good idea to first upgrade to the current version using the install script THEN install the RPM. By doing so, you preserve the option to fall back to your current version of Seattle Firewall using the fallback script. Subsequent upgrades may be done with just the rpm since you can always use RPM to fall back to your previous version.
I have Seattle Firewall 2.x -- How do I upgrade to the latest Version?
- You should begin by taking a look at the differences between 2.x and 3.x.
- Run the install script or install the RPM (neither will overwrite your /etc/seawall.conf file).
- Edit your /etc/seawall.conf file and remove the firewall variable assignment (it's no longer used).
- If you've added files in /etc/seawall or if you have IPIP tunnels, you will need to review the documentation regarding /etc/seawall/apps, /etc/seawall/servers and/or IPIP tunnels to see if you need to delete files in /etc/seawall/, change your seawall.conf file or add entries to the new files.
- Type "seawall restart".
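The seawall.conf edit in the 2.x upgrade steps above can be scripted so that a backup is kept and comment lines are left alone. This is an added example, not part of the Seattle Firewall distribution; it assumes seawall.conf holds shell-style NAME=value lines, and the function names, the ".pre3x" backup suffix and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Seattle Firewall distribution.
# Assumption: seawall.conf holds shell-style NAME=value lines.

# strip_firewall_var CONF
#   0 = assignment removed (backup kept as CONF.pre3x)
#   1 = no assignment found, file untouched
#   2 = CONF unreadable or backup/temp file could not be written
strip_firewall_var() {
    conf=$1
    [ -r "$conf" ] || return 2
    # "firewall=" at line start, allowing leading blanks and "export".
    pattern='^[[:space:]]*(export[[:space:]]+)?firewall='
    grep -Eq "$pattern" "$conf" || return 1
    cp -p "$conf" "$conf.pre3x" || return 2
    tmp=$(mktemp "$conf.XXXXXX") || return 2
    # grep -v exits 1 when nothing is left to print; that is not an error.
    grep -Ev "$pattern" "$conf.pre3x" > "$tmp" || [ $? -eq 1 ] || return 2
    # Write through cat so the original file keeps its owner and mode.
    cat "$tmp" > "$conf" || return 2
    rm -f "$tmp"
    return 0
}

# Constructed sample: the variable names other than "firewall" are made up.
write_sample_conf() {
    cat > "$1" <<'EOF'
# sample seawall.conf (constructed)
EXAMPLE_IFACE=eth0
firewall=yes
# firewall= mentioned in a comment stays
EXAMPLE_LOG=on
EOF
}

# Demo run against a throwaway copy; point it at /etc/seawall.conf for real use.
demo_dir=$(mktemp -d) && write_sample_conf "$demo_dir/seawall.conf"
strip_firewall_var "$demo_dir/seawall.conf" && cat "$demo_dir/seawall.conf"
rm -rf "$demo_dir"
```

Run it as root before "seawall restart"; a return value of 1 means the file was already clean and no backup was written.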
I have Seattle Firewall 3.x -- How do I upgrade to the latest Version?
- You can safely install the rpm (or update if you have an earlier rpm) -- if you are not using the rpm, simply unpack the tarball, cd to the seawall-version directory (example: version 3.1 unpacks to a directory called "seawall-3.1"), and run the install.sh script (type ./install.sh).
- If you have IPIP tunnels and are upgrading from a version prior to 3.1 to version 3.1 or later, you will need to review the new documentation, remove your tunnel definitions from seawall.conf and add them to /etc/seawall/tunnels.
- Restart the firewall by typing "seawall restart".
If a version of Seattle Firewall 3.1 or later doesn't work for you and you installed the version using "install.sh", you can fall back to the version you were previously running using the fallback script.
There's a mailing list at seawall-user@lists.sourceforge.net (the author regularly monitors this list).
Updated 6/2/2000 - Tom Eastep