This is an Open Source Software project with no ties to Seawall, Incorporated.
This site is hosted by the generous folks at
The Seattle firewall is an ipchains based firewall that can be used on a dedicated masquerading firewall machine (including LRP), a multi-function masquerade gateway/server or on a standalone Linux system.
This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USACopyright 2001, Thomas M. Eastep <teastep@users.sourceforge.net>
All rights reserved.
- Customizable using configuration files and with explicit ipchains rules without modifying the released Seattle Firewall scripts.
- Supports status monitoring with an audible alarm when an "interesting" packet is detected.
- Supports VPN via ipip tunnels, IPSec (Seattle Firewall version 3.1 or later required) and PPTP (ipip tunnels require iproute2, PPTP masquerading requires John Hardin's VPN Masquerade patches and IPSec gateways on the firewall system itself require FreeS/WAN).
- Supports masqueraded PPTP servers, including PoPToP (requires John Hardin's patch, ipmasqadm and ipfwd).
- Beginning with release 3.0, Seattle Firewall supports masqueraded servers (requires ipmasqadm).
- Beginning with release 3.0, Seattle Firewall support running PoPToP on a Linux gateway/firewall.
- In release 3.0, Seattle Firewall includes limited support for a DMZ.
- Version 3.0 and later include an easy installation script.
- Version 3.1 and later include a fallback script that backs out the installation of the most recent version of Seattle Firewall.
- Version 3.1 and later include an uninstall script.
- Beginning with version 3.1, an RPM module is available (thanks go to Simon Piette for creating the RPM).
- Beginning with version 3.2.2, a Coyote LRP module is available.
- Beginning with version 4.0, Static NAT is supported.
- Beginning with version 4.0, Proxy ARP is supported.
- Beginning with version 4.0, PPTP primary internet interfaces (such as Austrian-Telekom) are supported.
- In version 4.0, much fuller DMZ functionality is supported.
I have personally used Seattle Firewall with RedHat 6.0-RH7, Caldera 2.4, TurboLinux 6.0, SuSE 6.2, Slackware 7.0, Mandrake 7.0 and with LRP. The only real requirements are that you have a Bourne shell and that your kernel supports ipchains.
Seattle Firewall does not work with iptables and most of its features don't work with the 2.4 Kernel's ipchains compatibility module (ipchains.o). Seattle Firewall will refuse to start if you are running a 2.4 kernel. I have developed Shorewall, a firewall for use with Kernel version 2.4 and iptables. Be warned that Shorewall does not have all of the features found in Seattle Firewall (because the 2.4 kernel's are missing a lot of those features) but for many applications, Shorewall may be more appropriate.
I strongly urge you to read and print a copy of the Seattle Firewall Documentation. Once you've done that go to the Seattle Firewall Project Page at Sourceforge to download one of the modules:
- If you run a RedHat, Mandrake, Linux PPC or TurboLinux distribution that includes a 2.2 kernel, you can use the RPM version (note: the RPM should also work with other distributions that store init scripts in /etc/rc.d/init.d and that include chkconfig but it has only been tested on RH6.1, RH6.2, RH7, Mandrake 7.0, LinuxPPC 2000 and TurboLinux 6.0). If you find that it works in other cases, let me know so that I can add those cases to the above list.
- If you run LRP, download the seawall-lrp module and see the Seattle Firewall LRP documentation.
- If you run Coyote, download the seawall-coyote module and see the Seattle Firewall LRP documentation.
- Otherwise, download the seawall module (tarball).
Also check the errata to see if there are updates that apply to the version that you have downloaded.
If you haven't done so already, please read and print a copy of the Seattle Firewall Documentation.
If you have an older version of Seattle Firewall installed, see the Upgrade Instructions below.
If you downloaded the rpm version, install the RPM. If yours is a standalone system with either a dynamic or static IP address on a single ethernet adapter, the configuration, apps, servers and tunnels files distributed with 3.1 and later versions of Seattle Firewall may be installed "as is" and then modified as your needs become clearer.
With versions 3.0 and later, to install Seattle Firewall using the tarball and install script:
- unpack the tarball
- cd to the seawall directory (beginning with version 3.0.1, the version is encoded in the directory name as in "seawall-3.0.1").
- Edit the files configuration, apps and servers to fit your environment. If yours is a standalone system with either a dynamic or static IP address on a single ethernet adapter, the seawall.conf, apps, servers and tunnels files distributed with 3.1 and later versions of Seattle Firewall may be installed "as is" and then modified as your needs become clearer.
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware, SuSE or Debian then type "./install.sh"
- If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
- For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory>
- Start the firewall by typing "seawall start"
- If the install script was unable to configure Seattle Firewall to be started automatically at boot, see these instructions.
First check the Errata. It lists common gotchas as well as known problems and restrictions and has links to download updated components. There's also a mailing list at seawall-user@lists.sourceforge.net (the author regularly monitors this list).
Most firewall parameters can be set by editing the file /etc/seawall.conf and by modifying the files /etc/seawall/apps and /etc/seawall/servers. For customization beyond what is provided by editing these files, additional rules can be defined in other files in the /etc/seawall directory.
NOTE: If you already have Seattle Firewall installed and you want to begin using the RPM version, it is a good idea to first upgrade to the current version using the install script THEN install the RPM. By doing so, you preserve the option to fall back to your current version of Seattle Firewall using the fallback script. Subsequent upgrades may be done with just the rpm since you can always use RPM to fall back to your previous version.
I have Seattle Firewall 2.x -- How do I upgrade to the latest Version?
- You should begin by taking a look at the differences between 2.x and 3.x. and the release notes (below)
- Run the install script or install the RPM (neither will overwrite your /etc/seawall.conf file).
- Edit your /etc/seawall.conf file and remove the firewall variable assignment (it's no longer used).
- If you've added files in /etc/seawall or if you have IPIP tunnels, you will need to review the documentation regarding /etc/seawall/apps, /etc/seawall/servers and/or IPIP tunnels to see if you need to delete files in /etc/seawall/, change your seawall.conf file or add entries to the new files.
- Type "seawall restart".
I have Seattle Firewall 3.x -- How do I upgrade to the latest Version?
I suggest that you first look at the Release Notes for the version up to and including the one that you are going to install:
- You can safely install the rpm (or update if you have an earlier rpm. Note that after upgrading to versions up to and including rpm 3.2-2, you will need to type "chkconfig --add firewall" after completing the upgrade to ensure that your firewall starts automatically at boot ). If you are not using the rpm, simply unpack the tarball, cd to the seawall-version directory (example: version 3.1 unpacks to a directory called "seawall-3.1"), and run the install.sh script (type ./install.sh).
- If you have IPIP tunnels and are upgrading from a version prior to 3.1 to version 3.1 or later, you will need to review the new documentation, remove your tunnel definitions from seawall.conf and add them to /etc/seawall/tunnels.
- Restart the firewall by typing "seawall restart".
If a version of Seattle Firewall 3.1 or later doesn't work for you and you installed the version using "install.sh", you can fall back to the version you were previously running using the fallback script.
Updated 4/19/2002 - Tom Eastep