Up to Date Shorewall on Debian (and Debian derivatives)

For a variety of reasons, running an up to date version of Shorewall on Debian (or on Debian derivatives which try to keep in sync with Debian proper) presents a challenge to the system administrator. Shorewall's pace of development is very quick. Point releases, each of which nearly always contains a dozen or more substantial bug fixes and feature enhancements, occur approximately every four to eight weeks. The Debian release cycle, on the other hand, is considerably slower. This article will briefly discuss some of the issues that system administrators should consider in deciding how best to support running Shorewall on their Debian-based systems.

In Favor of Debian's Official Package

If you have many systems, then updates are automated extremely easily with apt-get (or aptitude, cron-apt, or your tool of choice). This means that keeping all of your Debian systems on a single version of Shorewall is effortless. It also means that configurations can be easily standardized and moved from one machine to another when needed. When Debian makes a stable release, the Debian Security Team assumes responsibility (with the help of the package maintainer) for providing security updates as needed. Additionally, if you restrict yourself to using Debian's stock kernels (or kernels based on sources included in Debian), you know for certain that the kernel version and the Shorewall version will be compatible. If your top concerns are security and stability, then this is almost certainly what you want.

Furthermore, the latest Shorewall releases are always available in unstable. This means that apt pinning (see the related wiki article) can be used to run the latest Shorewall Debian packages on a system running Debian's stable release. Additionally, maintenance of the Debian Shorewall packages has been taken over by one of the upstream Shorewall developers, and development of the Debian packages has been moved into Shorewall's SourceForge Subversion repository. The maintainer also makes "Built For Stable" backported packages available at his personal homepage. These packages are identical to the official packages except for the version number, are tested on the latest stable Debian and Ubuntu releases, and are usually updated within 24 hours of an upstream release.
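An apt preferences file that does this, as an added example that is not part of the original article or of the Debian packaging: it assumes that /etc/apt/sources.list carries both a stable and an unstable line, and that the compiler package is named shorewall-shell (the shorewall-common package name comes from this article; shorewall-shell and shorewall-perl are assumed).

```text
# /etc/apt/preferences (added example; not from the article or the Debian package)
# Assumes /etc/apt/sources.list lists both a stable and an unstable archive.

# Keep everything on stable by default.
Package: *
Pin: release a=stable
Pin-Priority: 900

# Packages from unstable stay visible but are never chosen automatically
# (any priority below 100 means "only if explicitly requested").
Package: *
Pin: release a=unstable
Pin-Priority: 50

# Take the Shorewall packages from unstable. A pin does not propagate to a
# package's dependencies, so the compiler package (shorewall-shell or
# shorewall-perl, assumed names) needs its own stanza if it is to follow
# the same version as shorewall-common.
Package: shorewall-common
Pin: release a=unstable
Pin-Priority: 990

Package: shorewall-shell
Pin: release a=unstable
Pin-Priority: 990
```

Check which candidate apt will actually select with `apt-cache policy shorewall-common` before running the upgrade; because no stanza exceeds priority 1000, this configuration never downgrades an already installed package.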

Against Debian's Official Package

A consequence of Debian's release cycle and policies is that the version of Shorewall in Debian's stable release is considerably out of date. Debian's policy is that once the freeze is declared (this is done to prepare a testing release to become the next stable release) no new versions of existing packages are admitted to the distribution, except under the most extenuating circumstances. The freeze can last for quite some time. The freeze is followed by a stable release, at which point getting a new version of a package into Debian is about as likely as getting the congress and parliament of every nation on Earth to agree and enact the same law regarding something. So, by the time a stable release is made, the Debian version might be one or two point releases behind the latest Shorewall release. Over the course of the Debian stable release life cycle, this divergence becomes even greater. In fact there is nearly always at least one major Shorewall release (e.g., going from 3.2 to 3.4 or 3.4 to 4.0) during a Debian release cycle, putting Debian even further behind.

Additionally, if you are the sort of system administrator who keeps his systems on Debian stable and upgrades from one stable release to another, then the pain of upgrading Shorewall can be particularly bad. This is because Shorewall's configuration file formats occasionally change as needed during the development of Shorewall. This means that manual intervention by the system administrator may be needed in order to verify that the Shorewall configuration from a previous release is suitable for a newer release. From one point release to another, this is not usually a significant event. However, from one Debian stable release to another, the Shorewall version can change by many point releases, or even a major release, necessitating dramatic changes to the Shorewall configuration. This can be somewhat mitigated by using versions of Shorewall from backports.org. However, that service is not officially supported by Debian.

This also means that getting support from the Shorewall developers becomes more difficult. Please note that this does not mean that the Shorewall developers don't like you or don't like Debian. It simply means that remembering how something, which may since have changed, was done two years ago in order to track down a bug is likely to be very challenging. As the Shorewall developers tend to focus on the more recent releases, you might be requested to upgrade to a later version in order to have your problem resolved, especially as it is very likely that any bug you encounter has already been fixed in a more recent release which is not yet in Debian.

However, the packages in Debian's unstable branch (and to a certain extent the testing branch) stay up to date. Shorewall 4.0 packages were recently added to Debian and in the future it is planned that new upstream Shorewall releases will be uploaded to Debian within 24 hours of the upstream release announcement.

In Favor of Shorewall's Official Release

The latest Shorewall release has always received extensive testing from the Shorewall developers and also interested users who assist in the testing of development versions. This means that you can be reasonably sure that the latest release is of the highest possible quality. Of course, this does not mean that each release is entirely devoid of bugs. However, their occurrence is uncommon. Shorewall also ships with an installation script that installs Shorewall into FHS-compliant locations on the filesystem. There is also an uninstall script if you decide to remove Shorewall. If you require the use of the latest Linux kernel, this may be your best option, as older Shorewall releases may not support more recent changes made to the Linux kernel's netfilter code. Additionally, if you keep your system on Debian stable and want the latest Shorewall but are not comfortable using apt pinning to use Shorewall packages from unstable, this is likely the option you will want to choose.

Against Shorewall's Official Release

Due to the pace of development of both the Linux kernel and Shorewall, it is unlikely that the Shorewall developers will expend significant effort in making new versions of Shorewall work with very old Linux kernels, or vice versa. You are, however, more than welcome to make these modifications yourself, or to hire someone to make them, if that suits your needs. (If you choose to do this, please remember to contribute your changes back, as this helps the whole community.)

In any event, what this means is that Debian system administrators who use the official Shorewall releases are foregoing the convenience of Debian's package management and repository in order to run the latest version of Shorewall.

Differences in Behavior

To top off the discussion on the benefits of using upstream releases over Debian packages and vice-versa, there is the issue of differences in behavior. The Debian shorewall-common package includes an init script located at /etc/init.d/shorewall. This script does not behave in the same way as the shorewall command. That is, the commands /etc/init.d/shorewall stop and /sbin/shorewall stop have different meanings. To quote Andrew Suffield on the matter:

It's the fix to #342609. The problem is that the required behaviour from "/etc/init.d/foo stop" on a Debian host is not the same thing as the expected behaviour from "shorewall stop". shorewall interprets "stop" as meaning "stop the firewall, so no traffic moves", while Debian interprets it as "stop the package, so my system behaves as if it wasn't installed". It's a question of whether you're thinking of the host as being a firewall, or as being a platform for various packages to run on.

There is no solution other than user education. Don't use the init script if you meant to say "shorewall stop". The word just doesn't mean the same thing in different contexts.

For more information on this, please see this mailing list thread on the subject.

Conclusion

There is no single answer as to which is better. This article has attempted to address some of the issues surrounding the use of Debian Shorewall packages versus the use of Shorewall's Official releases. However, only the system administrator can decide which suits him and his situation best. In any event, Shorewall is software which has thousands of hours of development and testing effort behind it and the system administrator who chooses to use it is certain to come out ahead. Additionally, now that maintenance and development of the Debian packages of Shorewall has moved upstream, the situation promises to improve significantly for everyone involved. If you have any questions about using Shorewall on Debian which have not been answered by this article, then please send email to the Shorewall Users list, shorewall-users@…, or to the Shorewall Developers list, shorewall-devel@….