Shorewall is a very convenient gateway/firewall configuration tool developed and heavily maintained by Tom Eastep.
I have been using shorewall-shell for years on my whiterussian openwrt system.
Shorewall-shell is not supported anymore; shorewall is now a perl program that cannot fit in the memory of my wrt54gl.
Tom developed Shorewall-lite, which allows the firewall rules to be compiled on an administrative system and run on a target host system, openwrt kamikaze in this howto.
I installed both shorewall-lite and shorewall6-lite on a linksys WRT54GL router running kamikaze 8.09.02
I installed a 2.6 kernel because I need full support for ipv6 firewalling (image files are the bcrm47xx ones).
Beware that the kamikaze 2.6 versions do not have full support for wireless networking on broadcom platforms (wrt54g for instance).
I decided to go with the latest release of shorewall, and I needed shorewall6, so I had to tweak it in order to run with openwrt.
If you don't want to go through all this, you will want to use Fabio Longarai's openwrt packages of shorewall (still at 4.0, and no shorewall6 port is available).
For a good understanding of how shorewall-lite works, you should read http://www.shorewall.net/CompiledPrograms.html
I used the 4.4.8 version of shorewall.
1- Installing the shorewall administrative system:
Shorewall runs on linux and my PC runs windows, so I installed shorewall in a vmware debian virtual machine.
You must have a working ssh from the administrative system to the openwrt system.
Get shorewall-4.4.8.tgz from any shorewall download mirror.
Install it (see http://www.shorewall.net/Install.htm).
Create the rules configuration directory for your firewall system.
mkdir /etc/shorewall/wrt
I was previously running shorewall-shell on my openwrt system.
So I copied its configuration files into the /etc/shorewall/wrt folder as a starting set of rules.
For this part you are on your own, there are very good howtos on the shorewall.net website.
2- Now install shorewall-lite onto the openwrt system:
Shorewall requires the ip utility:
# opkg install ip
Shorewall-lite requires the iptables-restore program:
# opkg install iptables-utils
Shorewall's install.sh requires the coreutils install utility.
This program is missing from the standard openwrt installation.
Download the coreutils package from the openwrt repository.
Don't even try to install this huge package, it will not fit in the tiny memory of the wrt54.
Extract the install program from it and copy it to /usr/bin.
Get shorewall-lite-4.4.8.tgz from a shorewall mirror into the /tmp folder of your openwrt device and install it:
# cd /tmp
# wget http://www1.shorewall.net/pub/shorewall/4.4/shorewall-4.4.8/shorewall-lite-4.4.8.tgz
# tar xzf shorewall-lite-4.4.8.tgz
# cd shorewall-lite-4.4.8
# ./install.sh
You can now remove the install utility from /usr/bin and the installation files from /tmp.
openwrt does not support man, so you should remove the man files (disk space is very precious on embedded devices):
rm /usr/share/man/man5/shorewall-lite-vardir.5.gz /usr/share/man/man5/shorewall-lite.conf.5.gz /usr/share/man/man8/shorewall-lite.8.gz
If you do not have anything else in /usr/share/man, you can rm the directory.
On the openwrt system you should now run
/usr/share/shorewall-lite/shorecap > capabilities
and then copy the capabilities file into the export directory of the administrative system (/etc/shorewall/wrt).
EDIT: I think this step can safely be skipped, knowing that shorewall will do it when building the rule set.
Shorewall installs the compiled programs under /var/lib.
On openwrt the /var directory is a RAM filesystem, so its contents are lost on reboot.
I chose to set up my shorewall directory in /lib/shorewall-lite:
# mkdir /lib/shorewall-lite
Create a new file /etc/shorewall-lite/vardir containing this single parameter:
VARDIR=/lib/shorewall-lite
Rewrite the startup script /etc/init.d/shorewall-lite:
#!/bin/sh /etc/rc.common
START=51
SHOREWALL_INIT_SCRIPT=1

# rc.common calls these for "/etc/init.d/shorewall-lite start|stop|restart"
start()
{
/sbin/shorewall-lite start
}
stop()
{
/sbin/shorewall-lite stop
}
restart()
{
/sbin/shorewall-lite restart
}
Enable it for startup
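The point of steps 2's VARDIR change is that a compiled firewall left in a RAM filesystem disappears at reboot, so the router comes back up with no rules loaded. The script below is an added example (not from the original post or from the Shorewall project) that writes the vardir file and the init script described above and checks that VARDIR points somewhere persistent. It assumes /var and /tmp are the RAM-backed paths on the target, as the post states for /var, and that OpenWrt's rc.common "enable" subcommand is available, as on kamikaze; the PROVISION_NOW guard and the function names are mine.

```shell
#!/bin/sh
# Added example: provision a persistent VARDIR for shorewall-lite on an
# OpenWrt target and sanity-check the result. Not part of the original post.
# Assumption: /var and /tmp are tmpfs on the router, so anything under them
# is lost at reboot.

# Reject a VARDIR on a RAM-backed filesystem: the compiled firewall script
# would vanish on reboot and the router would come up unfiltered.
vardir_is_persistent() {
    case "$1" in
        /var|/var/*|/tmp|/tmp/*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;   # relative paths are rejected as well
    esac
}

# Write a vardir file ($1) holding the single VARDIR= line shorewall-lite reads.
write_vardir() {
    vardir_file=$1
    vardir_path=$2
    mkdir -p "$(dirname "$vardir_file")"
    printf 'VARDIR=%s\n' "$vardir_path" > "$vardir_file"
}

# Read VARDIR= back from a vardir file (what shorewall-lite will actually use).
read_vardir() {
    sed -n 's/^VARDIR=//p' "$1" | head -n 1
}

# Write the rc.common init script from the post into $1 and make it executable.
write_init_script() {
    cat > "$1" <<'EOF'
#!/bin/sh /etc/rc.common
START=51
SHOREWALL_INIT_SCRIPT=1
start() {
    /sbin/shorewall-lite start
}
stop() {
    /sbin/shorewall-lite stop
}
restart() {
    /sbin/shorewall-lite restart
}
EOF
    chmod 755 "$1"
}

# Returns 0 only if the vardir file exists, sets VARDIR, and VARDIR is
# persistent; anything else means the firewall will not survive a reboot.
check_target() {
    vardir_file=$1
    [ -f "$vardir_file" ] || return 1
    dir=$(read_vardir "$vardir_file")
    [ -n "$dir" ] || return 1
    vardir_is_persistent "$dir"
}

# Real run on the router (paths are the ones used in the post).
if [ "${PROVISION_NOW:-0}" = "1" ]; then
    write_vardir /etc/shorewall-lite/vardir /lib/shorewall-lite
    mkdir -p /lib/shorewall-lite
    write_init_script /etc/init.d/shorewall-lite
    /etc/init.d/shorewall-lite enable
    check_target /etc/shorewall-lite/vardir && echo "shorewall-lite target ready"
fi
```

Run it on the router as PROVISION_NOW=1 sh provision.sh; without that variable it only defines the functions, which is what lets the checks be exercised against scratch files first.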
3- Now return to the administrative system:
I find Tom's Makefile very useful since you don't have to remember any command line option and just use make or make install for compiling and restarting the firewall on the openwrt system.
http://www1.shorewall.net/pub/shorewall … e/Makefile
Don't forget to change the hostname in the Makefile. Its IP address will work too.
# make install
And your new firewall is now running on your openwrt system.
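The compile-copy-restart sequence that the Makefile drives is shown below as an added example script, not the Shorewall project's Makefile and not from the original post. It assumes the config directory from this howto (/etc/shorewall/wrt), the target VARDIR chosen above (/lib/shorewall-lite), a host named wrt, and that "shorewall compile -e dir path" writes an executable script to path; the DRY_RUN switch and the function names are mine. Its one addition over a plain Makefile is that it refuses to ship a compiled script that is missing, empty or not executable, which is what would otherwise leave the router with no firewall after the restart.

```shell
#!/bin/sh
# Added example (not the Shorewall project's Makefile): compile the rule set
# for a shorewall-lite target on the administrative system and push it over
# ssh, refusing to deploy anything that did not compile cleanly.
# Assumptions: /etc/shorewall/wrt, host "wrt" and VARDIR /lib/shorewall-lite
# as in the howto. DRY_RUN=1 prints the commands instead of running them.

CONF_DIR=${CONF_DIR:-/etc/shorewall/wrt}
TARGET_HOST=${TARGET_HOST:-wrt}             # hostname or IP of the router
TARGET_VARDIR=${TARGET_VARDIR:-/lib/shorewall-lite}
PRODUCT=${PRODUCT:-shorewall}               # shorewall6 for the IPv6 rule set
LITE=${LITE:-shorewall-lite}                # shorewall6-lite for IPv6

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: compile in export mode (-e) so the rules are built against the
# target's capabilities file rather than those of the administrative box.
compile_firewall() {
    run "$PRODUCT" compile -e "$CONF_DIR" "$1"
}

# Step 2: only a compiled script that exists, is non-empty and is executable
# may be shipped; a partial file would leave the router without a firewall.
compiled_ok() {
    [ -s "$1" ] && [ -x "$1" ]
}

# Step 3: copy it to VARDIR/firewall on the target and restart the lite firewall.
deploy_firewall() {
    run scp "$1" "root@$TARGET_HOST:$TARGET_VARDIR/firewall"
    run ssh "root@$TARGET_HOST" "/sbin/$LITE restart"
}

main() {
    out=${1:-$CONF_DIR/firewall}
    compile_firewall "$out" || { echo "compile failed, not deploying" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != "1" ]; then
        compiled_ok "$out" || { echo "no usable compiled script at $out" >&2; return 1; }
    fi
    deploy_firewall "$out"
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${DEPLOY_NOW:-0}" = "1" ]; then
    main "$@"
fi
```

DEPLOY_NOW=1 sh deploy.sh does the real thing; DRY_RUN=1 DEPLOY_NOW=1 sh deploy.sh shows the three commands that would be run. For the IPv6 firewall set PRODUCT=shorewall6 and LITE=shorewall6-lite, matching the note that shorewall6 follows the same steps.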
For shorewall6, you have to follow the same steps.
TIP:
I use the webif2 interface for setting up my openwrt router (http://www.xwrt.org).
There is a cool utility I use for reading and analyzing the firewall logs:
http://your_router/cgi-bin/webif/log-browse.sh
If you want a better history of your log, you can save your log to a file instead of the memory circular buffer:
http://your_router/cgi-bin/webif/log-setup.sh