Shorewall has become a major pain since sometime in the 8.2 - 9.0 timeframe when somebody decided to make the default setting "pass absolutely nothing". Before that, I used to install and enable it just to see whether my firewall was doing a good job. Since then, I install it, but disable it, because I'm not willing to do the work to re-research which ports ought to be open and which oughtn't.I think shorewall does something strange on update. I had shorewall installed on a box, but not active. After an update with urpmi, the updated package auto activated itself
It's interesting that when you use the MDK configuration tool for Shorewall and select "pass everything", MDK disables Shorewall completely. You can see this by selecting Shorewall during install and then selecting "pass everything" during Summary configuration. When you get back to Summary, you'll see "Firewall disabled", and the drakservices menu will show Shorewall with the "Start on Boot" checkbox unchecked.
Frankly, if I want a firewall, then I want it configured with some intelligent choices which I can use as a base from which to work. I don't want to have to redo the research the authors did just to figure out what can be safely re-enabled.
Just FYI, I've always used Standard security level, both before and after Shorewall became unusable out-of-the-box.
