lammert - 6:16 pm on Feb 25, 2012 (gmt 0)
Shorewall works mainly on the packet level. It inspects source and destination IPs, ports and a few other things on the packet level to decide what to do with it.
Fail2ban, on the other hand, works on a much higher level. It inspects log files and looks for suspicious patterns. It then creates (temporary) firewall rules to ban specific IPs which behave in a non-standard way.
As an example, fail2ban is capable of checking the log files for IPs which access your server over an SSH connection and enter an invalid password a number of times. It then blocks that specific IP. Shorewall can also block access to SSH ports, but it is not capable of making those decisions based on what happens in the application layer, like failed passwords.
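To make the distinction concrete, here is a minimal fail2ban-style "jail" written for this page (added example; it is not lammert's code and not fail2ban's own source). It does what the post describes: match failed-login lines in an sshd log, count failures per source IP inside a sliding time window, decide to ban an IP after too many failures, and expire that ban after a fixed time. The option names maxretry, findtime and bantime are borrowed from fail2ban's jail configuration; the values, the regex, the sample log lines and the ban_rule helper are constructed for this example. The firewall command is only built as a string, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, no year). Not from the post.
# 203.0.113.7 fails 4 times in 13 seconds; 198.51.100.9 fails 3 times spread
# over 19 minutes; 198.51.100.4 logs in successfully with a key.
SAMPLE_LOG = """\
Feb 25 18:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 25 18:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 25 18:01:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb 25 18:01:11 host sshd[1207]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Feb 25 18:01:15 host sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51040 ssh2
Feb 25 18:02:00 host sshd[1211]: Failed password for root from 198.51.100.9 port 33000 ssh2
Feb 25 18:20:00 host sshd[1250]: Failed password for root from 198.51.100.9 port 33002 ssh2
Feb 25 18:21:00 host sshd[1251]: Failed password for root from 198.51.100.9 port 33004 ssh2
"""

# Simplified failregex: only "Failed password" lines from sshd count as failures.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines, year=2012):
    """Yield (timestamp, ip) for every line matching FAILREGEX.

    Syslog timestamps carry no year, so one is assumed (2012 here)."""
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # e.g. "Accepted publickey" is not a failure
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("ip")


def ban_rule(ip):
    """Illustrative firewall command for a ban; built, never run here."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class Jail:
    """Ban an IP after `maxretry` failures within `findtime` seconds,
    and lift the ban after `bantime` seconds."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.bans = {}                       # ip -> time the ban expires
        self.actions = []                    # (when, "ban"|"unban", ip)

    def observe(self, ts, ip):
        # A daemon would expire bans on a timer; here we do it per log event.
        self._expire_bans(ts)
        if ip in self.bans:
            return  # already banned; its packets are already being dropped
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.findtime:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            q.clear()
            self.actions.append((ts, "ban", ip))

    def _expire_bans(self, now):
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.actions.append((now, "unban", ip))

    def banned_ips(self):
        return sorted(self.bans)


def run_jail(log_text, **kw):
    """Feed a whole log through a fresh Jail and return it for inspection."""
    jail = Jail(**kw)
    for ts, ip in parse_failures(log_text.splitlines()):
        jail.observe(ts, ip)
    return jail


if __name__ == "__main__":
    j = run_jail(SAMPLE_LOG)
    for when, what, ip in j.actions:
        print(when.time(), what, ip, " ".join(ban_rule(ip)) if what == "ban" else "")
    print("currently banned:", j.banned_ips())
```

With the defaults above, 203.0.113.7 is banned on its third failure at 18:01:09 and its fourth attempt is ignored; 198.51.100.9 is never banned, because only two of its three failures fall inside any 600-second window. Re-running with bantime=60 shows the temporary nature of the rule: the ban on 203.0.113.7 is lifted once a later log event arrives past 18:02:09. Note that nothing here looks at packets at all; every decision is made from application-layer evidence (the failed password) that a packet filter alone cannot see.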