

       firehol - An easy to use but powerful iptables stateful firewall



       firehol configfile [start|debug|try]

       firehol nothing


       firehol is an iptables firewall generator producing  stateful  iptables
       packet  filtering firewalls, on Linux hosts and routers with any number
       of network interfaces, any number of routes,  any  number  of  services
       served, and any degree of complexity among variations of  the  services
       (including positive and negative expressions).

       firehol is a language to express firewalling rules, not just  a  script
       that produces some kind of a firewall.

       The goals of firehol are:

       · Being as easy as possible.
           Regardless of the user's security skills, firehol allows them to
           create and understand complex firewalls in just a few seconds.  The
           configuration files are very easy to type and read.

       · Being as secure as possible.
           By  allowing  explicitly  only  the  wanted traffic to flow firehol
           secures your  system.  firehol  produces  stateful  rules  for  any
           service or protocol, in both directions of the firewall.

       · Being as open as possible.
           Although firehol  is pre-configured for a large number of services,
           you can configure any service you like and  firehol  will  turn  it
           into a client, a server, or a router.

       · Being as flexible as possible.
           firehol  can be used by end users and guru administrators requiring
           extremely complex firewalls. firehol configuration files  are  BASH
           scripts;  you  can  write  in them anything BASH accepts, including
           variables, pipes, loops, conditions, calls  to  external  programs,
           run other BASH scripts with firehol directives in them, etc.

       · Being as simple as possible.
           firehol  is  easy  to  install on any modern Linux system; only one
           file is required, no compilations involved.


       start
           Activates the firewall configuration. The configuration is expected
           to be found in /etc/firehol/firehol.conf.

       try Activates  the  firewall,  but  waits until the user types the word
           commit.  If this word is not typed within 30 seconds, the  previous
           firewall is restored.

           Stops  a  running iptables firewall by running /etc/init.d/iptables
           stop.  This will allow all traffic to pass unchecked.

           This is an alias for start and  is  given  for  compatibility  with

           Starts  the  firehol  firewall only if it is not already active. It
           does not detect a modified configuration file, only  verifies  that
           firehol has been started in the past and not stopped yet.

           Shows the running firewall, as in /sbin/iptables -nxvL | less

       panic
           It  removes  all  rules from the running firewall and then it DROPs
           all traffic on all iptables tables (mangle, nat, filter)  and  pre-
           defined  chains  (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING),
           thus blocking all IP communication. DROPing is not done by changing
           the  default  policy  to  DROP,  but  by  adding  just one rule per
           table/chain to drop  all  traffic,  because  the  default  iptables
           scripts  supplied by many systems (including RedHat 8) do not reset
           all the  chains  to  ACCEPT  when  starting  (firehol  resets  them

           When activating panic mode, firehol checks for the existence of the
           SSH_CLIENT shell environment variable (set by SSH).  If  it  finds
           this,  then  panic  mode  will allow the established SSH connection
           specified in this variable to operate. Notice  that  in  order  for
           this  to work, you should have su without the minus (-) sign, since
           su - overwrites the shell variables and  therefore  the  SSH_CLIENT
           variable is lost.

           Alternatively,  after  the  panic  argument  you  can specify an IP
           address, in which case all established connections between this IP
           address and the host in panic will be allowed.
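           The lockdown described above can be expressed as a small dry-run
           generator. The following is an added example, not FireHOL's own
           code: it prints the iptables commands for the panic rule set rather
           than executing them, so the plan can be reviewed before it is applied
           (for instance with `panic_rules | sh`). It takes the address to keep
           either from its argument or from SSH_CLIENT, as the page describes.
           The chain layout per table (the nat table without INPUT/FORWARD) and
           the function names panic_rules, chains_for_table and ssh_client_ip
           are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not FireHOL's own code): a dry-run generator for the rule set
# the "panic" command installs. It prints the iptables commands instead of
# executing them, so the lockdown can be reviewed before it is applied.

# Built-in chains present in each table (assumption: the usual layout, where
# the nat table has no INPUT/FORWARD chain). The man page lists the union.
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        *)      echo "" ;;
    esac
}

# First field of SSH_CLIENT ("client_ip client_port server_port"), or empty.
ssh_client_ip() {
    set -- ${SSH_CLIENT:-}
    printf '%s\n' "${1:-}"
}

# panic_rules [ip]: flush every table, then append one DROP per built-in
# chain instead of touching the default policies. When an address is given
# (or found in SSH_CLIENT), established traffic to and from it is accepted
# ahead of the DROP in every chain so the administrator's session survives.
panic_rules() {
    keep="${1:-$(ssh_client_ip)}"
    for table in mangle nat filter; do
        echo "iptables -t $table -F"
        for chain in $(chains_for_table "$table"); do
            if [ -n "$keep" ]; then
                echo "iptables -t $table -A $chain -s $keep -m state --state ESTABLISHED -j ACCEPT"
                echo "iptables -t $table -A $chain -d $keep -m state --state ESTABLISHED -j ACCEPT"
            fi
            echo "iptables -t $table -A $chain -j DROP"
        done
    done
}

# Stand-alone run: show the plan for the current SSH client, if any.
panic_rules "$@"
```

           Because the ACCEPT rules are appended before the DROP in each
           chain, the DROP stays the last rule and the default policies are
           never changed, which matches the behaviour the page describes.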

           Start  the  firewall  and then save it using /sbin/iptables-save to

           Since v1.64, this is  not  implemented  using  /etc/init.d/iptables
           save  because there is a bug in some versions of iptables-save that
           save invalid commands (! --uid-owner A is saved as --uid-owner  !A)
           which cannot be restored. firehol fixes this problem (by saving it,
           and then replacing --uid-owner ! with ! --uid-owner).
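           The post-processing just described, as an added example that is not
           FireHOL's own code: it reads saved rules on standard input, rewrites
           the broken negation form back into the one iptables-restore accepts,
           refuses to write a file in which any unrestorable form remains, and
           writes the result atomically. The iptables-save text below is
           constructed, and the names fix_uid_owner, count_broken_negations and
           save_fixed are this example's own.

```shell
#!/bin/sh
# Added example (not FireHOL's own code): reproduce the fix-up the man page
# describes for "save". Some iptables-save versions emit "--uid-owner !A",
# which iptables-restore rejects; the restorable form is "! --uid-owner A".

# Constructed sample of what a buggy iptables-save might produce.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner !0 -j REJECT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
COMMIT'

# Rewrite "--uid-owner !A" (or "--uid-owner ! A") into "! --uid-owner A".
# Lines already in the correct form are left untouched.
fix_uid_owner() {
    sed -E 's/--uid-owner +! *([^[:space:]]+)/! --uid-owner \1/g'
}

# Count lines on stdin that still carry the unrestorable form (0 = safe).
count_broken_negations() {
    grep -c -E -- '--uid-owner +!' || true
}

# save_fixed <outfile>: filter stdin through the fix, verify that nothing
# unrestorable is left, then move the temporary file into place.
save_fixed() {
    out="$1"
    tmp="$out.tmp.$$"
    fix_uid_owner >"$tmp"
    if [ "$(count_broken_negations <"$tmp")" -ne 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# Stand-alone run: print the corrected rules for the sample.
printf '%s\n' "$SAMPLE_SAVE" | fix_uid_owner
```

           The verification step matters more than the sed line: a saved rule
           set that still contains the broken form will fail at restore time,
           typically during boot, which leaves the host with whatever policy
           the init script applies on failure.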

           Note that not all firehol firewalls will  work  if  restored  with:
           /etc/init.d/iptables  start  because FireHOL handles kernel modules
           and might have queried RPC servers (used by the NFS service) before
           starting  the  firewall. Also, firehol automatically checks current
           kernel configuration for client  ports  range.  If  you  restore  a
           firewall  using  the iptables service your firewall may not work as

       debug
           Parses the configuration file but  instead  of  activating  it,  it
           shows the generated iptables statements.

           Enters  an  interactive  mode where it accepts normal configuration
           commands and presents the generated iptables commands for  each  of
           them,  together  with some reasoning for its purpose. Additionally,
           it automatically generates a  configuration  script  based  on  the
           successful commands given.

           When in directive mode, firehol has the following special commands:

           · help
               Present some help
           · show
               Present the generated firehol configuration
           · quit
               Exit interactive mode and quit firehol

       helpme
           Tries to guess the firehol configuration  needed  for  the  current
           machine.  firehol  will not stop or alter the running firewall. The
           configuration file is given in the standard output of firehol, thus

            /etc/init.d/firehol helpme >/tmp/firehol.conf

           will produce the output in /tmp/firehol.conf.

           The generated firehol configuration must be edited before it is used
           on your systems. You are required to take many decisions,  and  the
           comments of the generated file will guide you through many of them.

       configfile
           A different configuration file. If no other argument is given,  the
           configuration  file  will  be  tried (default = try). Otherwise the
           argument next to the filename can be one of start, debug, try.

           Presents help about firehol usage.




       firehol written by Costa Tsaousis <>.

       Man page written by Marc Brockschmidt <>.


       firehol.conf(5), iptables(8), bash(1)