firehol - An easy to use but powerful iptables stateful firewall
firehol configfile [start|debug|try]
firehol is an iptables firewall generator producing stateful iptables
packet filtering firewalls, on Linux hosts and routers with any number
of network interfaces, any number of routes, any number of services
served, any number of complexity between variations of the services
(including positive and negative expressions).
firehol is a language to express firewalling rules, not just a script
that produces some kind of a firewall.
The goals of firehol are:
· Being as easy as possible
Independently of the security skills he/she has, firehol allows to
create and understand complex firewalls in just a few seconds. The
configuration files are very easy to type and read.
· Being as secure as possible.
By allowing explicitly only the wanted traffic to flow firehol
secures your system. firehol produces stateful rules for any
service or protocol, in both directions of the firewall.
· Being as open as possible.
Althoug firehol is pre-configured for a large number of services,
you can configure any service you like and firehol will turn it
into a client, a server, or a router.
· Being as flexible as possible.
firehol can be used by end users and guru administrators requiring
extremely complex firewalls. firehol configuration files are BASH
scripts; you can write in them anything BASH accepts, including
variables, pipes, loops, conditions, calls to external programs,
run other BASH scripts with firehol directives in them, etc.
· Being as simple as possible.
firehol is easy to install on any modern Linux system; only one
file is required, no compilations involved.
Activates the firewall configuration. The configuration is expected
to be found in /etc/firehol/firehol.conf.
try Activates the firewall, but waits until the user types the word
commit. If this word is not typed within 30 seconds, the previous
firewall is restored.
Stops a running iptables firewall by running /etc/init.d/iptables
stop. This will allow all traffic to pass unchecked.
This is an alias for start and is given for compatibility with
Starts the firehol firewall only if it is not already active. It
does not detect a modified configuration file, only verifies that
firehol has been started in the past and not stopped yet.
Shows the running firewall, as in /sbin/iptables -nxvL | less
It removes all rules from the running firewall and then it DROPs
all traffic on all iptables tables (mangle, nat, filter) and pre-
defined chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING),
thus blocking all IP communication. DROPing is not done by changing
the default policy to DROP, but by adding just one rule per
table/chain to drop all traffic, because the default iptables
scripts supplied by many systems (including RedHat 8) do not reset
all the chains to ACCEPT when starting (firehol resets them
When activating panic mode, firehol checks for the existance of the
SSH_CLIENT shell environment variable (set by SSH). If it find
this, then panic mode will allow the established SSH connection
specified in this variable to operate. Notice that in order for
this to work, you should have su without the minus (-) sign, since
su - overwrites the shell variables and therefore the SSH_CLIENT
variable is lost.
Alternativelly, after the panic argument you can specify an IP
address in which case all established connections between this IP
address and the host in panic will be allowed.
Start the firewall and then save it using /sbin/iptables-save to
Since v1.64, this is not implemented using /etc/init.d/iptables
save because there is a bug in some versions of iptables-save that
save invalid commands (! --uid-owner A is saved as --uid-owner !A)
which cannot be restored. firehol fixes this problem (by saving it,
and then replacing --uid-owner ! with ! --uid-owner).
Note that not all firehol firewalls will work if restored with:
/etc/init.d/iptables start because FireHOL handles kernel modules
and might have queried RPC servers (used by the NFS service) before
starting the firewall. Also, firehol automatically checks current
kernel configuration for client ports range. If you restore a
firewall using the iptables service your firewall may not work as
Parses the configuration file but instead of activating it, it
shows the generated iptables statements.
Enters an interactive mode where it accepts normal configuration
commands and presents the generated iptables commands for each of
them, together with some reasoning for its purpose. Additionally,
it automatically generates a configuration script based on the
successfull commands given.
When in directive mode, firehol has the following special commands:
Present some help
Present the generated firehol configuration
Exit interactive mode and quit firehol
Tries to guess the firehol configuration needed for the current
machine. firehol will not stop or alter the running firewall. The
configuration file is given in the standard output of firehol, thus
/etc/init.d/firehol helpme >/tmp/firehol.conf
will produce the output in /tmp/firehol.conf.
The generated firehol configuration should and must be edited
before used on your systems. You are required to take many
decisions and the comments of the generated file will instruct you
for many of them.
A different configuration file. If no other argument is given, the
configuration file will be tried (default = try). Otherwise the
argument next to the filename can be one of start, debug, try.
Presents help about firehol usage.
firehol written by Costa Tsaousis <firstname.lastname@example.org>.
Man page written by Marc Brockschmidt <email@example.com>.
firehol.conf(5), iptables(8), bash(1)