FAQ

FireHOL - Frequently Asked Questions

Installation

Running

General

How do I install? What are the prerequisites?

Please see the standard installation instructions. These cover both installation from distribution-specific packages and downloads from this site.

^ top

How do I build from the repository?

Please see the source installation documentation. This covers downloading from the repository and the extra steps needed to perform a build (./autogen.sh && ./configure --enable-maintainer-mode).

^ top

I installed FireHOL but where is it located? I cannot run it!

FireHOL has been designed to be a startup service. Its exact location depends on the distribution you are using. Most probably you will find FireHOL in /etc/init.d and in RedHat systems you can also access it with the service command.

On Debian or Ubuntu, become root and modify /etc/default/firehol to have START_FIREHOL=YES, then, as root, start it with:

/etc/init.d/firehol start

To make it start automatically run:

update-rc.d firehol defaults

^ top

How do I debug my configuration?

If you want to investigate why some traffic is being blocked, the best place to start may be with the troubleshooting guide.

To get a listing of the actions FireHOL would take based on your configuration, you can run:

firehol debug

In the event of an unexpected problem, FireHOL will leave behind its temporary files (and let you know where they are located) in order to help you diagnose the problem.

FireHOL runs as a bash script so if you need detailed information about what is going on internally you can add these lines to your configuration:

set -x
set -v

^ top

How do I match virtual interfaces such as eth0:1?

eth0:1 is not really a virtual Ethernet device. The eth0:1 is just a naming convention for tools such as ifconfig to be able to use multiple IP addresses on a single interface.

If you have interfaces with these names, it is for the purpose of having multiple IP addresses on an interface. Netfilter does not recognise the aliases. You cannot use them in your firewall and must match on the IP address instead.

In practice, iptables does not prevent you creating rules to try to match eth0:1. However, when running, the incoming packets will be seen as from eth0 and will match only the eth0 rules. FireHOL inherits this behaviour.

Note that VLAN interfaces such as eth0.1 are genuine interfaces that will work as expected within firewall rules.

^ top

I really need help designing the configuration. Could you help?

To get a configuration file quickly, you can run:

firehol helpme

The helpme feature reads various system parameters of your system and generates a configuration file especially for the host it runs. Helpme is safe to use: it does not alter your running firewall, it does not modify anything on your system.

In general, I will try to avoid helping you on manual configuring your specific firewall; I commit however to making helpme detect correctly every single case. I believe, this will benefit all the community, not just you.

In any case, I guess I have done a good job in designing FireHOL the way you expect it to work, and that the documentation is helpful enough, since all the support tools are pretty silent. Of course you are welcome to ask anything you might need regarding FireHOL.

^ top

How can I mangle the packets (set TOS, MARK, etc)?

For MARKing packets, you can use the mark helper. For all the other iptables features that FireHOL does not support directly, you can put normal iptables statements anywhere in the configuration file, using the iptables helper.

^ top

Why I cannot use the service definitions in helpers?

As you have noted, the service definitions cannot be used in helper statements (mainly NAT). The reason is that currently FireHOL's core logic is limited to one iptables table (filter). To extend this to all iptables tables a new core logic is needed that should be based on something that can be shared across all iptables tables. The only such thing today is MARKs. MARKs are also used for QoS unifying all major traffic management applications.

I have made a few experiments with MARKs but I stuck because there are bugs in the iptables logic when using MARKs. These bugs exist in most kernels distributed today with the main Linux distributions.

^ top

How do I stop my syslog getting filled up with dropped packets?

By default, FireHOL logs all dropped packets (subject to rate limiting) via standard iptables commands.

We are often asked how to stop FireHOL logging so much, even after the logging of invalid packets is silenced.

First consider a Switch to NFLOG.

If you decide NFLOG is no good for you and you are sure you want to go ahead (it will make things harder if you later want to debug a connection), there are a couple of options:

  1. Use syslog rules
  2. Introduce explicit rules to match your policy

Switch to NFLOG

If you then set FIREHOL_LOG_MODE="NFLOG" in /etc/firehol/firehol-defaults.conf then FireHOL will use NFLOG with iptables, rather than the output going to normal syslog.

If you really don't want any logs, then you could stop here.

We recommend capturing NFLOG output, though, by installing ulogd 2.x. Most distributions provide a package.

The default ulogd configuration logs to a user-controllable file in a syslog style. It uses a system of plugins and is highly configurable.

Use syslog rules

Most modern syslog setups allow you to control what is logged and where. Here are some detailed suggestions for rsyslog, including lg rotation of the output

Introduce explicit rules to match your policy

So long as a rule is hit, FireHOL won't log anything (unless that rule is one that you have attached the log target to, of course!)

If you want to ignore certain packet drops, just set up an explicit rule, e.g. to not log ssh connection packets:

interface first eth0
  policy drop
  client all accept
  server ssh drop

Note we match the policy, so the behaviour is unchanged, except we never reach the default logging rules.

If you really want to get rid of everything, finish each interface and add a final router (if you have any) as follows:

interface first eth0
  policy drop

  ...

  server anystateless nolog drop # Prevent logging

interface second eth1
  policy drop

  ...

  server anystateless nolog drop # Prevent logging

# more interfaces / routers

# Only add this if you have other routers
router nolog
  server anystateless nolog drop # Prevent logging

This will catch all default locations for logging of unmatched packets and has the advantages of being explicit about what you are trying to achieve and more fine-grained than a global variable.

Important:
This approach is not recommended in versions 3.0.x as FireHOL generates some default rules for ICMP at the end of the interface; if the packet is dropped before it reaches them it can interfere with your networking. Versions prior to 3 and from 3.1.0 onwards do not have this problem.

^ top

How did you come with this idea?

When you have to manage several dozens of Linux systems and you have a team of engineers to do the job, then for the firewalling of all those you have to find solutions so that:

I believe that FireHOL solves all these problems in an ideal way. Of course there are many wonderful iptables generators out there, many of them with many more features than FireHOL, with GUIs, centralised configuration of many systems, etc. But consider the following:

For all the above, I consider FireHOL as the most functional way for working with iptables firewalls.

^ top

Who are you and why should I trust you for handling my firewall?

Well, don't trust us. We don't want you to do so and you are not supposed to do so. We have done the utmost to make it possible for you to audit the generated firewall.

You have the explain feature where FireHOL interactively produces iptables statements for the configuration directives you enter, the debug feature where FireHOL produces all the iptables statements for the entire configuration for you to examine, and extensive automatically generated documentation for all the services supported.

Ideally you should audit the results at least once to ensure you are happy with the rules produced. The rules that get output are extremely regular which should make the task fairly straightforward.

You should also read When FireHOL Runs in order to understand how FireHOL gets its results.

Please consider signing up to the support mailing list to ensure you are kept informed in the event that a security problem is discovered.

Overall it is your responsibility to ensure the final firewall produced behaves as you want it to. If in doubt we recommend that you seek help from a firewall/networking professional.

^ top

Is the produced iptables firewall optimised?

You have to understand that FireHOL is a generic tool. As such, you gain something and you loose something. Except the fact that all FireHOL configuration rules take one iptables chain (that is one "jump") the produced rules are fully optimised. In many cases, this "jump" optimises the firewall even further (for example in interface and router statements), while in other cases the "jumps" could be moved to a place where they are really necessary (it is not possible to avoid them). The good thing is that these "jumps" are not so expensive. So, although there is some room for improvement, I have reports from users saying that a huge FireHOL firewall did not introduce a noticeable increase in CPU utilisation compared to a hand made firewall, for the same traffic.

For the moment, I prefer to keep all the "jumps" there, since it makes the iptables rules a lot more clear and easy to understand. If you believe that I should work on this and you can prove that the "jumps" that could be moved deeper are really expensive at the place they are now, send me a note and I'll do my best.

If you are so interested about performance, you should know that FireHOL places all rules in the iptables firewall, in the same order they appear in the configuration file. So placing your most heavy interface at the top, and within this interface the most heavy service first will really save a lot of processing for iptables.

^ top

FireHOL is toooooooooo slow!

This is partially true and partially false. FireHOL runs in two phases: Configuration Processing and Firewall Activation.

Processing of FireHOL configuration files is somewhat slow since all processing is done by Bash (I have not programmed a parser, Bash runs the configuration as if it was a Bash script). This processing however, even if it takes several seconds, it does not affect your security, since the running firewall is not touched during this phase.

Firewall activation is again slow in a few situations, especially if you have lists of hosts that should be allowed or rejected (like UNROUTABLE IPS). During the processing phase, FireHOL produces a list of the iptables commands to be executed at the activation phase. This list of iptables commands, first clears the running firewall and then it runs iptables commands, one-by-one, until all have executed. As an example, my personal machine configuration file is about 50 lines. These 50 lines produce about 900 iptables statements. For Bash these 900 iptables statements are also followed by another statement to check if the command succeeded or failed, which totals to about 1800 Bash statements to be executed. In my machine these 1800 commands take about 8 seconds to be executed. During these 8 seconds the firewall is from totally empty (all traffic allowed) to simply incomplete (some traffic is allowed or dropped explicitly, all other is allowed to pass).

I have written FireHOL in such a way that you can restart the firewall any time you like without disrupting the running traffic. Try it. Start downloading a file, and in the middle of it, restart FireHOL. No change. The download proceeds without any disruption. The only chance for traffic disruption is when you have NAT rules. For just a fraction of the total activation time (normally less than a second, since NAT rules are the first to be executed - i.e. the first few of the huge iptables list) your system will run without them, meaning that no new NATed traffic will be accepted (established connections will work). Again, this will be just for a fraction of a second.

I see you now thinking: OK, but what happens if someone connects to my systems to unwanted services during the activation time? Well, FireHOL's beauty is that it explicitly allows the connections in both ways of the firewall. Most of the other iptables generators allow all established connections to pass unchecked. FireHOL doesn't. It allows the established connections that match the services you have allowed. Nothing more. This means that even if someone is lucky enough to connect to a non-allowed service during the activation time, he will simply be blocked as soon as the firewall activation completes. This gives a window of just a few seconds at which someone could be able to connect to and use private services. Even if he manages to get access within these few seconds, his socket will simply timeout after FireHOL completes.

If you would prefer to ensure no traffic passes whilst the firewall is being activated, read about the ACTIVATION variables, which are able to control this behaviour.

^ top

How do version numbers work in FireHOL and FireQOS

FireHOL and FireQOS share a common version number. Release numbers used follow the Semantic Versioning scheme (daily builds not).

Thus releases will be 3 digits e.g.:

3.0.0

Pre-release versions will have an additional identifier e.g.:

3.0.0-rc.5

Git checkouts and daily builds add a branch id to what will be the next release e.g.:

3.0.0_master

The _whatever indicates the version is prior to even the -rc.nn versions.

Oldler versions

Older daily builds used the commit id from which they were built:

$ sudo ./sbin/firehol
FireHOL commit-61d70a2

When checked out from git, the programs will report internal version numbers e.g.:

$ ./sbin/firehol.in
FireHOL $Id: 8c6fd57f0b7a3c76fe848dc118f0637cb853f1e4 $

Version 1 packages were in the form 1.xxx, which related to the CVS revision of the FireHOL script.

^ top