firehol - an easy to use but powerful iptables stateful firewall
firehol
sudo -E firehol panic [ IP ]
firehol command [ -- conf-arg… ]
firehol CONFIGFILE [start|debug|try] [ -- conf-arg… ]
Running firehol invokes iptables(8) to manipulate your firewall.
Run without any arguments, firehol will present some help on usage.
When given CONFIGFILE, firehol will use the named file instead of /etc/firehol/firehol.conf as its configuration. If no command is given, firehol assumes try.
It is possible to pass arguments for use by the configuration file by separating any conf-arg values from the rest of the arguments with --. The arguments are accessible in the configuration using standard bash(1) syntax, e.g. $1, $2, etc.
To block all communication, invoke firehol with the panic command.
FireHOL removes all rules from the running firewall and then DROPs all traffic on all iptables(8) tables (mangle, nat, filter) and pre-defined chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).
DROPing is not done by changing the default policy to DROP, but by adding one rule per table/chain to drop all traffic. This allows systems which do not reset all the chains to ACCEPT when starting to function correctly.
When activating panic mode, FireHOL checks for the existence of the SSH_CLIENT shell environment variable, which is set by ssh(1). If it finds this, then panic mode will allow the established SSH connection specified in this variable to operate.
Note
In order for FireHOL to see the environment variable you must ensure that it is preserved. For sudo(8) use the -E option, and for su(1) omit the - (minus sign).
If SSH_CLIENT is not set, the IP after the panic argument allows you to give an IP address for which all established connections between the IP address and the host in panic will be allowed to continue.
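The panic-mode behaviour described above (flush everything, keep the operator's established connection alive, then add one DROP rule per table/chain rather than changing policies), as an added illustration that is not FireHOL's own code. It assumes iptables(8) with the conntrack match and the standard sshd format for SSH_CLIENT ("client_ip client_port server_port"); the 192.0.2.x addresses in the test are constructed. The script only prints the commands it would run, so it can be inspected or tested offline; piping its output to sh would apply them.

```sh
#!/bin/sh
# Added example: sketch of FireHOL-style panic mode, printing iptables(8)
# commands instead of executing them. Not FireHOL's implementation.

# Extract the client IP from an SSH_CLIENT-style string
# ("client_ip client_port server_port", as set by sshd) or from a bare IP.
# Prints nothing when the argument is empty.
ssh_client_ip() {
    set -- $1            # word-split: first field is the client IP
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    fi
}

# Print the panic rule set. $1 is the IP whose already-established
# connections may continue (may be empty). Built-in chains are listed per
# table because the DROP is a rule appended to each chain, not a policy.
panic_rules() {
    keep_ip=$1

    # 1. Remove all existing rules and user-defined chains, table by table.
    for t in mangle nat filter; do
        echo "iptables -t $t -F"
        echo "iptables -t $t -X"
    done

    # 2. Before the drops, let established traffic to/from keep_ip pass in
    #    the filter table, so the administrator's session survives.
    if [ -n "$keep_ip" ]; then
        echo "iptables -t filter -A INPUT -s $keep_ip -m conntrack --ctstate ESTABLISHED -j ACCEPT"
        echo "iptables -t filter -A OUTPUT -d $keep_ip -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    fi

    # 3. One DROP rule per table/chain (mangle has all five built-in chains,
    #    nat lacks FORWARD, filter has only INPUT/FORWARD/OUTPUT).
    for c in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        echo "iptables -t mangle -A $c -j DROP"
    done
    for c in PREROUTING INPUT OUTPUT POSTROUTING; do
        echo "iptables -t nat -A $c -j DROP"
    done
    for c in INPUT FORWARD OUTPUT; do
        echo "iptables -t filter -A $c -j DROP"
    done
}

# Usage: sh panic-demo.sh [IP]
# SSH_CLIENT wins when present (hence sudo -E / su without "-"); otherwise
# the optional IP argument is used, mirroring "firehol panic [ IP ]".
keep_ip=$(ssh_client_ip "${SSH_CLIENT:-${1:-}}")
panic_rules "$keep_ip"
```

Because the ACCEPT rules are appended before the per-chain DROPs and iptables evaluates rules in order, the kept session keeps working while every other packet hits a DROP rule in each table, which is exactly why the default policies do not need to change.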
Activates the firewall using /etc/firehol/firehol.conf.
Use of the term restart is allowed for compatibility with common init implementations.
commit. If this word is not typed within 30 seconds, the previous firewall is restored.
/sbin/iptables -nxvL | less.
Start the firewall and then save it using iptables-save(8) to the location given by FIREHOL_AUTOSAVE. See firehol-defaults.conf(5) for more information.
The required kernel modules are saved to an executable shell script /var/spool/firehol/last_save_modules.sh, which can be called during boot if a firewall is to be restored.
Note
External changes may cause a firewall restored after a reboot not to work as intended, even though starting the firewall with FireHOL will work.
This is because as part of starting a firewall, FireHOL checks some changeable values. For instance the current kernel configuration is checked (for client port ranges), and RPC servers are queried (to allow correct functioning of the NFS service).
Enters an interactive mode where FireHOL accepts normal configuration commands and presents the generated iptables(8) commands for each of them, together with some reasoning for its purpose.
Additionally, FireHOL automatically generates a configuration script based on the successful commands given.
Some extra commands are available in explain mode.
Tries to guess the FireHOL configuration needed for the current machine.
FireHOL will not stop or alter the running firewall. The configuration file is written to the standard output of firehol, thus firehol helpme > /tmp/firehol.conf will produce the output in /tmp/firehol.conf.
The generated FireHOL configuration must be edited before use on your systems. You are required to take a number of decisions; the comments in the generated file will instruct you in the choices you must make.
/etc/firehol/firehol.conf