firehol(8)
NAME
firehol - an easy-to-use but powerful iptables stateful firewall
SYNOPSIS
firehol start|try|stop|restart|condrestart|status|panic|save|debug|helpme
firehol configfile [start|debug|try]
firehol nothing
DESCRIPTION
firehol is an iptables firewall generator. It produces stateful
iptables packet-filtering firewalls for Linux hosts and routers with
any number of network interfaces, any number of routes, any number of
services served, and any degree of complexity in how those services
are combined (including positive and negative expressions).
firehol is a language for expressing firewalling rules, not just a
script that produces some kind of firewall.
The goals of firehol are:
· Being as easy as possible.
  Regardless of the security skills of the user, firehol allows
  complex firewalls to be created and understood in just a few
  seconds. The configuration files are very easy to type and read.
· Being as secure as possible.
  By explicitly allowing only the wanted traffic to flow, firehol
  secures your system. firehol produces stateful rules for any
  service or protocol, in both directions of the firewall.
· Being as open as possible.
  Although firehol is pre-configured for a large number of services,
  you can define any service you like and firehol will turn it into
  a client, a server, or a router.
· Being as flexible as possible.
  firehol can be used by end users and by guru administrators
  requiring extremely complex firewalls. firehol configuration files
  are BASH scripts; you can write in them anything BASH accepts,
  including variables, pipes, loops, conditions, calls to external
  programs, other BASH scripts with firehol directives in them, etc.
· Being as simple as possible.
  firehol is easy to install on any modern Linux system; only one
  file is required and no compilation is involved.
Options
start
    Activates the firewall configuration. The configuration is
    expected to be found in /etc/firehol/firehol.conf.
try
    Activates the firewall, but then waits until the user types the
    word commit. If this word is not typed within 30 seconds, the
    previous firewall is restored. Use this when changing rules over
    a remote connection: a configuration that locks you out is
    undone automatically.
stop
    Stops a running iptables firewall by running
    /etc/init.d/iptables stop. This allows all traffic to pass
    unchecked; the host is left completely unfiltered.
restart
    An alias for start, provided for compatibility with
    /etc/init.d/iptables.
condrestart
    Starts the firehol firewall only if it is not already active.
    It does not detect a modified configuration file; it only
    verifies that firehol has been started in the past and not
    stopped since.
status
    Shows the running firewall, as in /sbin/iptables -nxvL | less
panic
    Removes all rules from the running firewall and then DROPs all
    traffic on all iptables tables (mangle, nat, filter) and
    pre-defined chains (PREROUTING, INPUT, FORWARD, OUTPUT,
    POSTROUTING), thus blocking all IP communication. DROPing is not
    done by changing the default policy to DROP, but by adding just
    one rule per table/chain that drops all traffic, because the
    default iptables scripts supplied by many systems (including
    Red Hat 8) do not reset all the chains to ACCEPT when starting
    (firehol resets them correctly).
    When activating panic mode, firehol checks for the existence of
    the SSH_CLIENT shell environment variable (set by SSH). If it
    finds it, panic mode allows the established SSH connection
    identified by this variable to keep operating. Note that for
    this to work you must have used su without the minus (-) sign,
    since su - replaces the shell environment and the SSH_CLIENT
    variable is lost; in that case panic cuts your own session too.
    Alternatively, after the panic argument you can specify an IP
    address, in which case all established connections between this
    IP address and the host in panic are allowed.
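The following is an added example, not firehol's own code, that walks through the panic-mode decision described above as a dry run: it prints the iptables commands such a mode would execute instead of running them. The exact rules firehol emits are not shown on this page; the ones below are an illustration of the documented behaviour (flush every table, keep the SSH session named in SSH_CLIENT or all established traffic with an explicitly given IP, then one DROP rule per built-in chain rather than a DROP policy). The per-table chain lists and the SSH_CLIENT format "client_ip client_port server_port" are assumptions of the example.

```shell
#!/bin/sh
# Added example, not firehol's own code: dry run of panic mode, printing
# the iptables commands it would run, one per line, instead of executing them.

# Built-in chains of each table (assumption of the example).
PANIC_TABLES='mangle:PREROUTING INPUT FORWARD OUTPUT POSTROUTING
nat:PREROUTING OUTPUT POSTROUTING
filter:INPUT FORWARD OUTPUT'

# panic_flush_rules: remove every rule and user chain from the three tables.
panic_flush_rules() {
    for table in mangle nat filter; do
        echo "iptables -t $table -F"
        echo "iptables -t $table -X"
    done
}

# panic_allow_rules [IP]: ACCEPT rules for the traffic that must survive.
# With an explicit IP, all established traffic to and from it survives.
# Otherwise SSH_CLIENT ("client_ip client_port server_port", assumed
# format) pins exactly the one SSH session. Prints nothing when neither is
# available, which is the situation after "su -" replaced the environment.
panic_allow_rules() {
    if [ -n "$1" ]; then
        echo "iptables -t filter -A INPUT -s $1 -m state --state ESTABLISHED -j ACCEPT"
        echo "iptables -t filter -A OUTPUT -d $1 -m state --state ESTABLISHED -j ACCEPT"
    elif [ -n "$SSH_CLIENT" ]; then
        set -- $SSH_CLIENT   # word-split on purpose: client_ip client_port server_port
        echo "iptables -t filter -A INPUT -p tcp -s $1 --sport $2 --dport $3 -m state --state ESTABLISHED -j ACCEPT"
        echo "iptables -t filter -A OUTPUT -p tcp -d $1 --dport $2 --sport $3 -m state --state ESTABLISHED -j ACCEPT"
    fi
}

# panic_drop_rules: one explicit DROP rule per built-in chain of every
# table, instead of relying on the default policy.
panic_drop_rules() {
    printf '%s\n' "$PANIC_TABLES" | while IFS= read -r entry; do
        table=${entry%%:*}
        for chain in ${entry#*:}; do
            echo "iptables -t $table -A $chain -j DROP"
        done
    done
}

# panic_rules [IP]: the complete sequence, ordered so the ACCEPT rules are
# in place before the DROP rules; the other order would kill the session.
panic_rules() {
    panic_flush_rules
    panic_allow_rules "$1"
    panic_drop_rules
}

# panic_session_safe [IP]: exit status 0 if the generated sequence keeps a
# way into the host, 1 if running it would cut off the operator.
panic_session_safe() {
    panic_rules "$1" | grep -q -- '-j ACCEPT'
}

# Dry run, as an operator would check before pulling the lever.
panic_rules "$@"
```

Run it once as the user you logged in as and once after `su -`: in the second case panic_session_safe fails because SSH_CLIENT is gone, which is exactly the lock-out the man page warns about, and passing the client address explicitly is the way around it.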
save
    Starts the firewall and then saves it using /sbin/iptables-save
    to /etc/sysconfig/iptables.
    Since v1.64 this is not implemented using /etc/init.d/iptables
    save, because some versions of iptables-save write invalid
    commands (! --uid-owner A is saved as --uid-owner !A) which
    cannot be restored. firehol works around this by saving the
    rules and then replacing --uid-owner ! with ! --uid-owner.
    Note that not all firehol firewalls will work if restored with
    /etc/init.d/iptables start, because firehol handles kernel
    modules and might have queried RPC servers (used by the NFS
    service) before starting the firewall. firehol also checks the
    current kernel configuration for the client (ephemeral) port
    range. If you restore a firewall using the iptables service,
    your firewall may not work as expected.
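The following is an added example, not firehol's own code, showing the post-processing the save command is described as doing: the unrestorable "--uid-owner !A" form is rewritten to "! --uid-owner A" and the result is checked before it is written out. The sample ruleset is constructed for the example and stands in for /sbin/iptables-save; the output path is a parameter rather than /etc/sysconfig/iptables so the script can be run anywhere.

```shell
#!/bin/sh
# Added example, not firehol's own code: fix iptables-save output that uses
# the "--uid-owner !A" form, which iptables-restore cannot load.

# Constructed sample of what an affected iptables-save could produce.
# One line carries the bad form, one is a plain match and one is already
# in the correct negated form.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner !root -j DROP
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m owner ! --uid-owner daemon -j DROP
COMMIT'

# rule_source: stand-in for "/sbin/iptables-save"; emits the sample above.
rule_source() {
    printf '%s\n' "$SAMPLE_RULES"
}

# fix_uid_owner: filter that rewrites "--uid-owner !X" to "! --uid-owner X".
# Lines already in the correct form contain no "--uid-owner !" and pass
# through untouched.
fix_uid_owner() {
    sed 's/--uid-owner !\([^ ]*\)/! --uid-owner \1/g'
}

# count_unrestorable: number of lines on stdin still carrying the bad form.
count_unrestorable() {
    grep -c -- '--uid-owner !' || true
}

# save_rules FILE: write the corrected ruleset to FILE. Returns 1 if the
# bad form survived, so a caller never installs a file that will not load.
save_rules() {
    out="$1"
    rule_source | fix_uid_owner > "$out"
    [ "$(count_unrestorable < "$out")" = "0" ]
}
```

On a real host, replace rule_source with /sbin/iptables-save and, before copying the file into place, feed it to `iptables-restore --test` so that any other unrestorable construct is caught while the running firewall is still intact.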
debug
    Parses the configuration file but, instead of activating it,
    shows the generated iptables statements.
explain
    Enters an interactive mode where firehol accepts normal
    configuration commands and presents the generated iptables
    commands for each of them, together with some reasoning about
    their purpose. Additionally, it automatically generates a
    configuration script from the commands that succeeded.
    In this interactive mode, firehol has the following special
    commands:
    · help
      Present some help
    · show
      Present the generated firehol configuration
    · quit
      Exit interactive mode and quit firehol
helpme
    Tries to guess the firehol configuration needed for the current
    machine. firehol will not stop or alter the running firewall.
    The configuration file is written to the standard output of
    firehol, so
        /etc/init.d/firehol helpme >/tmp/firehol.conf
    will produce it in /tmp/firehol.conf.
    The generated configuration must be edited before it is used on
    your systems. You are required to take many decisions, and the
    comments in the generated file will guide you through many of
    them.
configfile
    A different configuration file. If no other argument is given,
    the configuration file is tried (default = try). Otherwise the
    argument following the filename can be one of start, debug, try.
nothing (no argument at all)
    Presents help about firehol usage.
FILES
/etc/firehol/firehol.conf
AUTHOR
firehol written by Costa Tsaousis <costa@tsaousis.gr>.
Man page written by Marc Brockschmidt <marc@marcbrockschmidt.de>.
SEE ALSO
firehol.conf(5), iptables(8), bash(1)
- 2003-04-30