FIREHOL(1)                   General Commands Manual                  FIREHOL(1)

NAME
       firehol - an easy to use but powerful iptables stateful firewall

SYNOPSIS
       firehol start|try|stop|restart|condrestart|status|panic [ip]|save|debug|explain|helpme

       firehol configfile [start|debug|try]

       firehol nothing
DESCRIPTION
       firehol is an iptables firewall generator producing stateful iptables
       packet filtering firewalls, on Linux hosts and routers with any number
       of network interfaces, any number of routes, any number of services
       served, and any degree of complexity in the variations between those
       services (including positive and negative expressions).

       firehol is a language to express firewalling rules, not just a script
       that produces some kind of firewall.

       The goals of firehol are:

       ·   Being as easy as possible.
           Regardless of the security skills of the user, firehol allows them
           to create and understand complex firewalls in just a few seconds.
           The configuration files are very easy to type and read.

       ·   Being as secure as possible.
           firehol secures your system by explicitly allowing only the wanted
           traffic to flow. firehol produces stateful rules for any service
           or protocol, in both directions of the firewall.

       ·   Being as open as possible.
           Although firehol is pre-configured for a large number of services,
           you can define any service you like and firehol will turn it into
           a client, a server, or a router.

       ·   Being as flexible as possible.
           firehol can be used by end users and by guru administrators
           requiring extremely complex firewalls. firehol configuration files
           are BASH scripts; you can write in them anything BASH accepts,
           including variables, pipes, loops, conditions, calls to external
           programs, other BASH scripts with firehol directives in them, etc.
           Because the configuration file is executed by BASH with root
           privileges, it must be owned by root and writable by nobody else.

       ·   Being as simple as possible.
           firehol is easy to install on any modern Linux system; only one
           file is required and no compilation is involved.
       start
              Activates the firewall configuration. The configuration is
              expected to be found in /etc/firehol/firehol.conf.

       try    Activates the firewall, but then waits until the user types the
              word commit. If this word is not typed within 30 seconds, the
              previous firewall is restored. Use this when changing the
              firewall over a remote connection, so that a rule set which
              locks you out is undone automatically.

       stop   Stops a running iptables firewall by running /etc/init.d/iptables
              stop. This leaves the host with no packet filtering at all: all
              traffic is allowed to pass unchecked.

       restart
              This is an alias for start and is given for compatibility with
              /etc/init.d/iptables.

       condrestart
              Starts the firehol firewall only if it is not already active.
              It does not detect a modified configuration file; it only
              verifies that firehol has been started in the past and not
              stopped since.

       status Shows the running firewall, as in /sbin/iptables -nxvL | less
       panic [ip]
              Removes all rules from the running firewall and then DROPs all
              traffic on all iptables tables (mangle, nat, filter) and
              predefined chains (PREROUTING, INPUT, FORWARD, OUTPUT,
              POSTROUTING), thus blocking all IP communication. DROPing is
              not done by changing the default policy to DROP, but by adding
              just one rule per table/chain that drops all traffic, because
              the default iptables scripts supplied by many systems (including
              RedHat 8) do not reset all the chains to ACCEPT when starting
              (firehol resets them correctly).

              When activating panic mode, firehol checks for the existence of
              the SSH_CLIENT shell environment variable (set by SSH). If it
              finds it, panic mode will allow the established SSH connection
              identified by this variable to keep operating. Notice that for
              this to work you must have switched to root with su without the
              minus (-) sign: su - replaces the shell environment, so the
              SSH_CLIENT variable is lost and the connection you are typing on
              is cut off together with everything else.

              Alternatively, after the panic argument you can specify an IP
              address, in which case all established connections between this
              IP address and the host in panic will be allowed.
       save   Starts the firewall and then saves it using /sbin/iptables-save
              to /etc/sysconfig/iptables.

              Since v1.64, this is not implemented using /etc/init.d/iptables
              save, because there is a bug in some versions of iptables-save
              which writes invalid commands (! --uid-owner A is saved as
              --uid-owner !A) that cannot be restored. firehol works around
              this by saving the rules and then replacing --uid-owner ! with
              ! --uid-owner.

              Note that not all firehol firewalls will work if restored with
              /etc/init.d/iptables start, because firehol handles kernel
              modules and might have queried RPC servers (used by the NFS
              service) before starting the firewall. firehol also checks the
              current kernel configuration for the client port range. If you
              restore a firewall using the iptables service, your firewall
              may not work as expected.
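              The rewrite firehol applies can be reproduced outside firehol,
              for instance when you dump the rules yourself with
              iptables-save. The shell filter below is an added example and
              not firehol's own code: fix_uid_owner rewrites both broken
              spellings mentioned above (--uid-owner ! A and --uid-owner !A)
              into ! --uid-owner A, and save_fixed (a name chosen here) dumps
              the running rules through it without ever leaving a truncated
              target file. The sample rules are constructed.

```shell
#!/bin/sh
# Added example (not firehol's own code): post-process iptables-save output so
# that the old-style "--uid-owner ! A" / "--uid-owner !A" negation is written
# as "! --uid-owner A", which iptables-restore accepts.

# fix_uid_owner: filter; reads iptables-save text on stdin, writes fixed text.
# The optional space after "!" covers both spellings of the broken output.
fix_uid_owner() {
    sed 's/--uid-owner ! *\([^ ]*\)/! --uid-owner \1/g'
}

# save_fixed FILE: dump the running rules through the filter. Assumes
# iptables-save is in PATH and the caller is root. The dump goes to a
# temporary file first, so a failed iptables-save never truncates FILE.
save_fixed() {
    tmp="$1.tmp.$$"
    iptables-save > "$tmp" && fix_uid_owner < "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample of the broken output, for an offline check
SAMPLE='-A OUTPUT -m owner --uid-owner ! 0 -j DROP
-A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -m owner --uid-owner !0 -j REJECT'

# check_sample: return 0 when no old-style negation survives the filter
check_sample() {
    printf '%s\n' "$SAMPLE" | fix_uid_owner | grep -q -- '--uid-owner !' && return 1
    return 0
}

# Show the rewritten sample
printf '%s\n' "$SAMPLE" | fix_uid_owner
```

              After save_fixed, verify the result before relying on it, for
              example with iptables-restore --test on the written file
              (supported by newer iptables releases), since a rule that is
              rejected at restore time means the host boots without that
              rule.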
119
120 debug
121 Parses the configuration file but instead of activating it, it
122 shows the generated iptables statements.
123
124 explain
125 Enters an interactive mode where it accepts normal configuration
126 commands and presents the generated iptables commands for each of
127 them, together with some reasoning for its purpose. Additionally,
128 it automatically generates a configuration script based on the suc‐
129 cessfull commands given.
130
131 When in directive mode, firehol has the following special commands:
132
133 · help
134 Present some help
135 · show
136 Present the generated firehol configuration
137 · quit
138 Exit interactive mode and quit firehol
139
       helpme Tries to guess the firehol configuration needed for the current
              machine. firehol will not stop or alter the running firewall.
              The configuration file is written to the standard output of
              firehol, thus

                     /etc/init.d/firehol helpme >/tmp/firehol.conf

              will produce the output in /tmp/firehol.conf.

              The generated firehol configuration must be edited before it is
              used on your systems. You are required to take many decisions,
              and the comments of the generated file will guide you through
              many of them.

       configfile
              A different configuration file. If no other argument is given,
              the configuration file will be tried (the default is try).
              Otherwise, the argument next to the filename can be one of
              start, debug or try.

       nothing
              When firehol is run with no argument at all, it presents help
              about its usage.
FILES
       /etc/firehol/firehol.conf

AUTHOR
       firehol was written by Costa Tsaousis <costa@tsaousis.gr>.

       This man page was written by Marc Brockschmidt <marc@marcbrockschmidt.de>.

SEE ALSO
       firehol.conf(5), iptables(8), bash(1)



                                  2003-04-30                          FIREHOL(1)