FIREHOL(1)                  General Commands Manual                 FIREHOL(1)

NAME
       firehol - An easy to use but powerful iptables stateful firewall

SYNOPSIS
       firehol start|try|stop|restart|condrestart|status|panic|save|debug|helpme

       firehol configfile [start|debug|try]

       firehol nothing

DESCRIPTION
       firehol is an iptables firewall generator producing stateful iptables
       packet filtering firewalls, on Linux hosts and routers with any number
       of network interfaces, any number of routes, any number of services
       served, and any degree of complexity between variations of the
       services (including positive and negative expressions).

       firehol is a language to express firewalling rules, not just a script
       that produces some kind of a firewall.

       The goals of firehol are:

       · Being as easy as possible.
           Independently of the security skills he/she has, firehol allows
           the user to create and understand complex firewalls in just a few
           seconds. The configuration files are very easy to type and read.

       · Being as secure as possible.
           By explicitly allowing only the wanted traffic to flow, firehol
           secures your system. firehol produces stateful rules for any
           service or protocol, in both directions of the firewall.

       · Being as open as possible.
           Although firehol is pre-configured for a large number of services,
           you can configure any service you like and firehol will turn it
           into a client, a server, or a router.

       · Being as flexible as possible.
           firehol can be used by end users and guru administrators requiring
           extremely complex firewalls. firehol configuration files are BASH
           scripts; you can write in them anything BASH accepts, including
           variables, pipes, loops, conditions, calls to external programs,
           running other BASH scripts with firehol directives in them, etc.

       · Being as simple as possible.
           firehol is easy to install on any modern Linux system; only one
           file is required, no compilation involved.

Options
       start
           Activates the firewall configuration. The configuration is expected
           to be found in /etc/firehol/firehol.conf.

       try
           Activates the firewall, but waits until the user types the word
           commit. If this word is not typed within 30 seconds, the previous
           firewall is restored.

       stop
           Stops a running iptables firewall by running /etc/init.d/iptables
           stop. This will allow all traffic to pass unchecked.

       restart
           This is an alias for start and is given for compatibility with
           /etc/init.d/iptables.

       condrestart
           Starts the firehol firewall only if it is not already active. It
           does not detect a modified configuration file; it only verifies
           that firehol has been started in the past and not stopped yet.

       status
           Shows the running firewall, as in /sbin/iptables -nxvL | less

       panic
           Removes all rules from the running firewall and then DROPs all
           traffic on all iptables tables (mangle, nat, filter) and
           pre-defined chains (PREROUTING, INPUT, FORWARD, OUTPUT,
           POSTROUTING), thus blocking all IP communication. DROPing is not
           done by changing the default policy to DROP, but by adding just one
           rule per table/chain to drop all traffic, because the default
           iptables scripts supplied by many systems (including RedHat 8) do
           not reset all the chains to ACCEPT when starting (firehol resets
           them correctly).

           When activating panic mode, firehol checks for the existence of the
           SSH_CLIENT shell environment variable (set by SSH). If it finds
           this, then panic mode will allow the established SSH connection
           specified in this variable to operate. Notice that in order for
           this to work, you should have used su without the minus (-) sign,
           since su - overwrites the shell variables and therefore the
           SSH_CLIENT variable is lost.

           Alternatively, after the panic argument you can specify an IP
           address, in which case all established connections between this IP
           address and the host in panic will be allowed.

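           The panic behaviour described above, as an added example that is
           not firehol's own code: a POSIX sh script that takes the client
           address from SSH_CLIENT (or from an explicit argument, as the page
           allows) and prints, rather than executes, the iptables commands a
           panic would need: flush every table, then in every built-in chain
           allow the administrator's ESTABLISHED connection before the DROP.
           The per-table chain lists, the use of the state match and the
           function names are assumptions of this example, not taken from
           firehol.

```shell
#!/bin/sh
# Added example, not firehol's own code: emulate "firehol panic" by printing
# the iptables commands instead of running them (the way "firehol debug"
# prints rather than activates). Run the output through a shell only after
# reviewing it.

# Extract the client address from an SSH_CLIENT value ("ip port serverport").
# Prints nothing when the value is empty or does not look like an address.
ssh_client_ip() {
    # split on whitespace; the first field is the client's address
    set -- $1
    case "${1:-}" in
        "" | *[!0-9A-Fa-f.:]*) echo "" ;;
        *) echo "$1" ;;
    esac
}

# Resolve the address to keep: an explicit argument wins, otherwise the
# SSH_CLIENT of the current shell (lost after "su -", as the page notes).
panic_keep_address() {
    if [ -n "${1:-}" ]; then
        echo "$1"
    else
        ssh_client_ip "${SSH_CLIENT:-}"
    fi
}

# Built-in chains of each table (assumption of this example: the classic
# 2.4/2.6 layout, where the nat table has no INPUT chain).
chains_of() {
    case "$1" in
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        filter) echo "INPUT FORWARD OUTPUT" ;;
    esac
}

# Print the panic rule set, one iptables command per line. $1 is the address
# whose ESTABLISHED connections stay allowed (empty = allow none).
panic_rules() {
    allow="$1"
    for table in mangle nat filter; do
        # remove all existing rules and user-defined chains of this table
        echo "iptables -t $table -F"
        echo "iptables -t $table -X"
    done
    for table in mangle nat filter; do
        for chain in $(chains_of "$table"); do
            if [ -n "$allow" ]; then
                # The ACCEPT rules must precede the DROP in every chain that
                # drops: iptables evaluates a chain top to bottom, and mangle
                # PREROUTING is traversed before filter INPUT, so an allow
                # placed only in the filter table would not keep the session.
                echo "iptables -t $table -A $chain -s $allow -m state --state ESTABLISHED -j ACCEPT"
                echo "iptables -t $table -A $chain -d $allow -m state --state ESTABLISHED -j ACCEPT"
            fi
            echo "iptables -t $table -A $chain -j DROP"
        done
    done
}
```

           Usage: panic_rules "$(panic_keep_address "$1")" prints the
           command list; with no argument and SSH_CLIENT unset (for instance
           after su -) it prints only the DROP rules, which is exactly the
           situation the page warns about.
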
       save
           Starts the firewall and then saves it using /sbin/iptables-save to
           /etc/sysconfig/iptables.

           Since v1.64, this is not implemented using /etc/init.d/iptables
           save because there is a bug in some versions of iptables-save that
           saves invalid commands (! --uid-owner A is saved as --uid-owner !A)
           which cannot be restored. firehol works around this problem by
           saving the rules and then replacing --uid-owner ! with
           ! --uid-owner.

           Note that not all firehol firewalls will work if restored with
           /etc/init.d/iptables start, because FireHOL handles kernel modules
           and might have queried RPC servers (used by the NFS service) before
           starting the firewall. Also, firehol automatically checks the
           current kernel configuration for the client ports range. If you
           restore a firewall using the iptables service, your firewall may
           not work as expected.

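           The rewrite that save performs, as an added example that is not
           firehol's own code: a filter that moves the misplaced "!" back in
           front of --uid-owner in an iptables-save dump, a counter that
           reports how many unrestorable rules remain, and a save step that
           refuses to write the file while any remain. The function names and
           the exact sed expression are this example's own; the constructed
           dump lines used to exercise it are not real saved rules.

```shell
#!/bin/sh
# Added example, not firehol's own code: the post-processing the page
# describes for "firehol save". Some iptables-save versions wrote the negated
# owner match "! --uid-owner A" as "--uid-owner !A", which iptables-restore
# rejects; the fix moves the "!" back in front of the option.

# Filter: read an iptables-save dump on stdin, write the corrected dump on
# stdout. Both "--uid-owner !A" and "--uid-owner ! A" are rewritten; a rule
# already in the "! --uid-owner A" form is left untouched.
fix_uid_owner() {
    sed -E 's/--uid-owner +! *([^ ]+)/! --uid-owner \1/g'
}

# Count the rules on stdin that still carry the unrestorable form, so the
# result can be checked before it is handed to iptables-restore. grep -c
# exits 1 when the count is zero, hence the "|| true".
count_broken_uid_owner() {
    grep -c -E -- '--uid-owner +!' || true
}

# Save flow: $1 is a file holding the output of iptables-save, $2 the
# destination file. Returns 1 and writes nothing when a broken rule survives
# the rewrite, so a dump that cannot be restored never replaces a good one.
save_fixed() {
    fixed=$(fix_uid_owner < "$1")
    if [ "$(printf '%s\n' "$fixed" | count_broken_uid_owner)" -ne 0 ]; then
        return 1
    fi
    printf '%s\n' "$fixed" > "$2"
}
```

           Usage: iptables-save > /tmp/rules.raw; save_fixed /tmp/rules.raw
           /etc/sysconfig/iptables (paths chosen for the example). Checking
           the count after the rewrite is the part worth keeping: a saved
           rule set that iptables-restore rejects leaves the host with no
           firewall at the next boot.
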
       debug
           Parses the configuration file but, instead of activating it, shows
           the generated iptables statements.

       explain
           Enters an interactive mode where it accepts normal configuration
           commands and presents the generated iptables commands for each of
           them, together with some reasoning for their purpose. Additionally,
           it automatically generates a configuration script based on the
           successful commands given.

           When in this interactive mode, firehol has the following special
           commands:

           · help
               Present some help
           · show
               Present the generated firehol configuration
           · quit
               Exit interactive mode and quit firehol

       helpme
           Tries to guess the firehol configuration needed for the current
           machine. firehol will not stop or alter the running firewall. The
           configuration file is written to the standard output of firehol,
           thus

            /etc/init.d/firehol helpme >/tmp/firehol.conf

           will produce the output in /tmp/firehol.conf.

           The generated firehol configuration must be edited before it is
           used on your systems. You are required to take many decisions, and
           the comments in the generated file will guide you through many of
           them.

       configfile
           A different configuration file. If no other argument is given, the
           configuration file will be tried (default = try). Otherwise the
           argument next to the filename can be one of start, debug, try.

       nothing
           Presents help about firehol usage.

FILES
       /etc/firehol/firehol.conf

AUTHOR
       firehol was written by Costa Tsaousis <costa@tsaousis.gr>.

       Man page written by Marc Brockschmidt <marc@marcbrockschmidt.de>.
169

SEE ALSO
       firehol.conf(5), iptables(8), bash(1)



                                 2003-04-30                        FIREHOL(1)