Ubuntu Manpage: firehol - An easy to use but powerful iptables stateful firewall

NAME

       firehol - An easy to use but powerful iptables stateful firewall

SYNOPSIS

       firehol start|try|stop|restart|condrestart|status|panic|save|debug|helpme

       firehol configfile [start|debug|try]

       firehol nothing

DESCRIPTION

firehol is an iptables firewall generator producing stateful iptables packet filtering
firewalls, on Linux hosts and routers with any number of network interfaces, any number of
routes, any number of services served, any number of complexity between variations of the
services (including positive and negative expressions).

firehol is a language to express firewalling rules, not just a script that produces some
kind of a firewall.

The goals of firehol are:

• Being as easy as possible
Independently of the security skills he/she has, firehol allows one to create and
understand complex firewalls in just a few seconds. The configuration files are very
easy to type and read.

• Being as secure as possible.
By allowing explicitly only the wanted traffic to flow firehol secures your system.
firehol produces stateful rules for any service or protocol, in both directions of the
firewall.

• Being as open as possible.
Althoug firehol is pre-configured for a large number of services, you can configure
any service you like and firehol will turn it into a client, a server, or a router.

• Being as flexible as possible.
firehol can be used by end users and guru administrators requiring extremely complex
firewalls. firehol configuration files are BASH scripts; you can write in them
anything BASH accepts, including variables, pipes, loops, conditions, calls to
external programs, run other BASH scripts with firehol directives in them, etc.

• Being as simple as possible.
firehol is easy to install on any modern Linux system; only one file is required, no
compilations involved.

Options

start
Activates the firewall configuration. The configuration is expected to be found in
/etc/firehol/firehol.conf.

try Activates the firewall, but waits until the user types the word commit. If this word
is not typed within 30 seconds, the previous firewall is restored.

stop
Stops a running iptables firewall by running `/etc/init.d/iptables stop'. This will
allow all traffic to pass unchecked.

restart
This is an alias for start and is given for compatibility with /etc/init.d/iptables.

condrestart
Starts the firehol firewall only if it is not already active. It does not detect a
modified configuration file, only verifies that firehol has been started in the past
and not stopped yet.

status
Shows the running firewall, as in `/sbin/iptables -nxvL | less'

panic
It removes all rules from the running firewall and then it DROPs all traffic on all
iptables tables (mangle, nat, filter) and pre-defined chains (PREROUTING, INPUT,
FORWARD, OUTPUT, POSTROUTING), thus blocking all IP communication. DROPing is not done
by changing the default policy to DROP, but by adding just one rule per table/chain to
drop all traffic, because the default iptables scripts supplied by many systems
(including RedHat 8) do not reset all the chains to ACCEPT when starting (firehol
resets them correctly).

When activating panic mode, firehol checks for the existance of the SSH_CLIENT shell
environment variable (set by SSH). If it find this, then panic mode will allow the
established SSH connection specified in this variable to operate. Notice that in order
for this to work, you should have su without the minus (-) sign, since su - overwrites
the shell variables and therefore the SSH_CLIENT variable is lost.

Alternativelly, after the panic argument you can specify an IP address in which case
all established connections between this IP address and the host in panic will be
allowed.

save
Start the firewall and then save it using /sbin/iptables-save to
/etc/sysconfig/iptables.

Since v1.64, this is not implemented using `/etc/init.d/iptables save' because there
is a bug in some versions of iptables-save that save invalid commands (`! --uid-owner
A' is saved as `--uid-owner !A') which cannot be restored. firehol fixes this problem
(by saving it, and then replacing `--uid-owner !' with `! --uid-owner').

Note that not all firehol firewalls will work if restored with: `/etc/init.d/iptables
start' because FireHOL handles kernel modules and might have queried RPC servers (used
by the NFS service) before starting the firewall. Also, firehol automatically checks
current kernel configuration for client ports range. If you restore a firewall using
the iptables service your firewall may not work as expected.

debug
Parses the configuration file but instead of activating it, it shows the generated
iptables statements.

explain
Enters an interactive mode where it accepts normal configuration commands and presents
the generated iptables commands for each of them, together with some reasoning for its
purpose. Additionally, it automatically generates a configuration script based on the
successfull commands given.

When in directive mode, firehol has the following special commands:

• help
Present some help
• show
Present the generated firehol configuration
• quit
Exit interactive mode and quit firehol

helpme
Tries to guess the firehol configuration needed for the current machine. firehol will
not stop or alter the running firewall. The configuration file is given in the
standard output of firehol, thus

`/etc/init.d/firehol helpme > /tmp/firehol.conf'

will produce the output in /tmp/firehol.conf.

The generated firehol configuration should and must be edited before used on your
systems. You are required to take many decisions and the comments of the generated
file will instruct you for many of them.

configfile
A different configuration file. If no other argument is given, the configuration file
will be ``tried'' (default = ``try''). Otherwise the argument next to the filename can
be one of ``start'', ``debug'', ``try''.

nothing
Presents help about firehol usage.

FILES

           /etc/firehol/firehol.conf

AUTHOR