Provided by: firehol_1.297-1_all bug

NAME

       firehol - An easy to use but powerful iptables stateful firewall

SYNOPSIS

       firehol start|try|stop|restart|condrestart|status|panic|save|debug|helpme

       firehol configfile [start|debug|try]

       firehol nothing

DESCRIPTION

       firehol  is  an  iptables  firewall generator producing stateful iptables packet filtering
       firewalls, on Linux hosts and routers with any number of network interfaces, any number of
       routes,  any number of services served, any number of complexity between variations of the
       services (including positive and negative expressions).

       firehol is a language to express firewalling rules, not just a script that  produces  some
       kind of a firewall.

       The goals of firehol are:

       · Being as easy as possible
           Independently  of  the  security  skills  he/she has, firehol allows one to create and
           understand complex firewalls in just a few seconds.  The configuration files are  very
           easy to type and read.

       · Being as secure as possible.
           By  allowing  explicitly  only the wanted traffic to flow firehol secures your system.
           firehol produces stateful rules for any service or protocol, in both directions of the
           firewall.

       · Being as open as possible.
           Althoug  firehol  is  pre-configured for a large number of services, you can configure
           any service you like and firehol will turn it into a client, a server, or a router.

       · Being as flexible as possible.
           firehol can be used by end users and guru administrators requiring  extremely  complex
           firewalls.  firehol  configuration  files  are  BASH  scripts;  you  can write in them
           anything BASH  accepts,  including  variables,  pipes,  loops,  conditions,  calls  to
           external programs, run other BASH scripts with firehol directives in them, etc.

       · Being as simple as possible.
           firehol  is  easy to install on any modern Linux system; only one file is required, no
           compilations involved.

Options

       start
           Activates the firewall configuration. The configuration is expected  to  be  found  in
           /etc/firehol/firehol.conf.

       try Activates  the firewall, but waits until the user types the word commit.  If this word
           is not typed within 30 seconds, the previous firewall is restored.

       stop
           Stops a running iptables firewall by running `/etc/init.d/iptables stop'.   This  will
           allow all traffic to pass unchecked.

       restart
           This is an alias for start and is given for compatibility with /etc/init.d/iptables.

       condrestart
           Starts  the  firehol  firewall  only if it is not already active. It does not detect a
           modified configuration file, only verifies that firehol has been started in  the  past
           and not stopped yet.

       status
           Shows the running firewall, as in `/sbin/iptables -nxvL | less'

       panic
           It  removes  all  rules from the running firewall and then it DROPs all traffic on all
           iptables tables (mangle, nat,  filter)  and  pre-defined  chains  (PREROUTING,  INPUT,
           FORWARD, OUTPUT, POSTROUTING), thus blocking all IP communication. DROPing is not done
           by changing the default policy to DROP, but by adding just one rule per table/chain to
           drop  all  traffic,  because  the  default  iptables  scripts supplied by many systems
           (including RedHat 8) do not reset all the chains  to  ACCEPT  when  starting  (firehol
           resets them correctly).

           When  activating  panic mode, firehol checks for the existance of the SSH_CLIENT shell
           environment variable (set by SSH). If it find this, then panic  mode  will  allow  the
           established SSH connection specified in this variable to operate. Notice that in order
           for this to work, you should have su without the minus (-) sign, since su - overwrites
           the shell variables and therefore the SSH_CLIENT variable is lost.

           Alternativelly,  after  the panic argument you can specify an IP address in which case
           all established connections between this IP address and the  host  in  panic  will  be
           allowed.

       save
           Start    the    firewall    and    then   save   it   using   /sbin/iptables-save   to
           /etc/sysconfig/iptables.

           Since v1.64, this is not implemented using `/etc/init.d/iptables save'  because  there
           is  a bug in some versions of iptables-save that save invalid commands (`! --uid-owner
           A' is saved as `--uid-owner !A') which cannot be restored. firehol fixes this  problem
           (by saving it, and then replacing `--uid-owner !' with `! --uid-owner').

           Note  that not all firehol firewalls will work if restored with: `/etc/init.d/iptables
           start' because FireHOL handles kernel modules and might have queried RPC servers (used
           by  the  NFS service) before starting the firewall. Also, firehol automatically checks
           current kernel configuration for client ports range. If you restore a  firewall  using
           the iptables service your firewall may not work as expected.

       debug
           Parses  the  configuration  file  but instead of activating it, it shows the generated
           iptables statements.

       explain
           Enters an interactive mode where it accepts normal configuration commands and presents
           the generated iptables commands for each of them, together with some reasoning for its
           purpose. Additionally, it automatically generates a configuration script based on  the
           successfull commands given.

           When in directive mode, firehol has the following special commands:

           · help
               Present some help
           · show
               Present the generated firehol configuration
           · quit
               Exit interactive mode and quit firehol

       helpme
           Tries  to guess the firehol configuration needed for the current machine. firehol will
           not stop or alter the running  firewall.  The  configuration  file  is  given  in  the
           standard output of firehol, thus

            `/etc/init.d/firehol helpme > /tmp/firehol.conf'

           will produce the output in /tmp/firehol.conf.

           The  generated  firehol  configuration  should  and must be edited before used on your
           systems. You are required to take many decisions and the  comments  of  the  generated
           file will instruct you for many of them.

       configfile
           A  different configuration file. If no other argument is given, the configuration file
           will be ``tried'' (default = ``try''). Otherwise the argument next to the filename can
           be one of ``start'', ``debug'', ``try''.

       nothing
           Presents help about firehol usage.

FILES

           /etc/firehol/firehol.conf

AUTHOR

       firehol written by Costa Tsaousis <costa@tsaousis.gr>.

       Man page written by Marc Brockschmidt <marc@marcbrockschmidt.de>.

SEE ALSO

       firehol.conf(5), iptables(8), bash(1)

                                            2003-04-30                                 FIREHOL(1)