Provided by: firehol-doc_2.0.3+ds-1_all

NAME

       firehol-variables - control variables for FireHOL

SYNOPSIS

       Defaults:

       • DEFAULT_INTERFACE_POLICY="DROP"

       • DEFAULT_ROUTER_POLICY="RETURN"

       • UNMATCHED_INPUT_POLICY="DROP"

       • UNMATCHED_OUTPUT_POLICY="DROP"

       • UNMATCHED_FORWARD_POLICY="DROP"

       • FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT"

       • FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT"

       • FIREHOL_FORWARD_ACTIVATION_POLICY="ACCEPT"

       • FIREHOL_LOG_MODE="LOG"

       • FIREHOL_LOG_LEVEL=see notes

       • FIREHOL_LOG_OPTIONS="--log-level warning"

       • FIREHOL_LOG_FREQUENCY="1/second"

       • FIREHOL_LOG_BURST="5"

       • FIREHOL_LOG_PREFIX=""

       • FIREHOL_DROP_INVALID="0"

       • DEFAULT_CLIENT_PORTS="1000:65535"

       • FIREHOL_NAT="0"

       • FIREHOL_ROUTING="0"

       • FIREHOL_AUTOSAVE=see notes

       • FIREHOL_AUTOSAVE6=see notes

       • FIREHOL_LOAD_KERNEL_MODULES="1"

       • FIREHOL_TRUST_LOOPBACK="1"

       • FIREHOL_DROP_ORPHAN_TCP_ACK_FIN="0"

       • FIREHOL_DEBUGGING=""

       • WAIT_FOR_IFACE=""

DESCRIPTION

       There are a number of variables that control the behaviour of FireHOL.

       All variables may be set in the main FireHOL configuration file /etc/firehol/firehol.conf.

       Variables  which  affect  the  runtime  but  not  the  created firewall may also be set as
       environment variables before running firehol(1).  These can change the default values  but
       will  be overwritten by values set in the configuration file.  If a variable can be set by
       an environment variable it is specified below.

       FireHOL also sets some variables before processing the configuration file  which  you  can
       use as part of your configuration.  These are described in firehol.conf(5).

VARIABLES

       DEFAULT_INTERFACE_POLICY
              This variable controls the default action to be taken on traffic not matched by any
              rule within an interface.  It can be overridden using firehol-policy(5).

              Packets that reach the end of an interface without an action of  return  or  accept
              are   logged.    You  can  control  the  frequency  of  this  logging  by  altering
              FIREHOL_LOG_FREQUENCY.

              Example:

                     DEFAULT_INTERFACE_POLICY="REJECT"

       DEFAULT_ROUTER_POLICY
              This variable controls the default action to be taken on traffic not matched by any
              rule within a router.  It can be overridden using firehol-policy(5).

              Packets  that  reach  the end of a router without an action of return or accept are
              logged.   You  can  control   the   frequency   of   this   logging   by   altering
              FIREHOL_LOG_FREQUENCY.

              Example:

                     DEFAULT_ROUTER_POLICY="REJECT"

       UNMATCHED_{INPUT|OUTPUT|FORWARD}_POLICY
              These  variables  control  the default action to be taken on traffic not matched by
              any interface or router definition that was incoming, outgoing  or  for  forwarding
              respectively.  Any supported value from firehol-actions(5) may be set.

              All packets that reach the end of a chain are logged, regardless of these settings.
              You can control the frequency of this logging by altering FIREHOL_LOG_FREQUENCY.

              Example:

                     UNMATCHED_INPUT_POLICY="REJECT"
                     UNMATCHED_OUTPUT_POLICY="REJECT"
                     UNMATCHED_FORWARD_POLICY="REJECT"

       FIREHOL_{INPUT|OUTPUT|FORWARD}_ACTIVATION_POLICY
              These variables control the default action to be taken on traffic  during  firewall
              activation  for  incoming, outgoing and forwarding respectively.  Acceptable values
              are ACCEPT, DROP and REJECT.  They may be set as environment variables.

              FireHOL defaults all values to ACCEPT so that your communications continue to  work
              uninterrupted.

              If you wish to prevent connections whilst the new firewall is activating, set these
              values to DROP.  This is important to do if you are  using  all  or  any  to  match
              traffic; connections established during activation will continue even if they would
              not be allowed once the firewall is established.

              Example:

                     FIREHOL_INPUT_ACTIVATION_POLICY="DROP"
                     FIREHOL_OUTPUT_ACTIVATION_POLICY="DROP"
                     FIREHOL_FORWARD_ACTIVATION_POLICY="DROP"

       FIREHOL_LOG_MODE
               This variable controls the method that FireHOL uses for logging.

              Acceptable values are LOG (normal syslog) and ULOG (netfilter ulogd).  When ULOG is
              selected, FIREHOL_LOG_LEVEL is ignored.

              Example:

                     FIREHOL_LOG_MODE="ULOG"

               To see the available options run: /sbin/iptables -j LOG --help or
               /sbin/iptables -j ULOG --help

       FIREHOL_LOG_LEVEL
              This variable controls the level at which events will be logged to syslog.

              To avoid packet logs appearing on your console you should ensure  klogd  only  logs
              traffic that is more important than that produced by FireHOL.

               Use this variable to choose an iptables(8) log level (alphabetic or numeric)
               which is numerically higher than the -c value given to klogd.

              iptables/klogd levels

               iptables      klogd   description
               ───────────────────────────────────────────────
               emerg (0)     0       system is unusable
               alert (1)     1       action must be taken immediately
               crit (2)      2       critical conditions
               error (3)     3       error conditions
               warning (4)   4       warning conditions
               notice (5)    5       normal but significant condition
               info (6)      6       informational
               debug (7)     7       debug-level messages

                     Note

                      The default for klogd is generally to log everything (7 and lower)  and  the
                      default level for iptables(8) is to log as warning (4).
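               The following shell functions are an added illustration of the table above, not
               part of FireHOL or its documentation.  They map an iptables log level name to
               its numeric syslog priority and apply the kernel's console rule (a message is
               printed on the console when its priority is numerically lower than the
               console log level that klogd -c sets), so you can check a candidate
               FIREHOL_LOG_LEVEL before deploying it.  The function names are my own.

```shell
# Added example, not FireHOL code: check a FIREHOL_LOG_LEVEL against klogd -c.

# Map an iptables(8) log level (name or number) to its syslog priority number.
syslog_level_num() {
    case "$1" in
        emerg|0)   echo 0 ;;
        alert|1)   echo 1 ;;
        crit|2)    echo 2 ;;
        error|3)   echo 3 ;;
        warning|4) echo 4 ;;
        notice|5)  echo 5 ;;
        info|6)    echo 6 ;;
        debug|7)   echo 7 ;;
        *) echo "unknown log level: $1" >&2; return 1 ;;
    esac
}

# True (exit 0) when packets logged at level $1 would be printed on a console
# whose log level was set with 'klogd -c $2': priority must be lower than $2.
reaches_console() {
    lvl=$(syslog_level_num "$1") || return 2
    [ "$lvl" -lt "$2" ]
}

# Suggest the most urgent level, from warning downwards, that stays off a
# console configured with 'klogd -c $1'; fails if none of them does.
quiet_level_for() {
    for name in warning notice info debug; do
        if ! reaches_console "$name" "$1"; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# Usage: with the usual klogd default of 7, only "debug" stays off the console.
quiet_level_for 7
```

               With klogd at its default of 7 the only level that stays quiet is debug; with
               klogd -c 4 the iptables default of warning is already quiet.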

       FIREHOL_LOG_OPTIONS
              This variable controls the way in which events will be logged to syslog.

              Example:

                     FIREHOL_LOG_OPTIONS="--log-level info \
                                          --log-tcp-options --log-ip-options"

              To see the available options run: /sbin/iptables -j LOG --help

       FIREHOL_LOG_FREQUENCY; FIREHOL_LOG_BURST
              These  variables  control the frequency that each logging rule will write events to
              syslog.   FIREHOL_LOG_FREQUENCY  is  set  to  the  maximum  average  frequency  and
              FIREHOL_LOG_BURST specifies the maximum initial number.

              Example:

                     FIREHOL_LOG_FREQUENCY="30/minute"
                     FIREHOL_LOG_BURST="2"

              To see the available options run: /sbin/iptables -m limit --help
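               To see how many log lines a given FIREHOL_LOG_FREQUENCY and FIREHOL_LOG_BURST
               actually allow through, the script below models the iptables limit match those
               values are passed to.  It is an added example written for this page, not FireHOL
               code: the match keeps a credit counter that refills with elapsed time up to a
               cap of BURST tokens, and every logged packet spends one token.  The simulation
               uses integer milliseconds and a simplified refill, and the function names and
               packet timings are constructed for the illustration.

```shell
# Added example, not FireHOL code: simplified model of the iptables "limit"
# match behind FIREHOL_LOG_FREQUENCY / FIREHOL_LOG_BURST.

# Milliseconds between tokens for a rate such as "30/minute".
limit_period_ms() {
    rate=${1%/*}
    unit=${1#*/}
    case "$unit" in
        second) per=1000 ;;
        minute) per=60000 ;;
        hour)   per=3600000 ;;
        day)    per=86400000 ;;
        *) echo "unsupported rate: $1" >&2; return 1 ;;
    esac
    echo $((per / rate))
}

# Count how many of the packets at the given timestamps (space separated,
# ascending, in ms) would be logged under rate $1 and burst $2.
simulate_limit() {
    period=$(limit_period_ms "$1") || return 1
    cap=$(( $2 * period ))   # a full bucket holds BURST tokens' worth of credit
    credit=$cap              # the bucket starts full
    last=0
    logged=0
    for t in $3; do
        credit=$(( credit + t - last ))              # refill by elapsed time
        [ "$credit" -gt "$cap" ] && credit=$cap      # never beyond the burst cap
        last=$t
        if [ "$credit" -ge "$period" ]; then         # one token available?
            credit=$(( credit - period ))
            logged=$(( logged + 1 ))
        fi
    done
    echo "$logged"
}

# Constructed traffic: $2 packets spaced $1 ms apart, starting at time 0.
every_ms() {
    i=0
    out=""
    while [ "$i" -lt "$2" ]; do
        out="$out $(( i * $1 ))"
        i=$(( i + 1 ))
    done
    echo "$out"
}

# Usage: 20 packets in 200 ms under the defaults (1/second, burst 5) log 5 lines;
# the same packets at one every 2 seconds are all logged.
simulate_limit 1/second 5 "$(every_ms 10 20)"
simulate_limit 1/second 5 "$(every_ms 2000 10)"
```

               With "30/minute" and a burst of 2, ten packets one second apart produce six log
               lines: two from the burst, then one every two seconds as the bucket refills.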

       FIREHOL_LOG_PREFIX
              This  value  is  added  to  the  contents of each logged line for easy detection of
              FireHOL lines in the system logs.  By default it is empty.

              Example:

                     FIREHOL_LOG_PREFIX="FIREHOL:"
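               A prefix pays off when you read the logs back: it lets you separate firewall
               lines from the rest of the kernel log with a plain string match.  The script
               below is an added example, not FireHOL code.  The sample lines are constructed
               for it, using the field layout the iptables LOG target writes (IN=, OUT=, SRC=,
               DST=, PROTO=, DPT=) with the prefix from the example above, and the function
               names are my own.

```shell
# Added example, not FireHOL code: summarise prefixed firewall log lines.

# Constructed sample kernel log: three FIREHOL-prefixed lines, one unrelated
# kernel message, and one line from a differently prefixed LOG rule.
SAMPLE_LOG='Jan  1 00:00:01 gw kernel: FIREHOL:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT=22 SYN
Jan  1 00:00:01 gw kernel: FIREHOL:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=54 ID=2 DF PROTO=TCP SPT=40002 DPT=23 SYN
Jan  1 00:00:02 gw kernel: FIREHOL:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=61 ID=3 PROTO=UDP SPT=5353 DPT=5353
Jan  1 00:00:03 gw kernel: e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex
Jan  1 00:00:03 gw kernel: OTHER:IN=eth1 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0'

# Keep only the lines carrying prefix $1 (stdin to stdout).
firehol_lines() {
    grep -F -- "$1"
}

# Logged packets per source address, most frequent first: "<count> <SRC>".
count_by_src() {
    firehol_lines "$1" | awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); hits[src]++ }
        }
        END { for (s in hits) print hits[s], s }' | sort -rn
}

# Distinct destination ports per source: "<SRC> <ports>". A source touching
# many ports stands out even when each port is hit only once.
ports_per_src() {
    firehol_lines "$1" | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) print s, ports[s] }' | sort -k2,2rn
}

# Usage on the constructed sample; on a live host feed it the kernel log instead.
printf '%s\n' "$SAMPLE_LOG" | count_by_src 'FIREHOL:'
printf '%s\n' "$SAMPLE_LOG" | ports_per_src 'FIREHOL:'
```

               The unrelated driver message and the line from the other prefix are ignored;
               the two remaining sources are summarised with their hit and port counts.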

       FIREHOL_DROP_INVALID
              If set to 1, this variable causes FireHOL to drop all packets matched as INVALID in
              the iptables(8) connection tracker.

              You  may  be  better off using firehol-protection(5) to control matching of INVALID
              packets and others on a per-interface and per-router basis.

                     Note

                     Care must be  taken  on  IPv6  interfaces,  since  ICMPv6  packets  such  as
                     Neighbour Discovery are not tracked, meaning they are marked as INVALID.

              Example:

                     FIREHOL_DROP_INVALID="1"

       DEFAULT_CLIENT_PORTS
              This  variable  controls  the  port  range  that  is  used  when a remote client is
              specified.  For clients on the local host, FireHOL finds the exact client ports  by
              querying the kernel options.

              Example:

                     DEFAULT_CLIENT_PORTS="0:65535"

       FIREHOL_NAT
              If  set  to 1, this variable causes FireHOL to load the NAT kernel modules.  If you
              make use of the NAT helper commands, the variable will be set to  1  automatically.
              It may be set as an environment variable.

              Example:

                     FIREHOL_NAT="1"

       FIREHOL_ROUTING
              If  set to 1, this variable causes FireHOL to enable routing in the kernel.  If you
              make use of router definitions or certain helper commands the variable will be  set
              to 1 automatically.  It may be set as an environment variable.

              Example:

                     FIREHOL_ROUTING="1"

       FIREHOL_AUTOSAVE; FIREHOL_AUTOSAVE6
               These  variables  specify  the  file  of  IPv4/IPv6 rules that will be created when
               firehol(1) is called with the save argument.  They may be set as environment
               variables.

               If a variable is not set, a system-specific value is used which was defined at
               configure-time.  If no value was chosen then the save fails.

              Example:

                     FIREHOL_AUTOSAVE="/tmp/firehol-saved-ipv4.txt"
                     FIREHOL_AUTOSAVE6="/tmp/firehol-saved-ipv6.txt"

       FIREHOL_LOAD_KERNEL_MODULES
              If set to 0, this variable forces FireHOL to not load any kernel  modules.   It  is
              needed  only  if  the  kernel has modules statically included and in the rare event
              that FireHOL cannot  access  the  kernel  configuration.   It  may  be  set  as  an
              environment variable.

              Example:

                     FIREHOL_LOAD_KERNEL_MODULES="0"

       FIREHOL_TRUST_LOOPBACK
              If  set  to  0,  the  loopback  device  "lo"  will not be trusted and you can write
              standard firewall rules for it.

                     Warning

                     If you do not set up appropriate rules, local processes will not be able  to
                     communicate with each other which can result in serious breakages.

              By default "lo" is trusted and all INPUT and OUTPUT traffic is accepted (forwarding
              is not included).

              Example:

                     FIREHOL_TRUST_LOOPBACK="0"

       FIREHOL_DROP_ORPHAN_TCP_ACK_FIN
               If set to 1, FireHOL will drop all TCP packets with ACK FIN set without logging
               them.

              In busy environments the iptables(8) connection tracker removes connection tracking
              list entries as soon as it receives a FIN.  This makes the ACK  FIN  appear  as  an
              invalid packet which will normally be logged by FireHOL.

              Example:

                     FIREHOL_DROP_ORPHAN_TCP_ACK_FIN="1"

       FIREHOL_DEBUGGING
              If set to a non-empty value, switches on debug output so that it is possible to see
              what processing FireHOL is doing.

                     Note

                     This variable can only be set  as  an  environment  variable,  since  it  is
                     processed before any configuration files are read.

              Example:

                     FIREHOL_DEBUGGING="Y"

       WAIT_FOR_IFACE
              If  set  to  the name of a network device (e.g.  eth0), FireHOL will wait until the
              device is up (or until 60 seconds have elapsed) before continuing.

                     Note

                     This variable  can  only  be  set  as  an  environment  variable,  since  it
                     determines when the main configuration file will be processed.

              A  device does not need to be up in order to have firewall rules created for it, so
              this option should only be used if you have a specific  need  to  wait  (e.g.   the
              network must be queried to determine the hosts or ports which will be firewalled).

              Example:

                     WAIT_FOR_IFACE="eth0"

SEE ALSO

       • firehol(1) - FireHOL program

       • firehol.conf(5) - FireHOL configuration

       • firehol-nat(5) - nat, snat, dnat, redirect helpers

       • firehol-actions(5) - actions for rules

       • iptables(8)  (http://ipset.netfilter.org/iptables.man.html)  -  administration  tool for
         IPv4 firewalls

       • ip6tables(8) (http://ipset.netfilter.org/ip6tables.man.html) - administration  tool  for
         IPv6 firewalls

       • FireHOL Website (http://firehol.org/)

       • FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)

       • FireHOL Online HTML Manual (http://firehol.org/manual)

AUTHORS

       FireHOL Team.