Provided by: firehol_3.1.7+ds-2_all


NAME
       firehol - an easy to use but powerful iptables stateful firewall



SYNOPSIS
       firehol

       sudo -E firehol panic [ IP ]

       firehol command [ -- conf-arg... ]

       firehol CONFIGFILE [start|debug|try] [-- conf-arg... ]


DESCRIPTION
       Running firehol invokes iptables(8) to manipulate your firewall.

       Run without any arguments, firehol will present some help on usage.

       When    given    CONFIGFILE,    firehol    will    use   the   named   file   instead   of
       /etc/firehol/firehol.conf as its configuration.  If no command is given,  firehol  assumes

       It is possible to pass arguments for use by the configuration file separating any conf-arg
       values from the rest of the arguments with  --.   The  arguments  are  accessible  in  the
       configuration using standard bash(1) syntax e.g. $1, $2, etc.

       To block all communication, invoke firehol with the panic command.

       FireHOL  removes  all  rules  from  the running firewall and then DROPs all traffic on all
       iptables(8) tables (mangle,  nat,  filter)  and  pre-defined  chains  (PREROUTING,  INPUT,

       DROPing  is  not  done  by changing the default policy to DROP, but by adding one rule per
       table/chain to drop all traffic.  This allows systems which do not reset all the chains to
       ACCEPT when starting to function correctly.

       When  activating  panic  mode,  FireHOL  checks  for the existence of the SSH_CLIENT shell
       environment variable, which is set by ssh(1).  If it finds  this,  then  panic  mode  will
       allow the established SSH connection specified in this variable to operate.


              In  order  for  FireHOL  to see the environment variable you must ensure that it is
              preserved.  For sudo(8) use the -E and for su(1) omit the - (minus sign).

       If SSH_CLIENT is not set, the IP after the panic argument allows you to give an IP address
       for which all established connections between the IP address and the host in panic will be
       allowed to continue.
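       As an added example that is not FireHOL's own code, the following POSIX shell script prints
       (rather than applies) the iptables(8) commands a panic-style lockdown of the kind described
       above consists of: the tables are flushed, ESTABLISHED-only ACCEPT rules keep the session of
       the address taken from SSH_CLIENT (or from the optional IP argument), and one explicit DROP
       rule is appended to every built-in chain of the mangle, nat and filter tables.  The chain
       list and the conntrack match are assumptions of the example, not taken from the man page.

```sh
#!/bin/sh
# Added example, not part of FireHOL: print (do not apply) the commands a
# panic-style lockdown consists of, so the effect can be reviewed first.

# Address whose established connections should survive the lockdown.
# SSH_CLIENT has the form "client_ip client_port server_port" (ssh(1));
# it wins over the optional IP argument, mirroring "firehol panic [ IP ]".
panic_allow_ip() {
    if [ -n "${SSH_CLIENT:-}" ]; then
        printf '%s\n' "${SSH_CLIENT%% *}"
    else
        printf '%s\n' "${1:-}"
    fi
}

# Emit the rule set: flush each table, keep the allowed host's already
# established traffic, then one explicit DROP per built-in chain (a rule,
# not a policy change, so chains left at ACCEPT by a previous init still drop).
panic_rules() {
    allow=$1
    for table in mangle nat filter; do
        printf 'iptables -t %s -F\n' "$table"
    done
    if [ -n "$allow" ]; then
        printf 'iptables -t filter -A INPUT  -s %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$allow"
        printf 'iptables -t filter -A OUTPUT -d %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$allow"
    fi
    # table:chain pairs for the built-in chains (assumed list, see lead-in)
    for tc in mangle:PREROUTING mangle:INPUT mangle:FORWARD mangle:OUTPUT mangle:POSTROUTING \
              nat:PREROUTING nat:OUTPUT nat:POSTROUTING \
              filter:INPUT filter:FORWARD filter:OUTPUT; do
        printf 'iptables -t %s -A %s -j DROP\n' "${tc%%:*}" "${tc##*:}"
    done
}

# Usage: sh panic-dryrun.sh [IP]   (prints only; nothing is applied)
panic_rules "$(panic_allow_ip "${1:-}")"
```

       Running it through sudo without -E shows the SSH_CLIENT fallback the Note above warns about:
       the ACCEPT lines disappear unless an IP is given explicitly.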


COMMANDS
       start; restart
              Activates the firewall using /etc/firehol/firehol.conf.

              Use  of  the  term  restart  is  allowed  for  compatibility   with   common   init

       try    Activates the firewall, waiting for the user to type the word commit.  If this word
              is not typed within 30 seconds, the previous firewall is restored.

       stop   Stops a running iptables(8) firewall by clearing all of the tables and  chains  and
              setting  the  default  policies  to  ACCEPT.   This  will allow all traffic to pass

       condrestart
              Restarts the FireHOL firewall only if it is already active.  This is the  generally
              expected behaviour (but opposite to FireHOL prior to 2.0.0-pre4).

       status Shows the running firewall, using /sbin/iptables -nxvL | less.

       save   Start the firewall and then save it using iptables-save(8) to the location given by
              FIREHOL_AUTOSAVE.  See firehol-defaults.conf(5) for more information.

              The  required  kernel  modules  are   saved   to   an   executable   shell   script
              /var/spool/firehol/,  which  can  be  called  during  boot if a
              firewall is to be restored.


                     External changes may cause a firewall restored after a reboot to not work as
                     intended where starting the firewall with FireHOL will work.

                     This  is  because  as  part  of  starting  a  firewall,  FireHOL checks some
                     changeable values.  For instance the current kernel configuration is checked
                     (for  client  port  ranges),  and  RPC servers are queried (to allow correct
                     functioning of the NFS service).

       debug  Parses the configuration file but instead  of  activating  it,  FireHOL  shows  the
              generated iptables(8) statements.

       explain
              Enters  an interactive mode where FireHOL accepts normal configuration commands and
              presents the generated iptables(8) commands for each of them,  together  with  some
              reasoning for its purpose.

              Additionally,  FireHOL  automatically generates a configuration script based on the
              successful commands given.

              Some extra commands are available in explain mode.

              help   Present some help

              show   Present the generated configuration

              quit   Exit interactive mode and quit

       helpme; wizard
              Tries to guess the FireHOL configuration needed for the current machine.

              FireHOL will not stop or alter the running firewall.   The  configuration  file  is
              given  in  the  standard output of firehol, thus firehol helpme > /tmp/firehol.conf
              will produce the output in /tmp/firehol.conf.

              The generated FireHOL configuration must be edited before use on your systems.  You
              are required to take a number of decisions; the comments in the generated file will
              instruct you in the choices you must make.




SEE ALSO
       · firehol.conf(5) - FireHOL configuration

       · firehol-defaults.conf(5) - control variables

       · FireHOL Website (

       · FireHOL Online PDF Manual (

       · FireHOL Online Documentation (


AUTHOR
       FireHOL Team; Original man page by Marc Brockschmidt.