Provided by: firehol-doc_3.1.7+ds-2_all bug


       firehol-ipset - configure ipsets


       ipset command name options


       FireHOL has an ipset helper.  It is a wrapper around the real ipset command and is handled
       internally within FireHOL in such a way so that  the  ipset  collections  defined  in  the
       configuration will be activated before activating the firewall.

       FireHOL  is also smart enough to restore the ipsets after a reboot, before it restores the
       firewall, so that everything will work as seamlessly as possible.

       The ipset helper has the same syntax with the real ipset command.  So in FireHOL you  just
       add the ipset statements you need, and FireHOL will do the rest.

       Keep  in  mind that each ipset collection is either IPv4 or IPv6.  In FireHOL prefix ipset
       with either ipv4 or ipv6 and FireHOL will choose the  right  IP  version  (there  is  also
       ipset4 and ipset6).

       Also,  do not add -! to ipset statements given in firehol.conf.  FireHOL will batch import
       all ipsets and this option is not needed.

FireHOL ipset extensions

       The features below are extensions of ipset that can only be used from within firehol.conf.
       They will not work on a terminal.

       The  FireHOL helper allows mass import of ipset collections from files.  This is done with
       ipset addfile command.

       The ipset addfile command will get a filename, remove all comments (anything after a #  on
       the same line), trim any empty lines and spaces, and add all the remaining lines to ipset,
       as if each line of the file was run with ipset  add  COLLECTION_NAME  IP_FROM_FILE  [other

       The syntax of the ipset addfile command is:

               ipset addfile *name* [ip|net] *filename* [*other ipset add options*]

       name is the collection to add the IPs.

       ip is optional and will select all the lines of the file that do not contain a /.

       net is optional and will select all the lines of the file that contain a /.

       filename  is the filename to read.  You can give absolute filenames and relative filenames
       (to /etc/firehol).

       other ipset add options is whatever else ipset add supports, that you are willing to  give
       for each line.

       The  ipset  add  command  implemented  in  FireHOL  also  allows  you to give multiple IPs
       separated by comma or enclosed in quotes and separated by space.


               ipv4 ipset create badguys hash:ip
               ipv4 ipset add badguys
               ipv4 ipset addfile badguys file-with-the-bad-guys-ips.txt
               ipv4 blacklist full ipset:badguys

               # example with multiple IPs
               ipv4 ipset create badguys hash:ip
               ipv4 ipset add badguys,, # << comma separated
               ipv4 ipset add badguys ""  # << space separated in quotes

       ipsets with IP Lists for  abuse,  malware,  attacks,  proxies,  anonymizers,  etc  can  be
       downloaded  with  the  contrib/  script.   Information about the supported
       ipsets can be found at FireHOL IP Lists (


firehol(1) - FireHOL program

       • firehol.conf(5) - FireHOL configuration

       • firehol-interface(5) - interface definition

       • firehol-router(5) - router definition

       • firehol-params(5) - optional rule parameters

       • firehol-masquerade(5) - masquerade helper

       • FireHOL Website (

       • FireHOL Online PDF Manual (

       • FireHOL Online Documentation (

       • FireHOL IP Lists (

       • NAT HOWTO (

       • netfilter  flow  diagram  (


       FireHOL Team.