Provided by: firehol-doc_3.1.7+ds-4_all
NAME
firehol.conf - FireHOL configuration
DESCRIPTION
/etc/firehol/firehol.conf is the default configuration file for firehol(1). It defines the stateful firewall that will be produced. A configuration file starts with an optional version indicator which looks like this: version 6 See firehol-version(1) for full details. A configuration file contains one or more interface definitions, which look like this: interface eth0 lan client all accept # This host can access any remote service server ssh accept # Remote hosts can access SSH on local server # ... The above definition has name “lan” and specifies a network interface (eth0). A definition may contain zero or more subcommands. See firehol-interface(5) for full details. By default FireHOL will try to create both IPv4 and IPv6 rules for each interface. To make this explicit or restrict which rules are created write both interface, ipv4 interface or ipv6 interface. Note that IPv6 will be disabled silently if your system is not configured to use it. You can test this by looking for the file /proc/net/if_inet6. The IPv6 HOWTO (http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/systemcheck-kernel.html) has more information. A configuration file contains zero or more router definitions, which look like this: DMZ_IF=eth0 WAN_IF=eth1 router wan2dmz inface ${WAN_IF} outface ${DMZ_IF} route http accept # Hosts on WAN may access HTTP on hosts in DMZ server ssh accept # Hosts on WAN may access SSH on hosts in DMZ client pop3 accept # Hosts in DMZ may access POP3 on hosts on WAN # ... The above definition has name “wan2dmz” and specifies incoming and outgoing network interfaces (eth1 and eth0) using variables. A definition may contain zero or more subcommands. Note that a router is not required to specify network interfaces to operate on. See firehol-router(5) for full details. By default FireHOL will try to create both IPv4 and IPv6 rules for each router. To make this explicit or restrict which rules are created write both router, ipv4 router or ipv6 router. It is simple to add extra service definitions which can then be used in the same way as those provided as standard. See ADDING SERVICES. The configuration file is parsed as a bash(1) script, allowing you to set up and use variables, flow control and external commands. Special control variables may be set up and used outside of any definition, see firehol- defaults.conf(5) as can the functions in CONFIGURATION HELPER COMMANDS and HELPER COMMANDS.
VARIABLES AVAILABLE
The following variables are made available in the FireHOL configuration file and can be accessed as ${VARIABLE}. UNROUTABLE_IPS This variable includes the IPs from both PRIVATE_IPS and RESERVED_IPS. It is useful to restrict traffic on interfaces and routers accepting Internet traffic, for example: interface eth0 internet src not "${UNROUTABLE_IPS}" PRIVATE_IPS This variable includes all the IP addresses defined as Private or Test by RFC 3330 (https://tools.ietf.org/html/rfc3330). You can override the default values by creating a file called /etc/firehol/PRIVATE_IPS. RESERVED_IPS This variable includes all the IP addresses defined by IANA (http://www.iana.org/) as reserved. You can override the default values by creating a file called /etc/firehol/RESERVED_IPS. Now that IPv4 address space has all been allocated there is very little reason that this value will need to change in future. MULTICAST_IPS This variable includes all the IP addresses defined as Multicast by RFC 3330 (https://tools.ietf.org/html/rfc3330). You can override the default values by creating a file called /etc/firehol/MULTICAST_IPS.
ADDING SERVICES
To define new services you add the appropriate lines before using them later in the configuration file. The following are required: server_myservice_ports=“proto/sports” client_myservice_ports=“cports” proto is anything iptables(8) accepts e.g. “tcp”, “udp”, “icmp”, including numeric protocol values. sports is the ports the server is listening at. It is a space-separated list of port numbers, names and ranges (from:to). The keyword any will match any server port. cports is the ports the client may use to initiate a connection. It is a space-separated list of port numbers, names and ranges (from:to). The keyword any will match any client port. The keyword default will match default client ports. For the local machine (e.g. a client within an interface) it resolves to sysctl(8) variable net.ipv4.ip_local_port_range (or /proc/sys/net/ipv4/ip_local_port_range). For a remote machine (e.g. a client within an interface or anything in a router) it resolves to the variable DEFAULT_CLIENT_PORTS (see firehol-defaults.conf(5)). The following are optional: require_myservice_modules=“modules” require_myservice_nat_modules=“nat-modules” The named kernel modules will be loaded when the definition is used. The NAT modules will only be loaded if FIREHOL_NAT is non-zero (see firehol-defaults.conf(5)). For example, for a service named daftnet that listens at two ports, port 1234 TCP and 1234 UDP where the expected client ports are the default random ports a system may choose, plus the same port numbers the server listens at, with further dynamic ports requiring kernel modules to be loaded: # Setup service server_daftnet_ports="tcp/1234 udp/1234" client_daftnet_ports="default 1234" require_daftnet_modules="ip_conntrack_daftnet" require_daftnet_nat_modules="ip_nat_daftnet interface eth0 lan0 server daftnet accept interface eth1 lan1 client daftnet reject router lan2lan inface eth0 outface eth1 route daftnet accept Where multiple ports are provides (as per the example), FireHOL simply determines all of the combinations of client and server ports and generates multiple iptables(8) statements to match them. To create more complex rules, or stateless rules, you will need to create a bash function prefixed rules_ e.g. rules_myservice. The best reference is the many such functions in the main firehol(1) script. When adding a service which uses modules, or via a custom function, you may also wish to include the following: ALL_SHOULD_ALSO_RUN=“${ALL_SHOULD_ALSO_RUN} myservice” which will ensure your service is set-up correctly as part of the all service. Note To allow definitions to be shared you can instead create files and install them in the /etc/firehol/services directory with a .conf extension. The first line must read: #FHVER: 1:213 1 is the service definition API version. It will be changed if the API is ever modified. The 213 originally referred to a FireHOL 1.x minor version but is no longer checked. FireHOL will refuse to run if the API version does not match the expected one.
DEFINITIONS
• firehol-interface(5) - interface definition • firehol-router(5) - router definition
SUBCOMMANDS
• firehol-policy(5) - policy command • firehol-protection(5) - protection command • firehol-server(5) - server, route commands • firehol-client(5) - client command • firehol-group(5) - group command
HELPER COMMANDS
These helpers can be used in interface and router definitions as well as before them: • firehol-iptables(5) - iptables helper • firehol-masquerade(5) - masquerade helper This helper can be used in router definitions as well as before any router or interface: • firehol-tcpmss(5) - tcpmss helper
CONFIGURATION HELPER COMMANDS
These helpers should only be used outside of interface and router definitions (i.e. before the first interface is defined). • firehol-version(5) - version config helper • firehol-action(5) - action config helper • firehol-blacklist(5) - blacklist config helper • firehol-classify(5) - classify config helper • firehol-connmark(5) - connmark config helper • firehol-dscp(5) - dscp config helper • firehol-mac(5) - mac config helper • firehol-mark(5) - mark config helper • firehol-nat(5) - nat, snat, dnat, redirect helpers • firehol-proxy(5) - transparent proxy/squid helpers • firehol-tos(5) - tos config helper • firehol-tosfix(5) - tosfix config helper
SEE ALSO
• firehol(1) - FireHOL program • firehol-defaults.conf(5) - control variables • firehol-services(5) - services list • firehol-actions(5) - actions for rules • FireHOL Website (http://firehol.org/) • FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf) • FireHOL Online Documentation (http://firehol.org/documentation/)
AUTHORS
FireHOL Team.