

       firehol - An easy to use but powerful iptables stateful firewall



       firehol configfile [start|debug|try]

       firehol nothing


       firehol is an iptables firewall generator producing stateful iptables
       packet filtering firewalls on Linux hosts and routers with any number
       of network interfaces, any number of routes, any number of services
       served, and any degree of complexity in the variations of those
       services (including positive and negative expressions).

       firehol is a language to express firewalling rules, not just  a  script
       that produces some kind of a firewall.

       The goals of firehol are:

       · Being as easy as possible.
           Regardless of the user's security skills, firehol allows one to
           create and understand complex firewalls in just a few seconds.
           The configuration files are very easy to type and read.

       · Being as secure as possible.
           By  allowing  explicitly  only  the  wanted traffic to flow firehol
           secures your  system.  firehol  produces  stateful  rules  for  any
           service or protocol, in both directions of the firewall.

       · Being as open as possible.
           Although firehol is pre-configured for a large number of services,
           you can configure any service you like and firehol will turn it
           into a client, a server, or a router.

       · Being as flexible as possible.
           firehol  can be used by end users and guru administrators requiring
           extremely complex firewalls. firehol configuration files  are  BASH
           scripts;  you  can  write  in them anything BASH accepts, including
           variables, pipes, loops, conditions, calls  to  external  programs,
           run other BASH scripts with firehol directives in them, etc.

       · Being as simple as possible.
           firehol  is  easy  to  install on any modern Linux system; only one
           file is required, no compilations involved.


       start
           Activates the firewall configuration. The configuration is expected
           to be found in /etc/firehol/firehol.conf.

       try Activates  the  firewall,  but  waits until the user types the word
           commit.  If this word is not typed within 30 seconds, the  previous
           firewall is restored.

       stop
           Stops a running iptables firewall by running `/etc/init.d/iptables
           stop'.  This will allow all traffic to pass unchecked.

           This is an alias for start and  is  given  for  compatibility  with

           Starts  the  firehol  firewall only if it is not already active. It
           does not detect a modified configuration file, only  verifies  that
           firehol has been started in the past and not stopped yet.

           Shows the running firewall, as in `/sbin/iptables -nxvL | less'

       panic
           It removes all rules from the running firewall and then it DROPs
           all traffic on all iptables tables (mangle, nat, filter)  and  pre-
           defined  chains  (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING),
           thus blocking all IP communication. DROPing is not done by changing
           the  default  policy  to  DROP,  but  by  adding  just one rule per
           table/chain to drop  all  traffic,  because  the  default  iptables
           scripts  supplied by many systems (including RedHat 8) do not reset
           all the  chains  to  ACCEPT  when  starting  (firehol  resets  them

           When activating panic mode, firehol checks for the existence of the
           SSH_CLIENT shell environment variable (set by SSH). If it finds
           this, then panic mode will allow the established SSH connection
           specified in this variable to operate. Notice that in order for
           this to work, you should run su without the minus (-) sign, since
           su - overwrites the shell variables and therefore the SSH_CLIENT
           variable is lost.

           Alternatively, after the panic argument you can specify an IP
           address, in which case all established connections between this IP
           address and the host in panic will be allowed.
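
           A pre-flight check for the two cases above, as an added example
           that is not part of firehol: it decides whether panic can rely on
           SSH_CLIENT or needs the IP named explicitly. The function names
           are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not part of firehol). Helper names are hypothetical.
# sshd sets SSH_CLIENT to "client_ip client_port server_port".

# Print the client IP from an SSH_CLIENT-style value; fail if it is malformed.
ssh_client_ip() {
    ip= sport= dport= extra=
    read -r ip sport dport extra <<EOF
$1
EOF
    [ -n "$ip" ] && [ -z "$extra" ] || return 1
    case "$sport" in ''|*[!0-9]*) return 1 ;; esac
    case "$dport" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$ip"
}

# Print the panic command line to use.
# $1: value of SSH_CLIENT, $2: optional fallback IP of the admin workstation
panic_command() {
    if client=$(ssh_client_ip "$1"); then
        # Variable intact: panic mode keeps this session on its own
        echo "SSH_CLIENT intact, session from $client is kept" >&2
        printf 'firehol panic\n'
    elif [ -n "$2" ]; then
        # Variable lost (for example after "su -"): name the IP explicitly
        echo "SSH_CLIENT missing, naming $2 explicitly" >&2
        printf 'firehol panic %s\n' "$2"
    else
        echo "no SSH_CLIENT and no fallback IP: panic would cut this session" >&2
        return 1
    fi
}

# Constructed values; 192.0.2.10 is a documentation address.
panic_command "192.0.2.10 51514 22"
panic_command "" "192.0.2.10"
```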

       save
           Start the firewall and then save it using /sbin/iptables-save to

           Since v1.64, this is not implemented using `/etc/init.d/iptables
           save' because there is a bug in some versions of iptables-save that
           saves invalid commands (`! --uid-owner A' is saved as `--uid-owner
           !A') which cannot be restored. firehol fixes this problem (by
           saving it, and then replacing `--uid-owner !' with `!

           Note  that  not  all  firehol firewalls will work if restored with:
           `/etc/init.d/iptables start' because FireHOL handles kernel modules
           and might have queried RPC servers (used by the NFS service) before
           starting the firewall. Also, firehol automatically  checks  current
           kernel  configuration  for  client  ports  range.  If you restore a
           firewall using the iptables service your firewall may not  work  as
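
           The `--uid-owner' save bug described above can be checked for in
           any saved ruleset before it is restored. This is an added example,
           not firehol's own code; the function names are hypothetical and
           the dump is constructed.

```shell
#!/bin/sh
# Added example (not firehol's code). Function names are hypothetical.

# List rules (with line numbers) that carry the unrestorable "--uid-owner !A" form.
broken_rules() {
    grep -nE -e '--uid-owner[[:space:]]+!' || true
}

# Move the negation in front of the option: "--uid-owner !A" -> "! --uid-owner A".
fix_uid_owner() {
    sed -E 's/--uid-owner[[:space:]]+![[:space:]]*([^[:space:]]+)/! --uid-owner \1/g'
}

# Constructed iptables-save style dump with one affected rule.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner !1000 -j DROP
-A OUTPUT -m owner --uid-owner 33 -j ACCEPT
COMMIT
EOF
}

# Report the affected rule, then confirm the repaired dump has none left.
sample_dump | broken_rules
sample_dump | fix_uid_owner | broken_rules
```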

       debug
           Parses the configuration file but, instead of activating it,
           shows the generated iptables statements.

           Enters an interactive mode where it accepts normal configuration
           commands and presents the generated iptables commands for each of
           them, together with some reasoning for their purpose. Additionally,
           it automatically generates a configuration script based on the
           successful commands given.

           When in directive mode, firehol has the following special commands:

           · help
               Present some help
           · show
               Present the generated firehol configuration
           · quit
               Exit interactive mode and quit firehol

       helpme
           Tries to guess the firehol configuration needed for the current
           machine.  firehol  will not stop or alter the running firewall. The
           configuration file is given in the standard output of firehol, thus

            `/etc/init.d/firehol helpme > /tmp/firehol.conf'

           will produce the output in /tmp/firehol.conf.

           The generated firehol configuration must be edited before it is
           used on your systems. You are required to make many decisions,
           and the comments in the generated file will guide you through
           many of them.

       configfile
           A different configuration file. If no other argument is given, the
           configuration file will be ``tried'' (default = ``try''). Otherwise
           the argument next to the filename can be one of ``start'',
           ``debug'', ``try''.

           Presents help about firehol usage.




       firehol written by Costa Tsaousis.

       Man page written by Marc Brockschmidt.


       firehol.conf(5), iptables(8), bash(1)

                                  2003-04-30                        FIREHOL(1)
