The latest version of this manual is available online as a PDF, as single page HTML and also as multiple pages within the website.
FireHOL is started and stopped using the firehol script. The default firewall configuration is to be found in /etc/firehol/firehol.conf, with some behaviours governed by variables in /etc/firehol/firehol-defaults.conf.
These are the primary packet filtering building blocks. Below each of these, sub-commands can be added.
| command | 4/6/46 | forbidden params | description |
|---|---|---|---|
| interface | Y | inface outface physout | Define packet filtering blocks, protecting the firewall host itself. |
| router | Y | - | Define packet filtering blocks, protecting other hosts from routed traffic. |
A rule in an interface or router definition typically consists of a subcommand to apply to a service using one of the standard actions provided it matches certain optional rule parameters. e.g.
server ssh accept src 10.0.0.0/8The following sub-commands can be used below primary commands to form rules.
| command | 4/6/46 | forbidden params | description |
|---|---|---|---|
| client | Y | sport dport | Allow access to a client running on the interface or the protected router hosts. |
| group | Y | - | Define groups of commands that share optional rule parameters. Groups can be nested. |
| iptables ip6tables | N | all forbidden | A wrapper for the system iptables command, to add custom iptables statements to a FireHOL firewall. |
| masquerade | Y | inface outface | Change the source IP of packets leaving outface, with the IP of the interface they are using to leave. |
| policy | N | all forbidden | Define the action to be applied on packets not matched by any server or client statements in the interface or router. |
| protection | N | all forbidden | Examine incoming packets per interface or router and filter out bad packets or limit request frequency. |
| server | Y | sport dport | Allow access to a server running on the interface or the protected router hosts. |
| tcpmss | Y | all forbidden | Set the MSS (Maximum Segment Size) of TCP SYN packets routed through the firewall. |
The following commands are generally used to set things up before the first primary command. Some can be used below an interface or router and also appear in the subcommands table.
| command | 4/6/46 | forbidden params | description |
|---|---|---|---|
| action | Y | - | Define new actions that can differentiate the final action based on rules. action can be used to define traps. |
| blacklist | Y | - | Drop matching packets globally. |
| classify | Y | - | Put matching traffic into the specified traffic shaping class. |
| connmark | Y | - | Set a stateful mark from the connmark group. |
| cthelper | 4/6 | - | Control connection tracking helpers. |
| dscp | Y | - | Set the DSCP field of packets. |
| ipset | 4/6 | all forbidden | Define ipsets. A wrapper for the system ipset command to add ipsets to a FireHOL firewall. |
| iptables ip6tables | N | all forbidden | A wrapper for the system iptables command, to add custom iptables statements to a FireHOL firewall. |
| iptrap | 4/6 | - | Dynamically put IP addresses in an ipset. |
| mac | Y | all forbidden | Restricts an IP to a particular MAC address. |
| mark | Y | - | Set a stateful mark from the usermark group. |
| masquerade | Y | - | Change the source IP of packets leaving outface, with the IP of the interface they are using to leave. |
| dnat | Y | - | Change the destination IP or port of packets received, to fixed values or fixed ranges. dnat can be used to implement load balancers. |
| snat | Y | - | Change the source IP or port of packets leaving, to fixed values or fixed ranges. |
| redirect | Y | - | Redirect packets to the firewall host, possibly changing the destination port. Can support load balancers if multiple daemons run on localhost. |
| transparent_proxy | Y | see notes | Set up a transparent TCP, HTTP or squid proxy. |
| synproxy | Y | - | Configure synproxy. |
| tcpmss | Y | all forbidden | Set the MSS (Maximum Segment Size) of TCP SYN packets routed through the firewall. |
| tos | Y | - | Set the Type of Service (TOS) of packets. |
| tosfix | Y | all forbidden | Apply suggested TOS values to packets. |
| version | N | all forbidden | Specify a version number for the configuration file. |