By default, Firehol generates rules for both IPv4 and IPv6. This can be changed in the configuration file firehol-defaults.conf by setting the variables ENABLE_IPV4 and ENABLE_IPV6 to either 0 or 1 as needed.
Installing and configuring Firehol
Install Firehol on Debian and Ubuntu with:
sudo apt install firehol
Configure it through the file firehol.conf in the /etc/firehol/ directory. You can open it with:
sudo nano firehol.conf
Editing the firehol.conf configuration file
/etc/default/firehol
START_FIREHOL=YES
sudo /etc/init.d/firehol start
Keep in mind that the service might be installed in a different directory. To enable autostart for the service use this command:
sudo update-rc.d firehol defaults
Firehol QuickStart
To quickly configure a functional firewall, you can generate a sample configuration with the most important functions:
sudo firehol helpme > /tmp/firehol.conf
Firehol reads the local system services and adjusts the configuration accordingly.
Generating basic configuration for Firehol
firehol-defaults.co
/etc/firehol
The options in firehol-default.conf come into play when no rule or variable is set in firehol.conf. This is useful, for example, for logging.
Firehol operates as a stateful olution
Firehol effectively matches both requests and responses. This is possible because the Linux kernel is aware of all active connections and consequently determines expected packets from those that are not. Firehol’s usage of the In-Kernel-Connection-Tracker allows it to automatically dispose of all packets considered invalid.
Setting a new rule using Firehol means focusing mainly on the requests. Through this, the tool automatically generates the matching answer or reply in the iptables.
Maintenance of individual rules occurs through simple commands inside firehol.conf. For illustration, if there is an active HTTP service on the server, merely typing the command into the file will do:
server http accept
To allow HTTP client requests, use this command:
client http accept
To filter traffic, it’s not necessary to define every service. However, you can also create your own services, for example with these commands:
server_myhttp_ports="tcp/80,443"client_myhttp_ports="default"
Then, you can allow packets through the server:
server myhttp acceptclient myhttp accept
It’s also possible to use multiple ports:
server_emule_ports="tcp/4662,64397,7037,23213,25286 udp/4672"client_emule_ports="default"
Using multiple protocols for all ports can be configured this way:
server_sip_ports="tcp,udp/5060"client_sip_ports="default"
Defining Rules with Firehol
In principle, the firewall applies rules to all packets entering the system. For example, if the server smtp accept is entered in firehol.conf, the firewall allows SMTP packets.
However, it’s possible to create additional rules for Requests using parameters. These are explained in detail in the documentation. For example, to match all SMTP requests from IP address 1.1.1.1 to SMTP server 2.2.2.2, use this command:
server smtp accept src 1.1.1.1 dst 2.2.2.2
Troubleshooting with Firehol: Syslog and NFLOG
It may happen that the firewall blocks packets, disrupting communication. The documentation provides guidelines on how to troubleshoot.
Firehol records its events in the system log, which can be utilized for analysis. It’s located in the /var/log/messages or /var/log/syslog directory.
In there, you can see which packets Firehol implicitly discards, that is, without a rule in the config file. Hence, it’s also useful to set up logging in advance.
The developers of Firehol suggest using NFLOG for logging firewall actions. To accomplish this, add the line in the file /etc/firehol/firehol-defaults.conf:
FIREHOL_LOG_MODE="NFLOG"
This relieves the system log.
With this command, the firewall shows which actions it performs based on the current configuration:
firehol debug
This helps identify problems. Since Firehol runs as a bash script, additional information can be logged by adding the following lines to the configuration: