Latest News

Jan 07, 2013 FireHOL R5 v1.296 released.
Added support for NFLOG. FireHOL now syslogs all important actions. Updated services amanda, ftp, pptp, tftp, h323, GRE, sip. Added support for CONNMARK and CLASSIFY. Fixed several issues.


July 31, 2008 FireHOL R5 v1.273 released.
Updated to parse the latest format of the IANA reservations page.

Added support for custom actions for services. This opens a way for allowing actions that can be controlled externally without restarting the firewall.
Fixed several minor issues (better NAT support for all services, handling for external pager command, kernel config parsing, config wizard, etc).

May 20, 2007 FireHOL R5 v1.255 released.
Fixed kernel 2.6.20+ compatibility issues, fixed BASH 3.2 compatibility issues, fixed various iptables compatibility issues.

FireHOL now supports external definitions of RESERVED_IPS, PRIVATE_IPS, MULTICAST_IPS, UNROUTABLE_IPS in /etc/firehol. It also complains if RESERVED_IPS is older than 90 days.

Policy now works on routers too.

Updated services: nfs, OSPF, sip, vmwareweb. Added protections: bad-packets, all-floods. Added actions: tarpit. Added support for the recent iptables module. Added addrtype (srctype, dsttype) support in optional rule parameters.

Added FIREHOL_DROP_ORPHAN_TCP_ACK_FIN for busy servers.
Added FIREHOL_LOG_PREFIX to improve logging.

Jan 30, 2005, FireHOL R5 v1.226 released.
This release fixes vulnerabilities where malicious local system users could use FireHOL's temporary files to overwrite arbitrary files on the system (See Secunia Advisory SA13970).

All users are advised to update to this version.

This release includes new service definitions: ANYSTATELESS, TIMESTAMP and DICT. The following helpers have been added: TRANSPARENT_PROXY. Also, added support for knockd as an argument to the accept action.


2003-2004 FireHOL remains one of the BEST RATED open source applications.
FireHOL is ranked in TOP 20 BEST RATED of FreshMeat II. See the current rating rank at FireHOL's FreshMeat page (note that this page changes dynamically, so the rating might have changed).
I really thank you all for this...

Are you using FireHOL too? Tell us your opinion: rate it here.


May 3, 2004, Latest CVS tarballs available.
You can download a nightly-build CVS version of FireHOL at http://firehol.sf.net/firehol.tar.gz
Although I try to keep CVS versions fully operational, please keep in mind that this CVS version might have bugs.

You can always see what has changed using FireHOL's WebCVS Change Log viewer.

Testimonials
Date: Thu, Mar 30, 2006 19:21

FireHOL is an amazing tool. It leverages the incredible power of netfilter/iptables to turn Linux into a viable firewall solution, even for complex scenarios where people would think "Cisco PIX" or "Check Point FW-1".
Right now I'm using it on a box that filters the traffic passing between the public Internet, 4 VLANs, 1 DMZ and 2 VPN endpoints, with address forwardings (DNAT) thrown in for good measure. This amounts to over 3000 iptables rules (according to "iptables-save") and I still haven't lost my sanity!
Needless to say, I'm using it on all the other Linux servers too. :)

Carlos Rodrigues


Date: Wed, July 7, 2004 03:55

I want to thank you for making such a brilliant firewall configuration tool. I have just finished configuring a firewall with 5 ethernets (two office LANs, two DMZs and one ISP upstream with aliased IPs) for two companies with a shared broadband internet connection, and it works perfectly.
I still marvel at the shortness and simplicity of your configuration language contrasted against the completeness and tightness of the fully stateful iptables rules!

Brian Hoy


Date: Fri, October 31, 2003 21:39

After six hours of nothing but trouble, frustration and desperation with fwbuilder, I installed FireHOL and within minutes I got everything to work as desired. Once more: why make things complicated, when you can make them easy. Thanks a lot.

cassielix


Date: Sat, September 27, 2003 19:23

Hello, I just wanted to thank you for making FireHOL. Explaining firewalls to my girlfriend is, well, a tough thing to do. After getting your script configured and our new DSL connection working, she said "Wow that was fast", then the inevitable "What did you do?". I showed her the short script and she read it like it was English. I can't stop smiling.

Erik Peterson


Date: Thu, July 31, 2003 23:52

Just wanted to drop you a quick note to let you know that I just installed FireHOL 1.120 on my Linux router/firewall, and it worked like a champ!
Super-easy (your example on the FireHOL web page is a perfect starting point for setups like mine, which is a single PC doing NAT/MASQ and firewalling over DSL for an internal LAN) and much more effective than my old stateless firewall that it replaced (which wouldn't even let me ftp without shutting it down).
Just wanted to say thanks for a job well done, and for making your work available to the rest of us!

Scott Taylor
ALVE Technology Corporation

What is FireHOL?

FireHOL is... firewalling made easy:

transparent_squid 8080 "squid root" inface eth0

interface eth0 mylan
	policy accept

interface ppp+ internet
	server smtp accept
	server http accept
	server ftp accept
	server ssh accept src trusted.example.com

	client all accept

router mylan2internet inface eth0 outface ppp+
	masquerade
	route all accept

FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, and any degree of complexity between variations of the services (including positive and negative expressions).

FireHOL is a language to express firewalling rules, not just a script that produces some kind of a firewall.

The goals of FireHOL are:

Is it secure?

FireHOL is secure because it has been designed with the right firewalling concept: deny everything, then allow only what is needed.

Also, FireHOL produces stateful iptables packet filtering firewalls (and possibly, the only generic tool today that does that for all services in both directions of the firewall).

Stateful means that traffic allowed to pass is part of a valid connection that has been initiated the right way. Stateful also means that you can have control based on who initiated the traffic. For example: you can choose to be able to ping anyone on the internet, but no one to be able to ping you. If for example you don't need to run a server on your Linux host, you can easily achieve a situation where you are able to do anything to anyone, but as far as the rest of world is concerned, you do not exist!

Learn another language?

FireHOL has been designed to let you configure your firewall the same way you think of it. Its language is extremely simple. Basically you have to learn four commands:

  • interface  
  • router  
  • client  
  • server  

The client and server commands have exactly the same syntax. Interface has two mandatory arguments and router has only one (the same as one of the two that interface requires). All the optional parameters are the same for all of them. This sounds like just one command is to be learned...

Of course there are a few more commands defined, but all of them exist just to give you finer control on these four.

If you don't believe it is simple, consider this example:

Thoughts... In FireHOL
I have a Linux host with two network interfaces.
  • The first is eth0 that connects to my LAN  
  • The other is a PPP device that connects to the internet  

interface eth0 lan

interface ppp+ internet

To the internet my Linux provides:
  • a MAIL server  
  • a WEB server  
  • an FTP server  
  • an SSH server, but only for my office computer  

office="my-office-pc.example.com"

interface eth0 lan

interface ppp+ internet
	server smtp accept
	server http accept
	server ftp  accept
	server ssh  accept src "$office"

My Linux is also a workstation, I want to run any client I wish.
office="my-office-pc.example.com"

interface eth0 lan

interface ppp+ internet
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"
client all accept
My LAN is trusted.

If a server is running on my Linux I want my LAN PCs to use it.

office="my-office-pc.example.com"

interface eth0 lan
policy accept

interface ppp+ internet
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"

client all accept

I would like my LAN PCs to use this Linux as a gateway for connecting, as clients, to the internet for all the services they wish.
office="my-office-pc.example.com"

interface eth0 lan
policy accept

interface ppp+ internet
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"

client all accept
router lan2internet inface eth0 outface ppp+
route all accept

My LAN PCs have private IPs, unroutable to the Internet.

I need to masquerade somehow their IP addresses for internet access.

office="my-office-pc.example.com"

interface eth0 lan
policy accept

interface ppp+ internet
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"

client all accept

router lan2internet inface eth0 outface ppp+
masquerade route all accept

This is it! The firewall is ready. I hope you have noticed that all the rules given match just one direction of the traffic: the request. They don't say anything about replies (see for example the src, inface or outface parameters). This is because FireHOL handles the replies automatically. You don't have to do anything about them: If a request is allowed, then the corresponding reply is also allowed. This also means that FireHOL produces the iptables statements to exactly match what is allowed in both directions and nothing more. If for example we remove the client all accept from the internet interface, our Linux will not be able to do anything with its PPP device except to send replies matching the server statements within this interface; no pings, no DNS, no web browsing, no nothing!
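To make the "request direction only" point concrete, here is an added illustration in POSIX shell (not FireHOL's own code, and not the chains FireHOL actually generates, which are organised per interface): each server/client statement is expanded into the pair of stateful iptables rules it implies, one for the request and one for the reply. The service-to-port table, the interface names and the office host value are constructed for this example.

```shell
#!/bin/sh
# Added illustration, not FireHOL's code: expand one FireHOL-style
# "server"/"client" statement into the two stateful iptables rules it
# implies. Real FireHOL builds per-interface chains; this is simplified.
# The service->port table below is a constructed subset for the example.

port_of() {
    case "$1" in
        smtp) echo 25 ;;
        http) echo 80 ;;
        ssh)  echo 22 ;;
        *)    return 1 ;;   # unknown service: refuse rather than guess
    esac
}

# server <svc> accept [src <host>] on interface $1:
# the request comes IN on the interface, the reply goes OUT of it.
server_rules() {
    iface=$1; svc=$2; src=${3:-}
    port=$(port_of "$svc") || return 1
    srcm=${src:+ -s $src}    # optional "src" restriction on the request
    dstm=${src:+ -d $src}    # mirrored as "dst" on the reply
    printf 'iptables -A INPUT -i %s%s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$iface" "$srcm" "$port"
    printf 'iptables -A OUTPUT -o %s%s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$iface" "$dstm" "$port"
}

# client <svc> accept on interface $1: the request goes OUT, the reply comes IN.
client_rules() {
    iface=$1; svc=$2
    port=$(port_of "$svc") || return 1
    printf 'iptables -A OUTPUT -o %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$iface" "$port"
    printf 'iptables -A INPUT -i %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$iface" "$port"
}

# Walk the page's "internet" interface: public smtp and http servers,
# ssh only from the office host, and the workstation's outgoing http.
office="my-office-pc.example.com"
for s in smtp http; do server_rules ppp+ "$s"; done
server_rules ppp+ ssh "$office"
client_rules ppp+ http
```

The reply rule of each pair only accepts ESTABLISHED traffic, so dropping a request rule removes its reply path with it; nothing is opened that the request statement did not ask for.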

The complete configuration file (a little bit enriched) of the above example could be:

# Require release 5 of FireHOL configuration directives
version 5

# A space separated list of all the IPs on the internet, I trust
office="my-office-pc.example.com"

# The IP address of this Linux and LAN for the rest of the world
public_ip="1.2.3.4"

# My LAN. Everything is allowed here.
interface eth0 lan
	policy accept # The default is 'drop'.

# Make sure the traffic coming in, comes from valid Internet IPs,
# and that is targeting my public IP
interface ppp+ internet src not "$UNROUTABLE_IPS" dst "$public_ip"
	# Protect me from various kinds of attacks.
	protection strong

	# Public servers.
	server smtp accept
	server http accept
	server ftp accept
	server ssh accept src "$office"

	# Make sure idents do not timeout.
	server ident reject with tcp-reset

	# This is also a workstation.
	client all accept


# Route the LAN requests to the internet.
router lan2internet inface eth0 outface ppp+
	# Masquerading on outface.
	masquerade

	# Route all requests from inface to outface
	# and their replies back.
	route all accept

FireHOL is completely dynamic, since with its language you can describe any firewall configuration you wish using simple commands.

Why?

As an IT executive, responsible for many dozens of Linux systems, I needed a firewalling solution that would allow me and my team to have a clear and simple view of what is happening on each server, as far as firewalling is concerned. I also needed a solution that will allow my team members to produce high quality and homogeneous firewalls independently of their security skills and knowledge. After searching for such a tool, I quickly concluded that no tool is flexible, open, easy, and simple enough for what I needed.

I decided to write FireHOL in a way that would allow me, or anyone else, to view, verify and audit the firewall of any Linux server or Linux router in seconds. FireHOL's configuration is extremely simple... you don't have to be an expert to design a complicated but secure firewall.

What features does it have?

FireHOL handles firewalls protecting one host on all its interfaces and any combination of stateful firewalls routing traffic from one interface to another. There are no limitations on the number of interfaces or on the number of routing routes (except the ones iptables has, if any).

FireHOL still lacks a few features: QoS for example is not supported directly. You are welcome to extend FireHOL and send me your patches to integrate within FireHOL. In any case, however, you can embed normal iptables commands in a FireHOL configuration to do whatever iptables supports.

Since FireHOL produces stateful commands, for every supported service it needs to know the flow of requests and replies. Today FireHOL supports the following services:


$Id: overview.html,v 1.38 2013/01/07 00:10:31 ktsaou Exp $

FireHOL, a firewall for humans...
© Copyright 2004 Costa Tsaousis <costa@tsaousis.gr>