Jan 07, 2013: FireHOL R5 v1.296 released. Added support for NFLOG. FireHOL now syslogs all important actions. Updated services: amanda, ftp, pptp, tftp, h323, GRE, sip. Added support for CONNMARK and CLASSIFY. Fixed several issues.

July 31, 2008: FireHOL R5 v1.273 released. Updated to parse the latest format of the IANA reservations page. Added support for custom actions for services; this opens a way to allow actions that can be controlled externally without restarting the firewall. Fixed several minor issues (better NAT support for all services, handling of the external pager command, kernel config parsing, config wizard, etc.).

May 20, 2007: FireHOL R5 v1.255 released. Fixed kernel 2.6.20+ compatibility issues, BASH 3.2 compatibility issues and various iptables compatibility issues. FireHOL now supports external definitions of RESERVED_IPS, PRIVATE_IPS, MULTICAST_IPS and UNROUTABLE_IPS in /etc/firehol, and complains if RESERVED_IPS is older than 90 days. Policy now works on routers too. Updated services: nfs, OSPF, sip, vmwareweb. Added protections: bad-packets, all-floods. Added actions: tarpit. Added support for the recent iptables module. Added addrtype (srctype, dsttype) support in optional rule parameters. Added FIREHOL_DROP_ORPHAN_TCP_ACK_FIN for busy servers. Added FIREHOL_LOG_PREFIX to improve logging.

Jan 30, 2005: FireHOL R5 v1.226 released. This release fixes vulnerabilities where malicious local system users could use FireHOL's temporary files to overwrite arbitrary files on the system (see Secunia Advisory SA13970). All users are advised to update to this version. This release includes new service definitions: ANYSTATELESS, TIMESTAMP and DICT. The following helpers have been added: TRANSPARENT_PROXY. Also added support for knockd as an argument to the accept action.

2003-2004: FireHOL remains one of the BEST RATED open source applications. FireHOL is ranked in the TOP 20 BEST RATED of FreshMeat. See the current rating rank at FireHOL's FreshMeat page (note that this page changes dynamically, so the rating might have changed). I really thank you all for this... Are you using FireHOL too? Tell us your opinion: rate it here.

May 3, 2004: Latest CVS tarballs available. You can download a nightly-build CVS version of FireHOL at http://firehol.sf.net/firehol.tar.gz. Although I try to keep CVS versions fully operational, please keep in mind that this CVS version might have bugs. You can always see what has changed using FireHOL's WebCVS Change Log viewer.
"FireHOL is an amazing tool. It leverages the incredible power of netfilter/iptables to turn Linux into a viable firewall solution, even for complex scenarios where people would think "Cisco PIX" or "Check Point FW-1"."
Carlos Rodrigues, Date: Wed, July 7, 2004 03:55

"I want to thank you for making such a brilliant firewall configuration tool. I have just finished configuring a firewall with 5 ethernets (two office LANs, two DMZs and one ISP upstream with aliased IPs) for two companies with a shared broadband internet connection, and it works perfectly."
Brian Hoy, Date: Fri, October 31, 2003 21:39

"After six hours of nothing but trouble, frustration and desperation with fwbuilder, I installed FireHOL and within minutes I got everything to work as desired. Once more: why make things complicated, when you can make them easy? Thanks a lot."
cassielix, Date: Sat, September 27, 2003 19:23

"Hello, I just wanted to thank you for making FireHOL. Explaining firewalls to my girlfriend is, well, a tough thing to do. After getting your script configured and our new DSL connection working, she said "Wow that was fast", then the inevitable "What did you do?". I showed her the short script and she read it like it was English. I can't stop smiling."
Erik Peterson, Date: Thu, July 31, 2003 23:52

"Just wanted to drop you a quick note to let you know that I just installed FireHOL 1.120 on my Linux router/firewall, and it worked like a champ!"
Scott Taylor
What is FireHOL?

    # Transparently redirect web requests entering on eth0 to the Squid proxy listening on port 8080.
    # Traffic generated locally by the users squid and root is exempted, so the proxy's own fetches
    # are not redirected back into it.
    transparent_squid 8080 "squid root" inface eth0
FireHOL is a language to express firewalling rules, not just a script that produces some kind of a firewall.
The goals of FireHOL are:
Is it secure?
Also, FireHOL produces stateful iptables packet filtering firewalls (and is possibly the only generic tool today that does so for all services, in both directions of the firewall).
Stateful means that traffic allowed to pass is part of a valid connection that has been initiated the right way. Stateful also means that you can have control based on who initiated the traffic. For example: you can choose to be able to ping anyone on the internet, while nobody is able to ping you. If, for example, you don't need to run a server on your Linux host, you can easily achieve a situation where you are able to do anything to anyone, but as far as the rest of the world is concerned, you do not exist!
Learn another language?
Of course there are a few more commands defined, but all of them exist just to give you finer control over these four.
If you don't believe it is simple, consider this example:
Thoughts... and how each one looks in FireHOL:

I have a Linux host with two network interfaces.

    interface eth0 lan
    interface ppp+ internet

To the internet my Linux provides SMTP, HTTP and FTP to everyone, and SSH only from my office PC.

    office="my-office-pc.example.com"
    interface eth0 lan
    interface ppp+ internet
        server smtp accept
        server http accept
        server ftp accept
        server ssh accept src $office

My Linux is also a workstation; I want to run any client I wish.

My LAN is trusted. If a server is running on my Linux I want my LAN PCs to use it.

I would like my LAN PCs to use this Linux as a gateway for connecting, as clients, to the internet for all the services they wish.

My LAN PCs have private IPs, unroutable to the Internet. I need to masquerade their IP addresses somehow for internet access.
This is it! The firewall is ready. I hope you have noticed that all the rules given match just one direction of the traffic: the request. They don't say anything about replies (see for example the src, inface or outface parameters). This is because FireHOL handles the replies automatically. You don't have to do anything about them: If a request is allowed, then the corresponding reply is also allowed. This also means that FireHOL produces the iptables statements to exactly match what is allowed in both directions and nothing more. If for example we remove the client all accept from the internet interface, our Linux will not be able to do anything with its PPP device except to send replies matching the server statements within this interface; no pings, no DNS, no web browsing, no nothing!
The complete configuration file (a little bit enriched) of the above example could be:

    # Require release 5 of FireHOL configuration directives
    version 5
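A complete FireHOL configuration for the scenario walked through above, written here as an added example rather than the page's own listing. The interface, server, client, router and masquerade directives are FireHOL's; the router name lan2internet, the placement of the trusted-LAN rules, and the decision to leave ICMP echo unanswered on the internet side (the "ping anyone, but nobody can ping you" behaviour described earlier) are my own choices for this example.

```firehol
# Added example: a complete FireHOL configuration for the two-interface
# host + LAN gateway scenario described above (not the page's own listing).

# Require release 5 of FireHOL configuration directives
version 5

# The office PC from which SSH is allowed (name taken from the walkthrough;
# replace with your own host).
office="my-office-pc.example.com"

# The trusted LAN: LAN PCs may use any server running on this host,
# and this host may act as a client towards any LAN service.
interface eth0 lan
    server all accept
    client all accept

# The internet side. Only the request direction is written down; FireHOL
# generates the stateful rules that let the matching replies through.
interface ppp+ internet
    server smtp accept
    server http accept
    server ftp accept
    server ssh accept src $office
    # This host may be a client for anything (ping, DNS, web browsing, ...).
    # There is deliberately no "server icmp accept" above, so the host can
    # ping anyone while nobody on the internet can ping it.
    client all accept

# LAN PCs use this host as a gateway: requests entering on eth0 and leaving
# on ppp+ are allowed as client traffic, and because the LAN uses private,
# unroutable addresses they are masqueraded behind the ppp+ address.
router lan2internet inface eth0 outface ppp+
    masquerade
    client all accept
```

Note that every rule still names only the request direction: removing the `client all accept` line from the internet interface would, exactly as the text above describes, leave the host able to answer its four published services and nothing else on ppp+.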
Why?
I decided to write FireHOL in a way that will allow me, or anyone else, to view, verify and audit the firewall of any Linux server or Linux router in seconds. FireHOL's configuration is extremely simple: you don't have to be an expert to design a complicated but secure firewall.
What features does it have?
FireHOL still lacks a few features: QoS, for example, is not supported directly. You are welcome to extend FireHOL and send me your patches to integrate within FireHOL. In any case, you can embed normal iptables commands in a FireHOL configuration to do whatever iptables supports.
Since FireHOL produces stateful commands, for every supported service it needs to know the flow of requests and replies. Today FireHOL supports the following services:
$Id: overview.html,v 1.38 2013/01/07 00:10:31 ktsaou Exp $
FireHOL, a firewall for humans...