
FireHOL - a firewall for ignoramuses in five minutes

This is not even an article or a full-fledged guide, just a short note that will help you set up a well-protected, properly configured router on any GNU/Linux machine in the shortest possible time, and without the iptables knowledge that would otherwise be required.

Firehol, unlike shorewall, is not a set of scripts but a single bash script, so using it requires neither perl nor any other interpreter.

Firehol is closer to the good old narc (netfilter automatic rule configurator), but the latter has not been updated for six years and is a fairly simple script that is not compatible with recent versions of iptables. Where they are close is that both let you write rules in almost plain human language.

emerge or not apt-get?


For Gentoo this is, as always, emerge -av net-firewall/firehol (do not forget to add ~arch to /etc/portage/package.keywords or use ACCEPT_KEYWORDS="~arch").

After installation, take the file get-iana.sh from the firehol-1.273.tar.bz2 archive and run it. In other distributions this file may already be copied into the system; in Gentoo the ebuild leaves it alone. What this script does is download the list of reserved IP ranges directly from IANA, which the configuration below uses as UNROUTABLE_IPS.

The most common configuration

Configuration example for a router in a small company: all outgoing connections are allowed, there is one incoming service, ssh on a non-standard port, and in addition all http traffic from the LAN is redirected to squid. To save space, I'll leave out some comment blocks.

cat /etc/firehol/firehol.conf


# ----------------------------------------------------------------------------
# Services this host offers itself
# ----------------------------------------------------------------------------

server_ssh_ports="tcp/2202"    # SSH on non-standard port 2202

# ----------------------------------------------------------------------------
# Network settings
# ----------------------------------------------------------------------------

# --- internal (office) network ---

HOME_MYIP="192.168.1.1"        # the router's own IP on the LAN
HOME_MYIF="eth1"               # LAN interface
HOME_BCAST="192.168.1.255"     # LAN broadcast address
HOME_LAN="192.168.1.0/24"      # LAN subnet
HOME_SERVICES="all"            # services the LAN may use on the router itself

HOME_DHCP=1                    # 1 = the router serves DHCP to the LAN
FIREHOL_LOG_MODE="LOG"         # log with the LOG target
FIREHOL_LOG_LEVEL="error"      # syslog level for firewall log lines :)

# --- public (internet) side ---

PUBLIC_MYIP="87.250.251.11"    # static public IP; leave empty to masquerade instead of SNAT
PUBLIC_MYIF="eth0"             # internet-facing interface
PUBLIC_SERVICES="ssh"          # services offered to the whole internet

DIAL_ON_DEMAND=0               # 1 = the public link is dial-on-demand (no fixed IP)

# --- trusted hosts ---

TRUSTED_PCS="209.85.135.104"   # IPs that get extra services
TRUSTED_SERVICES="ssh http"    # ssh and http for the trusted IPs only:
                               # http is not in PUBLIC_SERVICES, so it is
                               # reachable only from TRUSTED_PCS

# --- transparent squid ---

SQUID_PORT="3128"              # squid port; leave empty to disable redirection
SQUID_USERS="squid"            # local users whose own traffic is NOT redirected (squid itself)
SQUID_EXCLUDE="192.168.1.1"    # destination IPs that are not redirected

# --- blacklist ---

blacklist=""                   # IPs to block completely

# ----------------------------------------------------------------------------
# Rules (do not edit below unless you know firehol)
# ----------------------------------------------------------------------------

if [ ! -z "${blacklist}" ]
then
    blacklist full "${blacklist}"
fi

if [ ! -z "${SQUID_PORT}" ]
then
    # redirect LAN http to the local squid, except traffic to SQUID_EXCLUDE
    transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \
        inface "${HOME_MYIF}" src "${HOME_LAN}" \
        `test ! -z "${SQUID_EXCLUDE}" && echo "dst not ${SQUID_EXCLUDE}"`
fi

if [ ! -z "${PUBLIC_MYIP}" ]
then
    # static public IP: SNAT the LAN; UNROUTABLE_IPS comes from get-iana.sh
    snat to "${PUBLIC_MYIP}" \
        outface "${PUBLIC_MYIF}" \
        src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
else
    masquerade "${PUBLIC_MYIF}"
fi

# LAN side: the router answers the LAN and rejects everything else
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}"
    policy reject
    server "${HOME_SERVICES}" accept

    client all accept

if [ ${HOME_DHCP} -eq 1 ]
then
    # DHCP requests come from 0.0.0.0, which the src filter above excludes,
    # so they need their own interface block
    interface "${HOME_MYIF}" dhcp
        server dhcp accept
fi

# internet side: drop by default, strong protection, only the listed services
interface "${PUBLIC_MYIF}" internet \
        src not "${UNROUTABLE_IPS}" \
        `test ! -z "${PUBLIC_MYIP}" && echo "dst ${PUBLIC_MYIP}"`
    protection strong
    policy drop
    if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
    then
        server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
    fi
    server "${PUBLIC_SERVICES}" accept

    client all accept

if [ ${DIAL_ON_DEMAND} -eq 1 ]
then
    # with a changing IP the dst restriction above cannot apply
    interface "${PUBLIC_MYIF}" dialup
        client all accept
fi

# forwarding: LAN hosts may initiate anything outward, nothing unsolicited comes in
router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \
        src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"

    client all accept


Forgot to close or block something?


Firehol's rule policy: block everything and allow only what is explicitly specified.

The example above creates about 400 (!) rules, including rules against flood and xmas attacks.

Oops, that rule... No-no-no!


With Firehol you also need not be afraid that a change to the config will turn a remote server into a pile of unresponsive hardware. First, it always leaves your current ssh session open, even if you have screwed up the ssh rules! Second, the rc script has several useful parameters, and perhaps the most used of them is try.

Before applying the parameters for good, you have the opportunity to test that they work. To do so, just call the script with the try parameter: /etc/init.d/firehol try

Firehol will load the freshly edited configuration and wait for you to type the word commit. If it does not arrive within thirty seconds, the previous working rules are restored.
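The try/commit safety net just described, as an added example that is not FireHOL's own code: a POSIX shell sketch of the same pattern. It works on a constructed state file instead of the live iptables ruleset, so `apply_ruleset` and `current_ruleset` are hypothetical stand-ins for `iptables-restore` and `iptables-save`, and the thirty-second window is a parameter.

```shell
#!/bin/sh
# Added example, not part of FireHOL: the try-then-commit-or-roll-back
# pattern behind "/etc/init.d/firehol try", written against a constructed
# state file instead of the real iptables ruleset so it runs anywhere.
# apply_ruleset/current_ruleset are hypothetical stand-ins for
# "iptables-restore" and "iptables-save".

STATE_FILE="${STATE_FILE:-/tmp/fw_state.$$}"
COMMIT_FILE="${COMMIT_FILE:-/tmp/fw_commit.$$}"

apply_ruleset() { printf '%s\n' "$1" > "$STATE_FILE"; }   # stand-in for iptables-restore
current_ruleset() { cat "$STATE_FILE"; }                  # stand-in for iptables-save

# Signal approval, the equivalent of typing "commit" at FireHOL's prompt.
commit_ruleset() { : > "$COMMIT_FILE"; }

# try_ruleset NEW_RULES TIMEOUT_SECONDS
#   save the active ruleset, apply NEW_RULES, then wait up to TIMEOUT_SECONDS
#   for the commit flag; if it never arrives, restore the saved ruleset.
# Returns 0 when committed, 1 when rolled back.
try_ruleset() {
    new="$1"
    timeout="$2"
    saved=$(current_ruleset)
    rm -f "$COMMIT_FILE"
    apply_ruleset "$new"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -f "$COMMIT_FILE" ]; then
            rm -f "$COMMIT_FILE"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    # No commit in time: assume the admin is locked out and undo the change.
    apply_ruleset "$saved"
    return 1
}
```

Run `try_ruleset "new rules" 30 &` from one shell and `commit_ruleset` from a second session that was opened through the new rules; if that second session cannot be opened, the rollback fires on its own.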

In addition to the standard start, stop, restart and the just-described try, there are three more:
status - displays the current iptables rules
save - saves the current iptables rules
panic - for use when an intrusion is detected: cuts off ALL contact with the outside world, including the internal network.

If you are interested, head over to the program's website, where you will find comprehensive documentation for this excellent product, as well as many example configurations, from a home NAT to an inter-office router with a DMZ, internal groups and other niceties.

Source: https://habr.com/ru/post/80284/