.de Sp .if t .sp .5v .if n .sp .. .hy 0 .IX Title "FIREHOL 1" .TH FIREHOL 1 "2003-04-30" .SH "NAME" firehol \- An easy to use but powerful iptables stateful firewall .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBfirehol\fR start|try|stop|restart|condrestart|status|panic|save|debug|helpme .PP \&\fBfirehol\fR \fIconfigfile\fR [start|debug|try] .PP \&\fBfirehol\fR \fInothing\fR .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBfirehol\fR is an \fBiptables\fR firewall generator producing stateful \&\fBiptables\fR packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions). .PP \&\fBfirehol\fR is a language to express firewalling rules, not just a script that produces some kind of a firewall. .PP The goals of \fBfirehol\fR are: .IP "\(bu Being as easy as possible" 4 .IX Item "Being as easy as possible" Independently of the security skills he/she has, \fBfirehol\fR allows one to create and understand complex firewalls in just a few seconds. The configuration files are very easy to type and read. .IP "\(bu Being as secure as possible." 4 .IX Item "Being as secure as possible." By allowing explicitly only the wanted traffic to flow \fBfirehol\fR secures your system. \fBfirehol\fR produces stateful rules for any service or protocol, in both directions of the firewall. .IP "\(bu Being as open as possible." 4 .IX Item "Being as open as possible." Althoug \fBfirehol\fR is pre-configured for a large number of services, you can configure any service you like and \fBfirehol\fR will turn it into a client, a server, or a router. .IP "\(bu Being as flexible as possible." 4 .IX Item "Being as flexible as possible." \&\fBfirehol\fR can be used by end users and guru administrators requiring extremely complex firewalls. \fBfirehol\fR configuration files are \s-1BASH\s0 scripts; you can write in them anything \s-1BASH\s0 accepts, including variables, pipes, loops, conditions, calls to external programs, run other \s-1BASH\s0 scripts with \fBfirehol\fR directives in them, etc. .IP "\(bu Being as simple as possible." 4 .IX Item "Being as simple as possible." \&\fBfirehol\fR is easy to install on any modern Linux system; only one file is required, no compilations involved. .SH "Options" .IX Header "Options" .IP "start" 4 .IX Item "start" Activates the firewall configuration. The configuration is expected to be found in \fI/etc/firehol/firehol.conf\fR. .IP "try" 4 .IX Item "try" Activates the firewall, but waits until the user types the word commit. If this word is not typed within 30 seconds, the previous firewall is restored. .IP "stop" 4 .IX Item "stop" Stops a running \fBiptables\fR firewall by running \f(CW\`/etc/init.d/iptables stop'\fR. This will allow all traffic to pass unchecked. .IP "restart" 4 .IX Item "restart" This is an alias for start and is given for compatibility with \&\fB/etc/init.d/iptables\fR. .IP "condrestart" 4 .IX Item "condrestart" Starts the \fBfirehol\fR firewall only if it is not already active. It does not detect a modified configuration file, only verifies that \&\fBfirehol\fR has been started in the past and not stopped yet. .IP "status" 4 .IX Item "status" Shows the running firewall, as in \f(CW\`/sbin/iptables \-nxvL | less'\fR .IP "panic" 4 .IX Item "panic" It removes all rules from the running firewall and then it DROPs all traffic on all \fBiptables\fR tables (mangle, nat, filter) and pre-defined chains (\s-1PREROUTING\s0, \s-1INPUT\s0, \s-1FORWARD\s0, \s-1OUTPUT\s0, \s-1POSTROUTING\s0), thus blocking all \s-1IP\s0 communication. DROPing is not done by changing the default policy to \s-1DROP\s0, but by adding just one rule per table/chain to drop all traffic, because the default iptables scripts supplied by many systems (including RedHat 8) do not reset all the chains to \s-1ACCEPT\s0 when starting (\fBfirehol\fR resets them correctly). .Sp When activating panic mode, \fBfirehol\fR checks for the existance of the \&\fB\s-1SSH_CLIENT\s0\fR shell environment variable (set by \s-1SSH\s0). If it find this, then panic mode will allow the established \s-1SSH\s0 connection specified in this variable to operate. Notice that in order for this to work, you should have su without the minus (\-) sign, since su \- overwrites the shell variables and therefore the \s-1SSH_CLIENT\s0 variable is lost. .Sp Alternativelly, after the panic argument you can specify an \s-1IP\s0 address in which case all established connections between this \s-1IP\s0 address and the host in panic will be allowed. .IP "save" 4 .IX Item "save" Start the firewall and then save it using \fB/sbin/iptables\-save\fR to \&\fI/etc/sysconfig/iptables\fR. .Sp Since v1.64, this is not implemented using \f(CW\`/etc/init.d/iptables save'\fR because there is a bug in some versions of iptables-save that save invalid commands (\f(CW\`! \-\-uid\-owner A'\fR is saved as \f(CW\`\-\-uid\-owner !A'\fR) which cannot be restored. \fBfirehol\fR fixes this problem (by saving it, and then replacing \f(CW\`\-\-uid\-owner !'\fR with \f(CW\`! \-\-uid\-owner'\fR). .Sp Note that not all \fBfirehol\fR firewalls will work if restored with: \&\f(CW\`/etc/init.d/iptables start'\fR because FireHOL handles kernel modules and might have queried \s-1RPC\s0 servers (used by the \s-1NFS\s0 service) before starting the firewall. Also, \fBfirehol\fR automatically checks current kernel configuration for client ports range. If you restore a firewall using the iptables service your firewall may not work as expected. .IP "debug" 4 .IX Item "debug" Parses the configuration file but instead of activating it, it shows the generated iptables statements. .IP "explain" 4 .IX Item "explain" Enters an interactive mode where it accepts normal configuration commands and presents the generated iptables commands for each of them, together with some reasoning for its purpose. Additionally, it automatically generates a configuration script based on the successfull commands given. .Sp When in directive mode, \fBfirehol\fR has the following special commands: .RS 4 .IP "\(bu help" 4 .IX Item "help" Present some help .PD 0 .IP "\(bu show" 4 .IX Item "show" Present the generated \fBfirehol\fR configuration .IP "\(bu quit" 4 .IX Item "quit" Exit interactive mode and quit \fBfirehol\fR .RE .IP "helpme" 4 .IX Item "helpme" .PD Tries to guess the \fBfirehol\fR configuration needed for the current machine. \fBfirehol\fR will not stop or alter the running firewall. The configuration file is given in the standard output of \fBfirehol\fR, thus .Sp \& \f(CW\`/etc/init.d/firehol helpme > /tmp/firehol.conf'\fR .Sp will produce the output in \fI/tmp/firehol.conf\fR. .Sp The generated \fBfirehol\fR configuration should and must be edited before used on your systems. You are required to take many decisions and the comments of the generated file will instruct you for many of them. .IP "\fIconfigfile\fR" 4 .IX Item "configfile" A different configuration file. If no other argument is given, the configuration file will be \`\`tried'' (default = \`\`try''). Otherwise the argument next to the filename can be one of \`\`start'', \`\`debug'', \&\`\`try''. .IP "\fInothing\fR" 4 .IX Item "nothing" Presents help about \fBfirehol\fR usage. .SH "FILES" .IX Header "FILES" .RS 4 .IP "\fI/etc/firehol/firehol.conf\fR" 4 .IX Item "/etc/firehol/firehol.conf" .RE .SH "AUTHOR" .IX Header "AUTHOR" \fBfirehol\fR written by Costa Tsaousis . Man page written by Marc Brockschmidt . .SH "SEE ALSO" .IX Header "SEE ALSO" firehol.conf(5), iptables(8), bash(1)