'\" t
.nh
.\" Automatically generated by Pandoc 3.1.3
.\"
.\" Define V font for inline verbatim, using C font in formats
.\" that render this, and otherwise B font.
.ie "\f[CB]x\f[]"x" \{\
. ftr V B
. ftr VI BI
. ftr VB B
. ftr VBI BI
.\}
.el \{\
. ftr V CR
. ftr VI CI
. ftr VB CB
. ftr VBI CBI
.\}
.TH "firehol-defaults.conf" "5" "Built 30 Mar 2024" "FireHOL Reference" "3.1.7"
.hy
.SH NAME
.PP
firehol-defaults.conf - control variables for FireHOL
.SH SYNOPSIS
.PP
Defaults in \f[V]/etc/firehol/firehol-defaults.conf\f[R]:
.IP \[bu] 2
DEFAULT_INTERFACE_POLICY=\[lq]DROP\[rq]
.IP \[bu] 2
DEFAULT_ROUTER_POLICY=\[lq]RETURN\[rq]
.IP \[bu] 2
UNMATCHED_INPUT_POLICY=\[lq]DROP\[rq]
.IP \[bu] 2
UNMATCHED_OUTPUT_POLICY=\[lq]DROP\[rq]
.IP \[bu] 2
UNMATCHED_FORWARD_POLICY=\[lq]DROP\[rq]
.IP \[bu] 2
FIREHOL_INPUT_ACTIVATION_POLICY=\[lq]ACCEPT\[rq]
.IP \[bu] 2
FIREHOL_OUTPUT_ACTIVATION_POLICY=\[lq]ACCEPT\[rq]
.IP \[bu] 2
FIREHOL_FORWARD_ACTIVATION_POLICY=\[lq]ACCEPT\[rq]
.IP \[bu] 2
FIREHOL_LOG_MODE=\[lq]LOG\[rq]
.IP \[bu] 2
FIREHOL_LOG_LEVEL=\f[I]see notes\f[R]
.IP \[bu] 2
FIREHOL_LOG_OPTIONS=\[lq]\[en]log-level warning\[rq]
.IP \[bu] 2
FIREHOL_LOG_FREQUENCY=\[lq]1/second\[rq]
.IP \[bu] 2
FIREHOL_LOG_BURST=\[lq]5\[rq]
.IP \[bu] 2
FIREHOL_LOG_PREFIX=\[lq]\[rq]
.IP \[bu] 2
FIREHOL_DROP_INVALID=\[lq]0\[rq]
.IP \[bu] 2
DEFAULT_CLIENT_PORTS=\[lq]1000:65535\[rq]
.IP \[bu] 2
FIREHOL_NAT=\[lq]0\[rq]
.IP \[bu] 2
FIREHOL_ROUTING=\[lq]0\[rq]
.IP \[bu] 2
FIREHOL_AUTOSAVE=\f[I]see notes\f[R]
.IP \[bu] 2
FIREHOL_AUTOSAVE6=\f[I]see notes\f[R]
.IP \[bu] 2
FIREHOL_LOAD_KERNEL_MODULES=\[lq]1\[rq]
.IP \[bu] 2
FIREHOL_TRUST_LOOPBACK=\[lq]1\[rq]
.IP \[bu] 2
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=\[lq]1\[rq]
.IP \[bu] 2
FIREHOL_DROP_ORPHAN_TCP_ACK_RST=\[lq]1\[rq]
.IP \[bu] 2
FIREHOL_DROP_ORPHAN_TCP_ACK=\[lq]1\[rq]
.IP \[bu] 2
FIREHOL_DROP_ORPHAN_TCP_RST=\[lq]1\[rq]
.IP \[bu] 2
FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3=\[lq]1\[rq]
.IP \[bu] 2
WAIT_FOR_IFACE=\[lq]\[rq]
.SH DESCRIPTION
.PP
From FireHOL 3 upwards, variables which control FireHOL behaviour are
held in a separate file: \f[V]/etc/firehol/firehol-defaults.conf\f[R].
.PP
Some variables can also be set in the main firehol.conf file but that is
not recommended, since they may be used before the main configuration is
processed.
.PP
FireHOL also sets some variables before processing the configuration
file which you can use as part of your configuration.
These are described in firehol.conf(5).
.SH VARIABLES
.TP
DEFAULT_INTERFACE_POLICY
This variable controls the default action to be taken on traffic not
matched by any rule within an interface.
It can be overridden using firehol-policy(5).
.RS
.PP
Packets that reach the end of an interface without an action of return
or accept are logged.
You can control the frequency of this logging by altering
FIREHOL_LOG_FREQUENCY.
.PP
Example:
.IP
.nf
\f[C]

DEFAULT_INTERFACE_POLICY=\[dq]REJECT\[dq]
\f[R]
.fi
.RE
.TP
DEFAULT_ROUTER_POLICY
This variable controls the default action to be taken on traffic not
matched by any rule within a router.
It can be overridden using firehol-policy(5).
.RS
.PP
Packets that reach the end of a router without an action of return or
accept are logged.
You can control the frequency of this logging by altering
FIREHOL_LOG_FREQUENCY.
.PP
Example:
.IP
.nf
\f[C]

DEFAULT_ROUTER_POLICY=\[dq]REJECT\[dq]
\f[R]
.fi
.RE
.TP
UNMATCHED_{INPUT|OUTPUT|FORWARD}_POLICY
These variables control the default action to be taken on traffic not
matched by any interface or router definition that was incoming,
outgoing or for forwarding respectively.
Any supported value from firehol-actions(5) may be set.
.RS
.PP
All packets that reach the end of a chain are logged, regardless of
these settings.
You can control the frequency of this logging by altering
FIREHOL_LOG_FREQUENCY.
.PP
Example:
.IP
.nf
\f[C]

UNMATCHED_INPUT_POLICY=\[dq]REJECT\[dq]
UNMATCHED_OUTPUT_POLICY=\[dq]REJECT\[dq]
UNMATCHED_FORWARD_POLICY=\[dq]REJECT\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_{INPUT|OUTPUT|FORWARD}_ACTIVATION_POLICY
These variables control the default action to be taken on traffic during
firewall activation for incoming, outgoing and forwarding respectively.
Acceptable values are \f[V]ACCEPT\f[R], \f[V]DROP\f[R] and
\f[V]REJECT\f[R].
.RS
.PP
FireHOL defaults all values to \f[V]ACCEPT\f[R] so that your
communications continue to work uninterrupted.
.PP
If you wish to prevent connections whilst the new firewall is
activating, set these values to \f[V]DROP\f[R].
This is important to do if you are using \f[V]all\f[R] or \f[V]any\f[R]
to match traffic; connections established during activation will
continue even if they would not be allowed once the firewall is
established.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_INPUT_ACTIVATION_POLICY=\[dq]DROP\[dq]
FIREHOL_OUTPUT_ACTIVATION_POLICY=\[dq]DROP\[dq]
FIREHOL_FORWARD_ACTIVATION_POLICY=\[dq]DROP\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_LOG_MODE
This variable controls method that FireHOL uses for logging.
.RS
.PP
Acceptable values are \f[V]LOG\f[R] (normal syslog) and \f[V]ULOG\f[R]
(netfilter ulogd).
When \f[V]ULOG\f[R] is selected, FIREHOL_LOG_LEVEL is ignored.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_LOG_MODE=\[dq]ULOG\[dq]
\f[R]
.fi
.PP
To see the available options run: \f[V]/sbin/iptables -j LOG --help\f[R]
or \f[V]/sbin/iptables -j ULOG --help\f[R]
.RE
.TP
FIREHOL_LOG_LEVEL
This variable controls the level at which events will be logged to
syslog.
.RS
.PP
To avoid packet logs appearing on your console you should ensure klogd
only logs traffic that is more important than that produced by FireHOL.
.PP
Use the following option to choose an iptables(8) log level (alpha or
numeric) which is higher than the \f[V]-c\f[R] of klogd.
.PP
iptables/klogd levels
.TS
tab(@);
l l l.
T{
iptables
T}@T{
klogd
T}@T{
description
T}
_
T{
emerg (0)
T}@T{
0
T}@T{
system is unusable
T}
T{
alert (1)
T}@T{
1
T}@T{
action must be taken immediately
T}
T{
crit (2)
T}@T{
2
T}@T{
critical conditions
T}
T{
error (3)
T}@T{
3
T}@T{
error conditions
T}
T{
warning (4)
T}@T{
4
T}@T{
warning conditions
T}
T{
notice (5)
T}@T{
5
T}@T{
normal but significant condition
T}
T{
info (6)
T}@T{
6
T}@T{
informational
T}
T{
debug (7)
T}@T{
7
T}@T{
debug-level messages
T}
.TE
.RS
.PP
\f[B]Note\f[R]
.PP
The default for klogd is generally to log everything (7 and lower) and
the default level for iptables(4) is to log as warning (4).
.RE
.RE
.TP
FIREHOL_LOG_OPTIONS
This variable controls the way in which events will be logged to syslog.
.RS
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_LOG_OPTIONS=\[dq]--log-level info \[rs]
                     --log-tcp-options --log-ip-options\[dq]
\f[R]
.fi
.PP
To see the available options run: \f[V]/sbin/iptables -j LOG --help\f[R]
.RE
.TP
FIREHOL_LOG_FREQUENCY; FIREHOL_LOG_BURST
These variables control the frequency that each logging rule will write
events to syslog.
FIREHOL_LOG_FREQUENCY is set to the maximum average frequency and
FIREHOL_LOG_BURST specifies the maximum initial number.
.RS
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_LOG_FREQUENCY=\[dq]30/minute\[dq]
FIREHOL_LOG_BURST=\[dq]2\[dq]
\f[R]
.fi
.PP
To see the available options run:
\f[V]/sbin/iptables -m limit --help\f[R]
.RE
.TP
FIREHOL_LOG_PREFIX
This value is added to the contents of each logged line for easy
detection of FireHOL lines in the system logs.
By default it is empty.
.RS
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_LOG_PREFIX=\[dq]FIREHOL:\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_DROP_INVALID
If set to 1, this variable causes FireHOL to drop all packets matched as
\f[V]INVALID\f[R] in the iptables(8) connection tracker.
.RS
.PP
You may be better off using firehol-protection(5) to control matching of
\f[V]INVALID\f[R] packets and others on a per-interface and per-router
basis.
.RS
.PP
\f[B]Note\f[R]
.PP
Care must be taken on IPv6 interfaces, since ICMPv6 packets such as
Neighbour Discovery are not tracked, meaning they are marked as INVALID.
.RE
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_DROP_INVALID=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
DEFAULT_CLIENT_PORTS
This variable controls the port range that is used when a remote client
is specified.
For clients on the local host, FireHOL finds the exact client ports by
querying the kernel options.
.RS
.PP
Example:
.IP
.nf
\f[C]

DEFAULT_CLIENT_PORTS=\[dq]0:65535\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_NAT
If set to 1, this variable causes FireHOL to load the NAT kernel
modules.
If you make use of the NAT helper commands, the variable will be set to
1 automatically.
.RS
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_NAT=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_ROUTING
If set to 1, this variable causes FireHOL to enable routing in the
kernel.
If you make use of \f[V]router\f[R] definitions or certain helper
commands the variable will be set to 1 automatically.
.RS
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_ROUTING=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_AUTOSAVE; FIREHOL_AUTOSAVE6
These variables specify the file of IPv4/IPv6 rules that will be created
when firehol(1) is called with the \f[V]save\f[R] argument.
.RS
.PP
If the variable is not set, a system-specific value is used which was
defined at configure-time.
If no value was chosen then the save fails.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_AUTOSAVE=\[dq]/tmp/firehol-saved-ipv4.txt\[dq]
FIREHOL_AUTOSAVE6=\[dq]/tmp/firehol-saved-ipv6.txt\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_LOAD_KERNEL_MODULES
If set to 0, this variable forces FireHOL to not load any kernel
modules.
It is needed only if the kernel has modules statically included and in
the rare event that FireHOL cannot access the kernel configuration.
.RS
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_LOAD_KERNEL_MODULES=\[dq]0\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_TRUST_LOOPBACK
If set to 0, the loopback device \[lq]lo\[rq] will not be trusted and
you can write standard firewall rules for it.
.RS
.RS
.PP
\f[B]Warning\f[R]
.PP
If you do not set up appropriate rules, local processes will not be able
to communicate with each other which can result in serious breakages.
.RE
.PP
By default \[lq]lo\[rq] is trusted and all \f[V]INPUT\f[R] and
\f[V]OUTPUT\f[R] traffic is accepted (forwarding is not included).
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_TRUST_LOOPBACK=\[dq]0\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN
If set to 1, FireHOL will drop all orphan such packets without logging
them.
.RS
.PP
In busy environments the iptables(8) connection tracker removes
connection tracking list entries as soon as it receives a FIN.
This makes the ACK FIN appear as an invalid packet which will normally
be logged by FireHOL.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_DROP_ORPHAN_TCP_ACK_RST
If set to 1, FireHOL will drop all orphan such packets without logging
them.
.RS
.PP
In busy environments the iptables(8) connection tracker removes
connection tracking list entries as soon as it receives a RST.
This makes the ACK RST appear as an invalid packet which will normally
be logged by FireHOL.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_DROP_ORPHAN_TCP_ACK_RST=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_DROP_ORPHAN_TCP_ACK
If set to 1, FireHOL will drop all orphan such packets without logging
them.
.RS
.PP
In busy environments the iptables(8) connection tracker removes unneeded
connection tracking list entries.
This makes ACK packets appear as an invalid packet which will normally
be logged by FireHOL.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_DROP_ORPHAN_TCP_ACK=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_DROP_ORPHAN_TCP_RST
If set to 1, FireHOL will drop all orphan such packets without logging
them.
.RS
.PP
In busy environments the iptables(8) connection tracker removes unneeded
connection tracking list entries.
This makes RST packets appear as an invalid packet which will normally
be logged by FireHOL.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_DROP_ORPHAN_TCP_RST=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3
If set to 1, FireHOL will drop all orphan ICMP destination unreachable
packets without logging them.
.RS
.PP
In busy environments the iptables(8) connection tracker removes unneeded
connection tracking list entries.
This makes ICMP destination unreachable appear as an invalid packet
which will normally be logged by FireHOL.
.PP
Example:
.IP
.nf
\f[C]

FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3=\[dq]1\[dq]
\f[R]
.fi
.RE
.TP
WAIT_FOR_IFACE
If set to the name of a network device (e.g.\ eth0), FireHOL will wait
until the device is up (or until 60 seconds have elapsed) before
continuing.
.RS
.PP
A device does not need to be up in order to have firewall rules created
for it, so this option should only be used if you have a specific need
to wait (e.g.\ the network must be queried to determine the hosts or
ports which will be firewalled).
.PP
Example:
.IP
.nf
\f[C]

WAIT_FOR_IFACE=\[dq]eth0\[dq]
\f[R]
.fi
.RE
.SH SEE ALSO
.IP \[bu] 2
firehol(1) - FireHOL program
.IP \[bu] 2
firehol.conf(5) - FireHOL configuration
.IP \[bu] 2
firehol-nat(5) - nat, snat, dnat, redirect helpers
.IP \[bu] 2
firehol-actions(5) - actions for rules
.IP \[bu] 2
iptables(8) (http://ipset.netfilter.org/iptables.man.html) -
administration tool for IPv4 firewalls
.IP \[bu] 2
ip6tables(8) (http://ipset.netfilter.org/ip6tables.man.html) -
administration tool for IPv6 firewalls
.IP \[bu] 2
FireHOL Website (http://firehol.org/)
.IP \[bu] 2
FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
.IP \[bu] 2
FireHOL Online Documentation (http://firehol.org/documentation/)
.SH AUTHORS
FireHOL Team.