firehol.conf(5)


NAME

   firehol.conf - FireHOL configuration

DESCRIPTION

   /etc/firehol/firehol.conf   is   the  default  configuration  file  for
   firehol(1).  It defines the stateful firewall that will be produced.

   A configuration file starts with an optional  version  indicator  which
   looks like this:

          version 6

   See firehol-version(1) for full details.

   A  configuration file contains one or more interface definitions, which
   look like this:

           interface eth0 lan
             client all accept # This host can access any remote service
             server ssh accept # Remote hosts can access SSH on local server
             # ...

   The above definition has name "lan" and specifies a  network  interface
   (eth0).   A  definition  may  contain  zero  or  more subcommands.  See
   firehol-interface(5) for full details.

   By default FireHOL will try to create both IPv4 and IPv6 rules for each
   interface.   To  make this explicit or restrict which rules are created
   write both interface, ipv4 interface or ipv6 interface.

   Note that IPv6 will be disabled silently if your system is not
   configured to use it.  You can test this by looking for the file
   /proc/net/if_inet6.  The IPv6 HOWTO
   (http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/systemcheck-kernel.html)
   has more information.

   A configuration file contains zero or more  router  definitions,  which
   look like this:

          DMZ_IF=eth0
          WAN_IF=eth1
          router wan2dmz inface ${WAN_IF} outface ${DMZ_IF}
            route http accept  # Hosts on WAN may access HTTP on hosts in DMZ
            server ssh accept  # Hosts on WAN may access SSH on hosts in DMZ
            client pop3 accept # Hosts in DMZ may access POP3 on hosts on WAN
            # ...

   The  above  definition  has  name  "wan2dmz" and specifies incoming and
   outgoing  network  interfaces  (eth1  and  eth0)  using  variables.   A
   definition may contain zero or more subcommands.  Note that a router is
   not  required  to  specify  network  interfaces  to  operate  on.   See
   firehol-router(5) for full details.

   By default FireHOL will try to create both IPv4 and IPv6 rules for each
   router.  To make this explicit or  restrict  which  rules  are  created
   write both router, ipv4 router or ipv6 router.

   It is simple to add extra service definitions which can then be used in
   the same way as those provided as standard.  See ADDING SERVICES.

   The configuration file is parsed as a bash(1) script, allowing  you  to
   set up and use variables, flow control and external commands.

   Special control variables may be set up and used outside of any
   definition (see firehol-defaults.conf(5)), as can the functions in
   CONFIGURATION HELPER COMMANDS and HELPER COMMANDS.

VARIABLES AVAILABLE

   The following variables are made available in the FireHOL configuration
   file and can be accessed as ${VARIABLE}.

   UNROUTABLE_IPS
          This  variable  includes  the  IPs  from  both  PRIVATE_IPS  and
          RESERVED_IPS.   It  is  useful to restrict traffic on interfaces
          and routers accepting Internet traffic, for example:

                 interface eth0 internet src not "${UNROUTABLE_IPS}"

   PRIVATE_IPS
          This variable includes all the IP addresses defined  as  Private
          or Test by RFC 3330 (https://tools.ietf.org/html/rfc3330).

          You  can  override  the default values by creating a file called
          /etc/firehol/PRIVATE_IPS.

   RESERVED_IPS
          This variable includes all the  IP  addresses  defined  by  IANA
          (http://www.iana.org/) as reserved.

          You  can  override  the default values by creating a file called
          /etc/firehol/RESERVED_IPS.

          Now that IPv4 address space has all been allocated there is very
          little reason that this value will need to change in future.

   MULTICAST_IPS
          This variable includes all the IP addresses defined as Multicast
          by RFC 3330 (https://tools.ietf.org/html/rfc3330).

          You can override the default values by creating  a  file  called
          /etc/firehol/MULTICAST_IPS.

ADDING SERVICES

   To  define new services you add the appropriate lines before using them
   later in the configuration file.

   The following are required:

          server_myservice_ports="proto/sports"

          client_myservice_ports="cports"

   proto is anything  iptables(8)  accepts  e.g.   "tcp",  "udp",  "icmp",
   including numeric protocol values.

   sports   is   the   ports   the  server  is  listening  at.   It  is  a
   space-separated list of port numbers, names and ranges (from:to).   The
   keyword any will match any server port.

   cports is the ports the client may use to initiate a connection.  It is
   a space-separated list of port numbers, names and ranges (from:to).
   The keyword any will match any client port.  The keyword default will
   match default client ports.  For the local machine (e.g. a client
   within an interface) it resolves to the sysctl(8) variable
   net.ipv4.ip_local_port_range (or
   /proc/sys/net/ipv4/ip_local_port_range).  For a remote machine (e.g. a
   client within an interface or anything in a router) it resolves to the
   variable DEFAULT_CLIENT_PORTS (see firehol-defaults.conf(5)).

   The following are optional:

          require_myservice_modules="modules"

          require_myservice_nat_modules="nat-modules"

   The  named  kernel  modules will be loaded when the definition is used.
   The NAT modules will only be loaded if  FIREHOL_NAT  is  non-zero  (see
   firehol-defaults.conf(5)).

   For  example,  for  a  service named daftnet that listens at two ports,
   port 1234 TCP and 1234 UDP where the  expected  client  ports  are  the
   default  random  ports  a system may choose, plus the same port numbers
   the server listens at, with  further  dynamic  ports  requiring  kernel
   modules to be loaded:

              # Setup service
              server_daftnet_ports="tcp/1234 udp/1234"
              client_daftnet_ports="default 1234"
              require_daftnet_modules="ip_conntrack_daftnet"
              require_daftnet_nat_modules="ip_nat_daftnet"

              interface eth0 lan0
                server daftnet accept

              interface eth1 lan1
                client daftnet reject

              router lan2lan inface eth0 outface eth1
                route daftnet accept

   Where multiple ports are provided (as in the example), FireHOL simply
   determines all of the combinations of client and server ports and
   generates one iptables(8) statement for each of them.
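
   As an added example (not FireHOL's own code), the following shell
   helper shows what the expansion described above produces for the
   daftnet definition: every server port is paired with every client
   port, "default" and "any" are resolved as the text describes, and a
   malformed server port is rejected.  The function names and the
   DEFAULT_CLIENT_PORTS value are assumptions made for this example; it
   also checks the #FHVER header described under ADDING SERVICES.

```shell
#!/bin/sh
# Constructed example, not FireHOL's own code: expands a service
# definition (server_*_ports / client_*_ports) into the per-combination
# iptables(8) match fragments and validates a shared service file header.

# Stand-in for DEFAULT_CLIENT_PORTS from firehol-defaults.conf(5);
# the value is an assumption for this example.
DEFAULT_CLIENT_PORTS="1024:65535"

# Resolve one client port token: "default" -> DEFAULT_CLIENT_PORTS,
# "any" -> empty (no --sport match), else the number/name/range as given.
resolve_cport() {
    case "$1" in
        default) printf '%s\n' "$DEFAULT_CLIENT_PORTS" ;;
        any)     printf '\n' ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# expand_service SERVER_PORTS CLIENT_PORTS
# Prints one match fragment per (server port, client port) pair, as seen
# from the server side of a new connection. Returns 1 on a bad token.
expand_service() {
    for sp in $1; do
        case "$sp" in
            */*) proto=${sp%%/*}; port=${sp#*/} ;;
            *)   printf 'expand_service: "%s" is not proto/port\n' "$sp" >&2
                 return 1 ;;
        esac
        for cp in $2; do
            m="-p $proto"
            if [ "$port" != any ]; then m="$m --dport $port"; fi
            c=$(resolve_cport "$cp")
            if [ -n "$c" ]; then m="$m --sport $c"; fi
            printf '%s\n' "$m"
        done
    done
}

# fhver_ok LINE: succeeds when LINE is a "#FHVER: 1:NNN" header; only the
# API version (1) matters, the trailing number is not checked.
fhver_ok() {
    case "$1" in
        "#FHVER: 1:"[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The daftnet service from the text: 2 server ports x 2 client ports = 4 rules.
expand_service "tcp/1234 udp/1234" "default 1234"
```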

   To  create  more  complex  rules,  or stateless rules, you will need to
   create a bash function prefixed rules_ e.g.  rules_myservice.  The best
   reference is the many such functions in the main firehol(1) script.

   When adding a service which uses modules, or via a custom function, you
   may also wish to include the following:

          ALL_SHOULD_ALSO_RUN="${ALL_SHOULD_ALSO_RUN} myservice"

   which will ensure your service is set up correctly as part of the all
   service.

          Note

          To  allow  definitions to be shared you can instead create files
          and install them in the /etc/firehol/services directory  with  a
          .conf extension.

          The first line must read:

                 #FHVER: 1:213

          1  is the service definition API version.  It will be changed if
          the API is ever modified.  The  213  originally  referred  to  a
          FireHOL 1.x minor version but is no longer checked.

          FireHOL will refuse to run if the API version does not match the
          expected one.

DEFINITIONS

   · firehol-interface(5) - interface definition

   · firehol-router(5) - router definition

SUBCOMMANDS

   · firehol-policy(5) - policy command

   · firehol-protection(5) - protection command

   · firehol-server(5) - server, route commands

   · firehol-client(5) - client command

   · firehol-group(5) - group command

HELPER COMMANDS

   These helpers can be used in interface and router definitions  as  well
   as before them:

   · firehol-iptables(5) - iptables helper

   · firehol-masquerade(5) - masquerade helper

   This  helper  can  be  used in router definitions as well as before any
   router or interface:

   · firehol-tcpmss(5) - tcpmss helper

CONFIGURATION HELPER COMMANDS

   These helpers should only be  used  outside  of  interface  and  router
   definitions (i.e.  before the first interface is defined).

   · firehol-version(5) - version config helper

   · firehol-action(5) - action config helper

   · firehol-blacklist(5) - blacklist config helper

   · firehol-classify(5) - classify config helper

   · firehol-connmark(5) - connmark config helper

   · firehol-dscp(5) - dscp config helper

   · firehol-mac(5) - mac config helper

   · firehol-mark(5) - mark config helper

   · firehol-nat(5) - nat, snat, dnat, redirect helpers

   · firehol-proxy(5) - transparent proxy/squid helpers

   · firehol-tos(5) - tos config helper

   · firehol-tosfix(5) - tosfix config helper

SEE ALSO

   · firehol(1) - FireHOL program

   · firehol-defaults.conf(5) - control variables

   · firehol-services(5) - services list

   · firehol-actions(5) - actions for rules

   · FireHOL Website (http://firehol.org/)

   · FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)

   · FireHOL Online Documentation (http://firehol.org/documentation/)

AUTHORS

   FireHOL Team.
