The FireHOL flame haze
I’ve really been spoiled by pf on the BSDs. By comparison, Linux’s iptables are complex and nasty enough to have spawned dozens of tools for indirect manipulation, so that you don’t have to write the rules yourself.
The one I’ve used most frequently is Canonical’s ufw. An alternative I’m coming around to is FireHOL, which is carefully advertised as a firewall language, rather than a script frontend.
The first gotcha was in enabling it on Debian. I’m very much used to /etc/default configuration files being immutable defaults, hence the directory name. If you want to define non-default configuration, you create a separate file to override these settings. For FireHOL, though, you have to enable it from within its /etc/default/firehol file:
    # To enable firehol at startup set START_FIREHOL=YES
    START_FIREHOL=YES

    # If you want to have firehol wait for an iface to be up add it here
    WAIT_FOR_IFACE=""
Then you can define rules in /etc/firehol/firehol.conf. As an example, this box will only accept the following incoming (server: services this host offers) and outgoing (client: connections this host initiates) services; anything not listed falls under the interface’s default drop policy. The protection option provides sane defaults for flood and malformed-packet protection:
    ## Crazy basic FireHOL configuration
    version 5

    interface "eth0" internet
        protection strong
        server "ping ssh" accept
        client "dns http https ntp ssh" accept
It looks as though the quotes are optional in this case, but I think they make user-supplied values easier to distinguish from FireHOL commands. Regardless, the Reference Manual lists all the options. One more habit worth adopting when editing rules over ssh: activate a new configuration with firehol try, which rolls back to the previous ruleset unless you confirm it, so a typo in the ssh rule does not lock you out of the box.
Problem existed between keyboard and chair
So far, the only option I’ve had issues with is ipv4. It says I should be able to do this:

    interface "eth0" public-net
        [..]
        ipv4 server "ping ssh" accept
But doing so results in an error:
[....] Restarting Firewall configuration:[..] line 17: ipv4: command not found
UPDATE: This appears to only work in the context of defining rules for both ipv4 and ipv6. The modifiers page lists examples:

    interface eth0 myboth src4 192.0.2.0/24 src6 2001:DB8::/24
        ipv4 server http accept
        ipv4 client http accept

Note that the ipv4, ipv6 and both modifiers are documented for FireHOL 2.x and later, whose configuration files begin with version 6. A FireHOL 1.x installation reading a version 5 file defines no commands by those names, and because firehol.conf is sourced as a shell script, an unknown keyword surfaces exactly as the command not found error above. Check which FireHOL version the distribution ships before reaching for the modifiers.
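As an added example that is not from the post or from the FireHOL project, here is a small POSIX shell lint that catches this mismatch in a firehol.conf before the firewall is restarted. It reads the version line, flags any rule beginning with ipv4, ipv6 or both when the declared version is below 6, and runs itself against two constructed sample configurations: one reproducing the failing version 5 mix from the post, one in the version 6 form the modifiers page shows. The version threshold assumes that FireHOL 2.x introduced these modifiers together with version 6; the function names, sample contents and temporary paths are my own.

```shell
#!/bin/sh
# Added example, not code from the post or from the FireHOL project: a lint
# for the gotcha above. The ipv4/ipv6/both modifiers are documented for
# FireHOL 2.x and later, whose configurations start with "version 6"; fed to
# a FireHOL 1.x "version 5" setup they surface only as "ipv4: command not
# found". The two sample configurations below are constructed for the demo.

# Print the N from the first "version N" line of FILE, or "none" if absent.
firehol_conf_version() {
    awk '
        $1 == "version" { print $2; found = 1; exit }
        END { if (!found) print "none" }
    ' "$1"
}

# Print "LINENO: rule" for every rule in FILE that begins with an
# address-family modifier.
firehol_conf_modifier_lines() {
    awk '$1 == "ipv4" || $1 == "ipv6" || $1 == "both" { printf "%d: %s\n", NR, $0 }' "$1"
}

# Exit 0 when FILE is consistent, 1 when a pre-6 version line is combined with
# ipv4/ipv6/both modifiers, 2 when the version line is missing or not numeric.
# Findings go to stderr so callers can test the exit status quietly.
firehol_conf_lint() {
    file=$1
    version=$(firehol_conf_version "$file")
    modifiers=$(firehol_conf_modifier_lines "$file")

    case $version in
        ''|none|*[!0-9]*)
            echo "$file: missing or non-numeric 'version N' line" >&2
            return 2 ;;
    esac
    if [ -n "$modifiers" ] && [ "$version" -lt 6 ]; then
        echo "$file: 'version $version' cannot use ipv4/ipv6/both (FireHOL 2.x with 'version 6' is required):" >&2
        printf '%s\n' "$modifiers" >&2
        return 1
    fi
    return 0
}

# Write the constructed samples into a fresh temporary directory and print its
# path. v5.conf reproduces the failing mix from the post; v6.conf is the form
# the modifiers page documents.
write_sample_configs() {
    dir=$(mktemp -d)
    cat >"$dir/v5.conf" <<'EOF'
version 5
interface "eth0" internet
    protection strong
    server "ping ssh" accept
    ipv4 client "dns http https ntp ssh" accept
EOF
    cat >"$dir/v6.conf" <<'EOF'
version 6
interface eth0 myboth src4 192.0.2.0/24 src6 2001:DB8::/24
    ipv4 server http accept
    ipv6 server http accept
EOF
    echo "$dir"
}

# Usage: lint both samples; v5.conf is reported on stderr, v6.conf passes.
samples=$(write_sample_configs)
for conf in "$samples/v5.conf" "$samples/v6.conf"; do
    if firehol_conf_lint "$conf"; then
        echo "$conf: ok"
    fi
done
```

firehol_conf_lint exits 1 on the mismatch and 2 when the version line is unusable, so a deploy script can gate firehol try on it and never hand FireHOL a file that will die with a shell error halfway through loading the ruleset.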
Shakugan no Shana screenshot by J.C.Staff Co., Ltd. (株式会社ジェー・シー・スタッフ).