Shana and her... firewall!

I’ve really been spoiled by pf on the BSDs. By comparison, Linux’s iptables is complex and nasty enough to have spawned dozens of tools for indirect manipulation, so that you don’t have to write the rules yourself.

The one I’ve used most frequently is Canonical’s ufw. An alternative I’m coming around to is FireHOL, which is carefully advertised as a firewall language, rather than a script frontend.

The first gotcha was in enabling it on Debian. I’m very much used to /etc/default configuration files being immutable defaults, hence the directory name. If you want to define non-default configuration, you create a separate file to override these settings. For FireHOL, you have to enable it from within its /etc/default/firehol file:

#To enable firehol at startup set START_FIREHOL=YES
START_FIREHOL=YES
#If you want to have firehol wait for an iface to be up add it here
WAIT_FOR_IFACE=""

Then you can define rules in /etc/firehol/firehol.conf. As an example, this box will only accept the following incoming (server) and outgoing (client) services. The protection option provides sane defaults for flood and malformed packet protection:

## Crazy basic FireHOL configuration
version 5
interface "eth0" internet
    protection strong
    server "ping ssh" accept
    client "dns http https ntp ssh" accept

It looks as though the quotes are optional in this case, but I think they render user settings and commands easier to distinguish. Regardless, the Reference Manual lists all the options.

Problem existed between keyboard and chair

So far, the only option I’ve had issues with is ipv4. It says I should be able to do this:

interface "eth0" public-net
    [..]
    ipv4 server "ping ssh" accept

But doing so results in an error:

[....] Restarting Firewall configuration:[..]
line 17: ipv4: command not found

UPDATE: This appears to only work in the context of defining rules for both ipv4 and ipv6. The modifiers page lists examples:

interface eth0 myboth src4 192.0.2.0/24 src6 2001:DB8::/24
    ipv4 server http accept
    ipv4 client http accept
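To tie the two halves of this post together, here is a fuller firehol.conf as an added example (mine, not from the post or the FireHOL project): one dual-stack interface carrying the protection and server/client rules from the first configuration, with the ipv4 prefix narrowing selected rules to IPv4 the way the modifiers page describes. The interface label "dual", the address ranges (192.0.2.0/24 and 2001:db8::/32 are documentation ranges, constructed here) and the choice of which services stay IPv4-only are assumptions; the version line matches the post.

```firehol
## Added example firehol.conf (not from the post); version matches the post
version 5

# One interface handling both address families. src4/src6 limit each
# family to its own (constructed) range. Rules without an ipv4/ipv6
# prefix apply to both families; a prefix restricts the rule to one.
interface "eth0" dual src4 192.0.2.0/24 src6 2001:db8::/32
    # flood and malformed-packet protection, as in the first example
    protection strong
    # explicit default: anything not matched below is dropped
    policy drop

    # inbound (server): ping and ssh for both families
    server "ping ssh" accept
    # inbound (server): plain http reachable over IPv4 only
    ipv4 server http accept

    # outbound (client): name resolution and time over both families
    client "dns ntp" accept
    # outbound (client): web and ssh over IPv4 only
    ipv4 client "http https ssh" accept
```

The ipv4-prefixed lines only parse because the enclosing interface is defined for both families; put them inside an interface restricted to a single family and you are back to the “command not found” error above.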

Shakugan no Shana screenshot by J.C.Staff Co., Ltd. (株式会社ジェー・シー・スタッフ).