70 lines
2.1 KiB
Plaintext
70 lines
2.1 KiB
Plaintext
firehol is an easy to use but powerful iptables stateful firewall
|
|
for humans.
|
|
|
|
FireHOL uses an extremely simple but powerfull way to define firewall
|
|
rules which it turns into complete stateful iptables firewalls.
|
|
FireHOL is a generic firewall generator, meaning that you can design
|
|
any kind of local or routing stateful packet filtering firewalls with
|
|
ease.
|
|
|
|
You can run FireHOL with the 'helpme' argument, to get a configuration
|
|
file for the system run, which you can modify according to your needs.
|
|
|
|
You can find example config files in
|
|
/usr/doc/firehol-<ver>/examples. This directory contains examples from
|
|
a simple client machine, to a lan-wan gateway or an office server.
|
|
|
|
The default config file in the package contains only a note about
|
|
where to find config file examples (/usr/doc/firehol-<ver>/examples),
|
|
because it is empty it is not handled as a usual config file. If a
|
|
user has a real one, this "example" is simply deleted.
|
|
|
|
There is a get-iana.sh script to fetch reserved IPs from iana, It is
|
|
renamed to firehol-get-iana, and placed to /usr/sbin. You have to run
|
|
it at least once, to silence firehol startup warnings about missing
|
|
files.
|
|
|
|
There is an adblock.sh script to fetch the IPs of popular add servers,
|
|
which can be blacklisted, see the file for the details. It is renamed to
|
|
firehol-adblock and it is in /usr/sbin.
|
|
|
|
In addition to the man pages there is a full html documentation in
|
|
/usr/doc/firehol-<ver>/html
|
|
|
|
---
|
|
|
|
For example this is a sample firewall for simple home machine with samba
|
|
and ssh:
|
|
|
|
>version 5
|
|
>
|
|
>interface any world
|
|
> policy reject
|
|
>
|
|
> server dns accept
|
|
> server dhcp accept
|
|
> server icmp accept
|
|
> server ssh accept
|
|
> server samba accept
|
|
>
|
|
> client all accept
|
|
|
|
---
|
|
|
|
This is a stripped down home server and router configuration (for a
|
|
sophisticated version of this file see /usr/doc/firehol)
|
|
|
|
>version 5
|
|
>
|
|
>interface eth0 home
|
|
> server "dns ftp samba squid dhcp http ssh icmp" accept
|
|
> client "samba icmp" accept
|
|
>
|
|
>interface ppp+ internet
|
|
> server "smtp http ftp" accept
|
|
> client allaccept
|
|
>
|
|
>router home2internet inface eth0 outface ppp+
|
|
> route all accept
|
|
|