FireHOL — Iptables Firewall Generator

FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions).

FireHOL an iptables stateful packet filtering firewall for humans!

[adsense size='1']

The goals:

• Make firewalling an easy, straight forward task for everyone, independently of the security skills he/she has.FireHOL configuration files are very easy to type and read. To understand a complex firewall you will need just a few seconds.Take a look bellow for an example configuration.
• Be as secure as possible by allowing explicitly only the wanted traffic to flow.FireHOL produces stateful rules for any service or protocol, in both directions of the firewall.
• Be a resource of knowledge around services and their peculiarities, as far as firewalling is concerned.Check the services list.
• Be open enough for any firewalling need. Although tool is pre-configured for a large number of services, you can configure any service you like and Fire HOL will turn it into a client, a server, or a router.
• Be flexible enough to be used by end users and guru administrators requiring extremely complex firewalls. Configuration files are BASH scripts; you can write in them anything BASH accepts, including variables, pipes, loops, conditions, calls to external programs, run other BASH scripts with tools directives in them, etc.
• Be simple to install on any modern Linux system; only one file is required, no compilations involved.

FireHOL is secure because it has been designed with the right firewall concept: deny everything, then allow only what is needed.

Also, it produces stateful iptables packet filtering firewalls (and possibly, the only generic tool today that does that for all services in both directions of the firewall).

Iptables Firewall Generator

Stateful means that traffic allowed to pass is part of a valid connection that has been initiated the right way. Stateful also means that you can have control based on who initiated the traffic. For example: you can choose to be able to ping anyone on the internet, but no one to be able to ping you. If for example you don’t need to run a server on your Linux host, you can easily achieve a situation where you are able to do anything to anyone, but as far as the rest of world is concerned, you do not exist!

[adsense size='2']

FireHOL has been designed to allow you configure your firewall the same way you think of it. Its language is extremely simple. Basically you have to learn four commands:

• interface, to setup a firewall on a network interface
• router, to setup a firewall on traffic routed from one network interface to another
• server, to setup a listening service within an interface or router. The same command can be used as route within routers.
• client, to setup a service client within an interface or router

Client and server commands have exactly the same syntax. Interface has two mandatory arguments and router has only one (and this is the same with one of the two interface requires). All the optional parameters are the same to all of them

Fire HOL handles firewalls protecting one host on all its interfaces and any combination of stateful firewalls routing traffic from one interface to another. There are no limitations on the number of interfaces or on the number of routing routes (except the ones iptables has, if any).

Tool still lacks a few features: QoS for example is not supported directly. You are welcome to extend this and send your patches to authors to be integrate into next releases. In any case however, you can embed normal iptables commands in a FireHOL configuration to do whatever iptables supports.

Since it produces stateful commands, for every supported service it needs to know the flow of requests and replies. Today FireHOL supports the following services:

• Many single socket protocols, such as HTTP, NNTP, SMTP, POP3, IMAP4, RADIUS, SSH, LDAP, MySQL, Telnet, NTP, DNS, etc. There are a few dozens of such services defined in Fire HOL. Check this list. Even if something is missing, you can define it.

• Many complex protocols, such as FTP, NFS, SAMBA, PPTP, etc. If you need some complex protocol that is not present, you will have to program it (in simple BASH scripting – there are many commented examples on how this is done). Again, you will just create one BASH function with the rules of the protocol, and Fire HOL will turn it to a client, a server or a router.

Source && Download