Differences between revisions 1 and 12 (spanning 11 versions)
Revision 1 as of 2017-06-05 03:02:01
Size: 420
Editor: PieterSmit
Comment:
Revision 12 as of 2022-07-12 10:44:53
Size: 2471
Editor: PieterSmit
Comment:
Deletions are marked like this. Additions are marked like this.
Line 4: Line 4:
 * Links: [[SecurityFirewall]] [[linux/firewall]]  * Note: 2022-07 Start using [[Linux/NfTablesFirewall]] "nftfw package builds firewalls for nftables"
 * Note: 2022-06 loved Fireholl for iptables management, but now '''moving on''' as it does not support nftables.
   * [[Linux/NfTablesFirewall]] can be managed with nft tool that can execute scripts.

 * Links: [[SecurityFirewall]] , [[linux/firewall]] , [[Firewall/Rules]]
Line 7: Line 11:
   * Very compact syntax, easy to read.   * Very compact syntax, easy to read.
Line 11: Line 15:
   * Easy to extend , and supports multi uplink loadbalancing.    * Easy to extend , and supports multi up-link load-balancing.

== Install Latest ==
 * 2022 - install from git - https://github.com/firehol/firehol
 * Download debian SID/TESTing .deb packages
 * Firehol
   * download packages 201706
     * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol_3.1.1+ds-1_all.deb
     * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-common_3.1.1+ds-1_all.deb
     * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-doc_3.1.1+ds-1_all.deb
     * wget http://ftp.us.debian.org/debian/pool/main/i/iprange/iprange_1.0.3+ds-1_amd64.deb
     * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-tools_3.1.1+ds-1_all.deb
     * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-tools-doc_3.1.1+ds-1_all.deb
   * sudo apt install whois jq nfacct traceroute graphviz ipset iprange tcpdump
   * sudo dpkg -i iprange_1.0.3+ds-1_amd64.deb firehol-common_3.1.1+ds-1_all.deb firehol_3.1.1+ds-1_all.deb firehol-doc_3.1.1+ds-1_all.deb
 * Firehol-tools
   * sudo apt install curl wget git unzip screen
   * sudo dpkg -i firehol-tools_3.1.1+ds-1_all.deb firehol-tools-doc_3.1.1+ds-1_all.deb

== IPSET ==
 * Install tool
   * $ sudo apt install ipset
 * Install tool
   * $ sudo apt install iprange
 * Add iptables support
   * $ sudo apt install xtables-addons-common

= Firehol rule examples =
== Allow mosh ssh connections ==
 * {{{
server_mosh_ports="udp/60000:61000"
client_mosh_ports="default"

# Accept all client traffic on any interface
interface any world
        client all accept
        server "ssh ping dns" accept
        server "mosh" accept
        server "dhcp" accept
        client "dhcp" accept

}}}
Line 14: Line 59:
----
CategorySecurity

FireHol - Firewall

  • Note: 2022-07 Start using Linux/NfTablesFirewall "nftfw package builds firewalls for nftables"

  • Note: 2022-06 loved Fireholl for iptables management, but now moving on as it does not support nftables.

  • Links: SecurityFirewall , linux/firewall , Firewall/Rules

  • A great tool to manage Linux iptables firewall rules
    • Simple bash interpreter.
      • Very compact syntax, easy to read.
    • Support IPv4 and IPv6
    • Same syntax used for QOS rules.
    • Integrates with IPSET for black listing etc.
    • Easy to extend , and supports multi up-link load-balancing.

Install Latest

IPSET

  • Install tool
    • $ sudo apt install ipset
  • Install tool
    • $ sudo apt install iprange
  • Add iptables support
    • $ sudo apt install xtables-addons-common

Firehol rule examples

Allow mosh ssh connections

  • server_mosh_ports="udp/60000:61000"
client_mosh_ports="default"

# Accept all client traffic on any interface
interface any world
        client all accept
        server "ssh ping dns" accept
        server "mosh" accept
        server "dhcp" accept
        client "dhcp" accept

...

CategorySecurity

Linux/FireHol (last edited 2022-07-12 10:44:53 by PieterSmit)