#format wiki
#language en

= FireHol - Firewall =

 * Note: 2022-07 Started using [[Linux/NfTablesFirewall]] ("nftfw package builds firewalls for nftables").
 * Note: 2022-06 Loved FireHOL for iptables management, but now '''moving on''' as it does not support nftables.
 * [[Linux/NfTablesFirewall]] can be managed with the nft tool, which can execute scripts.
 * Links: [[SecurityFirewall]], [[linux/firewall]], [[Firewall/Rules]]

 * A great tool to manage Linux iptables firewall rules.
 * Simple bash interpreter.
 * Very compact syntax, easy to read.
 * Supports IPv4 and IPv6.
 * Same syntax used for QOS rules.
 * Integrates with IPSET for blacklisting etc.
 * Easy to extend, and supports multi up-link load-balancing.

== Install Latest ==

 * 2022 - install from git - https://github.com/firehol/firehol
 * Download Debian SID/Testing .deb packages
 * Firehol
  * download packages (2017-06)
  * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol_3.1.1+ds-1_all.deb
  * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-common_3.1.1+ds-1_all.deb
  * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-doc_3.1.1+ds-1_all.deb
  * wget http://ftp.us.debian.org/debian/pool/main/i/iprange/iprange_1.0.3+ds-1_amd64.deb
  * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-tools_3.1.1+ds-1_all.deb
  * wget http://ftp.us.debian.org/debian/pool/main/f/firehol/firehol-tools-doc_3.1.1+ds-1_all.deb
  * sudo apt install whois jq nfacct traceroute graphviz ipset iprange tcpdump
  * sudo dpkg -i iprange_1.0.3+ds-1_amd64.deb firehol-common_3.1.1+ds-1_all.deb firehol_3.1.1+ds-1_all.deb firehol-doc_3.1.1+ds-1_all.deb
 * Firehol-tools
  * sudo apt install curl wget git unzip screen
  * sudo dpkg -i firehol-tools_3.1.1+ds-1_all.deb firehol-tools-doc_3.1.1+ds-1_all.deb

== IPSET ==

 * Install the ipset tool
  * $ sudo apt install ipset
 * Install the iprange tool
  * $ sudo apt install iprange
 * Add iptables support
  * $ sudo apt install xtables-addons-common

= Firehol rule examples =

== Allow mosh ssh connections ==
{{{
# Define a custom "mosh" service: mosh-server listens on UDP 60000-61000,
# the client may use any source port
server_mosh_ports="udp/60000:61000"
client_mosh_ports="default"

# Accept all client traffic on any interface
interface any world
    client all accept
    server "ssh ping dns" accept
    server "mosh" accept
    server "dhcp" accept
    client "dhcp" accept
}}}
...
----
CategorySecurity
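The notes at the top say this setup is moving from FireHOL to nftables. As an added example (not code from the original page or from the FireHOL project), a small POSIX shell helper that turns a FireHOL `server_<name>_ports` value such as the mosh definition above into `nft` rule lines; the function name is invented here, and it assumes an existing `inet filter` table with an `input` chain unless another chain is passed.

```shell
# Added example, not from the original page or the FireHOL project: translate a
# FireHOL service port definition (the value of server_<name>_ports, e.g.
# "udp/60000:61000") into nft "add rule" lines for an nftables ruleset.
# Assumption (hypothetical): table "inet filter" with chain "input" exists.
firehol_ports_to_nft() {
    ports="$1"                       # space separated: proto/port or proto/low:high
    chain="${2:-inet filter input}"  # family, table and chain the rules are added to
    for item in $ports; do
        proto="${item%%/*}"
        port="${item#*/}"
        # Only tcp/udp port services are translated; anything else is rejected so
        # that nothing unexpected is interpolated into text later fed to nft -f.
        case "$proto" in
            tcp|udp) ;;
            *) echo "firehol_ports_to_nft: unsupported protocol '$proto'" >&2; return 1 ;;
        esac
        # Allow only digits and a single ':' range separator in the port part.
        case "$port" in
            ''|*[!0-9:]*|*:*:*|:*|*:)
                echo "firehol_ports_to_nft: bad port spec '$item'" >&2; return 1 ;;
        esac
        # FireHOL (iptables) writes ranges as low:high; nftables writes low-high.
        nftport=$(printf '%s' "$port" | tr ':' '-')
        # "server ... accept" in FireHOL admits new inbound connections to the
        # service and lets conntrack handle replies, so mirror it with ct state new.
        printf 'add rule %s %s dport %s ct state new accept\n' "$chain" "$proto" "$nftport"
    done
}

# Usage with the mosh definition from this page; review the output before
# loading it with nft -f.
# firehol_ports_to_nft "udp/60000:61000"
```

The function only emits text; nothing is applied until the reviewed output is loaded with `nft -f`.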