I’ve been investigating Firehol over the last few days, and I’m pretty impressed. It seems to do exactly what it says on the tin and is easy to configure. I’ve got a great big book on iptables and whilst it is interesting to know all the details of firewalling and how it works, configuring a firewall for a server shouldn’t involve hand-crafting your firewall script from scratch.
Firehol was developed to meet the needs of system administrators who have to configure and maintain firewalls on a large number of systems. It has a number of neat little features, like the “try” mode, which reverts to the previous settings after 30 seconds. It also has a very simple configuration file which makes it easy to see which services are allowed to run from the system.
The only thing I had slight difficulty with was getting Firehol to play with virtual interfaces (i.e. where you have eth0, eth0:0, eth0:1, etc.). It turns out that it’s a limitation of iptables, rather than Firehol. Whereas for two physical interfaces you would have
interface eth0 ip0
interface eth1 ip1
for virtual interfaces you have to have:
interface eth0 ip0 dst 192.168.0.35
interface eth0 ip1 dst 192.168.0.36
for example. If you don’t specify the IP address of each interface the firewalling rules for eth0 apply to eth0 and eth0:0. If you specify eth0:0 instead of eth0 on the second line, then you are unable to connect to any servers listening on eth0:0. I got this tip from this mailing list post.
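As an added example (not code from the post or from the Firehol project), here is a small POSIX shell lint that scans a firehol.conf for the two mistakes described above: naming an alias such as eth0:1 as the interface, and declaring the same device more than once without a dst address. The two sample configurations are constructed for this example; the keywords (interface, server, client, dst) are Firehol's own.

```shell
#!/bin/sh
# Constructed firehol.conf with both pitfalls from the post.
BAD_CONF='version 5
interface eth0 ip0 dst 192.168.0.35
    server ssh accept
interface eth0 ip1
    server http accept
interface eth0:1 ip2 dst 192.168.0.37
    server smtp accept
interface eth1 wan
    client all accept'

# Constructed corrected form: one block per address, always on the real device.
GOOD_CONF='version 5
interface eth0 ip0 dst 192.168.0.35
    server ssh accept
interface eth0 ip1 dst 192.168.0.36
    server http accept
interface eth1 wan
    client all accept'

# Usage: check_firehol_virtual_ifaces "$conf_text"
# Prints one diagnostic per problem; exit status 0 if clean, 1 otherwise.
check_firehol_virtual_ifaces() {
    printf '%s\n' "$1" | awk '
    $1 == "interface" {
        dev = $2; has_dst = 0
        for (i = 4; i <= NF; i++) if ($i == "dst") has_dst = 1
        if (dev ~ /:/) {
            # iptables only knows the real device, so an alias name matches nothing.
            print "line " NR ": interface " dev " names an alias (eth0:N); iptables only knows the real device, so no packet matches"
            bad = 1
        } else {
            count[dev]++
            if (!has_dst) nodst[dev] = nodst[dev] " " NR
        }
    }
    END {
        # A dst-less block on a device declared twice applies to every address on it.
        for (dev in count)
            if (count[dev] > 1 && nodst[dev] != "") {
                print "line(s)" nodst[dev] ": interface " dev " is declared " count[dev] " times but this entry has no dst; its rules apply to every address on " dev
                bad = 1
            }
        exit bad
    }'
}

check_firehol_virtual_ifaces "$BAD_CONF" || echo "BAD_CONF: problems found"
check_firehol_virtual_ifaces "$GOOD_CONF" && echo "GOOD_CONF: clean"
```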
Happy New Year!