I’ve been investigating Firehol over the last few days, and I’m pretty impressed. It seems to do exactly what it says on the tin and is easy to configure. I’ve got a great big book on iptables and whilst it is interesting to know all the details of firewalling and how it works, configuring a firewall for a server shouldn’t involve hand-crafting your firewall script from scratch.

Firehol was developed to meet the needs of system administrators who have to configure and maintain firewalls on a large number of systems. It has a number of neat little features, like the “try” mode, which reverts to the previous settings after 30 seconds if you don’t confirm the new ones. It also has a very simple configuration file which makes it easy to see which services are allowed to run from the system.

The only thing I had slight difficulty with was getting Firehol to play with virtual interfaces (i.e. where you have eth0, eth0:0, eth0:1, etc.). It turns out that it’s a limitation of iptables, rather than Firehol. Whereas for two physical interfaces you would have

interface eth0 ip0
interface eth1 ip1

for virtual interfaces you have to have:

interface eth0 ip0 dst
interface eth0 ip1 dst

for example. If you don’t specify the IP address of each interface, the firewalling rules for eth0 apply to both eth0 and eth0:0. If you specify eth0:0 instead of eth0 on the second line, then you are unable to connect to any servers listening on eth0:0. I got this tip from this mailing list post.
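To make the virtual-interface rule concrete, here is an added example (not from the original post and not part of Firehol itself) that turns the output of “ip -o -4 addr show” into Firehol interface stanzas of the form described above, and a small check that flags the broken pattern of naming an alias such as eth0:0 as the device. The address lines are constructed sample data using documentation ranges, trimmed of the valid_lft/preferred_lft tail that the real command prints; the stanza names (eth0_0 etc.) and the choice to add “dst” only when a device carries more than one address are my assumptions, not Firehol conventions.

```shell
#!/bin/sh
# Added example: map aliased (virtual) interfaces to Firehol "interface" lines.
# The sample below is CONSTRUCTED to look like "ip -o -4 addr show" output;
# the real command is never run, so this works offline.
SAMPLE_ADDRS='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:0
2: eth0    inet 192.0.2.12/24 brd 192.0.2.255 scope global secondary eth0:1
3: eth1    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth1'

# firehol_stanzas: print one "interface <device> <name> [dst <ip>]" line per
# address. The real device (field 2) is what iptables matches on, so it is
# always the device argument; the alias label only becomes the stanza name
# (":" replaced by "_", an assumption so the name is safe in chain names).
# "dst <ip>" is added when a device carries several addresses, which is the
# case the post describes; a device with a single address gets no dst.
firehol_stanzas() {
    printf '%s\n' "$1" | awk '
    {
        dev = $2
        ip = $4; sub(/\/.*/, "", ip)          # strip the /prefix length
        # the label follows "scope <value>", optionally after "secondary"
        label = dev
        for (i = 1; i <= NF; i++) {
            if ($i == "scope") {
                j = i + 2
                if ($j == "secondary") j++
                label = $j
            }
        }
        n++; devs[n] = dev; ips[n] = ip; labels[n] = label; count[dev]++
    }
    END {
        for (i = 1; i <= n; i++) {
            name = labels[i]; gsub(/[^A-Za-z0-9_]/, "_", name)
            if (count[devs[i]] > 1)
                printf "interface %s %s dst %s\n", devs[i], name, ips[i]
            else
                printf "interface %s %s\n", devs[i], name
        }
    }'
}

# lint_conf: read firehol.conf text and report any "interface" line whose
# device argument is an alias label (contains ":"); this is the form that
# silently leaves servers on eth0:0 unreachable. Exits non-zero if any found.
lint_conf() {
    printf '%s\n' "$1" | awk '
    $1 == "interface" && $2 ~ /:/ { print "alias used as device: " $0; bad++ }
    END { exit bad ? 1 : 0 }'
}

# Usage when run directly: print the stanzas, then lint a deliberately wrong line.
firehol_stanzas "$SAMPLE_ADDRS"
lint_conf 'interface eth0:0 ip1' || echo 'lint: fix by using "interface eth0 ip1 dst <ip>"'
```

Run it and compare the generated eth0 lines with the two-line pattern in the post: each alias gets its own stanza on the real device, pinned to its address with dst, which is what makes the per-address rules take effect.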

Happy New Year!
