Home
Welcome to the firehol wiki!
We use this wiki for blogging or as a stage for writing documentation. The official FireHOL documentation is at http://firehol.org/
I started the development of FireHOL in 2002, when I realized that my engineers were not able to consistently write effective iptables rules. It started as a simple script that takes care of basic firewall configuration. My primary goals were:
- a firewall should be installed on all servers, even inside the DMZ, to control the trust among the servers
- firewall configuration should be very easy to read and understand, like plain English
- firewall configuration should be manageable even if the system has 20 DMZs, 50 VPNs and 10.000 rules
- firewall configuration should be scriptable, so that complex firewalls can be managed efficiently
FireHOL has grown over the years. In its first years it was constantly among the best rated open source applications at freshmeat.net (do you remember this?).
Now, it is a fully featured firewall manager for Linux, supporting even advanced features like DDoS mitigation, basic IDS functionality, etc.
In 2013, FireHOL got a brother: FireQOS. I was really frustrated by QoS in Linux, so I spent quite some time digging and testing QoS features. At the end, FireQOS was born, which I believe is still the only effective solution to manage QoS in Linux.
And I really believe QoS should be used on all servers too.
update-ipsets and http://iplists.firehol.org
In 2015, we decided to focus on the artifacts that could allow a layer-3 firewall to react to cybercrime. update-ipsets, iprange and http://iplists.firehol.org were born.
update-ipsets is a tool that downloads and analyses security IP feeds with a focus on cybercrime (no, these are not IP lists about spam). It already knows where to find 400+ IP feeds related to attacks, abuse, malware, viruses, command and control servers, etc.
update-ipsets can be used to update a running firewall (not specific to FireHOL - it will work with any iptables/ipset based firewall) with the latest IP lists. The IP lists monitored can be used for blocking traffic, but can also influence the routing of traffic (redirect suspects to different servers, or change certain limits on the firewall itself).
The site http://iplists.firehol.org is just the "monitor" of update-ipsets. It is generated as static JSON and CSV files which, once loaded, present information about the IP lists and the operation of update-ipsets.
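The kind of work described above, turning a downloaded IP feed into an ipset that a running iptables firewall can match on, shown as an added shell example. This is not update-ipsets' own code: the feed content is a constructed sample, and the set name `blocklist` and the helper names are assumptions. The temporary-set-plus-swap pattern is what keeps the live firewall from ever matching against a half-loaded set while the list is refreshed.

```shell
#!/bin/sh
# Constructed sample feed (not a real list) in the common one-entry-per-line
# text format: comments, blank lines, plain IPv4 addresses and CIDR prefixes.
SAMPLE_FEED='# constructed sample feed
192.0.2.1
198.51.100.0/24

203.0.113.7   # trailing comment
not-an-ip
'

# Print "ipset restore" input that loads FEED_TEXT into a temporary set and
# atomically swaps it into SETNAME, so a running firewall never sees a
# half-populated set. Lines that are not an IPv4 address or prefix are skipped.
# Usage: feed_to_ipset_restore blocklist "$feed" | ipset -exist restore
feed_to_ipset_restore() {
    setname="$1"
    feed="$2"
    tmp="${setname}.tmp"
    # "ipset -exist restore" tolerates the live set already existing.
    printf 'create %s hash:net family inet\n' "$setname"
    printf 'create %s hash:net family inet\n' "$tmp"
    printf '%s\n' "$feed" |
        sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        while read -r entry; do
            printf 'add %s %s\n' "$tmp" "$entry"
        done
    # Swap the freshly filled set into place, then drop the old contents.
    printf 'swap %s %s\n' "$tmp" "$setname"
    printf 'destroy %s\n' "$tmp"
}

# Count the entries that would be loaded, as a sanity check before applying
# the output (an empty feed should never silently replace a populated set).
feed_entry_count() {
    feed_to_ipset_restore "$1" "$2" | grep -c '^add '
}
```

Once the set is loaded, a single rule such as `iptables -I INPUT -m set --match-set blocklist src -j DROP` uses it, and later refreshes only need the restore/swap step, not a rule change.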
Of course, the FireHOL suite includes a few more programs, like:
- iprange, a tool to efficiently manage large sets of ipsets. It is blazingly fast in manipulating ipsets in many ways.
- link-balancer, a tool that manages routing tables (with inheritance), balances routes and applies routing policies (ip rule ...)
- vnetbuild, a tool that manages network namespaces, without the complexity of containers
Our latest kid is netdata, a stunning real-time performance monitoring solution.
FireHOL installation
- Install the whole FireHOL suite - An installer script to automatically install iprange, firehol, fireqos, update-ipsets, vnetbuild, netdata
- FireHOL Dependencies
FireQOS
- FireQOS reference page
- FireQOS Tutorial - learn how to write your own fireqos.conf
- FireQOS Use Scenarios - advanced QoS scenarios
Link Balancer - routing tables with inheritance, multiple balancing gateways, routing rules
- Link Balancer How-To
FireHOL & iptables marks
FireHOL & ipsets
- Working with IPSETs
- iprange: optimizing ipsets for iptables
- dnsbl-ipset.sh - generate an ipset out of your firewall logs
FireHOL & SYNPROXY (DDoS mitigation)
FireHOL with basic IDS - just with plain iptables and ipsets