Costa Tsaousis edited this page Jan 21, 2017 · 31 revisions

Welcome to the firehol wiki!

We use this wiki for blogging or as a stage for writing documentation. The official FireHOL documentation is at

What is FireHOL?

I started the development of FireHOL in 2002, when I realized that my engineers were not able to consistently write effective iptables rules. It started as a simple script that takes care of basic firewall configuration. My primary goals were:

  • a firewall should be installed on all servers, even inside the DMZ, to control the trust among the servers
  • firewall configuration should be very easy to read and understand, like plain English
  • firewall configuration should be manageable even if the system has 20 DMZs, 50 VPNs and 10.000 rules
  • firewall configuration should be scriptable, so that complex firewalls can be managed efficiently

FireHOL has grown over the years. In its first years it was constantly among the best-rated open source applications at (do you remember this?).

Now, it is a fully featured firewall manager for Linux, supporting even advanced features like DDoS mitigation, basic IDS functionality, etc.


In 2013, FireHOL got a brother: FireQOS. I was really frustrated by QoS in Linux, so I spent quite some time digging and testing QoS features. In the end, FireQOS was born, which I believe is still the only effective solution to manage QoS in Linux.

And I really believe QoS should be used on all servers too.

update-ipsets and

In 2015, we decided to focus on the artifacts that could allow a layer-3 firewall to react to cybercrime. update-ipsets, iprange and were born.

update-ipsets is a tool that downloads and analyses security IP feeds with a focus on cybercrime (no, these are not IP lists about spam). It already knows where to find 400+ IP feeds related to attacks, abuse, malware, viruses, command and control servers, etc.

update-ipsets can be used to update a running firewall (not specific to FireHOL - it will work with any iptables/ipset based firewall) with the latest IP lists. The monitored IP lists can be used for blocking traffic, but can also influence the routing of traffic (redirect suspects to different servers, or change certain limits on the firewall itself).

The site, is just the "monitor" of update-ipsets. It is generated as static JSON and CSV files which once loaded present information about the IP Lists and the operation of update-ipsets.

Other tools

Of course, the FireHOL suite includes a few more programs, like:

  • iprange, a tool to efficiently manage large sets of ipsets. It is blazingly fast in manipulating ipsets in many ways.

  • link-balancer, a tool that manages routing tables (with inheritance), balances routes and applies routing policies (ip rule ...)

  • vnetbuild, a tool that manages network namespaces, without the complexity of containers


Our latest kid is netdata, a stunning real-time performance monitoring solution.

FireHOL installation


Link Balancer - routing tables with inheritance, multiple balancing gateways, routing rules

FireHOL & iptables marks

FireHOL & ipsets

FireHOL & SYNPROXY (DDoS mitigation)

FireHOL with basic IDS - just with plain iptables and ipsets
