Slackware-13.1-Hacks-FireHOL

Posted 05-09-2011 at 11:36 PM by arniekat

FireHOL Firewall

FireHOL 1.273 (the current version) is an iptables firewall generator that produces stateful iptables packet-filtering firewalls on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, and any degree of complexity between variations of the services (including positive and negative expressions). FireHOL is a language for expressing firewall rules, not just a script that produces some kind of firewall.

Grab the SlackBuild script and source code for FireHOL version 1.273 from SlackBuilds.org. Install the package after compilation.

Change /etc/rc.d/rc.firehol so it is executable:

# chmod +x /etc/rc.d/rc.firehol

Create a soft-link to /etc/rc.d/rc.firehol called /etc/rc.d/rc.firewall

# cd /etc/rc.d

# ln -s rc.firehol rc.firewall

Run /usr/sbin/firehol-get-iana to fetch the current list of non-routable addresses from the Internet:

# /usr/sbin/firehol-get-iana

Since this does not work, you will have to create a file called /etc/firehol/RESERVED_IPS containing the non-routable addresses. You can get the information at:
http://www.iana.org/assignments/ipv4...ress-space.xml
Here is what the current file /etc/firehol/RESERVED_IPS (May 9, 2011) looks like:

# This file is the /etc/firehol/RESERVED_IPS
# If FireHOL complains about this file, update it manually from info at
# http://www.iana.org/assignments/ipv4...ress-space.xml
# It contains only RESERVED and UNALLOCATED entries from the website.
# The ownership should be set to root:root
# The permissions should be set to 0644
# This file was last updated May 9, 2011
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
224.0.0.0/8
225.0.0.0/8
226.0.0.0/8
227.0.0.0/8
228.0.0.0/8
229.0.0.0/8
230.0.0.0/8
231.0.0.0/8
232.0.0.0/8
233.0.0.0/8
234.0.0.0/8
235.0.0.0/8
236.0.0.0/8
237.0.0.0/8
238.0.0.0/8
239.0.0.0/8
240.0.0.0/8
241.0.0.0/8
242.0.0.0/8
243.0.0.0/8
244.0.0.0/8
245.0.0.0/8
246.0.0.0/8
247.0.0.0/8
248.0.0.0/8
249.0.0.0/8
250.0.0.0/8
251.0.0.0/8
252.0.0.0/8
253.0.0.0/8
254.0.0.0/8
255.0.0.0/8
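An added example (not from the original post) in POSIX sh that checks a RESERVED_IPS file of the form shown above before FireHOL reads it: every non-blank, non-comment line must be an IPv4 network in a.b.c.d/n form, so a typo is caught here rather than when FireHOL complains at start-up. The file name and the sample entries used at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Validate a FireHOL RESERVED_IPS file: every non-blank, non-comment line
# must be an IPv4 network in a.b.c.d/n form. Bad lines are reported with
# their line number; returns 1 if any was found, 0 if the file is clean.
check_reserved_ips() {
    file="$1"; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments are allowed
        esac
        if ! valid_cidr "$line"; then
            echo "$file:$n: bad entry: $line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Return 0 if $1 is a syntactically valid IPv4 CIDR (four octets 0-255,
# prefix length 0-32), 1 otherwise.
valid_cidr() {
    case "$1" in
        */*) ;; *) return 1 ;;      # a prefix length is mandatory
    esac
    addr=${1%/*}; plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                    # split the address on dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Demo on a constructed sample file (not the author's): one bad entry.
demo=$(mktemp)
printf '# constructed sample\n0.0.0.0/8\n10.0.0.0/8\n256.0.0.0/8\n' > "$demo"
check_reserved_ips "$demo" || echo "fix the entries listed above" >&2
rm -f "$demo"
```

Run it against /etc/firehol/RESERVED_IPS after every manual update; a clean file exits 0.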

Be sure to turn off any services you don't want running, since the FireHOL configuration helper script will detect the services and create a rule that allows others to connect to each of them! You can check what services are running with:

# netstat -lundt

tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN

Anything with "LISTEN" at the end is a service waiting for a connection! To find out what these services are, look the port number up in /etc/services:

# grep -w 37 /etc/services

time 37/tcp timserver
time 37/udp timserver

This service can be turned off by editing /etc/inetd.conf and commenting out (i.e. adding a # (hash) at the start of) the following lines, like so:

#time stream tcp nowait root internal
#time dgram udp wait root internal

Save the file and exit. Either reboot, or restart inetd with the command:

# kill -HUP $(cat /var/run/inetd.pid)

Now, when you run the netstat command again, the time service is gone:

# netstat -lundt

tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN

To create a configuration file using your current services:

# firehol helpme > /etc/firehol/firehol.conf

: firehol.sh,v 1.273 2008/07/31 00:46:41 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net

--------------------------------------------------------------------------------
FireHOL controls your firewall. You should want to get updates quickly.
Subscribe (at the home page) to get notified of new releases.
--------------------------------------------------------------------------------

FireHOL will now try to figure out its configuration file on this system.
Please have all the services and network interfaces on this system running.
Your running firewall will not be stopped or altered.
You can re-run the same command with output redirection to get the config to a file. Example:

/usr/sbin/firehol helpme >/tmp/firehol.conf

Building list of known services.
Please wait...
Press RETURN to start. [continue] >
--- snip --- snip --- snip --- snip ---

Now edit the configuration file to check that everything is OK:

# vi /etc/firehol/firehol.conf

Here is the file /etc/firehol/firehol.conf from my box with a Static IP of 192.168.0.13. I had to comment-out the udp/512, udp/5353 and udp/38485 lines in the configuration file:

#!/usr/sbin/firehol
# : firehol.sh,v 1.273 2008/07/31 00:46:41 ktsaou Exp $
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
# YOU SHOULD NEVER USE THIS CONFIG AS-IS.
# Date: Mon May 9 21:01:03 PDT 2011 on host Slackdev
# IMPORTANT:
# The TODOs bellow, are *YOUR* to-dos!
# INFO: Processing interface 'eth0'
# INFO: Processing IP 192.168.0.13 of interface 'eth0'
# INFO: Is 192.168.0.13 part of network 192.168.0.0/24? yes

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.0.13 (net: "192.168.0.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.0.13' if this is dynamically assigned.
interface eth0 interface1 src "192.168.0.0/24" dst 192.168.0.13

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "192.168.0.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server ICMP accept
server ident accept

# The following eth0 services are not known by FireHOL:
# udp/38485 udp/512 udp/5353

# Custom service definitions for the above unknown services.
# server custom if1_udp_38485 udp/38485 any accept
# server custom if1_udp_512 udp/512 any accept
# server custom if1_udp_5353 udp/5353 any accept

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

# INFO: Is 192.168.0.1 part of network 192.168.0.0/24? yes
# INFO: Default gateway 192.168.0.1 is part of network 192.168.0.0/24

# Interface No 2.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 192.168.0.1 .
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.0.13' if this is dynamically assigned.
interface eth0 interface2 src not "${UNROUTABLE_IPS} 192.168.0.0/24" dst 192.168.0.13

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net not "${UNROUTABLE_IPS} 192.168.0.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server ICMP accept
server ident accept

# The following eth0 services are not known by FireHOL:
# udp/38485 udp/512 udp/5353

# Custom service definitions for the above unknown services.
# server custom if2_udp_38485 udp/38485 any accept
# server custom if2_udp_512 udp/512 any accept
# server custom if2_udp_5353 udp/5353 any accept

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

# The above 2 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).
# No router statements have been produced, because your server
# is not configured for forwarding traffic.

To start the firewall, type:

# firehol start

FireHOL: Saving your old firewall to a temporary file: [ OK ]
FireHOL: Processing file /etc/firehol/firehol.conf: [ OK ]
FireHOL: Activating new firewall (181 rules): [ OK ]

Now open a web browser and check that you still have Internet access. To see the firewall that is actually running, type this command; it lists every rule of the currently active firewall:

# firehol status

You will get a long list of iptables rules.

Reboot and check that the firewall loads at boot, and you are done.