FireHOL has been designed to be a startup service. As such, FireHOL accepts all the command line arguments of /etc/init.d/iptables, plus a few more. Below is a list of the currently supported command line arguments:

Parameter Description

start Activates the firewall configuration. The configuration is expected to be found in /etc/firehol/firehol.conf
try Activates the firewall, but waits until the user types the word commit. If this word is not typed within 30 seconds, the previous firewall is restored.
stop Stops a running iptables firewall. This will allow all traffic to pass unchecked.
restart This is an alias for start, given for compatibility with /etc/init.d/iptables.
condrestart Starts the FireHOL firewall only if it is not already active. It does not detect a modified configuration file; it only verifies that FireHOL has been started in the past and not stopped since.
status Shows the running firewall, as in /sbin/iptables -nxvL | less
panic It removes all rules from the running firewall and then it DROPs all traffic on all iptables tables (mangle, nat, filter) and pre-defined chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING), thus blocking all IP communication. DROPing is not done by changing the default policy to DROP, but by adding just one rule per table/chain to drop all traffic, because the default iptables scripts supplied by many systems (including RedHat 8) do not reset all the chains to ACCEPT when starting (FireHOL resets them correctly).

When activating panic mode, FireHOL checks for the existence of the SSH_CLIENT shell environment variable (set by SSH). If it finds it, panic mode will allow the established SSH connection specified in this variable to keep operating. Notice that for this to work you should have used su without the minus (-) sign, since su - overwrites the shell variables and the SSH_CLIENT variable is therefore lost.

Alternatively, after the panic argument you can specify an IP address, in which case all established connections between this IP address and the host in panic will be allowed.

save Starts the firewall and then saves it using /sbin/iptables-save to /etc/sysconfig/iptables.

Since v1.64, this is not implemented using /etc/init.d/iptables save, because some versions of iptables-save have a bug that saves invalid commands (! --uid-owner A is saved as --uid-owner !A) which cannot be restored. FireHOL works around this problem by saving the firewall and then replacing --uid-owner ! with ! --uid-owner .

Note that not all FireHOL firewalls will work if restored with /etc/init.d/iptables start, because FireHOL handles kernel modules and might have queried RPC servers (used by the NFS service) before starting the firewall. FireHOL also automatically checks the current kernel configuration for the client port range. If you restore a firewall using the iptables service, your firewall may not work as expected.

Since v1.258 FireHOL also saves the required kernel modules in an executable shell script in /var/spool/firehol/last_save_modules.sh. This script can be called during boot to restore the required kernel modules for the firewall saved using this command.

debug Parses the configuration file but instead of activating it, it shows the generated iptables statements.
explain Enters an interactive mode where it accepts normal configuration commands and presents the generated iptables commands for each of them, together with some reasoning about their purpose. Additionally, it automatically generates a configuration script based on the successful commands given.

When in directive mode, FireHOL has the following special commands:

  • help to present some help
  • show to present the generated FireHOL configuration
  • quit to exit interactive mode and quit FireHOL
helpme Tries to guess the FireHOL configuration needed for the current machine.
FireHOL will not stop or alter the running firewall. The configuration file is written to the standard output of FireHOL, thus

/etc/init.d/firehol helpme >/tmp/firehol.conf

will produce the output in /tmp/firehol.conf.

The generated FireHOL configuration must be edited before it is used on your systems. You are required to make many decisions, and the comments in the generated file will guide you through many of them.

<a filename> A different configuration file. If no other argument is given, the configuration file will be "tried" (default = try). Otherwise, the argument following the filename can be one of start, debug or try.
<nothing> Presents help about FireHOL usage.
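As an added example (not FireHOL's own code), here is the post-processing step described under save, applied to a constructed iptables-save dump. The sed expression is the literal replacement named above; the function names (fix_uid_owner, count_broken, save_fixed) and the sample rules are assumptions made for this demonstration, and no real iptables-save is invoked.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: the "save" post-processing step
# described above, applied to a constructed iptables-save dump.
# Assumptions: the dump below is made up; in FireHOL the input comes from
# /sbin/iptables-save and the result is written to /etc/sysconfig/iptables.

# Constructed iptables-save output. The fourth line carries the broken
# "--uid-owner !A" form that iptables-restore rejects; the third line is
# already in the restorable "! --uid-owner A" form and must be left alone.
SAMPLE_DUMP='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner ! --uid-owner 0 -p tcp --dport 25 -j REJECT
-A OUTPUT -m owner --uid-owner !0 -p udp --dport 53 -j DROP
-A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
COMMIT'

# fix_uid_owner: filter stdin to stdout, rewriting "--uid-owner !" to
# "! --uid-owner " exactly as the page says FireHOL does after saving.
fix_uid_owner() {
    sed 's/--uid-owner !/! --uid-owner /g'
}

# count_broken: number of stdin lines still in the unrestorable form.
# grep -c exits 1 when that number is zero, so "|| true" keeps the count.
count_broken() {
    grep -c -e '--uid-owner !' || true
}

# save_fixed <file>: emulate the save step, writing the repaired dump.
save_fixed() {
    printf '%s\n' "$SAMPLE_DUMP" | fix_uid_owner > "$1"
}

# Stand-alone run: repair the sample and show the before/after counts.
out=$(mktemp)
save_fixed "$out"
echo "unrestorable lines before: $(printf '%s\n' "$SAMPLE_DUMP" | count_broken)"
echo "unrestorable lines after:  $(count_broken < "$out")"
cat "$out"
rm -f "$out"
```

A useful check after any save is to run count_broken over the saved file: a non-zero result means iptables-restore will refuse the whole file, so the firewall would not come back at boot.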

Since version 1.45 of FireHOL, configuration files can accept command line arguments. These command line arguments are given to FireHOL, which passes them to the configuration file. All the above FireHOL parameters support this feature. To activate it, add a double dash (--) as a command line argument to FireHOL and then give the parameters to be passed to the configuration file.

What happens when FireHOL runs?

FireHOL is a BASH script. To run its configuration file, FireHOL first defines a set of functions and variables and then it "sources" (runs inline) its configuration file to be executed by BASH.

The keywords interface, client, server, router, etc. are all BASH functions that are executed by BASH when and if they appear in the configuration file. Using shared variables these functions share some state information that allows them to know, for example, that a client command appears within an interface and not within a router and that the name given to an interface has not been used before.

Instead of running iptables commands directly, each of these functions (i.e. FireHOL) just writes the generated iptables commands to a temporary file. This is done to prevent altering a running firewall before ensuring that the syntax of the configuration file is correct. So, a complete run of the configuration file actually produces all the iptables commands for the firewall, written to a temporary file (script). Even the iptables commands given within the configuration file use the same concept (they just add iptables commands to this script).

Finally, this script (the generated iptables commands) has to be run, but before doing so, FireHOL saves the running firewall to another temporary file. The saved firewall will be automatically restored if any of the generated iptables commands produces an error. Such an error is possible when, for example, you specify an invalid IP address or hostname, or an invalid argument to some parameter that gets passed to iptables as-is.

It is important to understand that during the run of the generated iptables script (including the possible restoration of the old firewall), FireHOL allows all traffic to reach its destination. This has been done to prevent a possible lock-out situation where you are SSHing to the server to alter its firewall and suddenly lose the connection (although this can still happen if your new firewall doesn't allow the connection).

If no error has been seen, FireHOL deletes all temporary files generated and exits.

In case there was an error, FireHOL will do its best to restore your previous firewall and will present you with details about the error and its line number in the original configuration file.
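The following is an added example, not FireHOL's own code, that emulates the run model described in this section and the argument pass-through described under the double dash (--) above: keyword functions are defined, the configuration is sourced with its arguments, the iptables commands are collected in a temporary script, the running firewall is snapshotted, the script is applied, and the snapshot is restored on error. Everything is a stand-in so it runs offline as an ordinary user: the "running firewall" is a plain file, iptables is a stub function that rejects an obviously invalid address, and interface/server are simplified versions of the real keywords. The configuration files, their arguments and the function names (firehol_run, reset_firewall, rule_count, emit) are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: an emulation of the run model the
# section above describes (define keyword functions, source the
# configuration, collect iptables commands in a temporary script, snapshot
# the running firewall, apply, roll back on error). Everything here is a
# stand-in so it runs offline as an ordinary user: the "running firewall"
# is a plain file, "iptables" is a stub function that rejects an obviously
# invalid address, and interface/server are simplified versions of the
# real keywords. The configuration files and arguments are constructed.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
RUNNING="$WORKDIR/running.rules"   # stands in for the live rule set
SAVED="$WORKDIR/saved.rules"       # snapshot taken before applying
GENERATED="$WORKDIR/generated.sh"  # temporary script of iptables commands
GEN_ERR="$WORKDIR/generate.err"    # errors seen while sourcing the config
APPLY_ERR="$WORKDIR/apply.err"     # errors seen while running the script

reset_firewall() { printf '%s\n' '-A INPUT -i lo -j ACCEPT' > "$RUNNING"; }
rule_count()     { wc -l < "$RUNNING" | tr -d ' '; }

# Stub: real FireHOL calls /sbin/iptables; here a rule is a line in $RUNNING.
iptables() {
    case "$*" in
        *not-an-address*) echo "iptables: bad argument '$*'" >&2; return 1 ;;
    esac
    printf '%s\n' "$*" >> "$RUNNING"
}

# Phase 1: keyword functions never touch the firewall; they only append to
# the generated script. CURRENT_IFACE is the shared state that lets server
# detect it was used outside an interface, as FireHOL's functions do.
CURRENT_IFACE=""
emit() { printf 'iptables %s || exit 1\n' "$*" >> "$GENERATED"; }

interface() {   # interface <device> <name>
    CURRENT_IFACE="$1"
    emit "-N in_$2"
    emit "-A INPUT -i $1 -j in_$2"
}
server() {      # server <port> accept [from <address>]   (simplified)
    if [ -z "$CURRENT_IFACE" ]; then
        echo "server $1: used outside an interface" >> "$GEN_ERR"
        return 1
    fi
    src=""
    [ "${3:-}" = "from" ] && src=" -s $4"
    emit "-A INPUT -i $CURRENT_IFACE$src -p tcp --dport $1 -j ACCEPT"
}

# firehol_run <config> [args...]: args reach the config as $1, $2, ... which
# is what FireHOL's "--" separator passes through. Returns 0 when the new
# firewall is active, 1 when it was rolled back, 2 when generation failed.
firehol_run() {
    conf="$1"; shift
    : > "$GENERATED"; : > "$GEN_ERR"; CURRENT_IFACE=""
    # 1. Source the configuration; errors here leave the firewall untouched.
    ( . "$conf" ) 2>> "$GEN_ERR" || true
    if [ -s "$GEN_ERR" ]; then
        echo "generation failed, firewall untouched: $(head -n 1 "$GEN_ERR")" >&2
        return 2
    fi
    # 2. Snapshot the running firewall (FireHOL uses iptables-save here).
    cp "$RUNNING" "$SAVED"
    # 3. Run the generated script; the first failing iptables call exits it.
    if ( . "$GENERATED" ) 2> "$APPLY_ERR"; then
        rm -f "$SAVED" "$GENERATED" "$GEN_ERR" "$APPLY_ERR"
        return 0
    fi
    # 4. Restore the snapshot and report what went wrong.
    cp "$SAVED" "$RUNNING"
    echo "apply failed, previous firewall restored: $(head -n 1 "$APPLY_ERR")" >&2
    return 1
}

# Constructed configurations: good.conf takes device and network from the
# arguments passed after "--"; badnest.conf misuses server; badaddr.conf
# passes an invalid address through to iptables and is rolled back.
GOOD="$WORKDIR/good.conf"; BADNEST="$WORKDIR/badnest.conf"; BADADDR="$WORKDIR/badaddr.conf"
cat > "$GOOD" <<'EOF'
interface "$1" home
server 22 accept from "$2"
server 80 accept
EOF
cat > "$BADNEST" <<'EOF'
server 22 accept
interface eth0 home
EOF
cat > "$BADADDR" <<'EOF'
interface eth0 home
server 22 accept from not-an-address
EOF

# Stand-alone run: the equivalent of "firehol good.conf start -- eth0 192.0.2.0/24"
reset_firewall
firehol_run "$GOOD" eth0 192.0.2.0/24 || echo "returned $?"
echo "rules after good.conf: $(rule_count)"
firehol_run "$BADNEST" || echo "returned $?"
echo "rules after badnest.conf: $(rule_count)"
firehol_run "$BADADDR" || echo "returned $?"
echo "rules after badaddr.conf: $(rule_count)"
cat "$RUNNING"
```

The two failure paths differ in the way the page describes: a nesting or syntax error is caught while sourcing, so the running rule set is never touched, whereas an invalid address only surfaces when iptables is actually called, so the partially applied rules have to be replaced by the snapshot. Real FireHOL does the snapshot and restore with iptables-save and iptables-restore and, while doing so, lets all traffic through, which this emulation does not model.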


$Id: invoking.html,v 1.20 2007/07/20 21:16:59 ktsaou Exp $

FireHOL, a firewall for humans...
© Copyright 2004 Costa Tsaousis <costa@tsaousis.gr>