
Thread: FireHOL

  1. #1
    Senior Member
    Join Date
    Mar 2004



    Recently, I was looking for stateful packet firewalls and now stumbled across


    which seems to generate iptables rule-sets.
    Have you any experience with it, which you can share?

    The developer says
    "FireHOL is a stateful iptables packet filtering firewall configurator. It is abstracted, extensible,
    easy and powerful. It can handle any kind of firewall, but most importantly, it gives you the
    means to configure it, the same way you think of it."

    Another "source"[2] describes it very promisingly, but I always have my doubts here:
    "FireHOL a simple yet powerful way to configure stateful iptables firewalls. It can be used for
    almost any purpose, including control of any number of internal/external/virtual interfaces,
    control of any combination of routed traffic, setting up DMZ routers and servers, and all kinds of
    NAT. It provides strong protection (flooding, spoofing, etc.), transparent caches, source MAC
    verification, blacklists, whitelists, and more. Its goal is to be completely abstracted and powerful
    but also easy to use, audit, and understand."

    /edit: Two reasons for this post:
    a) Is it worth the time to look at it in detail, or is it "better" to configure iptables directly
    (please define "better" in the context you want it to be understood)?
    b) For those who have never heard about FireHOL and have difficulty configuring iptables properly,
    this might be a good starting point.

    Thanks &

    [1] http://sourceforge.net/projects/firehol/
    [2] http://www.astalavista.com/?section=...d=file&id=3175
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  2. #2
    AO übergeek phishphreek
    Join Date
    Jan 2002
    I've never used FireHOL. But I will give it a try on the next test box I set up.
    (Probably this upcoming weekend.)

    I've been using fwbuilder for quite some time. It has everything I want, need and more!

    Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, a firewall policy is a set of rules; each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols). Firewall Builder helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations.

    Object databases are stored in XML format. The GUI and policy compilers are completely independent. The GUI requires only minimal changes in order to add support for a new firewall platform, even though a new policy compiler must be written. This provides for a consistent abstract model and the same GUI for different firewall platforms. The standardized XML data format opens the possibility of many user interfaces and policy compiler implementations, all interchangeable.

    We have policy compilers for the popular free firewalls iptables http://www.iptables.org/, ipfilter http://coombs.anu.edu.au/~avalon/, pf http://www.benzedrine.cx/pf.html. Because of the modular architecture, Firewall Builder can be used to manage firewalls built on a variety of platforms including, but not limited to, Linux using iptables, ipfilter on FreeBSD or Solaris and pf on OpenBSD.

  3. #3
    Senior Member
    Join Date
    Mar 2004

    Phish, thanks for the information you provided about fwbuilder.
    I have heard about it, but never looked at it (I often use
    the same time-consuming approach to learning a thing
    as lepricaun does: do everything from scratch).

    I will give both a (maybe quick) try. But I don't feel competent
    to judge one against the other due to lack of experience.
    However, since you already know about the capabilities, advantages
    and disadvantages of fwbuilder, I would look forward to your remarks
    on fireHOL, if you find the time, of course.


  4. #4
    Senior Member
    Join Date
    Mar 2004

    I did take a look at iptables and the abstracted layers
    fireHOL and fwbuilder. Although I do not really feel
    competent, as I have already written, I will still write
    up my impressions for those who are interested. If only
    competent writers would post, most forums would be
    half-empty anyway.

    iptables: iptables is a stateful packet firewall,
    essentially configurable by doing a
    # load a new configuration
       iptables-restore < your_firewall_configuration_file
    # check status
       iptables -L
    where your_firewall_configuration_file contains
    the corresponding settings for that particular machine.
    If you are familiar with the needs and requirements of
    a firewall, writing these rules by hand is not
    really difficult, just a bit laborious. A lot of the work
    has already been done[1].

    fireHOL is based on a simplified "language": fireHOL
    translates a meta description into iptables rules and
    adds some standard security configurations.
    FireHOL shows the iptables rules generated from that
    meta description using the command
       firehol debug

    fwbuilder is a GUI-based firewall-configuration tool,
    and offers much more than fireHOL. A connection to several
    types of firewalls (on different machines etc.) can be
    established easily and automated.

    For those among us who administer a stand-alone PC
    only, iptables is the best solution in my opinion.
    Check tips on how to improve security, e.g. starting here on AO[2].

    For those who have to administer larger networks,
    fwbuilder is a good option for sure.

    fireHOL is a nice tool. It might be worth looking
    at its output once (or twice) to learn some
    "security tweaks", but in my opinion, that's it.
    If you want to know in detail what's going on,
    configure iptables manually. If you do not want to
    be bothered by these details, use fwbuilder.

    [1] e.g. http://www.jalix.org/ressources/rese...-tutorial.html
    [2] http://www.antionline.com/showthread...hreadid=230338 and following.
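As an added example (not the poster's, and not FireHOL's or fwbuilder's own code) of what `your_firewall_configuration_file` can look like for the stand-alone-PC case discussed above: a small shell script that generates a stateful, default-drop iptables-restore ruleset, next to the FireHOL meta description expressing the same policy, so the two can be compared against the output of `firehol debug`. The interface name eth0 and SSH port 22 are assumptions; the FireHOL lines follow the documented firehol.conf syntax.

```shell
#!/bin/sh
# Added example, not from the thread: a hand-written iptables-restore file
# for a stand-alone PC (default drop, stateful, SSH only) next to the
# FireHOL meta description for the same policy. eth0 and port 22 are assumed.

# Emit the iptables-restore ruleset; edit, diff and review it before loading.
gen_ruleset() {
    iface="${1:-eth0}"    # assumed interface name
    ssh_port="${2:-22}"   # assumed SSH port
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# The same policy as a FireHOL meta description (firehol.conf syntax;
# "firehol debug" prints the iptables rules FireHOL generates from it).
gen_firehol_conf() {
    iface="${1:-eth0}"
    cat <<EOF
interface $iface home
    policy drop
    protection strong
    client all accept
    server ssh accept
EOF
}

# Sanity check before loading: how many rules admit NEW inbound connections?
# On a stand-alone PC this number should stay very small.
count_new_accepts() {
    gen_ruleset "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Load atomically (needs root); otherwise just show what would be loaded.
load_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        gen_ruleset "$@"; return 0
    fi
    gen_ruleset "$@" | iptables-restore && iptables -L -n -v
}
```

Review the generated file (and the `firehol debug` output for the FireHOL version) before calling `load_ruleset` as root, since a default-drop INPUT policy with the wrong interface or port locks out remote access.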
