If you’re anything like me, then the thought of having to dive into iptables rules and configuration is a harbinger of doom, often followed by hours of frustration as we consult the almighty google in the attempt to find our lost salvation. Fear not, for yesterday I discovered the almighty firehol, and I think it may have changed my life forever.
Firehol is a lightweight package written in bash, which converts a simple, intelligible configuration file into rock solid iptables hell-speak. Moreover, it does a neat job of generating a foundation configuration for you, and the tutorials do a great job of explaining firewalling concepts to someone as naive as me.
Setting up a basic firewall configuration is pretty easy, and goes something like this:
apt-get install firehol
mv /etc/firehol/firehol.conf /etc/firehol/firehol.conf.backup
firehol helpme > /etc/firehol/firehol.conf
firehol try
commit
(“commit” is typed at the prompt that “firehol try” leaves you at; if you don’t, the old rules come back on their own.)
Basically this examines your running services and opens ports for them. So you might say that this has just rendered your firewall absolutely useless, by simply opening everything. Having said that, if you have a look at /etc/firehol/firehol.conf, it’s pretty easy to see (and change) what’s going on.
There are a few things worth knowing however, that I will point out here. Firstly, if you’ve ever configured a firewall by remote ssh, then there’s a fair chance you’ve experienced the horror of setting a rule which blocks your own ssh access. Firehol deals with that nicely: the “firehol try” command converts your /etc/firehol/firehol.conf to iptables, and then reverts to the old configuration 30 seconds later unless you confirm it with “commit”. A nifty life saver if ever I saw one.
Secondly, if I run the default “firehol helpme” configuration, I get a raft of errors about “rule length being no greater than 29 characters”. There’s probably a better way to fix this, but in my own case I just renamed all my interfaces in the configuration file to if1, if2, if3 etc. The tutorial and manual suggest naming your interfaces something meaningful, but to be honest I’m not really sure why. I think it simply means that your iptables rules will be slightly more human readable, because they will all contain your arbitrary interface names. That said, iptables configurations have always been a mystery to me, so the rules are far from “human readable” regardless of the interface name. Of course, you can just comment your firehol.conf to explain what your interfaces are for.
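To show what the “helpme” output looks like once you’ve tightened it up and shortened the interface names, here is a hand-written firehol.conf as an added example (not the post’s own file, and not generated by firehol helpme). It assumes a single interface eth0, a firehol 1.x-style “version 5” config, and a constructed admin network 192.0.2.0/24 from which ssh should be reachable; everything else inbound is dropped.

```firehol
# Example firehol.conf (added illustration, not the author's file).
# Assumes firehol 1.x config syntax; "version 5" is that branch's header.
version 5

# Real interface eth0, given the short name "if1" so every generated
# iptables chain name stays under the ~29 character limit mentioned above.
# Drop any packet arriving on it with a spoofed private/unroutable source.
interface eth0 if1 src not "${UNROUTABLE_IPS}"

    # Anything not explicitly allowed below is silently dropped.
    policy drop

    # Enable firehol's built-in anti-spoof / bogus-TCP-flag protections.
    protection strong

    # Inbound services we actually run. Restrict ssh to the (constructed)
    # admin network instead of the whole internet, which is what "helpme"
    # would have opened. The "try / commit" dance keeps us from locking
    # ourselves out if this range is wrong.
    server ssh  accept src 192.0.2.0/24
    server http accept

    # Outbound: let this host talk to the world freely.
    client all accept
```

Run “firehol try” with this file in place and confirm with “commit” only after a second ssh session from the admin network succeeds.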
That’s it! That’s all there is to it, happy firewalling kids!