Installing and configuring FireHOL

Linux / Network: Beginner's guide to FireHOL.

NOTE: Content of this tutorial is probably outdated.

Part 1

Having a firewall is one of the steps you can take to make sure that your machine is at least a little bit secure. This is achieved by opening access only to the applications or ports that you explicitly allow, and blocking the rest. For me this is good practice, although some people might argue otherwise.

For my Linux machines, I prefer to use FireHOL. FireHOL is not a firewall on its own, but a shell wrapper around the Linux iptables firewall. It lets you configure iptables rules in a descriptive, easy-to-understand language.

For this tutorial's purpose, we will assume that we want to set up a home router on a Linux machine running Ubuntu. The machine has two network interface cards (NICs): eth0 pointing to the Internet, and eth1 for the local LAN.

1. First, make sure you have enabled the universe repository. To make things simple, your /etc/apt/sources.list file should look something like this:

deb http://archive.ubuntu.com/ubuntu/ dapper main restricted
deb http://archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb http://archive.ubuntu.com/ubuntu/ dapper universe multiverse
deb http://archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://security.ubuntu.com/ubuntu dapper-security universe multiverse

If not, modify it (as root), and then run

sudo apt-get update

2. Install FireHOL by issuing the command:

sudo apt-get install firehol

3. Time to configure FireHOL. The configuration file is located at /etc/firehol/firehol.conf. As root, edit the /etc/firehol/firehol.conf file and update it with the following lines:

version 5
interface "eth0" Internet
        protection strong
        server "ssh" accept
        client all accept

interface "eth1" LAN
        policy accept
        client all accept

router lan2internet inface "eth1" outface "eth0"
        client all accept
        route all accept
        masquerade

What these rules do is define the two interfaces we have as "LAN" for eth1 and "Internet" for eth0. On the eth0 interface, we only allow incoming ssh access (TCP port 22), and allow unrestricted outgoing access. On eth1, we accept all traffic. Lastly, the router section tells FireHOL that we want traffic from the LAN (interface eth1) to be routed and masqueraded to the Internet (interface eth0). Again, we allow all services without restriction. Simple and concise.

4. Lastly, we need to make sure FireHOL is executed on every system startup. As root, edit the file /etc/default/firehol and change the START_FIREHOL line to YES. The file should look like this:

START_FIREHOL=YES
WAIT_FOR_IFACE=""

Save the file.

5. Start FireHOL by issuing the command:

sudo /etc/init.d/firehol start

Pretty simple, eh?
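As an added example (not from the article or the FireHOL project), here is a small POSIX shell script that carries out steps 4 and 5 in a way that will not lock you out of a remote machine: it sets START_FIREHOL=YES in the defaults file, refuses to apply a configuration whose Internet-facing interface block does not accept ssh, and then activates the rules with `firehol try`, which restores the previous firewall unless you confirm within 30 seconds. The file paths, the WAN interface name, the FIREHOL_APPLY switch and the function names are the script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the FireHOL project): carry out
# steps 4 and 5 without locking yourself out of a remote machine.
# Assumptions: Debian/Ubuntu paths for the two files, eth0 as the
# Internet-facing interface, and the FIREHOL_APPLY=1 switch to actually apply.
set -eu

DEFAULTS_FILE="${DEFAULTS_FILE:-/etc/default/firehol}"
CONF_FILE="${CONF_FILE:-/etc/firehol/firehol.conf}"
WAN_IFACE="${WAN_IFACE:-eth0}"

# Step 4: set START_FIREHOL=YES in the defaults file without touching any
# other line. Idempotent, so running it twice changes nothing.
enable_firehol_start() {
    file="$1"
    if grep -q '^START_FIREHOL=' "$file"; then
        sed 's/^START_FIREHOL=.*/START_FIREHOL=YES/' "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf 'START_FIREHOL=YES\n' >> "$file"
    fi
    grep -q '^START_FIREHOL=YES$' "$file"
}

# Lockout guard: the block for the Internet-facing interface must still
# contain "server ssh accept" (FireHOL allows the service name with or
# without quotes). Exit status 0 when ssh is accepted there, 1 otherwise.
ssh_allowed_on() {
    conf="$1"; iface="$2"
    awk -v want="$iface" '
        # every interface/router line starts a new block; remember whether
        # it is the interface we care about (its name may be quoted)
        /^[[:space:]]*(interface|router)[[:space:]]/ {
            name = $2; gsub(/"/, "", name)
            inblock = ($1 == "interface" && name == want)
        }
        inblock && /^[[:space:]]*server[[:space:]]+"?ssh"?[[:space:]]+accept/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Step 5, using "try" instead of "start": FireHOL activates the new rules
# and restores the previous firewall unless you confirm within 30 seconds.
apply_firewall() {
    if ! ssh_allowed_on "$CONF_FILE" "$WAN_IFACE"; then
        echo "refusing to apply: ssh is not accepted on $WAN_IFACE in $CONF_FILE" >&2
        return 1
    fi
    firehol try
}

if [ "${FIREHOL_APPLY:-0}" = 1 ]; then
    enable_firehol_start "$DEFAULTS_FILE"
    apply_firewall
fi
```

Run it as root with FIREHOL_APPLY=1 to perform both steps; without the switch it only defines the functions, so the guard can be exercised against a copy of the configuration first. The guard deliberately looks only inside the block for the WAN interface: a `server ssh accept` under the LAN interface is no help when you are connected over the Internet.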

Part 2

This is the second part of the introduction-to-FireHOL article. It covers more advanced topics that you might find useful, such as defining new services, selective filtering, and NAT. I suggest you read the first part of the article if you haven't done so.

Expanding on your previous FireHOL configuration, let’s say that now we are trying to achieve several new things to our firewall configuration, namely:

  • defining new services and performing filtering on them
  • performing transparent HTTP proxying by redirecting all HTTP traffic to our Squid cache
  • mapping requests to an internal machine

Defining New Services

FireHOL by default comes with a large number of predefined services, including http, https, dhcp, icmp, samba, snmp, syslog, telnet, ssh, and so on. A complete list can be found in the FireHOL documentation. However, if you run an application that does not exist in FireHOL's service list, it is easy to add one.

There are two ways to achieve this. The first is the service definition syntax. The second is the inline service definition syntax. We will look at the second option.

Based on our previous configuration, the Internet-facing interface is eth0. We are now running an OpenVPN service and would like unrestricted access to the OpenVPN port. To do this, as root, edit the FireHOL configuration file /etc/firehol/firehol.conf. Under the eth0 interface configuration, add the following line:

server custom openvpn "tcp/1194 udp/1194" default accept

Here openvpn is the name we give the service, the quoted list holds the server ports (protocol/port, separated by spaces), default stands for FireHOL's default client-port range, and accept is the action.

Transparent HTTP Proxy

Another neat trick you can do is real-time redirection of HTTP traffic to your local proxy. To do this, you have to install and enable your HTTP proxy properly first. The most common HTTP proxy server in use on UNIX-based systems is Squid. There are many benefits to running this kind of setup, but you will have to look those up yourself, as they will not be covered in this article.

After setting up your Squid proxy, simply edit your FireHOL configuration as root (/etc/firehol/firehol.conf), and put this line after the "version" directive. The first argument is the port Squid listens on, the quoted list names the local user(s) Squid runs as (so that the proxy's own outgoing requests are not redirected back to it), and inface names the interface on which the HTTP requests to be redirected arrive:

transparent_squid 3128 "proxy proxy" inface eth0

Map request to internal machine

Mapping requests to another machine is also known as Network Address Translation (NAT). Basically, it involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall. Most systems using NAT do so to enable multiple hosts on a private network to access the Internet using a single public IP address. What we are trying to do here is something like masquerading in reverse.

Let's say you run a web server, and it is located inside your LAN. It does not have any publicly accessible address, so accessing it from the Internet would be impossible. However, your firewall (running FireHOL, of course) does not run any HTTP service, so you can forward requests destined for the firewall's HTTP port (TCP port 80) to the internal machine. This kind of setup is frequently implemented to segregate machines into several "safe" segments, usually called a DMZ setup.

For our example, let's say our internal web server's IP address is 192.168.0.2, the firewall machine has a public IP address (100.100.100.100) on interface eth0, and the local LAN segment is connected to the firewall's eth1 interface. Whenever a request arrives at the firewall's public interface eth0, we want it redirected to our internal web server at 192.168.0.2.

To do this, again as root, edit your FireHOL configuration file (/etc/firehol/firehol.conf), and add the following directive before the interface definitions:

nat to-destination 192.168.0.2 proto "tcp" dport "80" dst 100.100.100.100/32

Save the file, and exit your editor.

Conclusion

Your final FireHOL configuration should look something like this:

version 5
transparent_squid 3128 "proxy proxy" inface eth0
nat to-destination 192.168.0.2 proto "tcp" dport "80" dst 100.100.100.100/32

interface "eth0" Internet
        protection strong
        server "ssh" accept
        server custom openvpn "tcp/1194 udp/1194" default accept
        client all accept

interface "eth1" LAN
        policy accept
        client all accept

router lan2internet inface "eth1" outface "eth0"
        client all accept
        route all accept
        masquerade

Your changes will only take effect when you reload the firewall configuration. To reload, execute this command:

/etc/init.d/firehol restart
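As an added example that is not part of the original article or the FireHOL project, the following POSIX shell script reads a firehol.conf and lists what it exposes: services accepted per interface (with the port list of a custom service), the default policy, traffic routed through a router block, transparent-proxy redirection and port forwards. It also flags a nat or transparent_squid directive placed after an interface definition, since both belong before them as described above. It serves both the custom-service and the NAT sections of this part; the function names and the constructed sample configuration (the one built up in this article) are the script's own.

```shell
#!/bin/sh
# Added example, not from the article or the FireHOL project: summarize what
# a firehol.conf exposes before it is reloaded. The sample configuration is
# the one built up in this article, embedded so the script runs offline.
set -eu

sample_conf() {
cat <<'EOF'
version 5
transparent_squid 3128 "proxy proxy" inface eth0
nat to-destination 192.168.0.2 proto "tcp" dport "80" dst 100.100.100.100/32

interface "eth0" Internet
        protection strong
        server "ssh" accept
        server custom openvpn "tcp/1194 udp/1194" default accept
        client all accept

interface "eth1" LAN
        policy accept
        client all accept

router lan2internet inface "eth1" outface "eth0"
        client all accept
        route all accept
        masquerade
EOF
}

# Reads a configuration (file argument, or stdin when none) and prints one
# line per finding:
#   proxy: port <p> on <iface>          transparent HTTP redirection
#   nat: <dst>:<port> -> <target>       a port forward into the LAN
#   <block>: server <name> <action>     a service offered on an interface
#   <block>: policy <action>            the default for unmatched traffic
#   <block>: route <what> <action>      traffic forwarded by a router block
#   order: <directive> after interface  a nat/transparent_squid directive
#                                       that must be moved before the interfaces
summarize_firehol() {
    awk '
        function unq(s) { gsub(/"/, "", s); return s }
        /^[[:space:]]*version[[:space:]]/ { next }
        /^[[:space:]]*transparent_squid[[:space:]]/ {
            iface = "all"
            for (i = 3; i < NF; i++) if ($i == "inface") iface = $(i + 1)
            print "proxy: port " $2 " on " iface
            if (seen_block) print "order: transparent_squid after interface"
            next
        }
        /^[[:space:]]*nat[[:space:]]+to-destination[[:space:]]/ {
            dst = "any"; port = "any"
            for (i = 4; i < NF; i++) {
                if ($i == "dst")   dst  = unq($(i + 1))
                if ($i == "dport") port = unq($(i + 1))
            }
            print "nat: " dst ":" port " -> " $3
            if (seen_block) print "order: nat after interface"
            next
        }
        /^[[:space:]]*(interface|router)[[:space:]]/ {
            seen_block = 1; block = unq($2); next
        }
        block != "" && /^[[:space:]]*server[[:space:]]/ {
            if ($2 == "custom") {
                # the port list is the first quoted string on the line
                match($0, /"[^"]*"/)
                print block ": server " $3 " (" substr($0, RSTART + 1, RLENGTH - 2) ") " $NF
            } else {
                print block ": server " unq($2) " " $NF
            }
            next
        }
        block != "" && /^[[:space:]]*policy[[:space:]]/ { print block ": policy " $2; next }
        block != "" && /^[[:space:]]*route[[:space:]]/  { print block ": route " unq($2) " " $NF; next }
    ' "${1:--}"
}

# With no argument, summarize the embedded sample; otherwise the given file.
if [ $# -eq 0 ]; then
    sample_conf | summarize_firehol
else
    summarize_firehol "$1"
fi
```

Reviewing this summary before running the restart is a cheap way to catch an accidentally exposed service or a forward pointing at the wrong host; to see the exact iptables commands FireHOL would generate from the file without applying them, `firehol debug` prints them.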

That is all for now. I hope you find this guide useful.