[HowTO] Create a simple firewall for your PC using Firehol

Article taken from our Forum, posted by user Yukiteru.

Hello everyone, well here I bring you a small and simple tutorial to create a *firewall* using a simple program called **Firehol**.

The reason for this is to provide our computers with a little more security in our Internet connections, which never hurts.

What is Firehol?

But first, what is Firehol?

> Firehol is a small application that helps us manage the firewall built into the kernel and its iptables tool. Firehol has no graphical interface; all configuration is done through text files, but despite this the configuration remains simple for novice users and powerful for those looking for advanced options. All that Firehol does is simplify the creation of iptables rules as much as possible and enable a good firewall for our system.

With that introduction to what Firehol is and does, let's get into how to install it on our systems.

Installing Firehol on Debian and derivatives

We open a terminal and put:

`sudo apt-get install firehol`

How to set up Firehol

Once firehol is installed, we proceed to open the firehol configuration file, located at */etc/firehol/firehol.conf*; for this we can use the text editor of your choice (gedit, medit, leafpad):

`sudo nano /etc/firehol/firehol.conf`

Once there, we can proceed to place the following content:

```
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be sent through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

version 5

# Define a firehol interface named "world" that matches any network interface
interface any world
    # Access policy DROP, that is, reject all incoming packets
    policy drop

    # All active protection policies; helps to avoid attacks such as SYN flood, ARP poison, among others
    protection all

    # Server policies, services that will work (Web, Mail, MSN, IRC, Jabber, P2P)
    # Only for servers; if you want to modify or create new services, associated ports and protocols,
    # read the firehol manual.
    #server "http https" accept
    #server "imap imaps" accept
    #server "pop3 pop3s" accept
    #server "smtp smtps" accept
    #server irc accept
    #server jabber accept
    #server msn accept
    #server p2p accept

    # Client policies, all outgoing traffic is accepted
    client all accept
```

This simple configuration is more than enough for basic protection of our computers, so we save it and exit the text editor.

Now we have to make firehol start automatically on each boot, and for this we go to the file */etc/default/firehol*, where we will change a line to the following:

`START_FIREHOL=yes`

We save the changes to the file, and now we execute:

`sudo /sbin/firehol start`

Ready! With this, firehol is now running and has created the necessary firewall rules; to confirm that this is the case, just run:

`sudo iptables -L`
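Before starting the firewall it is worth confirming that the configuration still says what you think it says. The following shell script is an added example (not from the original post or from the FireHOL project): it checks a config text for the directives this tutorial relies on and lists every `server` line that is not commented out, that is, every inbound service the firewall will expose. The sample config embedded in it is constructed for the demo and does not read /etc/firehol.

```shell
#!/bin/sh
# Constructed sample config in the style of the tutorial; one service
# (imap/imaps) is deliberately left enabled so the report has something to show.
SAMPLE_CONF='version 5
interface any world
    policy drop
    protection all
    #server "http https" accept
    server "imap imaps" accept
    client all accept
'

# Drop comments and blank lines, strip leading/trailing whitespace.
normalize() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# $1 = config text, $2 = exact directive expected after normalization
has_directive() {
    printf '%s\n' "$1" | normalize | grep -qx "$2"
}

# Print the server lines that are active (not commented out) in $1.
exposed_services() {
    printf '%s\n' "$1" | normalize | grep '^server ' || true
}

# Report on the directives the tutorial depends on; returns 1 if any is missing.
check_conf() {
    conf=$1
    rc=0
    for want in 'version 5' 'policy drop' 'protection all' 'client all accept'; do
        if has_directive "$conf" "$want"; then
            echo "ok:      $want"
        else
            echo "MISSING: $want"
            rc=1
        fi
    done
    n=$(printf '%s\n' "$conf" | normalize | grep -c '^server ' || true)
    echo "inbound services enabled: $n"
    exposed_services "$conf" | sed 's/^/  /'
    return $rc
}

check_conf "$SAMPLE_CONF"
```

To audit the real file, replace the embedded text with `$(cat /etc/firehol/firehol.conf)`; a missing line or an unexpected enabled service should be fixed before `firehol start`.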

For the paranoid, you can go to the ShieldsUP! page and test your new firewall; it is sure to pass the test.

I hope it helps.



  1.   nofeel said

    Excellent tutorial, simple and effective. One question: where can I see who tried to access or make a request to my computer, having firehol installed?

  2.   zetaka01 said

    Sorry, but that's worse than editing iptables.
    I understand the good intention but it is rubbish.
    Greetings from the paranoid.

    1.    zetaka01 said

      Aside from you being an iptables developer, which I would appreciate. A small graphical environment would not be bad. Although it is crappy as in python.
      Thank you, sorry and best regards.

      1.    sinnermann said

        WE DO NOT WANT INSULTS, SPAM OR BAD MILK IN THIS BLOG !!!!
        NO MORE!!!
        Weren't they filtering the comments?

      2.    elav said

        @sinnerman calm, in principle @zetaka01's comment has not offended me, and I don't think it offends the original author of the post either. You have the right to express your opinion, even if you do not share it. If it really offends in any way, your comment will go to /dev/null. 😉

      3.    mario said

        I do not find the comment bad milk. In RedHat I have seen that these interfaces exist. It is not that difficult to learn iptables, reading this blog a bit you will find scripts.

    2.    yukiteru said

      Worse than editing iptables? Well if that's what you think, I respect it. But I think it is undoubtedly better to write:

      `server "http https" accept`

      and have ports 80 and 443 open to be able to use Apache or any other web server, than having to write:

      `iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT`
      `iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT`

      And even if you have the ports changed, it is just as easy to do the configuration in Firehol to make those changes.

      1.    Hugo said

        Ah but with iptables you have much more flexibility. If what you want is something graphic for a client, you could use something like firestarter.

      2.    yukiteru said

        @Hugo with firehol you don't lose any of the iptables options, since at this moment it offers full support to all the iptables options, including IPv6.

        Regarding flexibility, Firehol is very complete in this area, allowing NAT, DNAT, definition of explicit rules for each interface in the system, specific filtering of ports by IP and MAC addresses; it allows you to do QoS, establish a DMZ, transparent cache, clear traffic classification, and even manipulate the total traffic of the different connections you have.

        In a nutshell: Firehol is powerful, and it certainly lacks an interface, but it is mostly aimed at the server sector, where X is not necessary, or at advanced users who do not want to carry a graphical firewall.

  3.   yukiteru said

    For those who use Debian Jessie, the beloved/hated systemd takes over starting the firehol script properly (sometimes it takes a whopping 30 seconds just to start the firewall), so I recommend deactivating the daemon with `systemctl disable firehol`, installing the iptables-persistent package, and saving the firewall configuration using that method.

  4.   who said

    Excellent post ... Elav, the guide is valid for Ubuntu derivatives? A post from FIREWALL (PF) for the FreeBSD system that is also textual would be good.

    1.    elav said

      Firehol works on Debian and derivatives perfectly.