/usr/share/doc/firehol/html/invoking.html is in firehol 1.297-1.
This file is owned by root:root, with mode 0o644.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<link rel="stylesheet" type="text/css" href="css.css">
<TITLE>FireHOL, How to start FireHOL.</TITLE>
<meta name="author" content="Costa Tsaousis">
<meta name="description" content="
Home for FireHOL, an iptables stateful packet filtering firewall builder for Linux (kernel 2.4),
supporting NAT, SNAT, DNAT, REDIRECT, MASQUERADE, DMZ, dual-homed, multi-homed and router setups,
protecting and securing hosts and LANs in all kinds of topologies. Configuration is done using
simple client and server statements while it can detect (and produce) its configuration
automatically. FireHOL is extremely easy to understand, configure and audit.
">
<meta name="keywords" content="iptables, netfilter, filter, firewall, stateful, port, secure, security, NAT, DMZ, DNAT, DSL, SNAT, redirect, router, rule, rules, automated, bash, block, builder, cable, complex, configuration, dual-homed, easy, easy configuration, example, fast, features, flexible, forward, free, gpl, helpme mode, human, intuitive, language, linux, masquerade, modem, multi-homed, open source, packet, panic mode, protect, script, service, system administration, wizard">
<meta http-equiv="Expires" content="Wed, 19 Mar 2003 00:00:01 GMT">
</HEAD>
<BODY bgcolor="#FFFFFF">
FireHOL has been designed to be a startup service. As such, FireHOL accepts all the command line arguments
of /etc/init.d/iptables plus a few more. Below is a list of the currently supported command line arguments:
<p>
<center>
<table border=0 cellpadding=3 cellspacing=5 width="70%">
<tr><th bgcolor="#000000"><font color="white">Parameter</font></th><th bgcolor="#000000"><font color="white">Description</font></th></tr>
<tr> <td valign=top><b>start</b></td>
<td> Activates the firewall configuration.
<br>The configuration is expected to be found in <b>/etc/firehol/firehol.conf</b>
</td>
</tr>
<tr> <td valign=top bgcolor="#EEEEEE"><b>try</b></td>
<td bgcolor="#EEEEEE"> Activates the firewall, but waits until
the user types the word <b>commit</b>. If this word
is not typed within 30 seconds, the previous
firewall is restored.
</td>
</tr>
<tr> <td valign=top><b>stop</b></td>
<td> Stops a running iptables firewall.
This will allow all traffic to pass unchecked.
</td>
</tr>
<tr> <td valign=top bgcolor="#EEEEEE"><b>restart</b></td>
<td bgcolor="#EEEEEE"> This is an alias for <b>start</b> and is given for
compatibility with <b>/etc/init.d/iptables</b>.
</td>
</tr>
<tr> <td valign=top><b>condrestart</b></td>
<td> Starts the FireHOL firewall only if it is not
already active. It does not detect a modified
configuration file; it only verifies that FireHOL has been started
in the past and not stopped since.
</td>
</tr>
<tr> <td valign=top bgcolor="#EEEEEE"><b>status</b></td>
<td bgcolor="#EEEEEE"> Shows the running firewall, as in
<b>/sbin/iptables -nxvL | less</b>
</td>
</tr>
<tr> <td valign=top><b>panic</b></td>
<td> Removes all rules from the running firewall and then DROPs all
traffic on all iptables tables (mangle, nat, filter) and pre-defined chains
(PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING), thus blocking all IP
communication. DROPing is not done by changing the default policy to DROP, but
by adding just one rule per table/chain to drop all traffic, because the default
iptables scripts supplied by many systems (including RedHat 8) do not reset
all the chains to ACCEPT when starting (FireHOL resets them correctly).
<p>
When activating panic mode, FireHOL checks for the existence of the SSH_CLIENT shell
environment variable (set by SSH). If it finds it, panic mode will allow the established
SSH connection specified in this variable to operate. Notice that for this
to work, you should use <b>su</b> without the minus (-) sign, since <b>su -</b>
overwrites the shell variables and therefore the SSH_CLIENT variable is lost.
<p>
Alternatively, after the <b>panic</b> argument you can specify an IP address,
in which case all <u>established</u> connections between this IP address and the host
in panic will be allowed.
</td>
</tr>
<tr> <td valign=top bgcolor="#EEEEEE"><b>save</b></td>
<td bgcolor="#EEEEEE"> Starts the firewall and then saves it using
<b>/sbin/iptables-save</b> to <b>/etc/sysconfig/iptables</b>.
<p>
Since v1.64, this is not implemented using <b>/etc/init.d/iptables save</b>
because there is a bug in some versions of iptables-save that save
invalid commands
(<b>! --uid-owner A</b> is saved as <b>--uid-owner !A</b>) which
cannot be restored. FireHOL fixes this problem (by saving it, and
then replacing <b>--uid-owner !</b> with <b>! --uid-owner </b>).
<p>
Note that not all FireHOL firewalls will work if
restored with: <b>/etc/init.d/iptables start</b>
because FireHOL handles kernel modules and might have queried
RPC servers (used by the NFS service) before starting the firewall.
Also, FireHOL automatically checks current kernel configuration for
client ports range. If you restore a firewall using the iptables service
your firewall may not work as expected.
<p>
Since v1.258 FireHOL also saves the required kernel modules in an
executable shell script in /var/spool/firehol/last_save_modules.sh.
This script can be called during boot to restore the required kernel
modules for the firewall saved using this command.
</td>
</tr>
<tr> <td valign=top><b>debug</b></td>
<td> Parses the configuration file but instead of
activating it, it shows the generated iptables
statements.
</td>
</tr>
<tr> <td valign=top bgcolor="#EEEEEE"><b>explain</b></td>
<td bgcolor="#EEEEEE"> Enters an interactive mode where it accepts normal configuration commands
and presents the generated iptables commands for each of them, together
with some reasoning about their purpose. Additionally, it automatically generates
a configuration script based on the successful commands given.
<p>
In this interactive mode, FireHOL has the following special commands:
<ul>
<li><b>help</b> to present some help</li>
<li><b>show</b> to present the generated FireHOL configuration</li>
<li><b>quit</b> to exit interactive mode and quit FireHOL</li>
</ul>
</td>
</tr>
<tr> <td valign=top><b>helpme</b></td>
<td> Tries to guess the FireHOL configuration needed for the current machine.
<br>
FireHOL will not stop or alter the running firewall. The configuration
file is given in the standard output of FireHOL, thus
<p>
<b>/etc/init.d/firehol helpme >/tmp/firehol.conf</b>
<p>
will produce the output in /tmp/firehol.conf.
<p>
The generated FireHOL configuration <b>should</b> and <b>must</b> be edited
before being used on your systems. You are required to make many decisions, and the
comments in the generated file will guide you through many of them.
</td>
</tr>
<tr> <td valign=top bgcolor="#EEEEEE"><b>&lt;a filename&gt;</b></td>
<td bgcolor="#EEEEEE"> Uses a different configuration file.
If no other argument is given, the configuration
file will be "tried" (the default is <b>try</b>).
Otherwise the argument following the filename can
be one of <b>start</b>, <b>debug</b>, <b>try</b>.
</td>
</tr>
<tr> <td valign=top>&lt;nothing&gt;</td>
<td>Presents help about FireHOL usage.</td>
</tr>
</table>
</center>
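<p>
Added example, not FireHOL's own code: a shell sketch of the command list a <b>panic</b> run has to apply, with the surviving peer taken from an explicit address or from SSH_CLIENT as described in the table. It prints the commands instead of running iptables so the result can be reviewed offline; the per-table chain layout and the use of the <b>state</b> match are assumptions.

```sh
#!/bin/sh
# Added example, not FireHOL's own code: prints the command list a "panic"
# run has to apply, as the text describes it, instead of running iptables,
# so the result can be reviewed offline. Chain layout per table is an
# assumption (standard iptables, mangle with all five chains).
chains_of() {
  case "$1" in
    filter) echo "INPUT FORWARD OUTPUT" ;;
    nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
    mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
  esac
}

# Address whose established connections survive: an explicit argument wins,
# otherwise the first field of SSH_CLIENT ("client_ip client_port server_port").
# After "su -" the variable is gone and nothing is kept, as the text warns.
panic_peer() {
  if [ -n "$1" ]; then echo "$1"
  elif [ -n "$SSH_CLIENT" ]; then echo "${SSH_CLIENT%% *}"
  fi
}

# Flush every table, keep ESTABLISHED packets to and from the peer, then add
# one trailing DROP per table/chain; default policies are left untouched.
# nat gets no ACCEPT rule: it only sees the first packet of a connection,
# so packets of an already established session never traverse it.
panic_rules() {
  peer=$(panic_peer "$1")
  for t in filter nat mangle; do
    echo "iptables -t $t -F"
    echo "iptables -t $t -X"
    for c in $(chains_of "$t"); do
      if [ -n "$peer" ] && [ "$t" != nat ]; then
        case "$c" in
          INPUT|PREROUTING)   echo "iptables -t $t -A $c -s $peer -m state --state ESTABLISHED -j ACCEPT" ;;
          OUTPUT|POSTROUTING) echo "iptables -t $t -A $c -d $peer -m state --state ESTABLISHED -j ACCEPT" ;;
        esac
      fi
      echo "iptables -t $t -A $c -j DROP"
    done
  done
}
```

Running <b>panic_rules</b> with no argument in an SSH session prints the rule set that keeps that session alive; <b>panic_rules 198.51.100.9</b> keeps established connections with that address instead.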
<p>
Since version 1.45 of FireHOL, configuration files can accept command line arguments. These command line
arguments are given to FireHOL, which passes them on to the configuration file.
All the above FireHOL parameters support this feature. To activate it, add a double dash (--) as a
command line argument to FireHOL and then give the parameters to be passed to the configuration file.
<p>
<table border=0 cellpadding=10 cellspacing=0 width="100%">
<tr><td bgcolor="#EEEEEE"><b>What happens when FireHOL runs?</b></td></tr></table>
<br>
FireHOL is a <a href="http://www.gnu.org/software/bash/bash.html">BASH</a> script.
To run its configuration file, FireHOL
first defines a set of functions and variables and then it "sources"
(runs inline) its configuration file to be executed by <a href="http://www.gnu.org/software/bash/bash.html">BASH</a>.</p>
<p>
The keywords <b>interface</b>, <b>client</b>, <b>server</b>, <b>
router</b>, etc. are all <a href="http://www.gnu.org/software/bash/bash.html">BASH</a> functions that are executed by <a href="http://www.gnu.org/software/bash/bash.html">BASH</a> when
and if they appear in the configuration file. Through shared variables
these functions keep some state information that allows them to know,
for example, that a <b>client</b> command appears within an <b>interface</b>
and not within a <b>router</b>, and that the name given to an <b>
interface</b> has not been used before.
<p>
Instead of running iptables commands directly, each of these
functions (i.e. FireHOL) just writes the generated iptables commands to
a temporary file. This is done to prevent altering a running firewall
before ensuring that the syntax of the configuration file is correct.
So, a complete run of the configuration file actually produces all the
iptables commands for the firewall, written to a temporary file
(script). Even the <b>iptables</b> commands given within the
configuration file use the same concept (they just generate iptables
commands in this script).
<p>
Finally, this script (the generated iptables commands) has to be run,
but before doing so, FireHOL saves the running firewall to another
temporary file. The saved firewall will be automatically restored if
any of the generated iptables commands produces an error.
Such an error
is possible when, for example, you specify an invalid IP address or
hostname, or an invalid argument to some parameter that gets passed to
iptables as-is.
<p>
It is important to understand that <b>during the run of the generated
iptables script (including the possible restoration of the old
firewall), FireHOL allows all traffic to reach its destination</b>. This
has been done to prevent a possible lock-out situation where you are
SSHing to the server to alter its firewall, and suddenly you lose the
connection (although this can still happen if your new firewall doesn't
allow the connection).
<p>
If no error has been seen, FireHOL deletes all temporary files
generated and exits.
<p>
In case there was an error, FireHOL will do its best to restore
your previous firewall and will present you with details about the error and
its line number in the original configuration file.
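<p>
Added example, not FireHOL's own code, of the mechanism just described and of the double-dash argument passing introduced above the table: configuration keywords only append iptables commands to a generated script, the running rules are saved, the script is applied, and the first failing command restores the saved rules. The <b>allow_from</b> keyword and the stand-in <b>iptables</b> function are hypothetical, so that the script runs offline.

```sh
#!/bin/sh
# Added example, not FireHOL's own code: a model of the run described above.
# Keywords append iptables commands to a generated script; the running
# firewall is saved before that script runs; the first failing command
# restores it. "iptables" here is a stand-in (assumption) that records each
# accepted command in $LIVE and rejects a malformed address.
LIVE=$(mktemp)                      # the "running firewall" (constructed)

iptables() {
  case " $* " in
    *" -s "*) all="$*"; a=${all#* -s }; a=${a%% *}
      echo "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "iptables: bad address '$a'" >&2; return 2; } ;;
  esac
  echo "$*" >>"$LIVE"
}

# Hypothetical keyword for the configuration file. Like FireHOL's own
# interface/client/server functions it does not run iptables: it writes
# the command into the generated script.
allow_from() { echo "iptables -A INPUT -s $1 -p tcp --dport $2 -j ACCEPT" >>"$SCRIPT"; }

# Constructed sample configuration; $1 is whatever followed "--".
sample_conf() {
  cat >"$1" <<'EOF'
allow_from "${1:-192.0.2.10}" 22
allow_from 192.0.2.20 80
EOF
}

# run_config FILE [-- ARG...]: returns 0 with the new rules live, or
# restores the saved rules and returns 1 naming the failing command.
run_config() {
  SCRIPT=$(mktemp) SAVED=$(mktemp)
  conf=$1; shift; [ "$1" = "--" ] && shift
  . "$conf" || return 1             # the sourced file sees ARG... as $1, $2, ...
  cp "$LIVE" "$SAVED"               # iptables-save step
  : >"$LIVE"                        # traffic is unfiltered from here on
  n=0
  while read -r line; do
    n=$((n + 1))
    eval "$line" && continue
    cp "$SAVED" "$LIVE"             # iptables-restore step
    echo "error in generated command $n: $line" >&2
    rm -f "$SCRIPT" "$SAVED"; return 1
  done <"$SCRIPT"
  rm -f "$SCRIPT" "$SAVED"
}
```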
<p>
<hr noshade size=1>
<table border=0 width="100%">
<tr><td align=center valign=middle>
</td><td align=center valign=middle>
<small>$Id: invoking.html,v 1.20 2007/07/20 21:16:59 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
© Copyright 2004
Costa Tsaousis <a href="mailto:costa@tsaousis.gr">&lt;costa@tsaousis.gr&gt;</a>
</td></tr></table>
</body>
</html>