Recent changes to feature-requests

Use https://github.com/ktsaou/firehol/issues

Phil Whineray — Mon, 02 Mar 2015 07:44:29 -0000

Use https://github.com/ktsaou/firehol/issues for feature requests

Snort integration

Nutterpc — Sun, 13 Feb 2011 23:02:54 -0000

Hey hey all,
Just first off, been trying multiple firewalls out there, not really seen anything as easy to get up and running as this

AAAAAAAAnyways, onto the request

Is it going to be at all possible, or it may even be alrdy in firehol, i dont know, to integrate Snort with firehol?

Ive been wondering this for a while, as IMO, i think having snort integration with firehol would make it perfect

Let me know what you think

Nutterpc

Protection against multiple restarts

Anonymous — Tue, 16 Mar 2010 11:02:06 -0000

When multiple admins are editing a firehol config and run '/etc/init.d/firehol restart', they both get a bunch of errors about existing chains etc.
It would be nice to have a simple protection against this.

At the start, save the PID of the script and check if it already exists in the process table. If not, run a restart, else block the restart.

[man] list entries in alphabetical order

Jari Aalto — Tue, 17 Nov 2009 08:15:57 -0000

Cf. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=556575

Please list entries in the major section of manual page in
alphabetical order for easier reading and searching:

Subcommands
<alphabetical order>
Helper commands
<alphabetical order>
Optional Rule Parameters
<alphabetical order>
Actions
...etc
Optional Rule Parameters
...etc
Variables that control FireHOL
...etc
Variables that FireHOL offers
...etc

nmap -A -v: please list port in numeric order

Jari Aalto — Fri, 06 Nov 2009 18:56:52 -0000

Please list found ports in numeric order. This would be easier to inspect.

$ nmap -A -v

Discovered open port 80/tcp on 192.168.1.2
Discovered open port 111/tcp on 192.168.1.2
Discovered open port 139/tcp on 192.168.1.2
Discovered open port 445/tcp on 192.168.1.2
Discovered open port 22/tcp on 192.168.1.2
Discovered open port 21/tcp on 192.168.1.2
Discovered open port 993/tcp on 192.168.1.2
Discovered open port 443/tcp on 192.168.1.2
Discovered open port 143/tcp on 192.168.1.2
Discovered open port 2401/tcp on 192.168.1.2
Discovered open port 2222/tcp on 192.168.1.2
Discovered open port 3690/tcp on 192.168.1.2
Discovered open port 8001/tcp on 192.168.1.2
Discovered open port 2049/tcp on 192.168.1.2

Starting firehol with unreachable host

LeonB — Sun, 29 Jun 2008 21:48:57 -0000

I'm running firehol on a couple of servers and it's really nice! I have a fairly big onfig file with 30 or so hosts. But sometimes a host isn't reachable. Then when I restart firehol it fails with an error. For example:

--------------------------------------------------------------------------------
ERROR : # 12.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_ssh_c13 -p tcp -s www.crmexcellence.nl --sport 22 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :

I thought about making a wrapper script that checks the hosts, but it would be nice if firehol did this.

Support for SANE scanner service

JoJo — Tue, 19 Feb 2008 15:15:35 -0000

Hi Kostas,

please could you add support for the SANE sevice used to connect to remote flatbed scanners via LAN?

The protocol listens to tcp/6566 and a port above 1024, much like FTP. Latest releases of Linux include a connection tracking helper module named NF_CONNTRACK_SANE, thus support should be a breeze to add in the next release.

Thanks,

Stefano

IPSEC + L2TP

Stefano — Thu, 16 Aug 2007 09:05:07 -0000

Hello!
Sorry for my bad english!
For IPSec VPN i need to add

# for IPSec NAT-Traversal
server_natt_ports="udp/4500"
client_natt_ports="any"
(more routers they apply port address translation)
#L2TP
server_l2tp_ports="udp/1701"
client_l2tp_ports="any"
(Windows 98, Mac OSX use random client port :
XP use fixed client port 1701 )

to firehol.conf
and change

client_isakmp_ports="500"

client_isakmp_ports="any"
(more router they apply port address translation)

in firehol.sh.

Is it possible include these in firehol.sh ?

Thanks!

Stefano

P.S.: sorry for repost. But "feature requests" is more adapted.

Protection Rule

fireholuser — Sun, 12 Aug 2007 20:37:28 -0000

Hi,

I see that protection rules are applied in such a way that INVALID packets are dropped even before them being identified as bad-packets (xmas, NULL,etc).

Shouldn't the bad-packets being tracked before?

Therefore, INVALID chain should appear at the bottom.

i.e. after "fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad"

Please correct me if I'm wrong?

With the current default firehol settings, I see no hits on chains for malformed-* packets.

Thanks in advance.

fiu.

IPtables -Bad packets

fireholuser — Sun, 12 Aug 2007 20:27:27 -0000

Hi,

Shouldn't tcp flags be "FIN,PSH,URG FIN,PSH,URG" instead of "ALL ALL" ?

#######

malformed-xmas|MALFORMED-XMAS)
local mychain="${pre}_${work_name}_malxmas"
create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL" || return 1

#######