Firewalls with FireHOL

If you have a computer connected to the internet, eg. a server/VPS in some hosting company, you are receiving lots of attacks from randos on the internet. It’s a very good idea to have a firewall because chances are that at some point someone will reach your server with an exploit that you haven’t had time to patch yet. Like, it’s a matter of when and not if. But, what if you aren’t really the sysadmin type and you have no idea about iptables or any of those incantations needed to protect yourself? Don’t fret, because FireHOL has you covered.


On Debian (and probably Ubuntu?), you can install it by typing:

sudo apt install firehol && \
    sudo systemctl stop firehol && \
    sudo systemctl disable firehol

The systemctl calls are VERY IMPORTANT because of a current bug in the package, which will leave your server inaccessible! After it’s installed (and disabled), add server all accept to the default config file /etc/firehol/firehol.conf so that it ends up like this (skipping the initial comment block):

version 6

# Accept all client traffic on any interface
interface any world
    client all accept
    server all accept

At this point you can set START_FIREHOL=YES in /etc/default/firehol, and then run:

sudo systemctl enable firehol && sudo systemctl start firehol

That will give you a running FireHOL that won’t filter anything. So, same as you had before you even installed FireHOL. But at least now you can start…

Defining rules

There are two kinds of things you will want to block with FireHOL: ports/services, and IPs. The first is very easy. The second is not too hard but you need to learn a thing or two to make it sustainable (ie. use lists maintained by others).

Blocking ports

More than blocking ports, you specify which ports/services you want open, and everything else is closed by default. Instead of saying server all accept, you put lines like this in its place:

server http  accept
server https accept
server ssh   accept

Maintaining IP lists

The easiest way to filter bad IPs (malware, spammers, etc.) is to download IP lists and blacklist them from the FireHOL configuration. There’s a tool called update-ipsets (available in the firehol-tools package in Debian) that you can use to download them. You can run update-ipsets to see the available lists (and update them, if enough time has passed) and update-ipsets enable <listname> to enable them. For example, you can run this command to enable the spamhaus_drop and spamhaus_edrop IP lists:

sudo update-ipsets enable spamhaus_drop spamhaus_edrop && \
    sudo update-ipsets

This will download the lists under /etc/firehol/ipsets. Once they are there, you can add these lines to your configuration file (before the interface definitions) to block incoming connections from any of the IPs and networks mentioned by the lists above:

ipv4 ipset create badnets hash:net
for list in spamhaus_drop spamhaus_edrop; do
    ipv4 ipset addfile badnets ipsets/$list.netset
ipv4 blacklist ipset:badnets


Trying your changes

You can use the firehol try command to try changes: it will automatically revert in 30 seconds unless you type commit in a terminal.

Keeping your logs clean

By default, FireHOL will send log data (including every single dropped connection!) to syslog. If you want to keep your syslog clean and send FireHOL logs to a different file, you can do the following:

  1. Install the firehol-doc package with sudo apt install firehol-doc.
  2. Add FIREHOL_LOG_PREFIX=FireHOL: at the top of /etc/firehol/firehol.conf.
  3. Use the provided example files (see below).

To use the example rsyslog configuration and the example logrotate configuration, run the following commands (the latter is so that the FireHOL log files don’t grow forever):

sudo cp /usr/share/doc/firehol/examples/rsyslog/rsyslog_d-firehol.conf \
sudo cp /usr/share/doc/firehol/examples/rsyslog/logrotate_d-firehol \

Once you follow these steps you will have the FireHOL logs under /var/log/firehol.


FireHOL is a great tool to make firewalls easily without having to learn arcane syntax or command-line options. Even if you don’t have advanced sysadmin knowledge, it’s easy to get started and secure your servers. I hope this little guide was useful!