Posts Tagged “firehol”
Apr 7, 2020
If you have a computer connected to the internet, e.g. a server/VPS in some hosting company, you are receiving lots of attacks from randos on the internet. It’s a very good idea to have a firewall because chances are that at some point someone will reach your server with an exploit that you haven’t had time to patch yet. Like, it’s a matter of when and not if. But, what if you aren’t really the sysadmin type and you have no idea about iptables or any of those incantations needed to protect yourself? Don’t fret, because FireHOL has you covered.
On Debian (and probably Ubuntu?), you can install it by typing:
```
sudo apt install firehol && \
  sudo systemctl stop firehol && \
  sudo systemctl disable firehol
```
The `systemctl` calls are VERY IMPORTANT because of a current bug in the package, which will otherwise leave your server inaccessible! After it’s installed (and disabled), add `server all accept` to the default config file `/etc/firehol/firehol.conf` so that it ends up like this (skipping the initial comment block):
```
version 6

# Accept all client traffic on any interface
interface any world
    client all accept
    server all accept
```
At this point you can set `/etc/default/firehol`, and then run:
```
sudo systemctl enable firehol && sudo systemctl start firehol
```
That will give you a running FireHOL that won’t filter anything. So, same as you had before you even installed FireHOL. But at least now you can start…
There are two kinds of things you will want to block with FireHOL: ports/services, and IPs. The first is very easy. The second is not too hard, but you need to learn a thing or two to make it sustainable (i.e. use lists maintained by others).
Rather than blocking ports, you specify which ports/services you want open, and everything else is closed by default. Instead of saying `server all accept`, you put lines like this in its place:

```
server http accept
server https accept
server ssh accept
```
Maintaining IP lists
The easiest way to filter bad IPs (malware, spammers, etc.) is to download IP lists and blacklist them from the FireHOL configuration. There’s a tool called `update-ipsets` (available in the `firehol-tools` package in Debian) that you can use to download them. You can run `update-ipsets` to see the available lists (and update them, if enough time has passed) and `update-ipsets enable <listname>` to enable them. For example, you can run this command to enable the

```
sudo update-ipsets enable spamhaus_drop spamhaus_edrop && \
  sudo update-ipsets
```
This will download the lists under `/etc/firehol/ipsets`. Once they are there, you can add these lines to your configuration file (before the `interface` definitions) to block incoming connections from any of the IPs and networks mentioned by the lists above:

```
ipv4 ipset create badnets hash:net
for list in spamhaus_drop spamhaus_edrop; do
    ipv4 ipset addfile badnets ipsets/$list.netset
done
ipv4 blacklist ipset:badnets
```
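To see what the `ipset addfile` lines above actually load, here is an added Python example (not part of the original post or of FireHOL itself) that parses netset-style files and checks whether a given address would be caught by the resulting `badnets` set. The two sample lists are constructed from documentation address ranges and are not the real Spamhaus data; the file format (comment lines starting with `#`, one address or CIDR per line) is the one `update-ipsets` writes.

```python
import ipaddress

# Constructed sample .netset files (NOT the real Spamhaus lists): '#' comment
# lines, then one IPv4 address or CIDR network per line.
SAMPLE_NETSETS = {
    "spamhaus_drop": """\
# spamhaus_drop (constructed sample, not the real list)
#
192.0.2.0/24
198.51.100.0/25
203.0.113.7
""",
    "spamhaus_edrop": """\
# spamhaus_edrop (constructed sample)
198.51.100.128/25
""",
}


def parse_netset(text):
    """Parse netset text into a list of ipaddress.IPv4Network objects.

    Comments and blank lines are skipped and a bare address becomes a /32,
    which is what a hash:net ipset ends up holding for it. A malformed line
    raises ValueError with its line number instead of being silently dropped.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def build_badnets(netsets):
    """Merge several lists into one set, collapsing adjacent/overlapping nets."""
    nets = []
    for text in netsets.values():
        nets.extend(parse_netset(text))
    return sorted(ipaddress.collapse_addresses(nets))


def is_blacklisted(addr, badnets):
    """True when addr falls inside any network of the merged set."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in badnets)


def main():
    badnets = build_badnets(SAMPLE_NETSETS)
    print("merged set:", [str(n) for n in badnets])
    for addr in ("192.0.2.10", "198.51.100.200", "203.0.113.7", "203.0.113.8"):
        verdict = "blocked" if is_blacklisted(addr, badnets) else "allowed"
        print(f"{addr:16} {verdict}")


if __name__ == "__main__":
    main()
```

Note that the two /25 halves of 198.51.100.0 from different lists collapse into a single /24, which is also why a real deployment wants the lists refreshed regularly with `update-ipsets`: entries move and expire, and a stale set keeps blocking addresses that were reassigned.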
Trying your changes
You can use the `firehol try` command to try changes: it will automatically revert in 30 seconds unless you type `commit` in a terminal.
Keeping your logs clean
By default, FireHOL will send log data (including every single dropped connection!) to syslog. If you want to keep your syslog clean and send FireHOL logs to a different file, you can do the following:
- Install the `firehol-doc` package: `sudo apt install firehol-doc`.
- Set `FIREHOL_LOG_PREFIX=FireHOL:` at the top of your FireHOL configuration file.
- Use the provided example files (see below).
To use the example rsyslog configuration and the example logrotate configuration, run the following commands (the latter is so that the FireHOL log files don’t grow forever):
```
sudo cp /usr/share/doc/firehol/examples/rsyslog/rsyslog_d-firehol.conf \
  /etc/rsyslog.d/firehol.conf
sudo cp /usr/share/doc/firehol/examples/rsyslog/logrotate_d-firehol \
  /etc/logrotate.d/firehol
```
Once you follow these steps you will have the FireHOL logs under
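Since FireHOL logs every dropped connection, the separate log file is also a cheap source of triage data. The following is an added Python example (not from the original post or from FireHOL) that parses lines carrying the `FireHOL:` prefix set above and counts drops per source address and per destination port. The sample lines are constructed; the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields follow the netfilter LOG target format, while the exact text between the prefix and `IN=` is an assumption and may differ on a real system, which is why the parser keys off the prefix and then reads only `KEY=value` tokens.

```python
import re
from collections import Counter

LOG_PREFIX = "FireHOL:"  # matches FIREHOL_LOG_PREFIX from the config

# Constructed sample syslog lines, not real logs. One non-FireHOL line is
# included to show that it is ignored.
SAMPLE_LOG = """\
Apr  7 10:15:01 vps kernel: FireHOL: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN
Apr  7 10:15:02 vps kernel: FireHOL: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 PROTO=TCP SPT=51235 DPT=23 SYN
Apr  7 10:15:03 vps kernel: FireHOL: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=112 PROTO=TCP SPT=40000 DPT=22 SYN
Apr  7 10:15:04 vps kernel: FireHOL: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=76 TTL=112 PROTO=UDP SPT=5060 DPT=5060
Apr  7 10:15:05 vps sshd[1234]: Accepted publickey for admin from 198.51.100.9 port 50022 ssh2
Apr  7 10:15:06 vps kernel: FireHOL: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 PROTO=TCP SPT=51236 DPT=3389 SYN
"""

# netfilter LOG fields look like KEY=value; flag words such as SYN have no '='.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_firehol_line(line):
    """Return the KEY=value fields of one FireHOL log line, or None if the
    line does not carry the FireHOL prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(KV_RE.findall(line[idx + len(LOG_PREFIX):]))


def summarize(text):
    """Count logged (dropped) packets per source IP and per (proto, dport)."""
    by_src = Counter()
    by_port = Counter()
    for line in text.splitlines():
        fields = parse_firehol_line(line)
        if not fields or "SRC" not in fields:
            continue
        by_src[fields["SRC"]] += 1
        by_port[(fields.get("PROTO", "?"), fields.get("DPT", "?"))] += 1
    return by_src, by_port


def noisy_sources(by_src, threshold):
    """Sources that hit the firewall at least `threshold` times, busiest first.

    These are candidates to compare against the ipset blocklists: a source
    that is not yet in any list but keeps probing is worth a closer look.
    """
    return [(src, n) for src, n in by_src.most_common() if n >= threshold]


def main():
    by_src, by_port = summarize(SAMPLE_LOG)
    print("drops per source:")
    for src, n in by_src.most_common():
        print(f"  {src:16} {n}")
    print("drops per (proto, dport):")
    for (proto, dport), n in by_port.most_common():
        print(f"  {proto}/{dport:6} {n}")
    print("noisy (>= 3):", noisy_sources(by_src, 3))


if __name__ == "__main__":
    main()
```

On a real system you would feed it the FireHOL log file that the rsyslog example configuration creates instead of `SAMPLE_LOG`; the counters are what you would typically turn into a daily report or a threshold alert.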
FireHOL is a great tool to make firewalls easily without having to learn arcane syntax or command-line options. Even if you don’t have advanced sysadmin knowledge, it’s easy to get started and secure your servers. I hope this little guide was useful!