firehol's Introduction

FireHOL

http://firehol.org/

FireHOL, an iptables stateful packet filtering firewall for humans!
FireQOS, a TC based bandwidth shaper for humans!

Git

These instructions are for people who are working with the git repository. There are more general instructions starting with Upgrade Notes.

Cloning Git Repository

The github firehol repository page lists URLs which can be used to clone the repository.

After cloning you should copy the git hooks, for style checking and more:

cp hooks/* .git/hooks

Building Git Repository

You need GNU autoconf and GNU automake to be able to run:

./autogen.sh
./configure --enable-maintainer-mode
make
make install

If you don't want to have to install pandoc you can instead choose to build without documentation or manpages:

./autogen.sh
./configure --disable-doc --disable-man
make
make install

Re-run autogen.sh whenever you change configure.ac or a Makefile.am

You can run the sbin/* scripts in-situ provided you have done the configure and make steps.

Upgrade Notes

From version 2.0.0-pre6, FireHOL adds combined IPv4/IPv6 support within a single configuration.

If you are upgrading FireHOL from a version earlier than 2.0.0-pre6, please read the upgrade notes.

Installation

If you are installing the package from a tar-files release, FireHOL uses the GNU Autotools so you can just do:

./configure
make
make install

To not have files appear under /usr/local, try something like:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install

If your O/S does not usually have a /usr/libexec, you may want to add --libexecdir=/usr/lib to the configure.

You can get help on the options available (including disabling unwanted components) by running:

./configure --help

From version 3.0.0 it is no longer recommended to install firehol by copying files, since a function library is now used, in addition to the scripts.

Getting Started

Configuration for FireHOL goes in /etc/firehol/firehol.conf
Configuration for FireQOS goes in /etc/firehol/fireqos.conf

In the examples directory, you can find examples for both programs.

To start the programs:

firehol start
fireqos start

For more details on the command-line options, see the man-pages:

man firehol
man fireqos

Read the tutorials on the website for more information and to learn how to configure the programs.
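A minimal /etc/firehol/firehol.conf, added here as an illustration and not taken from the FireHOL examples directory. The interface name eth0, and the choice of ssh and https as the only services this host offers, are assumptions; everything else is standard FireHOL syntax:

```firehol
version 6

# Constructed example: a single host with one public interface (assumed eth0).
# The goal is "deny by default": only the services named under server are
# reachable from outside, while the host itself may open any outbound
# connection.
interface eth0 world
    protection strong          # drop invalid, fragmented and scan-like packets
    policy drop                # anything not matched by a rule below is dropped

    server "ssh https" accept  # inbound: the two services we actually run
    client all accept          # outbound: connections initiated by this host
```

On a remote machine, activate it with firehol try instead of firehol start: try applies the configuration and reverts to the previous firewall unless you confirm within the timeout, so a typo that blocks port 22 does not lock you out.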

For detailed information on the configuration files, read the manual online, or start with the man-pages:

man firehol.conf
man fireqos.conf

You may want to ensure that FireHOL and FireQOS run at boot-time. If you installed from a distribution package this will be configured in the usual way.

For a tar-file installation, the binaries can often be linked directly into /etc/init.d, since their options are SysVInit compatible. Some example systemd service files can be found in the contrib folder.

Support and documentation

The main website is http://firehol.org/.

To ask questions please sign up to the mailing list.

Man pages, PDF and HTML documentation are provided as part of the package and can be found in the tarball or in your distribution's standard locations (e.g. /usr/share/doc). The latest manual is also online.

The site has a list of all services supported by FireHOL "out of the box" as well as information on adding new services.

License

Copyright (C) 2012-2017 Phil Whineray <[email protected]>
Copyright (C) 2002-2017 Costa Tsaousis <[email protected]>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

firehol's People

Contributors

5long, alonbl, andvgal, anewusername, bbcan177, carbenium, dombenson, droscy, dthree, epacke, glensc, henryne, jgmbenoit, ktsaou, lycano, michaelcoburn, philwhineray, rborer, rex4539, shepd-ci, sndrr, tycho, unki, wingunder

firehol's Issues

Help

I have a server with a public IP and a virtual machine (virtualbox). On the virtual machine I have a webserver with http on port 8080 and https 8443. I want to map the port 80 and 443 on the server to 8080 and 8443 on the virtual machine without opening the additional ports on the server (8080 and 8443).

I have a working configuration with additional port 8080 and 8443 on the server:

==============

# Firehol configuration 1

version 5

FIREHOL_LOG_PREFIX="firehol: "
FIREHOL_LOG_MODE="LOG"
FIREHOL_LOG_LEVEL=7
FIREHOL_LOG_FREQUENCY="1/second"
FIREHOL_LOG_BURST="5"
DEFAULT_INTERFACE_POLICY="DROP"

FIREHOL_DEBUGGING="Y"

# nat

nat redirect-to 8080 inface eth0 src any proto tcp dport 80
nat redirect-to 8443 inface eth0 src any proto tcp dport 443

# interfaces

interface eth0 internet
    protection strong
    policy drop

    server custom nginx "tcp/8080" default accept
    server custom nginx-ssl "tcp/8443" default accept
    server ssh accept

    client "http https ssh dns" accept

interface lo local
    policy accept
    server all accept
    client all accept

interface vboxnet+ vbox
    policy accept
    server all accept
    client all accept
==============

I tried this to only open 80 and 443 on the server but it does not work. Any hints to help me?

========

# Firehol configuration 2

version 5

FIREHOL_LOG_PREFIX="firehol: "
FIREHOL_LOG_MODE="LOG"
FIREHOL_LOG_LEVEL=7
FIREHOL_LOG_FREQUENCY="1/second"
FIREHOL_LOG_BURST="5"
DEFAULT_INTERFACE_POLICY="DROP"

FIREHOL_DEBUGGING="Y"

SERVER_IPS="x.x.x.x"
VBOX_NET="192.168.33.0/24"

dnat to 192.168.33.11:8080 inface eth0 dst "${SERVER_IPS}" proto tcp dport 80
dnat to 192.168.33.11:8443 inface eth0 dst "${SERVER_IPS}" proto tcp dport 443

# interfaces

interface eth0 internet
    protection strong
    policy drop

    server ssh accept
    client "http https ssh dns" accept

interface lo local src "127.0.0.1" dst "127.0.0.1"
    policy accept
    server all accept
    client all accept

interface vboxnet+ vbox src "${VBOX_NET}"
    policy accept
    server all accept
    client all accept

# route vbox to internet

router "vbox2internet" inface "vboxnet+" outface "eth0"
    masquerade
    route all accept

# route vbox to vbox

router "vbox2vbox" inface "vboxnet+" outface "vboxnet+"
    route all accept

# route DNAT ports

router "internet2vbox" inface "eth0" outface "vboxnet+"
    route "http https" accept dst "${VBOX_NET}"
=========

My current network configuration (public IP commented out):
eth0 Link encap:Ethernet HWaddr x:x:x:x:x:x
inet addr:x.x.x.x Bcast:x.x.x.x Mask:255.255.255.224
inet6 addr: x::x:x:x:x/64 Scope:Link
inet6 addr: x:x:x:x::x/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:643253 errors:0 dropped:0 overruns:0 frame:0
TX packets:316875 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:737592696 (703.4 MiB) TX bytes:36481945 (34.7 MiB)
Interrupt:42 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5292 errors:0 dropped:0 overruns:0 frame:0
TX packets:5292 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:577969 (564.4 KiB) TX bytes:577969 (564.4 KiB)

vboxnet0 Link encap:Ethernet HWaddr 0a:00:27:00:00:00
inet addr:192.168.33.1 Bcast:192.168.33.255 Mask:255.255.255.0
inet6 addr: fe80::800:27ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1626 (1.5 KiB)
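The part of configuration 2 that does not do what the reporter expects is the last router. DNAT is applied in the nat table's PREROUTING chain, which runs before the filter table's FORWARD chain, so by the time the internet2vbox router examines a forwarded packet its destination is already 192.168.33.11:8080 or 192.168.33.11:8443. A router rule that matches the service names "http https" looks for destination ports 80 and 443, never matches the translated packets, and the router's default policy drops them. The following is my rewrite, not the reporter's configuration: it keeps the reporter's addresses (192.168.33.11 for the VM, 192.168.33.0/24 for the VirtualBox network, x.x.x.x as the public address placeholder), assumes a single web VM, and matches the translated ports in the router while still leaving 8080 and 8443 closed on the host itself:

```firehol
version 6

# Constructed example. Assumptions: the web VM is 192.168.33.11 on a
# vboxnet interface, the host's public address goes in SERVER_IP, and the
# VM listens on 8080 (http) and 8443 (https).
SERVER_IP="x.x.x.x"
VBOX_NET="192.168.33.0/24"
VM_WEB="192.168.33.11"

# DNAT happens in PREROUTING, before FORWARD: the forwarded packet already
# carries dport 8080/8443 when the router rules below see it.
dnat to "${VM_WEB}:8080" inface eth0 dst "${SERVER_IP}" proto tcp dport 80
dnat to "${VM_WEB}:8443" inface eth0 dst "${SERVER_IP}" proto tcp dport 443

interface eth0 internet
    protection strong
    policy drop
    # Deliberately no 8080/8443 server here: those ports are reachable only
    # through the DNAT above, never on the host's own address.
    server ssh accept
    client "http https ssh dns" accept

interface lo local src "127.0.0.1" dst "127.0.0.1"
    policy accept
    server all accept
    client all accept

interface vboxnet+ vbox src "${VBOX_NET}"
    policy accept
    server all accept
    client all accept

# Forwarded traffic from the internet to the VM: match the translated ports
# and pin the destination to the single VM, not the whole /24. server (not
# route) keeps the rule one-directional: only connections initiated from
# eth0 towards the VM are opened.
router internet2vbox inface eth0 outface "vboxnet+"
    server custom webfwd "tcp/8080 tcp/8443" default accept dst "${VM_WEB}"

# VM-initiated traffic to the internet, masqueraded behind the public IP.
router vbox2internet inface "vboxnet+" outface eth0
    masquerade
    route all accept
```

Two checks after firehol try: sysctl net.ipv4.ip_forward must report 1 for the FORWARD chain to see any packets at all, and iptables -t nat -L PREROUTING -n -v followed by iptables -L -n -v | grep 8080 will show whether the DNAT counters and the router's accept counters increase together when a client connects to port 80 on the public address.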

Can firehol be made to only use programs from /bin?

Only using programs from /bin would help out those that mount /usr over the network, for instance.

I expect that a subset of functionality (e.g. helpme) could continue to require /usr programs since they will not be required during a system boot.

A quick peruse shows the following (on Debian, at least) are the programs in use that are under /usr/bin (whether used by the wizard only or not):
/usr/bin/{g,}awk - required - not sure if it can be easily eliminated
/usr/bin/cut - required - might be possible to eliminate
/usr/bin/expr - required - should be possible to eliminate
/usr/bin/find - required - could be made optional
/usr/bin/fold - required - could probably be made optional
/usr/bin/head - required - could probably be made optional
/usr/bin/flock - required - would need fallback to be made optional
/usr/bin/logger - required - how to log to syslog without logger?
/usr/bin/pager - optional
/usr/bin/less - optional
/usr/bin/renice - optional
/usr/bin/sort - required - not sure if it can be easily eliminated
/usr/bin/touch - required - could probably be replaced
/usr/bin/tr - required - could probable be replaced
/usr/bin/uniq - required - not sure if it can be easily eliminated

Quite a few of these programs could probably be replaced by sed. sort and uniq may be problematic but depending on volumes, creating and listing temporary files might work.

connmark

connmark has several issues.

  • mark, save and restore are executed on every packet, while mark and save should be applied to new packets and restore on established and related packets.
  • saving and restoring is very confusing. We should add rules at the beginning and the end of the firewall, if a connmark command has been used.
  • when load balancing multiple interfaces, the commands used are again cryptic. The user has to connmark on the PREROUTING with inface and on POSTROUTING with outface.

"with knock" and IPv6

Hi,

Port knocking seems partially broken in firehol 2.0.0 rc2, because of the knock chain not being added for IPv6 traffic. I.e., using server ssh accept with knock admin, I get the following error:

WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 38 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A in_world_ssh_s7 -p tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j knock_admin 
OUTPUT  : 

ip6tables v1.4.14: Couldn't load target `knock_admin':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

Which is explained by examining the debug output: firehol only adds the knock_admin chain using iptables, and not using ip6tables

# CONF: 38>>>           server ssh accept with knock admin 


# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'world'

# INFO>>> Creating chain 'in_world_ssh_s7' under 'in_world' in table 'filter'
/sbin/iptables -t filter -N in_world_ssh_s7 
/sbin/ip6tables -t filter -N in_world_ssh_s7 
/sbin/iptables -t filter -A in_world -j in_world_ssh_s7 
/sbin/ip6tables -t filter -A in_world -j in_world_ssh_s7 

# INFO>>> Creating chain 'out_world_ssh_s7' under 'out_world' in table 'filter'
/sbin/iptables -t filter -N out_world_ssh_s7 
/sbin/ip6tables -t filter -N out_world_ssh_s7 
/sbin/iptables -t filter -A out_world -j out_world_ssh_s7 
/sbin/ip6tables -t filter -A out_world -j out_world_ssh_s7 

firehol helpme needs to handle IPv6 and/or IPv4

We should be detecting if there are IPv4 and/or IPv6 addresses for each interface and setting things up appropriately, rather than doing IPv4 only.

i.e. we should be able to produce interface4, interface6 and interface46 at the appropriate times. Likewise with routers.

Website hosting

Firehol needs a new home, not on sourceforge.

When domain is transferred I will set this up with the same host as provides the sanewall hosting since this includes a full shell, which helps enormously with scripting release processes etc.

In the interim GitHub pages works on the new gh-pages branch which I have started with a slightly-edited copy of the original site. Currently here: http://ktsaou.github.io/firehol/ but once domain transfer is complete can make it appear as http://firehol.org/

unit testing

@philwhineray

I suggest to have a set of configurations which will be used for testing all tools prior to release.

For example,

  1. we keep a folder of firehol, fireqos and link-balancer config files.
  2. we write a script which calls each tool to generate the final statements for all config files
  3. this script compares the newly generated statements to the statements that were generated using the previous release (or the previous commit).
  4. it reports any differences it finds in file that is also committed to git (so that we will have a log of the differences for every commit)

I hope that this way we will be able to find corner cases in our code quickly and easily.

What do you think?

TPROXY support

To make this short, in IPv6 settings, Squid is capable of transparent proxying in a fashion which does not rely on NAT, by using this mechanism: http://wiki.squid-cache.org/Features/Tproxy4 -- example usage with IPv6 can be seen at http://version6.ru/tproxy

Currently, FireHOL does not appear to support generating such statements, and it would be very nice if it could do this, since I'm completely out of my depth attempting to do this manually.

Parse kernel 3.x correctly

As far as I know this bug is still present in the current development branch:
https://sourceforge.net/p/firehol/patches/10/

diff --git a/firehol.sh b/firehol.sh
index a56ecb3..8d51dec 100755
--- a/firehol.sh
+++ b/firehol.sh
@@ -5732,7 +5732,7 @@ if [ -z "${IPTABLES_CMD}" -o ! -x "${IPTABLES_CMD}" ]; then
 fi

 KERNELMAJ=`${UNAME_CMD} -r | ${SED_CMD}                   -e 's,\..*,,'`
-KERNELMIN=`${UNAME_CMD} -r | ${SED_CMD} -e 's,[^\.]*\.,,' -e 's,\..*,,'`
+KERNELMIN=`${UNAME_CMD} -r | ${SED_CMD} -e 's,[^\.]*\.,,' -e 's,[.-].*,,'`

 if [ "$KERNELMAJ" -lt 2 ] ; then
    echo >&2 "FireHOL requires a kernel version higher than 2.3."
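Review bot: the new KERNELMIN pattern `s,[.-].*,,` correctly turns a version such as `3.0-rc1` into `0`, where the old `s,\..*,,` left `0-rc1` and broke any numeric test on KERNELMIN; consider `s,[^0-9].*,,` instead so that other suffixes (a trailing `+` from a dirty build, or `_` from a vendor string) are stripped the same way, and apply the same stripping to KERNELMAJ for symmetry. The visible check only rejects `KERNELMAJ -lt 2` while the message mentions 2.3, so if a minor-version comparison follows it should be guarded with `"$KERNELMAJ" -eq 2`: the minor number resets to 0 at 3.0 and 4.0, and an unguarded `KERNELMIN -lt N` would reject those kernels.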

ULOG and IPv6

ULOG does not work with ip6tables.
I think we should remove it completely.

ulogd v2 supports NFLOG, which is also supported by firehol.

Different identifiers in log: FIREHOL, FIREHL, FIRHOL, FRHL, IEO

FIREHOL_LOG_MODE="LOG"; # LOG means syslog, other possible value is ULOG (directly to a file)
FIREHOL_LOG_LEVEL="debug"; # Lowest priority. Should also ignore it in RSyslog
FIREHOL_LOG_PREFIX="FIREHOL: ";
FIREHOL_LOG_FREQUENCY="1/second"; # Maximum frequency of a match occurring in a log
FIREHOL_LOG_BURST="5"; # max initial number of packets to match

cat firehol.conf

:msg, contains, "FIREHOL:" -/dev/null

:msg, contains, "FIREHOL:" -/var/log/firehol.log
& ~

:msg, contains, "FIREHL" -/var/log/firehol.log
& ~

:msg, contains, "FIRHOL" -/var/log/firehol.log
& ~

:msg, contains, "FRHL" -/var/log/firehol.log
& ~

:msg, contains, "IEO" -/var/log/firehol.log

Mark handling in firehol

A question based on the netfilter flow diagram - would it make more sense to do --save-mark with -t filter -A INPUT rather than -t mangle? As -t filter is processed later it would ensure the mark is saved after all other processing.

I would also quite like to consider a stateless option to the mark helpers. This is because I want to mark connections based on physdev but this will only be available when packets originate from that device. The stateful implementation means that only outgoing connections will have a mark set.

If the match is stateless then connections starting outside will be matched, just the first packet will be missed. Obviously the mark can be applied with the iptables helper:

wlanmark="$(mark_value qosmark 1)"
iptables -t mangle -A PREROUTING -m physdev --physdev-in wlan0 -j MARK --set-mark ${wlanmark}

I think it would be nice to provide an option though, something like custommark anystate qosmark 1 FORWARD physin wlan0.

The problem is that either method will have the mark overwritten by the save/restore code, since the old value will be restored on egress.

I don't know if always saving/restoring marks is slower than first testing the state. If there is not much difference then we could just always save and restore. If there is a significant difference then we could either:

  • Change save/restore behaviour when an anystate mark was made or on an option
  • Change the code so that it saves only if the mark is non-zero and the connmark is zero, rather than by connection tracker state.
  • Explicitly save to connmark after an anystate mark to ensure it is consistent.

An advantage of changing the save/restore behaviour for everything would be that it would allow for the possibility of changing the mark on a connection. The current code guarantees that once set to the connection the same value will always be restored even if the user tries to change it.

interface46 vs group

It appears that groups and interface46 does not get along on my Ubuntu 14.04 LTS server.

interface4

interface4 eth0 lan-out output rate 1Gbit ethernet
    class group mygroup commit 10%
        match all
    class group end

Applies ok.

interface6

interface6 eth0 lan-out output rate 1Gbit ethernet
    class group mygroup commit 10%
        match all
    class group end

Applies ok.

interface46

interface46 eth0 lan-out output rate 1Gbit ethernet
    class group mygroup commit 10%
        match all
    class group end

This crashes with the following:

: interface eth0 lan-out output rate 1Gbit ethernet (eth0, 1000000kbit, MTU 1500, quantum 1500)
:       class mygroup commit 10% (1:11, 100000kbit, prio 0)
:               class default (1:5011, 10000kbit, prio 0)
Error: argument "65536" is wrong: invalid priority value



ERROR:
tc failed with error 255, while executing the command:
/sbin/tc filter add dev eth0 parent 1:11 protocol ipv6 prio 65536 u32 match ip6 protocol 0 0x00 flowid 1:5011


FAILED TO ACTIVATE TRAFFIC CONTROL.

Clearing failed interface: lan-out (eth0 output => eth0)...

             eth0: cleared traffic control output

No traffic control is operational by FireQOS.

(2.0.0-pre8)

fireqos: class priority is not respected when interface has many classes

When an interface has more than 10 classes (1 the parent, + 9 user classes), class priorities are not respected so strictly. The classes that should get all spare bandwidth are not getting it all.

In this example there is traffic not matched by the match statement that fills the interface.

Then, while the interface is full, we start a download which is matched by the match statement.

If the input interface has up to 9 classes, the default class will be shaped to its committed rate as soon as the download starts.

If the input interface has more than 9 classes, the spare bandwidth will be spread among the default class and the class having the download.

DEVICE=dsl0
INPUT_SPEED=8Mbit
OUTPUT_SPEED=800kbit
LINKTYPE="adsl local pppoe-llc"

interface $DEVICE world-in input rate $INPUT_SPEED $LINKTYPE
        for x in 1 2 3 4 5 6 7 8 9 10 11 12 13 14
        do
                class C$x
        done

        class default

       # add the download to the last class we added (just before the default)
        match sports 0:1023 class C$x



interface $DEVICE world-out output rate $OUTPUT_SPEED $LINKTYPE
        class C1
                match dports 0:1023

        class default

To make things even more complicated, if the match statement classifies to class C1, instead of class C$x, traffic in the C1 class always shapes the default class to its committed rate.

Reading the manual of HTB (http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio) does not help to figure out what is happening.

IPv6 additional checking

Hello,
I have several systems without IPv6 support and firehol produces annoying warning messages about disabled IPv6.
So I have added small checks to prevent these warnings.
I think it's a good idea to add this patch upstream.

Small patch see below.
diff -Nur b/sbin/firehol.in a/sbin/firehol.in
--- b/sbin/firehol.in 2014-10-17 05:00:30.662916495 +0300
+++ a/sbin/firehol.in 2014-10-17 04:37:59.223008046 +0300
@@ -255,6 +255,14 @@
ENABLE_IPV6=0
fi

+# IPV6 tables modules checking...

+if [ lsmod | grep -c ip6_tables -gt 0 ]; then

  •    ENABLE_IPV6=1  
    
    +else
  •    ENABLE_IPV6=0  
    
    +fi
  • Special commands

    pager_cmd() {
    if [ -z "${LESS_CMD}" ]
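Review bot: the added test `if [ lsmod | grep -c ip6_tables -gt 0 ]` is not valid shell: inside `[ ... ]` the `|` is still a pipeline operator, so the line is parsed as `[ lsmod` piped into `grep -c ip6_tables -gt 0 ]` and `[` fails with a syntax error. Write it as `if lsmod | grep -q '^ip6_tables '` or `if [ "$(lsmod | grep -c '^ip6_tables ')" -gt 0 ]`. More importantly, lsmod is the wrong oracle for IPv6 support: ip6_tables may be built into the kernel (never listed by lsmod) or simply not loaded yet, since the existing initialize_firewall() loads it on demand, so this check disables IPv6 on systems that support it, and it unconditionally overwrites whatever ENABLE_IPV6 the lines just above had decided.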
    @@ -377,11 +385,13 @@
    ENABLE_IPV4=0
    fi

-${IP6TABLES_CMD} -nxvL >/dev/null 2>&1
-if [ $? -ne 0 ]
-then

  •   echo >&2 " WARNING: error initializing ip6tables: IPv6 disabled"  
    
  •   ENABLE_IPV6=0  
    

    +if [ $ENABLE_IPV6 -eq 1 ]; then

  •    ${IP6TABLES_CMD} -nxvL >/dev/null 2>&1  
    
  •    if [ $? -ne 0 ]  
    
  •    then  
    
  •            echo >&2 " WARNING: error initializing ip6tables: IPv6 disabled"  
    
  •            ENABLE_IPV6=0  
    
  •    fi                                                                                                                                                                                                                                  
    

    fi

    if [ $ENABLE_IPV4 -eq 0 -a $ENABLE_IPV6 -eq 0 ]
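Review bot: guarding the `${IP6TABLES_CMD} -nxvL` probe with `ENABLE_IPV6 -eq 1` removes the warning, but it also removes the only diagnostic an operator gets when IPv6 is disabled by the new lsmod test in the first hunk: print a one-line notice in that case (at least when FIREHOL_DEBUGGING is set), otherwise someone who expects ip6tables rules will find none installed and no explanation in the output.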
    @@ -8320,7 +8330,9 @@
    firehol_filter6_chains=
    initialize_firewall() {
    load_kernel_module ip_tables

  •   load_kernel_module ip6_tables  
    
  •    if [ $ENABLE_IPV6 -eq 1 ]; then  
    
  •            load_kernel_module ip6_tables  
    
  •    fi                                                                                                                                                                                                                                  
    load_kernel_module nf_conntrack                                                                                                                                                                                                      
    
    for m in ${FIREHOL_KERNEL_MODULES}                                                                                                                                                                                                   
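Review bot: making `load_kernel_module ip6_tables` conditional on ENABLE_IPV6 creates a circular dependency with the first hunk: ENABLE_IPV6 is derived from lsmod before anything has loaded ip6_tables, and this hunk then never loads it, so IPv6 filtering ends up disabled on every machine where the module is not already resident when firehol starts, which is exactly the situation at boot. Decide IPv6 support by attempting the load (or by the existing ip6tables probe) rather than by inspecting lsmod, and keep this load unconditional.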
    

fast activation error handling

In fast activation mode, if it fails it should at least print the offending line that broke the firewall.

iptables-restore does provide the line number.

QOS matching on ingress

I missed the fact that this does not work in the docs. I do not get an error and just spent an age researching! Perhaps we could add a warning?

So as to not lose all of the research and because it may be someday possible, I include everything below.

I eventually reduced my configuration down to the following, on my desktop:

sudo firehol stop
sudo iptables -t mangle -A PREROUTING -j MARK --set-mark 0x1/0x1
sudo iptables -t mangle -A POSTROUTING -j MARK --set-mark 0x1/0x1

Then a fireqos minimal.conf start where minimal.conf is:

interface wlan0 world-in input rate 11077kbit adsl local pppoe-llc mtu 1492
   class public
      match rawmark 1/1

   class default

interface wlan0 world-out output rate 995kbit adsl local pppoe-llc mtu 1492
   class public
      match rawmark 1/1

   class default

Output is classified as public, as expected fireqos status world-out:

 Class Utilization on world-out (wlan0 output => wlan0) - values in Kbit/s
 TOTAL public defaul 
     1      1      - 
     -      -      - 
    36     36      - 
   230    230      - 
   103    103      - 

Input always goes to default fireqos status world-in:

 Class Utilization on world-in (wlan0 input => wlan0-ifb) - values in Kbit/s
 TOTAL public defaul 
     4      -      4 
     -      -      - 
     1      -      1 
     8      -      8 

Now, there is all sorts of difficult to comprehend (mis)information on the net, but I think the default way in which things work means that this is not normally possible because the ingress traffic control happens before even the first of the netfilter tables, see netfilter flow diagram.

Here we see someone claim it is possible. I tried the handle 1 fw type match and it does not work on ingress. I didn't try egress since the u32 match is better anyway. Perhaps it used to work back when it was ipchains not iptables.

On the netfilter mailing list someone asked a similar question recently, using xt actions in the tc filter. There is no definitive answer as to what should be done or if it can work. In any case, this syntax does not work for me - it causes a segfault. Most likely down to a too-old version of tc. If the xt action hooks back to netfilter then this might work on new enough setups.

Finally Arch and openwrt appear to have a bespoke solution with a patched tc which provides an action connmark whose job is to restore the mark during ingress. I will try to see if this works on my openwrt router soon but I guess even if it does it is not general. Maybe we can add a parameter to enable it - it will certainly make my life easier.

NAT and IPv6

all NAT related helpers should be statically made ipv4 only

firehol helpme produces output with errors

helpme currently only works to detect IPv4 IP addresses etc. However, its output has not been changed to say interface4 and router4, so it needs more manual modification than was the case in the past.

Eventually helpme will need to emit IPv6 rules as well as IPv4 rules but in the meantime it should create IPv4 only interfaces etc. and include links to the help pages for setting up dual IPv4/IPv6 syntax.

Merge development branch/fireqos.sh to master?

Is the fireqos.sh stable enough that you would like me to merge it to master?

I think this is the best place to do most work unless it is experimental. Most people will assume master is where the most up-to-date work is. Also, the website will automatically build these versions so packaged tar files will be available straight away.

To create stable releases we can create branches from master, and tag from that for individual versions.

Let me know and if you agree I will do the merge and let you know when it is ready to pull.

Manual rules not applied

I have a simple configuration with some custom iptables rules to set-up some services (more specifically; torrents with -j NOTRACK). For example:

version 6

interface enp0s25 world
        client all accept
        server all reject

iptables -I INPUT -i enp0s25 -p tcp --dport 40000 -j ACCEPT
iptables -I INPUT -i enp0s25 -p udp --dport 40000 -j ACCEPT

If I apply this configuration using firehol start, only the tcp rule exists in my iptables chain:

# iptables -L -n | grep 40000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:40000

Strangely, if I manually clear all chains, export the iptables commands using firehol debug, and execute that script, both rules exist:

# firehol debug > dump.sh
# bash clear_iptables.sh
# bash dump.sh
# iptables -L -n | grep 40000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:40000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:40000

This is using Firehol v2.0.0 on both Arch Linux and Debian.

Webhook

@ktsaou could you add a service hook to the firehol repository? I do not have the rights to do so myself.

For this, all you do is:

  • Navigate to the project:
  • Choose "Settings" on the right hand side
  • Choose "Service Hooks" on the left hand side
  • Click "WebHook URLs (0)"
  • Insert the URL: http://vps.firehol.org/github-hook.php
  • Click Update Settings

I can then start to tie together the calls to the process which will automatically build tar-files.

Cheers
Phil

firehol start = autorestore

I like the new firehol restore function. Would it be made even better by saving the config file or a checksum to the spool directory during the initial start? Then when a later firehol start is executed, if everything still matches we just run restore, that way everyone gets the functionality by default.

It would also mean we can check for dynamic rules such as rpc during the save, and create a file to disable the autorestore, so a user will always get an up-to-date firewall: fast if possible, slow if necessary.

differentiate custom iptables options for in/out

Using custom one can pass arbitrary arguments to iptables. I wanted to use this with the geoip module to restrict certain services to clients from specific countries, but for that I need to add the --src-cc $COUNTRY flag to the iptables command line.

As the name suggests, --src-cc only serves to match incoming traffic. In the current state, custom passes options to both the in_ and out_ chain, which doesn't work in case of geoip. I would need to add --dst-cc to the output rules instead.

It would be nice if one could specify different custom options for both the input and output chain of a certain rule (custom_in and custom_out?).

Alternatively, can I implement a country option which selects the proper option automatically? I don't know how modular firehol is.

Support tcpcrypt

Hi!

I thought that it may make sense to do something to support tcpcrypt (the site is down for me right now; see their GitHub repo).

I don't know if is appropriate, but I figured it would be nice, for simplicity, if it could be done syntactically similar to masquerade, you just say "tcpcrypt" for a certain interface, and it will use tcpcrypt on traffic leaving and entering that interface if the peer supports it too.

Problem with "accept with limit" (Ubuntu 14.04)

It seems that "accept with limit" does not work correctly because the generated name is too long.

Configuration (FireHOL 2.0.0rc2):

version 6
interface eth0 EXT
  server ssh accept with limit 10/sec 20
  client all accept

And this is the error output (only the first of 8 errors):

ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -N ACCEPT_LIMIT_10_sec_20_REJECT 
OUTPUT  : 

iptables v1.4.21: chain name `ACCEPT_LIMIT_10_sec_20_REJECT' too long (must be under 29 chars)
Try `iptables -h' or 'iptables --help' for more information.

If you need further input please just ask.

Allow stopping fireqos based on config file or specific interface

Hi, first of all I must say I am totally impressed by your work!

One easy change that would be useful is to give the fireqos script the ability to stop all shaping (like it does with the stop parameter) but only for a specific interface (or a specific configuration file that defines rules for specific interfaces).

I have 2 ADSL connections, and I would like to start and stop shaping on them with ppp/ip-up.d scripts. It is possible to start shaping on each of the 2 separately using separate config files, but from what I see it is not possible to stop shaping for just 1 of the interfaces (it's either all or nothing).

I could always modify the script myself, but I am totally worthless in bash scripting and I would have to apply the patch on every update.

Modularizing FireHOL and core changes (nftables)

I think we should consider the following changes:

Modularize FireHOL so that it can support multiple backends.

  • iptables is one
  • nftables can be another

This modularization should keep the core logic of FireHOL backend independent. To achieve that we will have to model how FireHOL will interact with its backends. Of course, this model should allow all service definitions to be backend independent.

Re-write the core logic of FireHOL so that mangling and filtering should be merged, allowing filtering, traffic classification for QoS and routing decisions to be integrated into FireHOL itself.

Of course, FireHOL will not integrate FireQOS or Link-Balancer into its configuration (they have completely different scopes and contexts), but it should cooperate with them.

For example FireHOL could support statements like: server smtp accept classify bulk route dsl2. Such a statement will just save information for FireQOS to send the specific smtp traffic to class bulk and for Link-Balancer to route the specific smtp traffic via routing table dsl2. It will be like saving a map of marks and contexts these marks should be used under the different tools.

In the process, we could also speed up FireHOL. FireHOL may be sped up significantly by re-writing the rule() function in C. Probably, this could also remove the BASH dependency, allowing FireHOL to be integrated in embedded projects. Now FireHOL cannot be embedded in appliances mainly because it depends on BASH for its arrays.

In the process we could also create a library of scripting functions shared among all programs, using common defaults, command line options, etc.

check system function

What if we write a 'check' function in firehol that runs a number of checks in the system to identify possible issues? We could include a check for this kernel option there.

A user will be able to execute 'firehol check' to run the checks and possibly find suggestions to improve his system. The same check could be run automatically if the execution stops due to an error.

There are already a number of checks spread in firehol to detect if iptables is enabled in the kernel, if the required kernel modules are present, if certain commands are present in the system, etc.

We could have a file like /var/spool/firehol/system.conf with all the results of the checks, which is sourced every time firehol runs (this will also speed it up a bit). If the file is not present, the check() function will be run to generate it. If we detect a kernel version change since the last time we executed check(), we could call it again, and so forth.

Doc error

In guides/adding-services it says:

The first line must read:

FHVER 1:213

That's not quite right, what's required is:

# FHVER: 1:213

with both the # and the : either side of FHVER.

fireqos: in tcpdump mode the packets monitored are lost

I have followed this guide for mirroring the traffic: http://ldd6410.googlecode.com/svn/trunk/utils/iproute2/doc/actions/mirred-usage

When mirroring traffic for monitoring it, FireQOS does this:

ip link add dev fireqos_monitor name fireqos_monitor type dummy
ip link set dev fireqos_monitor up
tc filter add dev $DEVICE parent $QDISC_HANDLE protocol all prio 1 u32 match u32 0 0 flowid 1:9999 action mirred egress mirror dev fireqos_monitor

I tried different flowids (existing and non-existing), without luck. Supposedly, non-existing classes send the packet immediately to the device hardware.

In all cases, for both inbound (DEVICE=ifbX) and outbound (DEVICE=real device) traffic, the packets are lost.

1Mbit somehow becomes 10000kbit (rate vs hardware emulation)

rate 1Mbit appears to somehow end up being rate (10000kbit) in the following config.

Minimum config that produces the issue:

interface br0 myif output rate 1Gbit ethernet
    class group mygroup rate 1Mbit ceil 2Mbit adsl local pppoe-llc
        match all
    class group end

Output:

FireQOS 2.0.0-pre9
(C) 2013 Costa Tsaousis, GPL


: interface br0 myif output rate 1Gbit ethernet (br0, 1000000kbit, MTU 1500, quantum 1500)
:       class mygroup rate 1Mbit ceil 2Mbit adsl local pppoe-llc:       WARNING! ceil (2000kbit) is less than rate (10000kbit). Fixed it by setting ceil to rate.
 (1:11, 10000kbit, prio 0, MTU 1500, quantum 1500)
:               class default (11:5011, 10000kbit, prio 0)
:               committed rate 10000kbit (100%), the remaining 0kbit will be spare bandwidth.
:       class default (1:5000, 10000kbit, prio 1)
:       committed rate 20000kbit (2%), the remaining 980000kbit will be spare bandwidth.


  Traffic is classified:

      - on 1 interfaces
      - to 4 classes
      - by 2 FireQOS matches

  12 TC commands executed

All Done! Enjoy...
bye...

DHCPv6 client service

I know you are merging sanewall back into firehol for IPv6 support. In the latest release of sanewall there appear to be problems with the sanewall host acting as a DHCPv6 client. I suspect the issue will apply to firehol as well.

A simple 'ipv6 client "dhcp" accept' doesn't work. It creates rules using the IPv4 DHCP udp/67 which doesn't do anything useful for IPv6.

So without thinking too much I created a simple service for DHCPv6, but this also appears not to create valid rules, since the rules will be created using --state and the state doesn't permit things to work.

A client requesting an address using DHCPv6 basically does this (see http://en.wikipedia.org/wiki/DHCPv6 for more detail), where ll_client and ll_server are the link-local addresses respectively and [ff02::1:2] is the multicast address the DHCPv6 server listens on for requests.

[ll_client]:546 -> [ff02::1:2]:547
[ll_server]:547 -> [ll_client]:546
[ll_client]:546 -> [ff02::1:2]:547
[ll_server]:547 -> [ll_client]:546

Netfilter doesn't seem to have any connection tracking modules to handle DHCPv6, so the outgoing request from a client doesn't seem to add anything to the state table that will match the reply from the server.

I am not sure what the fix here is; does something special need to be developed to have a box running firehol act as a DHCPv6 client or server?

I believe that these ip6tables rules would permit DHCPv6, though this may be a bit more permissive than what most people would prefer.

# host acting as DHCPv6 client: request out, reply in (swap INPUT/OUTPUT on a server)
ip6tables -A OUTPUT --protocol udp --src fe80::/64 --source-port 546 --destination ff02::1:2 --destination-port 547 -j ACCEPT
ip6tables -A INPUT --protocol udp --src fe80::/64 --source-port 547 --destination fe80::/64 --destination-port 546 -j ACCEPT

It isn't a huge issue for me, but it is just something that probably needs to be handled in the future.
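To make the state-tracking problem in this report concrete, here is a small model added as an example (it is not FireHOL or sanewall code, and the link-local addresses fe80::1 and fe80::2 are placeholders). It replays the four datagrams listed above through two rulesets: one that relies on --state ESTABLISHED for the inbound direction, and one built from the two explicit ip6tables rules in the report. conntrack expects the reply to a packet sent to ff02::1:2:547 to come back from ff02::1:2:547, which a DHCPv6 server never does, so the stateful model drops both replies while the stateless rules pass the whole exchange.

```python
import ipaddress

# Constructed example (not FireHOL code): the four datagrams of the DHCPv6
# Solicit / Advertise / Request / Reply exchange described in the issue, seen
# from the client host. The link-local addresses are placeholders.
LL_CLIENT = "fe80::1"
LL_SERVER = "fe80::2"
ALL_DHCP_AGENTS = "ff02::1:2"

EXCHANGE = [
    ("out", LL_CLIENT, 546, ALL_DHCP_AGENTS, 547),  # Solicit
    ("in",  LL_SERVER, 547, LL_CLIENT, 546),        # Advertise
    ("out", LL_CLIENT, 546, ALL_DHCP_AGENTS, 547),  # Request
    ("in",  LL_SERVER, 547, LL_CLIENT, 546),        # Reply
]


def stateful_verdicts(packets):
    """Model a stateful ruleset: outgoing udp/547 is allowed (NEW), incoming
    traffic is allowed only where --state ESTABLISHED would match.

    conntrack records the original tuple and expects the reply to be its exact
    mirror, i.e. src ff02::1:2:547 -> dst client:546. The server answers from
    its own link-local unicast address, so that tuple is never seen."""
    expected_replies = set()
    verdicts = []
    for direction, src, sport, dst, dport in packets:
        if direction == "out":
            expected_replies.add((dst, dport, src, sport))
            verdicts.append(True)
        else:
            verdicts.append((src, sport, dst, dport) in expected_replies)
    return verdicts


def stateless_verdicts(packets):
    """The two explicit ip6tables rules from the issue, without any --state
    match: link-local:546 -> ff02::1:2:547 outbound, and
    link-local:547 -> link-local:546 inbound."""
    link_local = ipaddress.ip_network("fe80::/64")
    agents = ipaddress.ip_address(ALL_DHCP_AGENTS)
    verdicts = []
    for direction, src, sport, dst, dport in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if direction == "out":
            ok = s in link_local and sport == 546 and d == agents and dport == 547
        else:
            ok = s in link_local and sport == 547 and d in link_local and dport == 546
        verdicts.append(ok)
    return verdicts


if __name__ == "__main__":
    for name, fn in (("stateful", stateful_verdicts), ("stateless", stateless_verdicts)):
        print(name, ["ACCEPT" if v else "DROP" for v in fn(EXCHANGE)])
```

The stateless rules are scoped to link-local sources and destinations on both sides, which is what keeps them from becoming a general udp/546 hole: a reply from a global address to port 546 still fails the second rule.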

Allow disabling documentation build

Hello,

I'm trying to build a deb of the latest firehol for my servers, but even a simple call to make fails due to a missing rule.

make[2]: Entering directory `/path/to/firehol/doc'
make[2]: *** No rule to make target `service-links', needed by `all-local'.  Stop.

In doc/Makefile that rule exists, but it is commented out:

#service-links: $(FIREHOLIN) services-db.data
#        $(MKSERVICELINKS) service-links $+

If I uncomment those lines I get

make[2]: Entering directory `/path/to/firehol/doc'
service-links services-db.data
/bin/bash: service-links: command not found

When checking what value $(MKSERVICELINKS) has, I found

#MKSERVICELINKS = ${top_srcdir}/doc/tools/mkservicelinks
#FIREHOLIN = $(top_srcdir)/sbin/firehol.in

Uncommenting this results in the next error...

make[2]: Entering directory `/path/to/firehol/doc/firehol'
make[2]: *** No rule to make target `man/man1/firehol.1', needed by `all-am'.  Stop.

and there are again a hell of a lot of lines commented out... and I wonder why?

Ruleset for bypassing transparent proxy

I have searched in vain for a way to allow a single IP address to bypass the transparent proxy. This causes issues with devices which cannot utilize proxies.

Blacklisting networks does not work correctly?

Hi,

I am using firehol 1.273 as in the Debian stable release...

I want to blacklist these networks:

x.214.16.0/18 x.214.80.0/19 x.214.112.0/20 x.214.129.0/21 x.214.137.0/23 x.214.139.0/24 x.214.140.0/20 x.214.156.0/22

(x'ed for privacy reasons)

This is what firehol makes out of it:

BL_IN_UNI all -- 85.214.156.0/22 anywhere
BL_IN_UNI all -- 85.214.128.0/20 anywhere
BL_IN_UNI all -- 85.214.139.0/24 anywhere
BL_IN_UNI all -- 85.214.136.0/23 anywhere
BL_IN_UNI all -- 85.214.128.0/21 anywhere
BL_IN_UNI all -- 85.214.112.0/20 anywhere
BL_IN_UNI all -- 85.214.64.0/19 anywhere
BL_IN_UNI all -- 85.214.0.0/18 anywhere

This does not match my configuration, so e.g. x.214.111.* is passing through :(

Is this a bug?

Thanks,
Dietmar
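A check for the behaviour shown in this report, added here as an example (it is not FireHOL code): iptables masks off any host bits that fall outside the prefix length, so an entry such as 85.214.129.0/21 is installed as 85.214.128.0/21, and the range it actually covers starts earlier than written. The script below uses Python's ipaddress module on the eight entries from the report to flag the ones that get rewritten, reproduce the installed list, and test whether a given address would hit it. The first octet is taken as 85, as in the iptables listing above.

```python
import ipaddress

# Entries as the reporter wrote them in firehol.conf (first octet shown as 85,
# as in the iptables listing in the report).
CONFIGURED = [
    "85.214.16.0/18", "85.214.80.0/19", "85.214.112.0/20", "85.214.129.0/21",
    "85.214.137.0/23", "85.214.139.0/24", "85.214.140.0/20", "85.214.156.0/22",
]


def as_installed(entry):
    """Return the network iptables actually installs for an entry.
    Host bits that do not fit the prefix length are masked off, which is
    why 85.214.129.0/21 shows up as 85.214.128.0/21 in iptables -L."""
    return ipaddress.ip_network(entry, strict=False)


def is_aligned(entry):
    """True when the address has no bits set beyond the prefix length."""
    try:
        ipaddress.ip_network(entry, strict=True)
        return True
    except ValueError:
        return False


def misaligned(entries):
    """(written, installed) pairs for entries that iptables will rewrite."""
    return [(e, str(as_installed(e))) for e in entries if not is_aligned(e)]


def is_blacklisted(addr, entries):
    """Would this address hit any of the installed blacklist networks?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in as_installed(e) for e in entries)


if __name__ == "__main__":
    for written, installed in misaligned(CONFIGURED):
        print(f"{written:>16} is installed as {installed}")
    print("85.214.111.1 blacklisted:", is_blacklisted("85.214.111.1", CONFIGURED))
```

Running is_aligned over a blacklist before loading it is a cheap way to catch entries that will silently cover a different range than intended; the misaligned ones here are exactly the five that differ between the configuration and the BL_IN_UNI listing.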
