firehol-params man page

firehol-params — optional rule parameters



{ src | src4 | src6 } [not] host

{ dst | dst4 | dst6 } [not] host

srctype [not] type

dsttype [not] type

proto [not] protocol

mac [not] macaddr

dscp [not] { value | class classid }

mark [not] id

tos [not] id

custom "iptables-options..."

Router Only

inface [not] interface

outface [not] interface

physin [not] interface

physout [not] interface

Interface Only

uid [not] user

gid [not] group

Logging

log "log text" [level loglevel]

loglimit "log text" [level loglevel]

Lesser Used Parameters

sport port

dport port


Optional rule parameters are accepted by many commands to narrow the match they make. Not all parameters are accepted by all commands so you should check the individual commands for exclusions.

All matches are made against the REQUEST. FireHOL automatically sets up the necessary stateful rules to deal with replies in the reverse direction.

Use the keyword not to match any value other than the one(s) specified.

The logging parameters are unusual in that they do not affect the match, they just cause a log message to be emitted. Therefore, the logging parameters don't support the not option.

FireHOL is designed so that if you specify a parameter that is also used internally by the command then a warning will be issued (and the internal version will be used).


src, dst

Use src and dst to define the source and destination IP addresses of the request respectively. host defines the IP or IPs to be matched. Examples:

server4 smtp accept src not
server4 smtp accept dst
server4 smtp accept src not dst
server6 smtp accept src not 2001:DB8:1::/64
server6 smtp accept dst 2001:DB8:2::/64
server6 smtp accept src not 2001:DB8:1::/64 dst 2001:DB8:2::/64

When attempting to create rules for both IPv4 and IPv6 it is generally easier to use the src4, src6, dst4 and dst6 pairs:

server46 smtp accept src4 src6 2001:DB8:1::/64
server46 smtp accept dst4 dst6 2001:DB8:2::/64
server46 smtp accept dst4 $d4 dst6 $d6 src4 not $s4 src6 not $s6

To keep the rules sane, if one of the 4/6 pair specifies not, then so must the other. If you do not want to use both IPv4 and IPv6 addresses, you must specify the rule as IPv4 or IPv6 only. It is always possible to write a second IPv4 or IPv6 only rule.

srctype, dsttype

Use srctype or dsttype to define the source or destination IP address type of the request. type is the address type category as used in the kernel's network stack (the names accepted by the iptables addrtype match). It can be one of:

UNSPEC       an unspecified address (i.e. 0.0.0.0)
UNICAST      a unicast address
LOCAL        a local address
BROADCAST    a broadcast address
ANYCAST      an anycast address
MULTICAST    a multicast address
BLACKHOLE    a blackhole address
UNREACHABLE  an unreachable address
PROHIBIT     a prohibited address

See iptables(8) or run iptables -m addrtype --help for more information. Examples:

server smtp accept srctype not "UNREACHABLE PROHIBIT"

proto

Use proto to match by protocol. The protocol can be any accepted by iptables(8).

mac

Use mac to match by MAC address. macaddr is matched against the "remote" host. In an interface, "remote" always means the non-local host. In a router, "remote" refers to the source of requests for servers and to the destination of requests for clients. Examples:

# Only allow pop3 requests to the e6 host
client pop3 accept mac 00:01:01:00:00:e6

# Only allow hosts other than e7/e8 to access smtp
server smtp accept mac not "00:01:01:00:00:e7 00:01:01:00:00:e8"

dscp

Use dscp to match the DSCP field on packets, either by raw value or by class name. For details on DSCP values and classids, see firehol-dscp(5).

server smtp accept dscp not "0x20 0x30"
server smtp accept dscp not class "BE EF"

mark

Use mark to match marks set on packets. For details on mark ids, see firehol-mark(5).

server smtp accept mark not "20 55"

tos

Use tos to match the TOS field on packets. For details on TOS ids, see firehol-tos(5).

server smtp accept tos not "Maximize-Throughput 0x10"

custom

Use custom to pass arguments directly to iptables(8). All of the parameters must be in a single quoted string. To pass an option to iptables(8) that itself contains a space you need to quote strings in the usual bash(1) manner. For example:

server smtp accept custom "--some-option some-value"
server smtp accept custom "--some-option 'some-value second-value'"

Router Only

inface, outface

Use inface and outface to define the interface via which a request is received and forwarded respectively. Use the same format as firehol-interface(5). Examples:

server smtp accept inface not eth0
server smtp accept inface not "eth0 eth1"
server smtp accept inface eth0 outface eth1

physin, physout

Use physin and physout to define the physical interface via which a request is received or sent, in cases where the inface or outface is known to be a virtual interface, e.g. a bridge. Use the same format as firehol-interface(5). Examples:

server smtp accept physin not eth0

Interface Only

These parameters match against information gathered from the local host. They apply only to outgoing packets and are silently ignored for incoming requests and for requests that will be forwarded.


The Linux kernel infrastructure to match PID/SID and executable names with pid, sid and cmd has been removed so these options can no longer be used.

uid

Use uid to match the operating system user sending the traffic. The user is a username, uid number or a quoted list of the two.

For example, to limit which local users can access POP3 and IMAP. A client request is outgoing, so uid is matched on the request itself and requests from the listed users are not let out:

client "pop3 imap" accept uid not "user1 user2 user3"

Similarly, this will allow all requests to reach the server (the incoming request cannot be matched by uid) but prevent replies unless the web server is running as apache:

server http accept uid apache

gid

Use gid to match the operating system group sending the traffic. The group is a group name, gid number or a quoted list of the two.
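Three of the constraints above are easy to get wrong when editing a configuration by hand: the 4/6 pairing rule for src4/src6 and dst4/dst6, the fact that log and loglimit do not take not, and uid/gid being silently ignored inside a router. The following POSIX sh script is an added example and not part of FireHOL; it lints a firehol.conf with plain whitespace tokenization (an approximation of FireHOL's own parser, which is assumed rather than documented here). The firehol.conf fragment it checks is constructed sample data using the 192.0.2.0/24 and 2001:DB8::/32 documentation address ranges.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: a lint for the optional rule
# parameters of firehol-params(5). It reports three misuses the man page
# rules out:
#   1. a src4/src6 or dst4/dst6 pair where only one side uses "not";
#   2. "not" after log or loglimit (they do not affect the match);
#   3. uid or gid inside a router definition (interface-only, silently ignored).
# Tokenization is whitespace splitting with globbing disabled, so a quoted
# list such as "eth0 eth1" is seen as two tokens; this approximates FireHOL's
# parser closely enough to find keywords and a following "not".
# Text after '#' is treated as a comment.

check_pair() {   # $1 line number, $2 IPv4 keyword, $3 its state, $4 IPv6 state
    if [ -n "$3" ] && [ -n "$4" ] && [ "$3" != "$4" ]; then
        printf 'line %d: %s/%s must both use "not" or neither\n' "$1" "$2" "${2%4}6"
    fi
}

# Reads a configuration on stdin, prints one line per finding, exits 0.
firehol_lint() {
    lineno=0
    context=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}
        set -f
        # shellcheck disable=SC2086  # word splitting is the tokenizer here
        set -- $line
        set +f
        [ $# -eq 0 ] && continue

        # Track whether the current rule sits in an interface or a router.
        case $1 in
            interface|interface4|interface6|interface46) context=interface ;;
            router|router4|router6|router46)             context=router ;;
        esac

        # Per-rule state for the 4/6 pairs: "" absent, y negated, n plain.
        src4=""; src6=""; dst4=""; dst6=""
        while [ $# -gt 0 ]; do
            kw=$1
            next=${2:-}
            shift
            neg=n
            [ "$next" = not ] && neg=y
            case $kw in
                src4) src4=$neg ;;
                src6) src6=$neg ;;
                dst4) dst4=$neg ;;
                dst6) dst6=$neg ;;
                log|loglimit)
                    [ "$neg" = y ] &&
                        printf 'line %d: %s does not accept "not"\n' "$lineno" "$kw" ;;
                uid|gid)
                    [ "$context" = router ] &&
                        printf 'line %d: %s is interface-only and is ignored in a router\n' "$lineno" "$kw" ;;
            esac
        done
        check_pair "$lineno" src4 "$src4" "$src6"
        check_pair "$lineno" dst4 "$dst4" "$dst6"
    done
    return 0
}

# Constructed firehol.conf fragment (sample data, not a working firewall);
# 192.0.2.0/24 and 2001:DB8::/32 are documentation address ranges.
FIREHOL_CONF_EXAMPLE=$(cat <<'EOF'
version 6

interface46 eth0 lan src4 192.0.2.0/24 src6 2001:DB8:1::/64
    server46 smtp accept src4 not 192.0.2.8 src6 not 2001:DB8:1::8
    server46 http accept src4 not 192.0.2.8 src6 2001:DB8:1::8
    client "pop3 imap" accept uid not "alice bob"
    client all accept log not "lan out"

router4 lan2wan inface eth0 outface eth1
    route smtp accept physin eth0 dst 192.0.2.25
    server http accept uid apache
EOF
)

# Number of findings for the constructed fragment (expected: 3, on lines 5, 7 and 11).
firehol_lint_count() {
    printf '%s\n' "$FIREHOL_CONF_EXAMPLE" | firehol_lint | wc -l | tr -d ' '
}

printf '%s\n' "$FIREHOL_CONF_EXAMPLE" | firehol_lint
```

Run it with `sh lint.sh` and it prints one finding per line for the embedded fragment; to check a real configuration, pipe the file into firehol_lint instead. The lint is deliberately conservative: it only flags the three misuses the man page spells out and does not try to validate addresses, ports or service names.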

Logging

log, loglimit

Use log or loglimit to log matching packets to syslog. Unlike iptables(8) logging, this is not an action: FireHOL will produce multiple iptables(8) commands to accomplish both the action for the rule and the logging.

Logging is controlled using the FIREHOL_LOG_OPTIONS and FIREHOL_LOG_LEVEL environment variables - see firehol-variables(5). loglimit additionally honours the FIREHOL_LOG_FREQUENCY and FIREHOL_LOG_BURST variables.

Specifying level (which takes the same values as FIREHOL_LOG_LEVEL) allows you to override the log level for a single rule.

Lesser Used Parameters

dport, sport

FireHOL also provides dport, sport and limit which are used internally and rarely needed within configuration files.

dport and sport require an argument port which can be a name, number, range (FROM:TO) or a quoted list of ports.

For dport, port specifies the destination port of a request; for sport, port specifies the source port. Both are useful when matching traffic for helper commands (such as nat) where there is no implicit port.

limit

limit requires the arguments frequency and burst and will limit the matching of traffic in both directions.

See Also

firehol(1) - FireHOL program
firehol.conf(5) - FireHOL configuration
firehol-server(5) - server, route commands
firehol-client(5) - client command
firehol-interface(5) - interface definition
firehol-router(5) - router definition
firehol-mark(5) - mark config helper
firehol-tos(5) - tos config helper
firehol-dscp(5) - dscp config helper
firehol-variables(5) - control variables
iptables(8) (http://ipset.netfilter.org/iptables.man…) - administration tool for IPv4 firewalls
ip6tables(8) (http://ipset.netfilter.org/ip6tables.ma…) - administration tool for IPv6 firewalls
FireHOL Website (http://firehol.org/)
FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
FireHOL Online HTML Manual (http://firehol.org/manual)


FireHOL Team.

Referenced By

firehol-actions(5), firehol-classify(5), firehol-client(5), firehol-connmark(5), firehol-dscp(5), firehol-group(5), firehol-interface(5), firehol-mac(5), firehol-mark(5), firehol-masquerade(5), firehol-nat(5), firehol-proxy(5), firehol-router(5), firehol-server(5), firehol-services(5), firehol-tos(5).


firehol-custom(5), firehol-dport(5), firehol-dscp-param(5), firehol-dst(5), firehol-dst4(5), firehol-dst6(5), firehol-dsttype(5), firehol-gid(5), firehol-inface(5), firehol-log(5), firehol-loglimit(5), firehol-mac-param(5), firehol-mark-param(5), firehol-outface(5), firehol-physin(5), firehol-physout(5), firehol-proto(5), firehol-sport(5), firehol-src(5), firehol-src4(5), firehol-src6(5), firehol-srctype(5), firehol-tos-param(5) and firehol-uid(5) are aliases of firehol-params(5).

Built 2.0.1 15 Feb 2015