Package firehol

Simple and powerful firewall and traffic shaping languages

http://firehol.org

FireHOL is a generic firewall generator, meaning that you can design any kind
of local or routing stateful packet filtering firewalls with ease. Install
FireHOL if you want an easy way to configure stateful packet filtering
firewalls on Linux hosts and routers.

FireHOL uses an extremely simple but powerful way to define firewall rules
which it turns into complete stateful iptables firewalls.

You can run FireHOL with the 'helpme' argument to get a configuration
file for the system it is run on, which you can modify according to your
needs. The default configuration file will allow only client traffic
on all interfaces.

General Commands (Section 1)
firehol
Running firehol invokes iptables(8) to manipulate your firewall. Run without any arguments, firehol will present some help on usage. When given CONFIGFILE...
fireqos
FireQOS is a helper to assist you configure traffic shaping on Linux. Run without any arguments, fireqos will present some help on usage. When given CONFIGFILE...
File Formats (Section 5)
firehol-action
The action helper command creates an iptables(8) chain which can be used to control the action of other firewall rules once the firewall is running. For...
firehol-actions
These actions are the actions to be taken on traffic that has been matched by a particular rule. FireHOL will also pass through any actions that iptables(8)...
firehol-blacklist
The blacklist helper command creates a blacklist for the ip list given (which can be in quotes or not). If the type full or one of its aliases is supplied, or...
firehol-classify
The classify helper command puts matching traffic into the specified traffic shaping class. The class is a class as used by iptables(8) and tc(8) (e.g...
firehol-client
The client subcommand defines a client of a service on an interface or router. Any rule-params given to a parent interface or router are inherited by the...
firehol-conf
/etc/firehol/firehol.conf is the default configuration file for firehol(1). It defines the stateful firewall that will be produced.
firehol-connmark
The connmark helper command sets a mark on a whole connection. It applies to both directions.
firehol-dscp
The dscp helper command sets the DSCP field in the headers of packets, to allow QoS shaping.
firehol-group
The group command allows you to group together multiple client and server commands. Grouping commands with common options (see firehol-params(5)) allows the...
firehol-interface
An interface definition creates a firewall for protecting the host on which the firewall is running. The default policy is DROP, so that if no subcommands are...
firehol-iptables
The iptables and ip6tables helper commands pass all of their arguments to the real iptables(8) or ip6tables(8) at the appropriate point during run-time.
firehol-mac
Any mac commands will affect all traffic destined for the firewall host, or to be forwarded by the host. They must be declared before the first router or...
firehol-mark
The mark helper command sets a mark on packets that can be matched by traffic shaping tools for controlling the traffic.
firehol-masquerade
The masquerade helper command sets up masquerading on the output of a real network interface (as opposed to a FireHOL interface definition). If a real-interface...
firehol-modifiers
Without a modifier, interface and router definitions and commands that come before either will be applied to both IPv4 and IPv6. Commands within an interface or...
firehol-nat
Destination NAT is provided by nat to-destination and its synonym dnat. Source NAT is provided by nat to-source and its synonym snat. Redirection to a port on...
firehol-params
Optional rule parameters are accepted by many commands to narrow the match they make. Not all parameters are accepted by all commands so you should check the...
firehol-policy
The policy subcommand defines the default policy for an interface or router. The action can be any of the actions listed in firehol-actions(5).
firehol-protection
The protection subcommand sets protection rules on an interface or router. Flood protections honour the values requests/period and burst. They are used to limit...
firehol-proxy
The transparent_proxy helper command sets up transparent caching for TCP traffic. The transparent_squid helper command sets up the special case for HTTP traffic...
firehol-router
A router definition consists of a set of rules for traffic passing through the host running the firewall. The default policy for router definitions is RETURN...
firehol-server
The server subcommand defines a server of a service on an interface or router. Any rule-params given to a parent interface or router are inherited by the...
firehol-services
service: AH, service: all, service: amanda, service: any, service: anystateless, service: apcupsd, service: apcupsdnis, service: aptproxy, service: asterisk, service...
firehol-tcpmss
The tcpmss helper command sets the MSS (Maximum Segment Size) of TCP SYN packets routed through the firewall. This can be used to overcome situations where Path...
firehol-tos
The tos helper command sets the Type of Service (TOS) field in packet headers.
firehol-tosfix
The tosfix helper command sets the Type of Service (TOS) field in packet headers based on the suggestions given by Erik Hensema in iptables and tc shaping...
firehol-variables
There are a number of variables that control the behaviour of FireHOL. All variables may be set in the main FireHOL configuration file...
firehol-version
The version helper command states the configuration file version. If the value passed is newer than the running version of FireHOL supports, FireHOL will not...
fireqos-class
There is also an optional match parameter called class; see fireqos-params-match(5). Writing class inherits the IPv4/IPv6 version from its enclosing interface...
fireqos-conf
This file defines the traffic shaping that will be applied by fireqos(1). The default configuration file is /etc/firehol/fireqos.conf. It can be overridden from...
fireqos-interface
Writing interface or interface4 applies traffic shaping rules only to IPv4 traffic. Writing interface6 applies traffic shaping rules only to IPv6 traffic...
fireqos-match
Writing match inherits the IPv4/IPv6 version from its enclosing class (see fireqos-class(5)). Writing match4 includes only IPv4 traffic in the match. Writing...
fireqos-params
Some optional parameter names are the same for both class and match. This page exists as a placeholder to help you find the appropriate documentation. If you...
fireqos-params-class
All of the options apply to interface and class statements. Units for speeds are defined in fireqos.conf(5). rate, commit, min: When a committed rate of speed is...
fireqos-params-match
These options apply to match statements. at: By default a match is attached to the parent of its parent class. For example, if its parent is a class directly...