[Firehol-support] Improving FireHOL

Carlos Rodrigues carlos.efr at mail.telepac.pt
Sun Feb 25 18:33:55 CET 2007


On 2/25/07, Vincent Danjean <vdanjean.ml at free.fr> wrote:
>   Now, there are several things I want to add to firehol. Thanks to
> open source, I can hack firehol to add these features for me. But I would be
> very glad if these features interest you too and if they are added upstream.
>   So, here are my thoughts. I will explain what I want (and why) and how
> I think I will implement them. I would be very pleased if you tell me what
> features you are interested in too (i.e. if I can hope they will be added
> upstream when I write them) and if you have comments about what I plan to do.

I, for one, would like to see firehol picking up some steam. I think
it makes a real difference when you want to do something more
complicated... raw iptables commands are nice and all but without
something like firehol one can't really do anything beyond the basics
without getting swamped in a mess of unreadable command scripts.

> New features I want to add:
> A: a support for generating rules (iptables commands) to be run on another
>    computer (something similar to what 'firehol debug' produce)

I'm not sure you can do that, not without losing the power that comes
from the configuration file being a bash script. The configuration may
depend on stuff only available on the target machine itself.

This is similar to the problem of generating input for
"iptables-restore" instead of running the iptables command multiple
times, so I guess you should read this first:

http://article.gmane.org/gmane.comp.security.firewalls.firehol.user/332/

> Why I want these features:
>   I find the configuration language of firehol very powerful and flexible.
> I would like to use it to configure a firewall on a router running OpenWRT.
> However, this router would be VERY slow to compute the rules. And I do not
> want to have to install 'bash' on it. So having firehol compute the rules
> on another computer and installing them on the router 'by hand' would
> please me. So the 'A' feature.

Yup. I run FireHOL on several machines, and one of them is my home
gateway. That box is an old Pentium 133 and it takes it 5 minutes to
generate the rules...

PS: A while ago there was talk about FireHOL having problems with
kernels >= 2.6.19. Any news on that anyone?

-- 
Carlos Rodrigues