[Firehol-support] Improving FireHOL

Vincent Danjean vdanjean.ml at free.fr
Sun Feb 25 15:34:11 GMT 2007


  I started to use FireHOL a few days ago as I wanted a flexible but easy
and powerful firewall. And I find it really nice.
  As I use VLANs (802.1Q), I had to modify firehol-wizard so that they work.
(see Debian bug #411662 [1], which has the little patch)

  Now, there are several things I want to add to firehol. Thanks to
open source, I can hack firehol to add these features for me. But I would be
very glad if these features interest you too and if they are added upstream.
  So, here are my thoughts. I will explain what I want (and why) and how
I think I will implement it. I would be very pleased if you tell me which
features you are interested in too (i.e. if I can hope they will be added
upstream when I write them) and if you have comments about what I plan to do.

New features I want to add:
A: a support for generating rules (iptables commands) to be run on another
   computer (something similar to what 'firehol debug' produce)
B: support for running as a 'normal' user. Of course, new rules cannot be
   installed in this case.
C: a [limited for now] support for IPv6

Why I want these features:
  I find the configuration language of firehol very powerful and flexible.
I would like to use it to configure a firewall on a router running OpenWRT.
However, this router would be VERY slow to compute the rules. And I do not
want to have to install 'bash' on it. So having firehol compute the rules
on another computer and installing them on the router 'by hand' would
please me. Hence the 'A' feature.
  The 'B' feature comes from the fact that I do not want to have to be root
on the computer where I run firehol when I only want to generate rules for
another computer.
  The 'C' feature is because I want to try to use IPv6. I have seen very few
IPv6-capable firewalls. I know that the kernel support is very limited (no
connection tracking, no REDIRECT, ...) but I would be very pleased if I can
use firehol to at least generate rules for a simple stateless IPv6 firewall.

How I think I will implement these features:
  [A] and [B] will require separating the things that must be run on the
machine that will run the rules (i.e. testing the kernel functionalities,
loading kernel modules...) from the things needed to generate the rules
(running the configuration script, ...).
  This will lead to a reorganisation of the code. Probably, this will require
adding new functions containing the current code and calling them either from
where the current code is, or from the generated file (load kernel modules,
check kernel version, ...) before the rules.
  I will also separate file management so that a user can add services from
whichever directory he wants (not only /etc/firehol/services) and so that
firehol does not try to read/write system locations when running in A or B.

  For 'C', I will start by replacing 'iptables' with 'iptables6' and see
what happens. This is a long-term project for me, and I have not read all the
documentation about IPv6 netfilter yet.

  Best regards,

[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=411662
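The separation proposed above (rule generation on an unprivileged workstation, kernel checks and loading on the target) can be sketched without touching FireHOL's code base. The script below is an added example written for this page, not FireHOL's own code and not the author's patch. It assumes the target router ships iptables-restore / ip6tables-restore (standard with the iptables package) and that interface names and open ports are passed in by the caller. The IPv6 variant follows the message's stateless premise: with no IPv6 connection tracking available, return traffic is admitted by accepting TCP segments that are not connection attempts (`! --syn`) plus all ICMPv6, rather than with a state match.

```shell
#!/bin/sh
# Added example: generate firewall rules on one host, as a normal user,
# and emit a separate loader script that does the kernel-side work on the
# router. Nothing in gen_rules or gen_loader touches the kernel, so the
# generator needs neither root nor a matching kernel.

# gen_rules FAMILY WAN_IF "PORT PORT ..."
# FAMILY is 4 or 6. Writes an iptables-restore / ip6tables-restore input
# file to stdout (default-deny INPUT and FORWARD, open OUTPUT).
gen_rules() {
    family=$1; wan=$2; ports=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    if [ "$family" = 4 ]; then
        # Stateful: the IPv4 kernel tracks connections for us.
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo "-A INPUT -i $wan -p icmp -j ACCEPT"
    else
        # Stateless IPv6 (no conntrack available, as the message notes):
        # admit replies to our own TCP connections by accepting anything
        # that is not a SYN, and keep ICMPv6 open (ND, PMTUD depend on it).
        echo "-A INPUT -i $wan -p tcp ! --syn -j ACCEPT"
        echo "-A INPUT -i $wan -p icmpv6 -j ACCEPT"
    fi
    for p in $ports; do
        # Services explicitly exposed on the WAN side (caller-supplied list).
        echo "-A INPUT -i $wan -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# gen_loader FAMILY RULEFILE
# Writes a POSIX sh script to stdout that is meant to run as root on the
# router (no bash needed). The kernel checks live here, not in gen_rules.
gen_loader() {
    family=$1; rulefile=$2
    if [ "$family" = 4 ]; then
        mod=ip_tables; tool=iptables-restore
    else
        mod=ip6_tables; tool=ip6tables-restore
    fi
    cat <<EOF
#!/bin/sh
set -e
[ "\$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
# /proc/net/${mod}_names exists once the table module is present;
# otherwise try to load it before restoring the rule set atomically.
[ -e /proc/net/${mod}_names ] || modprobe $mod
$tool < $rulefile
EOF
}
```

Typical use on the workstation is `gen_rules 6 eth0 "22 80" > rules.v6` and `gen_loader 6 /etc/rules.v6 > load6.sh`; both files are then copied to the router and `load6.sh` run there as root. Because the restore tools replace the whole table in one step, a broken rule file is rejected as a unit rather than leaving the router half-configured, which is the property you want when the generator runs on a different machine from the kernel that will enforce the rules.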
