[Firehol-support] Improving FireHOL

Vincent Danjean vdanjean.ml at free.fr
Sun Feb 25 20:27:49 GMT 2007


Carlos Rodrigues wrote:
> On 2/25/07, Vincent Danjean <vdanjean.ml at free.fr> wrote:
>> New features I want to add:
>> A: support for generating rules (iptables commands) to be run on another
>>    computer (something similar to what 'firehol debug' produces)
> 
> I'm not sure you can do that, not without losing the power that comes
> from the configuration file being a bash script. The configuration may
> depend on stuff only available on the target machine itself.

I know. On my firewall, I add some stuff in the config script so that
IPs, networks, ... are automatically read from the interfaces. Of course,
if I wanted to generate the rules from another machine, this would not
work.
  I'm not saying that FireHOL must be run in two parts on two different
machines. I'm just saying that there is not a lot of work needed to make
this possible. And sometimes this would be really useful, even if there
are some limitations compared to the 'normal' mode.

> This is similar to the problem of generating input for
> "iptables-restore" instead of running the iptables command multiple
> times, so I guess you should read this first:
> 
> http://article.gmane.org/gmane.comp.security.firewalls.firehol.user/332/
> 
>> Why I want these features:
>>   I find the configuration language of firehol very powerful and flexible.
>> I would like to use it to configure a firewall on a router running OpenWRT.
>> However, this router would be VERY slow to compute the rules. And I do not
>> want to have to install 'bash' on it. So having firehol compute the rules
>> on another computer and installing them on the router 'by hand' would
>> please me. So the 'A' feature.
> 
> Yup. I run FireHOL on several machines, and one of them is my home
> gateway. That box is an old Pentium 133 and it takes it 5 minutes to
> generate the rules...

In my case, this is not really a problem of time (although...). It is also
the problem that the box (Linksys WRT54G) is very limited in space (8 MB of
flash and 16 MB of RAM). So, if I wanted to include FireHOL on such a
machine, I would also have to include bash (not present by default) and all
the other tools needed by firehol (chown, expr, iptables-save, ...). This
would increase the size of the image a lot. And I would not be able to fit
the other tools I really need into the 8 MB.

> PS: A while ago there was talk about FireHOL having problems with
> kernels >= 2.6.19. Any news on that anyone?

I use debian kernel 2.6.18. So I do not know.
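The two ideas discussed in this message, feature 'A' (compute the rules on a fast host and install them on the router by hand) and generating iptables-restore input instead of running iptables once per rule, fit together in one small filter. The script below is an added example; it is not part of the original thread and not FireHOL's own code. It assumes the input is one plain "iptables [-t table] ..." command per line (the exact output format of 'firehol debug' is not assumed), it declares the built-in chains of the standard tables with an ACCEPT policy unless a -P command overrides it, and it needs only sh and awk (busybox is enough), so the conversion can run on the build host and the result is loaded on the router with a single iptables-restore. Any address the FireHOL config read from the build host's interfaces is baked into the output, exactly the limitation Carlos points out.

```shell
#!/bin/sh
# Added example (not FireHOL code): turn a stream of plain "iptables ..."
# commands into iptables-restore input. Assumed input format: one command per
# line, "iptables [-t table] -A|-I|-N|-P ...". Needs only sh + awk, no bash.
iptables_to_restore() {
    awk '
    BEGIN {
        # built-in chains of the standard netfilter tables (assumed), declared
        # with an ACCEPT policy unless a -P command in the input overrides it
        builtin["filter"] = "INPUT FORWARD OUTPUT"
        builtin["nat"]    = "PREROUTING INPUT OUTPUT POSTROUTING"
        builtin["mangle"] = "PREROUTING INPUT FORWARD OUTPUT POSTROUTING"
        builtin["raw"]    = "PREROUTING OUTPUT"
        ntab = 0
    }
    function decl(t, c, p) {
        if (!((t, c) in policy)) { chains[t, ++nchain[t]] = c; policy[t, c] = p }
    }
    function add_table(t,    n, parts, k) {
        if (t in nchain) return
        tabs[++ntab] = t; nchain[t] = 0; nrule[t] = 0
        n = split(builtin[t], parts, " ")
        for (k = 1; k <= n; k++) decl(t, parts[k], "ACCEPT")
    }
    function add_chain(t, c) { add_table(t); decl(t, c, "-") }
    $1 != "iptables" && $1 != "ip6tables" { next }
    {
        table = "filter"; kind = ""; chain = ""; pol = ""; rule = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-t" || $i == "--table") { table = $(i + 1); i++; continue }
            if ($i == "-N" || $i == "--new-chain") { kind = "new"; chain = $(i + 1); i++; continue }
            if ($i == "-P" || $i == "--policy") { kind = "pol"; chain = $(i + 1); pol = $(i + 2); i += 2; continue }
            if ($i == "-A" || $i == "--append" || $i == "-I" || $i == "--insert") { kind = "rule"; chain = $(i + 1) }
            # flush / delete-chain / zero are pointless in a fresh restore: drop the line
            if ($i == "-F" || $i == "--flush" || $i == "-X" || $i == "--delete-chain" || $i == "-Z" || $i == "--zero") { kind = "skip"; break }
            rule = (rule == "") ? $i : rule " " $i
        }
        if (kind == "new") add_chain(table, chain)
        else if (kind == "pol") { add_chain(table, chain); policy[table, chain] = pol }
        else if (kind == "rule") { add_chain(table, chain); rules[table, ++nrule[table]] = rule }
        else if (kind != "skip") print "# not converted: " $0   # -D, -R, -L, ...: surfaced, not silently lost
    }
    END {
        for (ti = 1; ti <= ntab; ti++) {
            t = tabs[ti]
            print "*" t
            for (ci = 1; ci <= nchain[t]; ci++) print ":" chains[t, ci] " " policy[t, chains[t, ci]] " [0:0]"
            for (ri = 1; ri <= nrule[t]; ri++) print rules[t, ri]
            print "COMMIT"
        }
    }'
}

# Constructed sample input standing in for the command stream from the build
# host: a default-deny filter table with one user chain, plus NAT.
sample_rules() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -N in_wan
iptables -t filter -A INPUT -i eth0 -j in_wan
iptables -t filter -A in_wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A in_wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -t filter -A in_wan -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Stand-alone demo: print the iptables-restore file for the sample.
sample_rules | iptables_to_restore
```

Usage on the build host is `grep '^iptables' rules.txt | sh firehol2restore.sh > fw.rules` (the file name and the grep pre-filter are assumptions about how the command stream is captured), then `iptables-restore < fw.rules` on the router. Counters are written as [0:0], -F/-X/-Z lines are dropped because iptables-restore starts from a flushed table anyway, and commands the converter does not understand (-D, -R, -L) come out as '#' comment lines at the top of the file, which iptables-restore ignores, so nothing disappears without a trace.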
