[Firehol-support] FireHOL Config Blacklist and Whitelists

Christopher Gilroy chris.gilroy at gmail.com
Fri Oct 9 02:22:38 BST 2015

Thanks for the replies, I just download the 3.0.0-rc.2 version from the
FireHOL site...

I do have one quick additional question too. When using hash:net, should return with ipset saying 1 IP or am I doing something wrong and
it should know how many IPs are in that mask?


ipv4 ipset create whitelistednets hash:net
ipv4 ipset addfile whitelistednets nets /etc/firehol/whitelistednets

If I add a single IP ( and then run: firehol ipset_update_from_file
whitelistednets nets /etc/firehol/whitelistednets, I get: FireHOL: Updating
ipset 'whitelistednets' with options: nets /etc/firehol/whitelistednets...
OK  (0 IPs)
If I make the IP ( it then says: FireHOL: Updating ipset
'whitelistednets' with options: nets /etc/firehol/whitelistednets...  OK
 (1 IPs), hence my confusion.

Note: I do see a small difference between how you run:

ipset4 create blocked hash:net
ipset4 addfile blocked /etc/firehol/blocked

-and- my way would be (probably wrong):

ipv4 ipset create blocked hash:net
ipv4 ipset addfile blocked nets /etc/firehol/blocked


On Thu, Oct 8, 2015 at 4:51 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:

> Hi Christopher.
> > 1) I believe the blacklisted ipset lists are all correct in that
> regardless
> > of what server is configured below, those IPs will still get dropped?
> true
> > 2) I believe that the wan interface is, currently, dropping all packets
> > from the blacklists, and only allowing those IPs contained in the
> > whitelistednets ipset list to have full access to the server?
> almost true. You are dropping all packets from and TO the blacklisted IPs.
> If you want to block only new connections FROM the blacklists, change
> the 'full' keyword to 'input'.
> Using 'input' you will be able to initiate connections to the
> blacklisted IPs, but the blacklisted IPs will not be able to initiate
> connections to you.
> > 3.) All other traffic not contained in the blacklist or whitelist lists
> are
> > dropped, because I don't have any other services configured?
> true
> Keep in mind that if you are using a v3+ kernel and the github version
> of firehol, you can have 'net' ipsets containing both IPs and subnets,
> like this:
> ipset4 create blocked hash:net
> ipset4 addfile blocked /etc/firehol/blocked
> The file '/etc/firehol/blocked' can contain both IPs and subnets.
> Also, the github version of firehol will use the 'iprange' tool
> included in its contrib directory (cd contrib; make install), to
> reduce the lookups made by the kernel for hash:net ipsets.
> Costa

-Chris A. Gilroy

More information about the Firehol-support mailing list