Hey Guys.

I've spent a bit of time looking into the firewall options on debian, and after reviewing a few different solutions my favoriate is Firehol. I'm playing around with a config now, but would LOVE feedback from anyone who's done something similar.

In the following setup I have a linode that is,
- running a web server (http/https),
- potentially using smtp (to send mail through php scripts)
- ssh access through custom port

#!/sbin/firehol

version 5 

RS_TRUSTED_IPS="1.2.3.4" # my real IP isn't 1.2.3.4 :p

server_ssh_ports="tcp/2022"
client_ssh_ports="default"

interface eth0 server src not "${UNROUTABLE_IPS}"
        
   # drop all traffic by default
   policy drop
        
   # protect against common attacks
   protection strong
        
        # outgoing
            
            client "ntp dns smtp smtps" accept
        
        # incoming 
            
            # server ident reject with tcp-reset 
            # server any nolog drop
            
            # basic ping/pong stuff, keep for convenience, remove if security nut
            server "icmp ping" accept
            
            # most services
            server "http https ICMP" accept
            
            # ssh access for me only
            server ssh accept src "$RS_TRUSTED_IPS"

I wasn't too sure about the ident rejecting and nolog features, and I assume I should at least try running strong protection to begin with.

When I ran the Firehol help it tried to configure two sets of eth0 interfaces (with differences in the src/dst) but I thought it might be a little unnecessary.

I'm currently putting this config through it's paces (and learning along the way) but if anyone has had some experience or would like to help me out with what they've done it would be much appreciated.

Firehol is awesome, too bad it doesn't seem to be actively maintained anymore. Does it even work with IPv6?

But if you don't need IPv6 at the moment, that's OK.

Some observations:

- You will want to allow outgoing HTTP(s) connections, at least to some destinations. Most apt-get updates are done through HTTP. Your web apps might need to access remote APIs.

- You can safely enable "server ident reject with tcp-reset" without affecting anything -- unless you're running IRC clients. According to Wikipedia, "The ident protocol is considered dangerous because it allows crackers to gain a list of usernames on a computer system which can later be used for attacks." (But this probably won't matter unless you're actually running identd.)

- I can't tell exactly what "server any nolog drop" is supposed to accomplish, but it seems redundant because you're already dropping everything that isn't specifically allowed. I'd suggest that you keep it commented out.

- Why both icmp and ICMP?

- Update /etc/firehol/RESERVED_IPS with the latest data. Any IP range in this file is included in ${UNROUTABLE_IPS}, but Linux distributions often ship an outdated version of this file. Lots of ranges that were previously reserved (such as 1.0.0.0/8 and 5.0.0.0/8 ) were recently reclaimed and allocated to RIRs due to IPv4 address shortage. Using an outdated list could make your server inaccessible to legitimate users with recently allocated IPs.

- If Firehol throws messages about loadable kernel modules when you start it, just add "FIREHOL_LOAD_KERNEL_MODULES=0" (without quotes) at the beginning of your config file. This often happens in virtual machines.

I'm not too fussed about IPv6 support right now so I think I'll stick with Firehol. I really like the fact that the config doubles as a bash script.

I was thinking about http(s) last night for things like apt-get, thanks for pointing it out.

I couldn't figure out if there was a difference between icmp and ICMP when reading the Firehol services list but they do list them as two services, strange!