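├── .gitignore
├── clean.sh
├── .github
│   └── workflows
│       ├── setup.sh
│       └── publish.yml
├── openwrt
│   ├── firehol
│   │   ├── files
│   │   │   ├── 50-qos
│   │   │   ├── fireqos
│   │   │   ├── firehol
│   │   │   ├── firehol.conf.example
│   │   │   ├── fireqos.conf.example
│   │   │   └── firehol-defaults.conf
│   │   └── Makefile
│   └── iprange
│       └── Makefile
├── x86_64-static
│   ├── iprange
│   │   └── docker-build.sh
│   ├── netdata
│   │   └── docker-build.sh
│   └── docker-setup.sh
├── redhat
│   ├── firehol
│   │   ├── fireqos.init
│   │   ├── firehol.init
│   │   ├── fireqos.service
│   │   ├── firehol.service
│   │   ├── docker-build.sh
│   │   └── firehol.spec
│   ├── iprange
│   │   └── docker-build.sh
│   ├── netdata
│   │   └── docker-build.sh
│   └── docker-setup.sh
├── package.conf
├── setup.sh
└── README.md
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
build/
output/
--------------------------------------------------------------------------------
/clean.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Remove the download cache (build/) and the packaging outputs (output/).
# sudo is needed because the docker-based builds leave root-owned files
# behind. Change to the script's own directory first, so running this from
# somewhere else never deletes an unrelated build/ or output/ in the
# caller's working directory.
cd "$(dirname "$0")" || exit 1

sudo rm -rf -- build output

exit 0
--------------------------------------------------------------------------------
/.github/workflows/setup.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Install the host-side build tools the Github Actions runner needs.

set -e
set -x

# apt-get rather than apt: apt's CLI is not stable for scripting. Refresh
# the (possibly stale) package lists first, and pass -y because there is no
# tty on the runner to answer the confirmation prompt.
sudo apt-get update
sudo apt-get install -y --no-install-recommends ccache
--------------------------------------------------------------------------------
/openwrt/firehol/files/50-qos:
--------------------------------------------------------------------------------
#!/bin/sh
# OpenWrt hotplug.d/iface hook: ensure QOS is restarted e.g. if PPP drops
# and reconnects. Only $ACTION is inspected, so this fires for the ifup of
# every interface, not just the one named in fireqos.conf; "fireqos start"
# is also what the init script uses for restart/reload, so re-running it
# here replaces the previous shaping setup.
if [ "$ACTION" = ifup ] && [ -f /etc/firehol/fireqos.conf ]; then
  /sbin/fireqos start
fi
--------------------------------------------------------------------------------
/x86_64-static/iprange/docker-build.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Static build of iprange inside the alpine container prepared by
# ../docker-setup.sh. It configures and builds in its own directory, so
# it is presumably copied into (or run from) the unpacked iprange source
# tree by the calling build script — confirm against build-*.sh.

set -e

base=$(dirname "$0")
cd "$base"
echo "Running $(basename "$0") in $0"

# Link statically so the resulting binary does not depend on the target
# host having the same libc.
LDFLAGS=-static
export LDFLAGS
./configure
make
--------------------------------------------------------------------------------
/x86_64-static/netdata/docker-build.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Static build of netdata inside the alpine container prepared by
# ../docker-setup.sh. As with iprange, this runs in its own directory and
# is presumably placed in the unpacked source tree by the calling build
# script — confirm against build-*.sh.

set -e

base=$(dirname "$0")
cd "$base"
echo "Running $(basename "$0") in $0"

# Link statically so the resulting binary does not depend on the target
# host having the same libc. The install goes under $(pwd) (DESTDIR), with
# /opt as the prefix inside that staging tree.
LDFLAGS=-static
export LDFLAGS
./configure --prefix=/opt
make
make install DESTDIR="$(pwd)"
--------------------------------------------------------------------------------
/redhat/firehol/fireqos.init:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Startup script to implement /etc/firehol/fireqos.conf pre-defined rules.
# Thin SysV wrapper (only installed for RHEL < 7 by firehol.spec): every
# action (start/stop/...) is delegated to fireqos itself.
#
# chkconfig: - 20 80
#
# description: sets up QOS traffic control
#
# config: /etc/firehol/fireqos.conf
exec /usr/sbin/fireqos "$@"
--------------------------------------------------------------------------------
/redhat/firehol/firehol.init:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Startup script to implement /etc/firehol/firehol.conf pre-defined rules.
# Thin SysV wrapper (only installed for RHEL < 7 by firehol.spec): every
# action (start/stop/...) is delegated to firehol itself.
#
# chkconfig: - 20 80
#
# description: creates stateful iptables packet filtering firewalls.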
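#
# config: /etc/firehol/firehol.conf
exec /usr/sbin/firehol "$@"
--------------------------------------------------------------------------------
/x86_64-static/docker-setup.sh:
--------------------------------------------------------------------------------
#!/bin/sh

set -e

# Set up an alpine linux docker image so we can perform static builds in it
apk update
apk add --no-cache binutils make libgcc musl-dev gcc g++

# FireHOL/Netdata dependencies
apk add --no-cache ipset iptables tcpdump libuuid e2fsprogs-dev zlib-dev
--------------------------------------------------------------------------------
/redhat/firehol/fireqos.service:
--------------------------------------------------------------------------------
[Unit]
Description=FireQOS traffic shaping tool
Documentation=man:fireqos(1) man:fireqos.conf(5)
# tc needs the interface named in fireqos.conf to exist, hence after the
# network is up.
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/fireqos start
ExecStop=/usr/sbin/fireqos stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/redhat/firehol/firehol.service:
--------------------------------------------------------------------------------
[Unit]
Description=Firehol iptables stateful firewall
Documentation=man:firehol(1) man:firehol.conf(5)
# NOTE(review): with After=network.target, interfaces can be up before the
# rules are loaded. systemd.special(7) recommends Wants=/Before=
# network-pre.target for firewall units to close that window; consider it
# if the gap matters, provided firehol.conf does not need name resolution
# at start time.
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/firehol start
ExecStop=/usr/sbin/firehol stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/redhat/firehol/docker-build.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Build any .spec files we find. Runs as root inside the container prepared
# by ../docker-setup.sh (rpmbuild's default tree is ~/rpmbuild, here
# /root/rpmbuild).

set -e

# Resolve to an absolute path: the symlink target below is interpreted
# relative to /root, so a relative $base (e.g. "." when invoked as
# ./docker-build.sh) would make /root/rpmbuild point at itself.
base=$(cd "$(dirname "$0")" && pwd)
cd "$base"
echo "Running $(basename "$0") in $0"

ln -s "$base/rpmbuild" /root/rpmbuild
for i in *.spec
do
  echo "Building $i"
  # The sources are presumably bind-mounted from the host and owned by the
  # host user; rpmbuild wants them owned by the building user.
  chown root:root "$i" "$base"/rpmbuild/SOURCES/*
  rpmbuild -ba "$i"
done
--------------------------------------------------------------------------------
/redhat/iprange/docker-build.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Build any .spec files we find. Runs as root inside the container prepared
# by ../docker-setup.sh (rpmbuild's default tree is ~/rpmbuild, here
# /root/rpmbuild).

set -e

# Resolve to an absolute path: the symlink target below is interpreted
# relative to /root, so a relative $base (e.g. "." when invoked as
# ./docker-build.sh) would make /root/rpmbuild point at itself.
base=$(cd "$(dirname "$0")" && pwd)
cd "$base"
echo "Running $(basename "$0") in $0"

ln -s "$base/rpmbuild" /root/rpmbuild
for i in *.spec
do
  echo "Building $i"
  # The sources are presumably bind-mounted from the host and owned by the
  # host user; rpmbuild wants them owned by the building user.
  chown root:root "$i" "$base"/rpmbuild/SOURCES/*
  rpmbuild -ba "$i"
done
--------------------------------------------------------------------------------
/redhat/netdata/docker-build.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Build any .spec files we find. Runs as root inside the container prepared
# by ../docker-setup.sh (rpmbuild's default tree is ~/rpmbuild, here
# /root/rpmbuild).

set -e

# Resolve to an absolute path: the symlink target below is interpreted
# relative to /root, so a relative $base (e.g. "." when invoked as
# ./docker-build.sh) would make /root/rpmbuild point at itself.
base=$(cd "$(dirname "$0")" && pwd)
cd "$base"
echo "Running $(basename "$0") in $0"

ln -s "$base/rpmbuild" /root/rpmbuild
for i in *.spec
do
  echo "Building $i"
  # The sources are presumably bind-mounted from the host and owned by the
  # host user; rpmbuild wants them owned by the building user.
  chown root:root "$i" "$base"/rpmbuild/SOURCES/*
  rpmbuild -ba "$i"
done
--------------------------------------------------------------------------------
/package.conf:
--------------------------------------------------------------------------------
# This file is sourced by other scripts and details the versions we build

FIREHOL_VERSION=3.1.7
RPM_FIREHOL_RELEASE="1"
FIREHOL_URL=https://github.com/firehol/firehol/releases/download/v$FIREHOL_VERSION
# Optional: expected SHA-256 of firehol-$FIREHOL_VERSION.tar.bz2. When set,
# setup.sh verifies the download against it as well as against the upstream
# .md5 file. The .md5 is fetched from the same origin as the tarball, so on
# its own it only catches transfer corruption, not a tampered release.
# Leave empty to skip the check.
FIREHOL_SHA256=""

IPRANGE_VERSION=1.0.4
RPM_IPRANGE_RELEASE="2"
IPRANGE_URL=https://github.com/firehol/iprange/releases/download/v$IPRANGE_VERSION
# Optional, same meaning as FIREHOL_SHA256 for the iprange tarball.
IPRANGE_SHA256=""
--------------------------------------------------------------------------------
/redhat/docker-setup.sh:
--------------------------------------------------------------------------------
#!/bin/sh

set -e

# Set up a docker image so we can perform RPM builds in it
yum install -y rpm-build make gcc automake autoconf

# FireHOL dependencies. The major release number selects the package set
# (7 vs. later releases); a release string without a dot leaves
# MAJOR_VERSION empty and falls into the "later" branch.
MAJOR_VERSION=$(grep -o -P '[0-9]+\.' /etc/redhat-release | head -n 1 | grep -o -P '[0-9]+')
if [ "${MAJOR_VERSION}" = "7" ]
then
  yum install -y iproute ipset iptables iptables-ipv6 tcpdump systemd zlib-devel libuuid-devel
else
  yum install -y iproute ipset iptables-services kmod tcpdump systemd zlib-devel libuuid-devel procps-ng iproute-tc
fi
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Fetch the upstream source tarballs into build/ and verify them, then
# (re)create the empty output/ tree that the build-*.sh scripts fill.

set -e

. ./package.conf

mkdir -p build
cd build

# Key the download cache on the versioned tarball, not on the .md5 file:
# after a version bump in package.conf a leftover firehol.md5 would
# otherwise keep (and happily verify) the old tarball.
if [ ! -f "firehol-$FIREHOL_VERSION.tar.bz2" ]
then
  wget "$FIREHOL_URL/firehol-$FIREHOL_VERSION.tar.bz2"
  wget -O firehol.md5 "$FIREHOL_URL/firehol-$FIREHOL_VERSION.tar.bz2.md5"
fi

if [ ! -f "iprange-$IPRANGE_VERSION.tar.bz2" ]
then
  wget "$IPRANGE_URL/iprange-$IPRANGE_VERSION.tar.bz2"
  wget -O iprange.md5 "$IPRANGE_URL/iprange-$IPRANGE_VERSION.tar.bz2.md5"
fi

# The .md5 files come from the same release page as the tarballs, so this
# only detects a corrupted transfer; it is no defence against a tampered
# release. When package.conf pins a SHA-256 (FIREHOL_SHA256 /
# IPRANGE_SHA256) the tarball is checked against that as well.
md5sum -c firehol.md5
md5sum -c iprange.md5
if [ -n "${FIREHOL_SHA256:-}" ]
then
  echo "$FIREHOL_SHA256  firehol-$FIREHOL_VERSION.tar.bz2" | sha256sum -c -
fi
if [ -n "${IPRANGE_SHA256:-}" ]
then
  echo "$IPRANGE_SHA256  iprange-$IPRANGE_VERSION.tar.bz2" | sha256sum -c -
fi

cd ..
rm -rf -- output
mkdir -p output/packages
mkdir -p output/checksums

exit 0
--------------------------------------------------------------------------------
/openwrt/firehol/files/fireqos:
--------------------------------------------------------------------------------
#!/bin/sh /etc/rc.common
# OpenWrt init script for FireQOS. START=25 orders it after firehol
# (START=15) when /etc/init.d/fireqos enable creates the rc.d links.
START=25

start() {
  if [ ! -f /etc/firehol/fireqos.conf ]
  then
    echo "Install /etc/firehol/fireqos.conf"
    echo " (for an example, see /etc/firehol/fireqos.conf.example)"
    echo "and test it with:"
    echo " fireqos start"
    exit 1
  fi
  # /proc/sys/kernel/modprobe names the helper the kernel runs to auto-load
  # modules. On images that ship insmod but no modprobe, point it at insmod
  # — presumably so the module loads FireQOS triggers still work; confirm
  # this is still needed on current OpenWrt images.
  if [ -x /sbin/insmod ] && [ ! -x /sbin/modprobe ]
  then
    echo "/sbin/insmod" > /proc/sys/kernel/modprobe
  fi
  /sbin/fireqos start
}

# restart and reload both re-run "fireqos start", which replaces the
# current shaping configuration.
restart() {
  /sbin/fireqos start
}

reload() {
  /sbin/fireqos start
}

stop() {
  /sbin/fireqos stop
}
--------------------------------------------------------------------------------
/openwrt/iprange/Makefile:
--------------------------------------------------------------------------------
include $(TOPDIR)/rules.mk

PKG_NAME:=iprange
PKG_VERSION:=<>
PKG_RELEASE:=1

PKG_BUILD_DIR:=$(BUILD_DIR)/iprange-$(PKG_VERSION)
PKG_SOURCE:=iprange-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=<>
# NOTE(review): the <> placeholders are presumably filled in by the build
# script. Current OpenWrt releases verify sources with PKG_HASH (SHA-256);
# PKG_MD5SUM is the legacy form — confirm it is still honoured by the
# OpenWrt release being targeted.
PKG_MD5SUM:=<>
PKG_CAT:=bzcat

include $(INCLUDE_DIR)/package.mk

define Package/iprange
  SECTION:=utils
  CATEGORY:=Utilities
  DEPENDS:=+libpthread
  TITLE:=iprange - minimise lists of IP addresses
  URL:=https://firehol.org/
endef

define Package/iprange/description
  IP list minimisation utility
  Creates a minimal set of IP address ranges from an arbitrary input
endef

define Build/Configure
	$(call Build/Configure/Default)
endef

define Package/iprange/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/iprange $(1)/usr/bin/
endef

$(eval $(call BuildPackage,iprange))
--------------------------------------------------------------------------------
/openwrt/firehol/files/firehol:
--------------------------------------------------------------------------------
#!/bin/sh /etc/rc.common

# The OpenWRT system uses this to determine start order for links to
# create in /etc/rc.d when you run e.g. /etc/init.d/firehol enable
START=15

start() {
  # Prior to FireHOL 3.1.0 we recommended saving a copy of your firewall
  # for quick restoration. FireHOL now does this automatically provided
  # /etc/firehol/firehol-defaults.conf has preference to restore over
  # start: FIREHOL_RESTORE_INSTEAD_OF_START=1
  #
  # Updates to any files under the config folder /etc/firehol result in a
  # full start, with the changes saved automatically for restoring next time.
  if [ ! -f /etc/firehol/firehol.conf ]
  then
    echo "Install /etc/firehol/firehol.conf"
    echo " (for an example, see /etc/firehol/firehol.conf.example)"
    echo "test it with:"
    echo " firehol try"
    echo "and then disable the default firewall:"
    echo " /etc/init.d/firewall disable"
    exit 1
  fi
  /sbin/firehol start
}

# restart and reload both re-run "firehol start". No stop() is defined
# here, so "/etc/init.d/firehol stop" does not flush the rules (presumably
# deliberate, so the firewall stays up); use "firehol stop" directly if
# that is really wanted.
restart() {
  /sbin/firehol start
}

reload() {
  /sbin/firehol start
}
--------------------------------------------------------------------------------
/openwrt/firehol/files/firehol.conf.example:
--------------------------------------------------------------------------------
version 6

# Set these appropriately for your system
lan="br-lan"
wan="ppp+"

# Remove this when you are confident that the lan and wan variables
# are set correctly.
#
# While this block is present, ping and SSH are accepted on EVERY
# interface, including the WAN, so it is a safety net against locking
# yourself out — not something to leave in a deployed configuration.
interface any removeme
    policy return
    server ping accept
    server ssh accept

# Port forwarding example. If you have multiple external IPs, filter
# them by adding at the end, e.g.: dst $external_ip
# ipv4 dnat to $internal_ip:80 proto tcp dport 80
# ipv4 dnat to $internal_ip:443 proto tcp dport 443

# This is required for IPv6 to work correctly
ipv6 interface any ipv6inter proto icmpv6
    policy return
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6router accept
    server ipv6router accept
    client ipv6mld accept
    server ipv6mld accept

interface "$wan" world
    protection strong
    policy deny

    client all accept
    server ping accept

    client dhcpv6 accept

interface "$lan" local
    policy reject

    client all accept
    server ping accept
    server dns accept
    server "http https" accept
    server dhcp accept
    server dhcpv6 accept
    server ssh accept

router outgoing inface "$lan" outface "$wan" src4 not "${UNROUTABLE_IPV4}" src6 not "${UNROUTABLE_IPV6}"
    # Hide internal IPs
    ipv4 masquerade
    route all accept

router incoming inface "$wan" outface "$lan" src4 not "${UNROUTABLE_IPV4}" src6 not "${UNROUTABLE_IPV6}"
    # e.g....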
56 | # server "http https" accept dst "$internal_ip" 57 | 58 | # Explicitly allow any bridged data, otherwise WiFi <-> LAN can get blocked 59 | # depending on kernel settings 60 | router lan2lan inface "$lan" outface "$lan" 61 | policy accept 62 | -------------------------------------------------------------------------------- /openwrt/firehol/files/fireqos.conf.example: -------------------------------------------------------------------------------- 1 | # Set this appropriately for your system (internet link) 2 | DEVICE=pppoe-wan 3 | 4 | 5 | # my speed is 12200kbit down, 890 up 6 | # I use only 85% of down and 95% of up 7 | INPUT_SPEED="$((12200 * 85 / 100))kbit" 8 | OUTPUT_SPEED="$((890 * 95 / 100))kbit" 9 | 10 | # adsl = ATM overheads calculation 11 | # local = I run pppoe on this linux box 12 | # pppoe-llc = ADSL encapsulation as reported by ADSL modem 13 | LINKTYPE="adsl local pppoe-llc" 14 | # LINKTYPE="adsl local pppoe-llc mtu 1492" 15 | 16 | 17 | # ------------- CUSTOM SERVICES ------------- 18 | # unlike FireHOL, only server ports are needed. 19 | # all the services used but not defined here, are defined internally in FireQOS. 20 | 21 | # VoIP RTP ports. 
22 | # As configured in /etc/asterisk/rtp.conf 23 | server_rtp_ports="udp/10000:10100" 24 | 25 | # League of Legends match, for my kids 26 | server_lol_ports="udp/5000:5500 tcp/8393:8400,2099,5223,5222,8088" 27 | 28 | # My OpenVPN servers 29 | server_openvpn_ports="any/1195:1198" 30 | 31 | # Torrent client configured to listen at a fixed port 32 | server_mytorrent_ports="any/51414" 33 | 34 | 35 | # ------------- INTERFACES ------------- 36 | 37 | interface $DEVICE world bidirectional $LINKTYPE input rate $INPUT_SPEED output rate $OUTPUT_SPEED 38 | 39 | class voip commit 100kbit pfifo 40 | # 1st priority: VoIP 41 | 42 | server sip 43 | client sip 44 | server rtp 45 | client stun 46 | 47 | class interactive input commit 20% output commit 10% 48 | # 2nd priority: ICMP, DNS, SSH 49 | 50 | server icmp 51 | 52 | server dns 53 | client dns 54 | 55 | server ssh 56 | client ssh 57 | 58 | client teamviewer 59 | client lol 60 | 61 | class chat input commit 1000kbit output commit 440kbit 62 | # 3rd priority: chat and conferencing 63 | 64 | client facetime 65 | 66 | server hangouts 67 | client hangouts 68 | 69 | client gtalk 70 | client jabber 71 | 72 | class vpns input commit 20% output commit 10% 73 | # 4th priority: my VPNs 74 | 75 | server pptp 76 | server GRE 77 | server openvpn 78 | 79 | class servers 80 | # 5th priority: the servers I run 81 | 82 | server http 83 | 84 | class surfing prio keep commit 10% 85 | # Again 5th priority (prio keep): Internet Surfing 86 | 87 | client surfing 88 | client rsync 89 | 90 | class synacks 91 | # 6th priority: SYNs and small ACKs for the rest of the traffic 92 | 93 | match tcp syn 94 | match tcp ack 95 | 96 | class default 97 | # 7th priority: default 98 | # unclassified traffic ends up in the 'default' class 99 | # no need to match anything here 100 | 101 | class torrents 102 | # 8th priority: torrents 103 | 104 | client torrents 105 | server mytorrent prio 1 106 | match sports 16384:65535 dports 16384:65535 107 | 108 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FireHOL packages 2 | 3 | This repository is intended to provide 4 | [pre-built packages](https://github.com/firehol/packages/releases/latest) 5 | for distributions that do not have them as standard. 6 | 7 | Current status: 8 | 9 | Package | Architecture | Installs | Runs | Works 10 | ------------------------- | ---------------- | ---------- | ------ | ------- 11 | FireHOL OpenWRT 22.03 ipk | all | ? | ? | ? 12 | FireHOL CentOS/RHEL 8 rpm | all (noarch) | ? | ? | ? 13 | FireHOL CentOS/RHEL 9 rpm | all (noarch) | ? | ? | ? 14 | iprange OpenWRT 22.03 ipk | bcm47xx | ? | ? | ? 15 | iprange OpenWRT 22.03 ipk | ipq806x | ? | ? | ? 16 | iprange CentOS/RHEL 8 rpm | amd64 | ? | ? | ? 17 | iprange CentOS/RHEL 9 rpm | amd64 | ? | ? | ? 18 | 19 | Basically: I run the builds but don't check them personally. I update this 20 | table when people report success/failure. 21 | 22 | It is all something of a best-effort basis, so pull requests to add new 23 | packaging formats, architectures, or updated versions are always welcome. 24 | 25 | # Old packages 26 | 27 | CentOS7/RHEL 7 package build no longer works. Last built RPMs are 28 | [here](https://github.com/firehol/packages/releases/tag/2021-01-01-1948). 29 | 30 | CentOS6/RHEL 6 package build no longer works. Last built RPMs are 31 | [here](https://github.com/firehol/packages/releases/tag/2020-03-19-1724). 32 | 33 | Last builds for OpenWRT 19.07 (and last ar71xx build) are 34 | [here](https://github.com/firehol/packages/releases/tag/2021-01-01-1948). 35 | 36 | Last builds for OpenWRT 18.06 are 37 | [here](https://github.com/firehol/packages/releases/tag/2020-02-18-0552). 
# Releases

Everything gets built by Github Actions; tags are created after a package
update or new output is added, which automatically puts all the
binaries into github releases:

~~~~
git push
# wait...
git tag YYYY-MM-DD-hhmm
git push --tags
~~~~

Each release asset is accompanied by a `.sha` (SHA-512) and a `.md5`
checksum file. Verify downloads against the SHA-512 one; MD5 is not
collision resistant and is kept only for compatibility.

# Building outside Github

Clone the repository and run the common setup script:

~~~~
git clone https://github.com/firehol/packages.git firehol-packages
cd firehol-packages
./setup.sh
~~~~

Then run any individual (`build-PLATFORM.sh`) scripts you are interested
in, e.g.:

~~~~
./build-openwrt.sh
~~~~

Provided everything works, the outputs all go to `output/packages`
(the directory `setup.sh` creates, listed in `.gitignore`).
If something goes wrong you most likely need to install a
[dependency](#dependencies) on your build host.

Github Actions runs each `build-*.sh` script in order and provided
everything builds OK, it builds checksums in `output/checksums`.

## Dependencies

* The OpenWRT builds need ccache and basic build tools (make etc.)
installed 79 | * The CentOS/Redhat builds need docker (docker.io on Ubuntu) installed 80 | and to be able to run sudo 81 | -------------------------------------------------------------------------------- /.github/workflows/publish.yml: -------------------------------------------------------------------------------- 1 | on: [ push, pull_request, workflow_dispatch ] 2 | 3 | jobs: 4 | prep: 5 | runs-on: ubuntu-latest 6 | name: Prepare build 7 | steps: 8 | - name: Extract tag/branch variables 9 | shell: bash 10 | run: | 11 | echo "tag=$(echo ${GITHUB_REF#refs/tags/}|grep -v '/')" >> $GITHUB_OUTPUT 12 | echo "branch=$(echo ${GITHUB_REF#refs/heads/}|grep -v '/')" >> $GITHUB_OUTPUT 13 | id: extract 14 | outputs: 15 | tag: ${{ steps.extract.outputs.tag }} 16 | branch: ${{ steps.extract.outputs.branch }} 17 | 18 | build: 19 | runs-on: ubuntu-latest 20 | name: Build packages 21 | needs: prep 22 | steps: 23 | - uses: actions/checkout@v4 24 | - name: Set up build tools 25 | run: ./.github/workflows/setup.sh 26 | - name: Run build 27 | run: | 28 | ./setup.sh 29 | for i in build-*.sh 30 | do 31 | ./$i || exit 1 32 | done 33 | - name: Create checksums 34 | run: | 35 | cd output/packages 36 | for i in * 37 | do 38 | md5sum -b $i > ../checksums/$i.md5 39 | sha512sum -b $i > ../checksums/$i.sha 40 | done 41 | - name: Upload build artifacts 42 | uses: actions/upload-artifact@v4 43 | with: 44 | name: build-artifacts 45 | path: | 46 | output/packages/* 47 | output/checksums/* 48 | 49 | validate_build: 50 | runs-on: ubuntu-latest 51 | name: List build content if not tagged 52 | needs: [ prep, build ] 53 | if: ${{ needs.prep.outputs.tag == '' }} 54 | steps: 55 | - name: Download artifacts 56 | uses: actions/download-artifact@v4.1.7 57 | with: 58 | name: build-artifacts 59 | - name: List artifacts 60 | run: ls -lR 61 | 62 | publish_tag: 63 | runs-on: ubuntu-latest 64 | name: Publish to github if tag 65 | needs: [ prep, build ] 66 | if: ${{ needs.prep.outputs.tag != '' }} 67 | steps: 68 | 
- name: Download artifacts 69 | uses: actions/download-artifact@v4.1.7 70 | with: 71 | name: build-artifacts 72 | - name: Create Release 73 | id: create_release 74 | uses: actions/create-release@v1 75 | env: 76 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 77 | with: 78 | tag_name: ${{ github.ref }} 79 | release_name: Release ${{ github.ref }} 80 | draft: false 81 | - name: Upload packages 82 | uses: actions/github-script@v3 83 | with: 84 | github-token: ${{secrets.GITHUB_TOKEN}} 85 | script: | 86 | const path = require('path'); 87 | const fs = require('fs'); 88 | const release_id = '${{ steps.create_release.outputs.id }}'; 89 | for (let file of await fs.readdirSync('./packages/')) { 90 | console.log('uploadReleaseAsset', file); 91 | await github.repos.uploadReleaseAsset({ 92 | owner: context.repo.owner, 93 | repo: context.repo.repo, 94 | release_id: release_id, 95 | name: file, 96 | data: await fs.readFileSync(`./packages/${file}`) 97 | }); 98 | } 99 | - name: Upload checksums 100 | uses: actions/github-script@v3 101 | with: 102 | github-token: ${{secrets.GITHUB_TOKEN}} 103 | script: | 104 | const path = require('path'); 105 | const fs = require('fs'); 106 | const release_id = '${{ steps.create_release.outputs.id }}'; 107 | for (let file of await fs.readdirSync('./checksums/')) { 108 | console.log('uploadReleaseAsset', file); 109 | await github.repos.uploadReleaseAsset({ 110 | owner: context.repo.owner, 111 | repo: context.repo.repo, 112 | release_id: release_id, 113 | name: file, 114 | data: await fs.readFileSync(`./checksums/${file}`) 115 | }); 116 | } 117 | -------------------------------------------------------------------------------- /openwrt/firehol/Makefile: -------------------------------------------------------------------------------- 1 | include $(TOPDIR)/rules.mk 2 | 3 | PKG_NAME:=firehol 4 | PKG_VERSION:=<> 5 | PKG_RELEASE:=1 6 | 7 | PKG_BUILD_DIR:=$(BUILD_DIR)/firehol-$(PKG_VERSION) 8 | PKG_SOURCE:=firehol-$(PKG_VERSION).tar.bz2 9 | PKG_SOURCE_URL:=<> 
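# NOTE(review): the <> placeholders are presumably filled in by the build
# script. Current OpenWrt releases verify sources with PKG_HASH (SHA-256);
# PKG_MD5SUM is the legacy form — confirm it is still honoured by the
# OpenWrt release being targeted.
PKG_MD5SUM:=<>
PKG_CAT:=bzcat

include $(INCLUDE_DIR)/package.mk

define Package/firehol
  SECTION:=net
  CATEGORY:=Network
  PKGARCH:=all
  DEPENDS:=+bash +ip-full +coreutils-fold +flock \
	+grep +ipset +tc \
	+kmod-ifb +kmod-sched +kmod-dummy +kmod-sched-connmark \
	+iptables-mod-extra +iptables-mod-conntrack-extra \
	+iptables-mod-ipopt
  TITLE:=firehol and fireqos - firewalling and QOS for humans
  URL:=https://firehol.org/
endef

define Package/firehol/description
  FireHOL - a firewall for humans
  FireQOS - traffic management for humans
  Related tools
endef

# Only firehol and fireqos are packaged; the remaining tools and the docs
# are disabled to keep the ipk small.
CONFIGURE_ARGS += \
	--disable-doc \
	--disable-man \
	--disable-firehol-wizard \
	--disable-link-balancer \
	--disable-update-ipsets \
	--disable-vnetbuild

CONFIGURE_VARS += \
	IPRANGE_VERSION=1.0.3 \
	BASH_VERSION=4 \
	BASH_VERSION_PATH=/bin/bash

# This list generated by inspecting the results of running
# ./configure on an actual openwrt router - there's no point
# in detecting the locations on the build host.
#
# A value of "x" marks a tool that is not present on the router; the sed
# in Package/firehol/install rewrites "x" to "" in install.config so
# FireHOL treats the tool as unavailable instead of using whatever
# configure would have found on the build host.
CONFIGURE_VARS += \
	BASENAME=/usr/bin/basename \
	BRIDGE=x \
	CAT=/bin/cat \
	CHMOD=/bin/chmod \
	CHOWN=/bin/chown \
	CP=/bin/cp \
	CURL=x \
	CUT=/usr/bin/cut \
	DATE=/bin/date \
	DIFF=x \
	DIRNAME=/usr/bin/dirname \
	DOT=x \
	EGREP=/usr/bin/grep\ -E \
	ENV=x \
	EXPR=/usr/bin/expr \
	FIND=/usr/bin/find \
	FLOCK=/usr/bin/flock \
	FOLD=/usr/bin/fold \
	FUNZIP=x \
	JQ=x \
	GAWK=/usr/bin/awk \
	GIT=x \
	GREP=/usr/bin/grep \
	HEAD=/usr/bin/head \
	HOSTNAME=x \
	IP6TABLES=/usr/sbin/ip6tables \
	IP6TABLES_RESTORE=/usr/sbin/ip6tables-restore \
	IP6TABLES_SAVE=/usr/sbin/ip6tables-save \
	IP=/usr/sbin/ip \
	IPRANGE=x \
	IPSET=/usr/sbin/ipset \
	IPTABLES=/usr/sbin/iptables \
	IPTABLES_RESTORE=/usr/sbin/iptables-restore \
	IPTABLES_SAVE=/usr/sbin/iptables-save \
	LN=x \
	LOGGER=/usr/bin/logger \
	LS=/bin/ls \
	LSMOD=/usr/sbin/lsmod \
	MKDIR=/bin/mkdir \
	MKTEMP=/bin/mktemp \
	MODPROBE=/usr/sbin/modprobe\ -q \
	MORE=/usr/bin/less \
	MV=/bin/mv \
	NEATO=x \
	NFACCT=x \
	PING6=/bin/ping\ -6 \
	PING=/bin/ping \
	READLINK=/usr/bin/readlink \
	RENICE=: \
	RMMOD=/usr/sbin/rmmod \
	RM=/bin/rm \
	SCREEN=x \
	SED=/bin/sed \
	SEQ=/usr/bin/seq \
	SH=x \
	SLEEP=/bin/sleep \
	SORT=/usr/bin/sort \
	SS=x \
	STTY=: \
	SYSCTL=/sbin/sysctl \
	TAIL=/usr/bin/tail \
	TAR=x \
	TCPDUMP=/usr/sbin/tcpdump \
	TC=/usr/sbin/tc \
	TOUCH=/bin/touch \
	TPUT=x \
	TRACEROUTE=x \
	TR=/usr/bin/tr \
	UNAME=/bin/uname \
	UNIQ=/usr/bin/uniq \
	UNZIP=x \
	WC=/usr/bin/wc \
	WGET=x \
	WHOIS=x \
	ZCAT=/bin/zcat

define Build/Configure
	$(call Build/Configure/Default)
endef

define Package/firehol/install
	$(INSTALL_DIR) $(1)/usr/lib/firehol/$(PKG_VERSION)
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/sbin/firehol $(1)/usr/lib/firehol/$(PKG_VERSION)
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/sbin/fireqos $(1)/usr/lib/firehol/$(PKG_VERSION)
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/sbin/functions.common $(1)/usr/lib/firehol/$(PKG_VERSION)
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/sbin/services.common $(1)/usr/lib/firehol/$(PKG_VERSION)
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/sbin/services.firehol $(1)/usr/lib/firehol/$(PKG_VERSION)
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/sbin/services.fireqos $(1)/usr/lib/firehol/$(PKG_VERSION)
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/sbin/install.config $(1)/usr/lib/firehol/$(PKG_VERSION)

	# Remove any programs that we do not expect to find and change
	# the default spool directory to one that will persist, enabling
	# the fast startup functionality to work.
	$(INSTALL_DIR) $(1)/etc/firehol-spool/
	sed -i -e 's/"x"/""/' -e '/FIREHOL_SPOOL_DIR=/s:=.*:=/etc/firehol-spool:' $(1)/usr/lib/firehol/$(PKG_VERSION)/install.config

	$(INSTALL_DIR) $(1)/etc/firehol/
	$(INSTALL_DIR) $(1)/etc/firehol/services
	$(INSTALL_CONF) files/firehol-defaults.conf $(1)/etc/firehol/
	$(INSTALL_CONF) files/firehol.conf.example $(1)/etc/firehol/
	$(INSTALL_CONF) files/fireqos.conf.example $(1)/etc/firehol/

	$(INSTALL_DIR) $(1)/sbin
	ln -s /usr/lib/firehol/$(PKG_VERSION)/firehol $(1)/sbin/firehol
	ln -s /usr/lib/firehol/$(PKG_VERSION)/fireqos $(1)/sbin/fireqos

	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) files/firehol $(1)/etc/init.d/
	$(INSTALL_BIN) files/fireqos $(1)/etc/init.d/

	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface/
	$(INSTALL_CONF) files/50-qos $(1)/etc/hotplug.d/iface/
endef

$(eval $(call BuildPackage,firehol))
--------------------------------------------------------------------------------
/redhat/firehol/firehol.spec: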
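--------------------------------------------------------------------------------
# RPM spec for FireHOL: the firehol and fireqos rule generators plus the
# update-ipsets helper.  "Version:" and the Source0 directory are left as "<>"
# placeholders, so this spec is not buildable until the build driver fills
# them in (presumably the sibling docker-build.sh -- TODO confirm).
# Every "rhel < 7" conditional selects SysV init scripts and the pre-systemd
# package names; all other targets get systemd units.
Name: firehol
Version: <>
Release: %{?dist}
Summary: Simple and powerful firewall and traffic shaping languages
License: GPLv2+
URL: http://firehol.org
Source0: <>/firehol-%{version}.tar.bz2
# Service-manager integration files, chosen per target; installed in the
# install section below.
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
Source1: firehol.init
Source2: fireqos.init
%else
Source1: firehol.service
Source2: fireqos.service
%endif
# Pure shell, no compiled code: the package is architecture independent.
BuildArch: noarch
# Build-time dependencies.
BuildRequires: iprange
BuildRequires: iproute
BuildRequires: ipset
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
BuildRequires: iptables
BuildRequires: iptables-ipv6
BuildRequires: procps-ng
BuildRequires: iproute-tc
%else
BuildRequires: iptables-services
BuildRequires: kmod
%endif
BuildRequires: tcpdump
# The empty first branch is intentional: there is no systemd on rhel < 7.
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
%else
BuildRequires: systemd
%endif
# Run-time tools that the generated firewall scripts call.
Requires: coreutils
Requires: gawk
Requires: grep
Requires: gzip
Requires: ipset
Requires: iproute
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
Requires: iptables
Requires: iptables-ipv6
%else
Requires: iptables-services
Requires: kmod
Requires: procps-ng
Requires: iproute-tc
%endif
Requires: less
Requires: sed
Requires: util-linux
Requires: tcpdump
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
Requires: module-init-tools
%else
Requires: kmod
# The scriptlets below call the systemd macros, so systemd must be present
# at post/preun/postun time.
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%endif

%description
FireHOL is a generic firewall generator, meaning that you can design any kind
of local or routing stateful packet filtering firewalls with ease. Install
FireHOL if you want an easy way to configure stateful packet filtering
firewalls on Linux hosts and routers.

FireHOL uses an extremely simple but powerful way to define firewall rules
which it turns into complete stateful iptables firewalls.

You can run FireHOL with the 'helpme' argument, to get a configuration
file for the system run, which you can modify according to your
needs. The default configuration file will allow only client traffic
on all interfaces.

%prep
%setup -q

%build
# The link balancer and vnetbuild tools are not packaged.
%configure \
  --disable-link-balancer \
  --disable-vnetbuild
make %{?_smp_mflags}

%install
rm -rf "%{buildroot}"
make %{?_smp_mflags} install DESTDIR="%{buildroot}"
# Fixup the symlinks manually: replace the installed sbin entries with links
# to the versioned libexec copies.  The sbindir macro is used here so the
# paths agree with the files list and with the --sbindir the configure macro
# passed to the build (on RHEL it expands to /usr/sbin either way).
rm %{buildroot}%{_sbindir}/firehol
rm %{buildroot}%{_sbindir}/fireqos
rm %{buildroot}%{_sbindir}/update-ipsets
ln -s %{_libexecdir}/firehol/%{version}/firehol %{buildroot}%{_sbindir}
ln -s %{_libexecdir}/firehol/%{version}/fireqos %{buildroot}%{_sbindir}
ln -s %{_libexecdir}/firehol/%{version}/update-ipsets %{buildroot}%{_sbindir}

%if 0%{?rhel} > 0 && 0%{?rhel} < 7
# SysV init scripts must be executable (0755); unit files must not be (0644).
mkdir -p %{buildroot}%{_initrddir}
install -pm755 %{S:1} %{buildroot}%{_initrddir}/firehol
install -pm755 %{S:2} %{buildroot}%{_initrddir}/fireqos
%else
# Install systemd units.
mkdir -p %{buildroot}%{_unitdir}
install -pm644 %{S:1} %{S:2} %{buildroot}%{_unitdir}
%endif

# Install runtime directories.
mkdir -p %{buildroot}%{_sysconfdir}/firehol/services
mkdir -p %{buildroot}%{_localstatedir}/spool/firehol

# Empty placeholder configurations.  They are listed as config(noreplace)
# below, so an administrator-edited file is never overwritten on upgrade.
touch %{buildroot}%{_sysconfdir}/firehol/firehol.conf \
  %{buildroot}%{_sysconfdir}/firehol/fireqos.conf

%post
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
# Register the init scripts; they stay disabled until the admin enables them.
/sbin/chkconfig --add firehol
/sbin/chkconfig --add fireqos
%else
%systemd_post firehol.service
%systemd_post fireqos.service
%endif

%preun
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
# $1 is the number of package instances left after this transaction:
# 0 means a full removal, so stop both services and unregister the init
# scripts.  Stopping firehol leaves the host without its packet filter,
# which is the expected outcome of removing the package.
# ($1 is quoted for consistency with the postun test below.)
if [ "$1" = 0 ] ; then
  /sbin/service firehol stop >/dev/null 2>&1
  /sbin/service fireqos stop >/dev/null 2>&1
  /sbin/chkconfig --del firehol
  /sbin/chkconfig --del fireqos
fi
%else
%systemd_preun firehol.service
%systemd_preun fireqos.service
%endif

%postun
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
# $1 >= 1 means an upgrade: condrestart only restarts services that were
# already running, so the new version becomes active without enabling
# anything that was off.  Failures are ignored on purpose (|| :).
if [ "$1" -ge "1" ] ; then
  /sbin/service firehol condrestart >/dev/null 2>&1 || :
  /sbin/service fireqos condrestart >/dev/null 2>&1 || :
fi
%else
%systemd_postun_with_restart firehol.service
%systemd_postun_with_restart fireqos.service
%endif

%files
%doc README THANKS examples contrib
%doc doc/firehol
%doc doc/fireqos
%dir %{_sysconfdir}/firehol
# noreplace: a modified config is kept and the packaged one lands as .rpmnew.
%config(noreplace) %{_sysconfdir}/firehol/firehol.conf
%config(noreplace) %{_sysconfdir}/firehol/fireqos.conf
%{_sysconfdir}/firehol/firehol.conf.example
%{_sysconfdir}/firehol/fireqos.conf.example
%{_sysconfdir}/firehol/services/bittorrent.conf.example
%if 0%{?rhel} > 0 && 0%{?rhel} < 7
%{_initrddir}/firehol
%{_initrddir}/fireqos
%else
%{_unitdir}/firehol.service
%{_unitdir}/fireqos.service
%endif
# These three are the symlinks created in the install section.
%{_sbindir}/firehol
%{_sbindir}/fireqos
%{_sbindir}/update-ipsets
%{_docdir}/firehol/html/*
%{_docdir}/firehol/contrib/*
%{_docdir}/firehol/examples/*
%{_docdir}/firehol/*.pdf
%{_mandir}/man1/*.1*
%{_mandir}/man5/*.5*
%{_datadir}/update-ipsets/webdir/*
%dir %{_sysconfdir}/firehol/services/
%{_localstatedir}/spool/firehol
# Versioned program copies that the sbin symlinks point at.
%{_libexecdir}/firehol/%{version}/firehol
%{_libexecdir}/firehol/%{version}/fireqos
%{_libexecdir}/firehol/%{version}/update-ipsets
%{_libexecdir}/firehol/%{version}/functions.common
%{_libexecdir}/firehol/%{version}/install.config
%{_libexecdir}/firehol/%{version}/services.common
%{_libexecdir}/firehol/%{version}/services.firehol
%{_libexecdir}/firehol/%{version}/services.fireqos

%changelog
* Sat Feb 15 2020 John Ramsden - 3.1.1-2
- Enable update-ipsets
* Thu Jan 19 2017 Phil Whineray - 3.1.1-1
- Imported from final RedHat version, updated for v3.1.1 package
--------------------------------------------------------------------------------
/openwrt/firehol/files/firehol-defaults.conf:
--------------------------------------------------------------------------------
# --- BEGIN OF FIREHOL DEFAULTS ---
#

# These are the defaults for FireHOL.
# You can set everything system-wide here, or set any or all
# of these in your firewall config file.
# The options set in the firewall config file have the highest
# priority (they override the values set here).

# FireHOL config directory.
# EVEN IF YOU CHANGE THIS, THE firehol-defaults.conf FILE
# SHOULD STILL EXIST IN /etc/firehol
FIREHOL_CONFIG_DIR="/etc/firehol"

# FireHOL services directory.
# FireHOL will look into this directory for service
# definition files (*.conf).
# Package maintainers may install their service definitions
# in this directory.
# Default: /etc/firehol/services
FIREHOL_SERVICES_DIR="${FIREHOL_CONFIG_DIR}/services"

# Where to permanently save state information?
# Default: /etc/firehol-spool
# NOTE(review): this build takes the value from the environment instead of
# setting the documented default, so it is empty unless the caller exports
# FIREHOL_SPOOL_DIR -- confirm the OpenWrt init script does.
FIREHOL_SPOOL_DIR="${FIREHOL_SPOOL_DIR}"

# Where temporary files should go?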
# /var/run is usually a ram drive, so we prefer to use
# this for temporary files.
# Default: /var/run/firehol
# On OpenWrt /var is typically a symlink into /tmp (tmpfs), so this path
# is the same location as the upstream default.
# NOTE(review): /tmp is world-writable; FireHOL is expected to create and
# own this directory itself (presumably as root) -- confirm it does not
# silently reuse a pre-existing directory created by another user.
FIREHOL_RUN_DIR="/tmp/run/firehol"

# Restore instead of Start when possible.
# If set to 1, FireHOL will actually do a 'restore' when a
# 'start' is requested.
# If enabled and the config files have not changed since
# the last successful activation, the last successfully
# activated firewall will be restored.
# THIS OPTION SHOULD NOT BE ENABLED IF THE FIREWALL CONFIG
# IS USING DYNAMIC DETECTION OF SERVER PORTS OR OTHER DATA
# THAT MAY INFLUENCE THE GENERATED RULES.
# On the other hand, if the firewall is always static
# this option provides fast startup of the firewall.
# Default: 0
# NOTE: this build enables it (the documented default is 0).  Any rule
# that depends on data probed at start time will therefore be served
# from the last saved ruleset until the config file itself changes.
FIREHOL_RESTORE_INSTEAD_OF_START="1"

# Enable IPv4 firewall
# Default: 1
ENABLE_IPV4="1"

# Enable IPv6 firewall
# Default: 1
ENABLE_IPV6="1"

# Syslog facility to use when logging FireHOL events.
# This is only used by FireHOL, not the iptables packet
# logging mechanism.
# Default: daemon
FIREHOL_SYSLOG_FACILITY="daemon"

# FireHOL can wait for an interface to come up.
# Set the interface name to wait for, here.
# Default: check the environment variable, if any
WAIT_FOR_IFACE="${WAIT_FOR_IFACE}"

# External program to call on 'start' (successful or
# failed), 'stop' and 'panic'
# It will be run like this:
# "${FIREHOL_NOTIFICATION_PROGRAM}" "${FIREHOL_CONFIG}" "${result}" "${restored}" "${work_error}" "${work_runtime_error}"
# where
# FIREHOL_CONFIG is the filename of the config
# result is either empty, OK or FAILED
# restored is either NO, OK or FAILED
# work_error is the count of pre-processing errors encountered
# work_runtime_error is the count of post-processing errors encountered
# Default: check the environment variable, if any
# NOTE(review): the program is executed with FireHOL's own privileges
# (presumably root), so it should be root-owned and not writable by
# other users.
FIREHOL_NOTIFICATION_PROGRAM="${FIREHOL_NOTIFICATION_PROGRAM}"


# ----------------------------------------------------------------------
# RUNTIME CONTROL VARIABLES

# These do not affect the final firewall output. They just control how
# FireHOL behaves.
# They can also be set as environment variables of the same name.
# The ${VAR-default} form below keeps an exported value (even an empty
# one) and falls back to the default only when the variable is unset.

# If set to 1, FireHOL will attempt to activate the firewall with
# iptables-restore. This is a lot faster firewall activation.
# The only drawback of this, is that in case of error, FireHOL may be
# unable to identify the exact statement in the firewall config that
# caused the error.
# Default: 1
FIREHOL_FAST_ACTIVATION="${FIREHOL_FAST_ACTIVATION-1}"

# If set to 0, firehol will not try to load the required kernel modules
# Generally, FireHOL is able to detect if a module is compiled in the
# kernel, even if this is set to 1.
# Default: 1
FIREHOL_LOAD_KERNEL_MODULES="${FIREHOL_LOAD_KERNEL_MODULES-1}"

# Firewall Policy during firewall activation
# Default: ACCEPT
# Possible values: ACCEPT, REJECT, DROP
# ACCEPT avoids cutting the administrator's own session while the rules
# are being loaded, at the cost of an open policy for that interval;
# DROP closes that interval.
FIREHOL_INPUT_ACTIVATION_POLICY="${FIREHOL_INPUT_ACTIVATION_POLICY-ACCEPT}"
FIREHOL_OUTPUT_ACTIVATION_POLICY="${FIREHOL_OUTPUT_ACTIVATION_POLICY-ACCEPT}"
FIREHOL_FORWARD_ACTIVATION_POLICY="${FIREHOL_FORWARD_ACTIVATION_POLICY-ACCEPT}"

# Do we allow pre-existing connections to continue during activation?
# If this is set to 0 and FIREHOL_FAST_ACTIVATION is also set to 0, then
# every time the firewall is activated, existing connections will be disrupted.
# Default: 1
FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT="${FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT-1}"

# Set this to 1 to have firehol load NAT kernel modules
# It will be enabled automatically if nat commands are given in the firewall
# Default: 0
FIREHOL_NAT="${FIREHOL_NAT-0}"

# Set this to 1 to enable routing of packets in the kernel
# It will be enabled automatically if routers are defined in the firewall
# Default: 0
FIREHOL_ROUTING="${FIREHOL_ROUTING-0}"

# If you want to restore the firewall using the iptables init script of
# your distribution, set here the paths where it expects the rules.
# These settings are only saved when 'save' is requested at the command line.
# Default: unset for automatic detection.
FIREHOL_AUTOSAVE=
FIREHOL_AUTOSAVE6=

# Ready to use values for various distributions:
#
# Gentoo
# Check: /etc/conf.d/iptables and ip6tables
#FIREHOL_AUTOSAVE="/var/lib/iptables/rules-save"
#FIREHOL_AUTOSAVE6="/var/lib/ip6tables/rules-save"
#
# Arch
# Check: /usr/lib/systemd/system/iptables.service and ip6tables.service
#FIREHOL_AUTOSAVE=/etc/iptables/iptables.rules
#FIREHOL_AUTOSAVE6=/etc/iptables/ip6tables.rules


# ----------------------------------------------------------------------
# FIREWALL CONFIGURATION VARIABLES

# These affect the final output firewall.
# They can also be set in the firewall config file.

# The default policy for the interfaces of the firewall.
# This can be controlled on a per interface basis using the
# policy interface subcommand.
# Default: DROP
# Possible Values: DROP REJECT RETURN
DEFAULT_INTERFACE_POLICY="DROP"

# The default policy for the router commands of the firewall.
# This can be controlled on a per interface basis using the
# policy interface subcommand.
# Default: RETURN
# Possible Values: DROP REJECT RETURN
DEFAULT_ROUTER_POLICY="RETURN"

# Should we drop all INVALID packets always?
# INVALID packets as seen by the connection tracker.
# Default: 0
# With 0, INVALID packets are not dropped up front and fall through to
# the normal rules.
FIREHOL_DROP_INVALID=0

# At the end of the firewall, there may be packets not matched
# anywhere. What to do with them?
# Default: DROP
# Possible Values: DROP REJECT
UNMATCHED_INPUT_POLICY="DROP"
UNMATCHED_OUTPUT_POLICY="DROP"
UNMATCHED_ROUTER_POLICY="DROP"

# The client ports to be used for "default" client ports when the
# client specified is a foreign host.
# Note that FireHOL will ask the kernel for default client ports of
# the local host. This setting only applies to client ports of remote hosts.
# Default: 1024:65535
DEFAULT_CLIENT_PORTS="1024:65535"

# If set to 0, FireHOL will NOT trust interface lo for all traffic, thus
# a firewall could be set up on lo.
# Default: 1
# With 1, loopback traffic bypasses the generated rules entirely.
FIREHOL_TRUST_LOOPBACK=1


# ----------------------------------------------------------------------
# IPTABLES MARKS BITMASKING

# FireHOL allows multiple independent MARKs.
# By default FireHOL requires 'connmark' and 'usermark'.
# The possible values supported by each may be defined here.
# The value must be a power of two.

# reset the internal marks to empty - do not remove
# (the order of this block matters: marksreset must precede every markdef)
marksreset

# connmarks are used by the connmark helper
markdef connmark 64

# usermark are used by the mark helper
markdef usermark 128

# Additional types may be defined like this:
# markdef qosmark 8
# To use it use 'custommark' helper and match
# The first argument to both is the mark name (qosmark in this case)
markdef qosmark 2 stateless permanent


# ----------------------------------------------------------------------
# IPTABLES PACKETS LOGGING

# LOG mode for iptables
# Default: LOG
# Possible Values: LOG, ULOG, NFLOG
# LOG = syslog
# We recommend to install ulogd and use NFLOG.
FIREHOL_LOG_MODE="LOG"

# Accepts anything iptables accepts for each mode.
# Check: iptables -j LOG --help
# iptables -j ULOG --help
# iptables -j NFLOG --help
# Default: empty
FIREHOL_LOG_OPTIONS=""

# FireHOL can prefix each log with a keyword.
# Default: empty
FIREHOL_LOG_PREFIX=""

# Used only for FIREHOL_LOG_MODE="LOG"
# The syslog level to be used when logging packets.
FIREHOL_LOG_LEVEL="debug"

# For loglimit, these are the frequency and the burst
# of logging. They are applied per logging rule, not across
# the firewall.
# These bound how fast a single rule can write to the log, which limits
# log flooding from a burst of matching packets.
FIREHOL_LOG_FREQUENCY="1/second"
FIREHOL_LOG_BURST="5"

# If set to 1, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
# In modern kernels, the connection tracker detects closed sockets
# and removes them from memory before receiving the FIN,ACK from the remote
# party. This makes FireHOL log these packets when they will be received.
# To silently drop these packets, enable this option.
# Default: 1
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=1


# ----------------------------------------------------------------------
# DEFAULT IP SETS

# FireHOL will overwrite these settings with the contents of the files with
# the same names in ${FIREHOL_CONFIG_DIR}.
#
# For example, RESERVED_IPV4 will be set from /etc/firehol/RESERVED_IPV4

# IANA reserved address space that should never appear
# (the trailing space in the IPv4 value is presumably harmless, as the
# value is treated as a whitespace-separated list)
RESERVED_IPV4="0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 "
RESERVED_IPV6="::/8 0100::/8 0200::/7 0400::/6 0800::/5 1000::/4 4000::/3 6000::/3 8000::/3 A000::/3 C000::/3 E000::/4 F000::/5 F800::/6 FE00::/9 FEC0::/10"

# Private IPv4 address space
# 10.0.0.0/8 => RFC 1918: IANA Private Use
# 169.254.0.0/16 => Link Local
# 172.16.0.0/12 => RFC 1918: Private use
# 192.0.2.0/24 => Test Net
# 192.88.99.0/24 => RFC 3068: 6to4 anycast & RFC 2544: Benchmarking addresses
# 192.168.0.0/16 => RFC 1918: Private use
PRIVATE_IPV4="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16"

# Private IPv6 address space
# FC00::/7 => Unique Local Unicast
# FE80::/10 => Link Local Unicast
PRIVATE_IPV6="FC00::/7 FE80::/10"

# The multicast address space
# NOTE(review): the whole IPv6 multicast block is FF00::/8.  FF00::/16 is
# only the flags-0/scope-0 subset and does not cover, for example,
# link-local multicast (FF02::/16) -- confirm this is intended before
# relying on MULTICAST_IPV6 in rules.
MULTICAST_IPV4="224.0.0.0/4"
MULTICAST_IPV6="FF00::/16"

# Absolute paths, so the binaries are not resolved through PATH at run time.
IP_CMD=/sbin/ip
MODPROBE_CMD=/sbin/modprobe

# Have firehol use iprange if we installed it:
# -x only sets IPRANGE_CMD when the optional iprange binary is present
# and executable; otherwise the variable stays unset.
if [ -x /usr/bin/iprange ]
then
  IPRANGE_CMD=/usr/bin/iprange
fi
# --- END OF FIREHOL DEFAULTS ---
--------------------------------------------------------------------------------