FireHOL – Linux firewalling and traffic shaping for humans (opens in new tab)

(firehol.org)

123 pointstrizic7y ago23 comments

23 comments

We have a couple of servers we can’t move to the cloud for a variety of reasons. In addition, they are running some super legacy applications.

Because of this, we’ve really had to focus on OS level security to protect the application (OS is surprisingly Ubuntu 16).

Good Linux Security Software:

- ModSecurity V3...tough to figure out but so worth it. An incredible L7 Firewall. Immediately provides benefits

- UFW...utterly saves you from IPTABLES. Also has some neat brute force protection (ufw limit ssh).

- ModEvasive...Apache Module which is great for preventing automated vuln scanners like Burp Suite

- ClamAV...antivirus, who knows how effective but is popular

- RKHunter...rootkit hunter, hard to tune but can be worth it

Biggest benefit we got though was from setting all HTTPS Headers on the web server (there are 7 of them now I think you can set). The latest headers like “Feature-Policy” which can disable Javascript’s access to webcam, microphone, and more have been very useful.

Karunamon7y ago

I find that UFW is more of a pain than its worth when it comes to simple rules everybody needs like "block everything, allow this handful of ports", mostly because the syntax is too english-like and so it's easier to get confused how you're supposed to write the rule.

It also spews a bunch of chains all over iptables, making it harder to understand when you actually need to use it directly for something more advanced like mangling.

chmln7y ago

Yeah, the documentation isn't great. However,

> block everything, allow this handful of ports

This is trivial.

  ufw default deny incoming
  ufw allow 22

h1d7y ago

I wonder though, is root kit even detectable? Perhaps most are.

ratiolat7y ago

Which headers are you talking about?

tombrossman7y ago

Not OP but I have to assume they are referring to Content Security Policy headers: https://content-security-policy.com/

unethical_ban7y ago

I'm mobile, but has this been updated? I used this in college back in 08 and it was much better than iptables but I don't know if it's kept up with the times.

idle_zealot7y ago

There was a release this August, but there seems to be a huge gap between 2014 and then.

veeti7y ago

Don't fix what ain't broke.

647387y ago

Nice to see it posted here, I've been a happy user of FireHOL for a decade, if not more. For a while I was worried it was going to be abandoned, I'm really glad it wasn't.

I'm not a network guy but I was tasked with setting up some servers at a co-lo, including a box to act as the router. FireHOL was a godsend for helping me to setup the rules.

I haven't tried FireQOS yet, but I really want to play with it.

iammeow7y ago

I use their iplists in pfblocker-ng since 3 years. It's incredibly useful, like "let's block all traffic from tor exit nodes appeared online in the last 30 days".

voltagex_7y ago

Useful, unless your customers are trying to reach you via Tor.

mirimir7y ago

Yeah, funny. The ones you really need to worry about won't be stopped by that ;)

qwerty4561277y ago

Cool! Add application-level rules (like LittleSnitch) and I'm buying (literally, I don't mind paying for such a feature).

dsl7y ago

You might want to look at OpenSnitch [1]. It requires nfqueue and directly accessing /proc to get info in real time, which is why you'll likely never see it as part of a structured firewall builder like this.

https://github.com/evilsocket/opensnitch

bepvte7y ago

ive used fireQOS and it was a lovely tool i highly recommend it.

joelthelion7y ago

Firehole? Weird name...

orastor7y ago

Read this as a firewall for humans. Am disappointed

tapland7y ago

Being on chemo I was THRILLED

zupa-hu7y ago

Yeah I expected some kind of a big plastic bag to wear :)

krackers7y ago

I hear they have one of those in China.

basementcat7y ago

There has been some discussion about building one for the USA.

chewz7y ago

They have had something similar in Berlin till 1989.

j / k navigate · click thread line to collapse