FireHOL is a simple yet powerful way to configure stateful iptables firewalls. It can be used for almost any purpose, including control of any number of internal/external/virtual interfaces, control of any combination of routed traffic, setting up DMZ routers and servers, and all kinds of NAT. It provides strong protection (flooding, spoofing, etc.), transparent caches, source MAC verification, blacklists, whitelists, and more. Its goal is to be completely abstracted and powerful but also easy to use, audit, and understand.

Recent releases

  •  31 Jul 2008 04:24

    Release Notes: This version was updated to parse the latest format of the IANA reservations page. Support for custom actions for services was added. This opens a way to allow actions that can be controlled externally without restarting the firewall. Several minor issues were fixed, providing better NAT support for all services, handling for external pager commands, kernel config parsing, a config wizard, etc.

  •  23 May 2007 04:57

    Release Notes: Minor updates were made for the latest IANA reservations. A cron job script was provided to notify the administrator when IANA reservations change.

  •  21 May 2007 10:29

    Release Notes: This maintenance release mainly fixed kernel 2.6.20+ and BASH 3.2 issues and added support for external definitions of all IP address space definitions. All users are advised to upgrade to this release.

  •  30 Jan 2005 08:19

    Release Notes: This version fixes issues with the security of the created temporary files.

  •  25 Jan 2005 06:04

    Release Notes: This release fixed vulnerabilities where malicious local system users could use FireHOL's temporary files to overwrite arbitrary files on the system. All users are advised to update to this version. This release included new service definitions: ANYSTATELESS, TIMESTAMP, and DICT. A TRANSPARENT_PROXY helper was added. Support for knockd as an argument to the accept action was added.

Recent comments

12 Jan 2008 14:12 amontefusco

High level solution for firewalling with IPTables
Very good software:

1) one configuration file keeps all configs: nice to manage via an industrial-strength configuration management tool (like RANCID)

2) high level configuration language

I installed it on my firewall, an embedded Linux box (Devil Linux on CF flash), replacing Shorewall.

What is the next step?

A true IOS-like command line interface to configure it on the fly!


01 Feb 2007 20:52 pascaldamian

What is it with firehol and traceroute? There's nothing about it mentioned in the documentation, and very little is discussed when I search the web. How do you enable a firewalled host to be traceroute-able?

25 Feb 2005 01:39 dankrones

This program is excellent!
Trouble free, easy to use, very intuitive. This program makes very complex firewalling a snap. I love it and highly recommend it if you are searching for a firewall solution.

19 Jul 2004 05:51 sk6307

It generates excellent iptables rule-sets with a very easy but powerful configuration. It has support for many different complex services natively, like Samba and peer-to-peer filesharing applications.

If only firehol had native support for some form of QoS with tc or iptables it would be the perfect firewall solution. Without QoS the firewall needs to be complemented by other tools or manual packet queueing configuration.

13 Jul 2004 07:59 exPFCLucas

An Understatement
Of all of the open source projects which are described by their authors as "simple yet powerful," very few can actually live up to it, and only a choice few can call such a description an understatement. Firehol is one of those choice few. Keep up the excellent work.

