FireHOL (was Re: [clug] Bonjour/ZeroConf Advocacy)

Alex Satrapa grail at
Sun Nov 16 22:10:14 GMT 2008

On 15/11/2008, at 01:55 , Ian wrote:

> For those of us who don't use 'client all accept' in our firewall (for
> one of a great variety of fun an entertaining reasons - in my case
> it's because I want my firewall to REJECT packets that would just get
> lost in a data accounting server anyway

Hrm... I think the reason I still use client all accept is simply that  
I didn't want to go through every single service on my box and figure  
out which ones *really* need to be able to send stuff out to the  

It's probably worth pointing out that FireHOL has a "helpme" facility  
which will build a sample FireHOL configuration based on your  
currently running services.

So you folks out there who don't have as basic a firewall as myself -  
no excuses! Go grab FireHOL, run "firehol helpme > /etc/firehol/ 
firehol.conf" then load that firewall and start learning how to  
configure it :)

As a hint, you'll need to add rules in to allow your machine to talk  
to your ISPs SMTP relay (or MSA, in the current parlance):

   interface any world
     client smtp accept dst
     client pop3 accept dst

I think that should cover it.

Keep an eye on /var/log/kern.log (on Ubuntu at least) for messages  
from the kernel's netfilter about blocked packets. If you get messages  
about stuff being blocked that you don't want to see anymore (such as  
SMB/CIFS network discovery), add rules like this;

    server samba drop
    server dhcp  drop

Have fun :)

More information about the linux mailing list