FireHOL


FireHOL is a simple yet powerful way to configure stateful iptables firewalls. It can be used for almost any purpose, including control of any number of internal/external/virtual interfaces, control of any combination of routed traffic, setting up DMZ routers and servers, and all kinds of NAT. It provides strong protection (against flooding, spoofing, etc.), transparent caches, source MAC verification, blacklists, whitelists, and more. Its goal is to be completely abstracted and powerful but also easy to use, audit, and understand.


Recent releases

  •  31 Jul 2008 04:24

Release Notes: This version was updated to parse the latest format of the IANA reservations page. Support for custom actions for services was added. This opens a way to allow actions that can be controlled externally without restarting the firewall. Several minor issues were fixed, providing better NAT support for all services, handling for external pager commands, kernel config parsing, a config wizard, etc.

  •  22 May 2007 21:57

Release Notes: Minor updates were made for the latest IANA reservations. A cron job script was provided to notify the administrator when IANA reservations change.

Release Notes: This maintenance release mainly fixed kernel 2.6.20+ and BASH 3.2 issues and added support for external definitions of all IP address space definitions. All users are advised to upgrade to this release.

  •  30 Jan 2005 00:19

Release Notes: This version fixes issues with the security of the created temporary files.

  •  24 Jan 2005 22:04

Release Notes: This release fixed vulnerabilities where malicious local system users could use FireHOL's temporary files to overwrite arbitrary files on the system. All users are advised to update to this version. This release included new service definitions: ANYSTATELESS, TIMESTAMP, and DICT. A TRANSPARENT_PROXY helper was added. Support for knockd as an argument to the accept action was added.

Recent comments

12 Jan 2008 14:12 amontefusco Thumbs up

High level solution for firewalling with IPTables
Very good software:

1) one configuration file keeps all configs: nice to manage via an industrial-strength configuration management tool (like RANCID)

2) high level configuration language

I install it on my firewall, embedded Linux Box (Devil Linux on CF flash), replacing Shorewall.

What is the next step?

A true IOS-like command line interface to configure it on the fly!


01 Feb 2007 20:52 pascaldamian

What is it with firehol and traceroute? There's nothing about it mentioned in the documentation, and very little is discussed when I search the web. How do you enable a firewalled host to be traceroute-able?

25 Feb 2005 01:39 dankrones Thumbs up

This program is excellent!
Trouble free, easy to use, very intuitive. This program makes very complex firewalling a snap. I love it and highly recommend it if you are searching for a firewall solution.

19 Jul 2004 05:51 sk6307 Thumbs up

It generates excellent iptables rule-sets with a very easy but powerful configuration. It has native support for many different complex services, like Samba and peer-to-peer file-sharing applications.

If only firehol had native support for some form of QoS with tc or iptables it would be the perfect firewall solution. Without QoS the firewall needs to be complemented by other tools or manual packet queueing configuration.

13 Jul 2004 07:59 exPFCLucas Thumbs up

An Understatement
Of all of the open source projects which are described by their authors as "simple yet powerful," very few can actually live up to it, and only a choice few can call such a description an understatement. Firehol is one of those choice few. Keep up the excellent work.
