
FireHOL – Linux firewalling and traffic shaping for humans - trizic
http://firehol.org/
======
Bucephalus355
We have a couple of servers we can’t move to the cloud for a variety of
reasons. In addition, they are running some _super_ legacy applications.

Because of this, we’ve really had to focus on OS level security to protect the
application (OS is surprisingly Ubuntu 16).

Good Linux Security Software:

- ModSecurity V3...tough to figure out but so worth it. An incredible L7
Firewall. Immediately provides benefits

- UFW...utterly saves you from IPTABLES. Also has some neat brute force
protection (ufw limit ssh).

- ModEvasive...Apache Module which is great for preventing automated vuln
scanners like Burp Suite

- ClamAV...antivirus, who knows how effective but is popular

- RKHunter...rootkit hunter, hard to tune but can be worth it

Biggest benefit we got though was from setting all HTTPS Headers on the web
server (there are 7 of them now I think you can set). The latest headers like
“Feature-Policy” which can disable JavaScript’s access to webcam, microphone,
and more have been very useful.
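A quick way to check whether a server actually sends the headers the post is talking about, as an added example that is not part of the original thread: dump the response headers once (for instance with `curl -sI`) and grep the file for each expected name. The header list below is the commonly cited set of seven browser security headers and the sample response is constructed; both are my assumptions, not something the thread specifies.

```shell
# Added example (not from the thread): audit a saved HTTP response header
# dump for the usual browser security headers. The header list and the
# sample response below are constructed for illustration.
SECURITY_HEADERS="Strict-Transport-Security Content-Security-Policy X-Content-Type-Options X-Frame-Options Referrer-Policy Feature-Policy X-XSS-Protection"

# Print, one per line, each header in SECURITY_HEADERS that is absent from
# the header file $1. Header names are case-insensitive, so grep -i is used;
# anchoring at line start avoids matching a name inside another header value.
missing_security_headers() {
    _f="$1"
    for _h in $SECURITY_HEADERS; do
        if ! grep -qi "^$_h:" "$_f"; then
            echo "$_h"
        fi
    done
}

# Constructed sample: roughly what `curl -sI https://example.invalid/ > hdrs.txt`
# would save for a server that set only some of the headers.
write_sample_headers() {
    cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html; charset=utf-8
EOF
}

# Usage: audit_file /path/to/headers.txt  (returns 1 if anything is missing,
# so it can gate a deployment check)
audit_file() {
    _missing=$(missing_security_headers "$1")
    if [ -n "$_missing" ]; then
        echo "Missing security headers:"
        echo "$_missing" | sed 's/^/  - /'
        return 1
    fi
    echo "All expected security headers present."
}

# Demo against the constructed sample when the script is run directly.
_tmp=$(mktemp)
write_sample_headers "$_tmp"
audit_file "$_tmp" || true
rm -f "$_tmp"
```

Run it against a real header dump with `audit_file hdrs.txt`; the function's exit status makes it usable from a cron job or CI step. Note that Feature-Policy was later renamed Permissions-Policy by browsers, so a current audit list would include that name as well.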

~~~
Karunamon
I find that UFW is more of a pain than its worth when it comes to simple rules
everybody needs like "block everything, allow this handful of ports", mostly
because the syntax is too english-like and so it's easier to get confused how
you're supposed to write the rule.

It also spews a bunch of chains all over iptables, making it harder to
understand when you actually need to use it directly for something more
advanced like mangling.

~~~
chmln
Yeah, the documentation isn't great. However,

> block everything, allow this handful of ports

This is trivial.

    ufw default deny incoming
    ufw allow 22

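The same "deny everything, allow a handful of ports" baseline written out in full, with the `ufw limit ssh` rate limiting mentioned earlier in the thread; this is an added example, not code from the thread or from the UFW project. The port list, the `SSH_PORT` variable and the dry-run switch are my own assumptions.

```shell
# Added example (not from the thread): a default-deny inbound baseline with
# SSH rate-limited and a caller-supplied list of TCP ports opened.
# Usage: DRY_RUN=1 sh baseline.sh 22 80 443   (drop DRY_RUN=1 to apply)

# Emit, one per line, the ufw commands for: deny all inbound by default,
# allow outbound, rate-limit SSH, allow each listed TCP port, then enable.
ufw_rules() {
    ssh_port="${SSH_PORT:-22}"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # `limit` allows the port but denies a source that opened 6 or more new
    # connections in the last 30 seconds, which blunts SSH brute forcing.
    echo "ufw limit ${ssh_port}/tcp"
    for p in "$@"; do
        [ "$p" = "$ssh_port" ] && continue   # SSH is already covered by limit
        echo "ufw allow ${p}/tcp"
    done
    # --force skips the interactive "may disrupt existing ssh" prompt
    echo "ufw --force enable"
}

# Run the commands; with DRY_RUN=1, or when no ufw binary is installed,
# just print what would be executed so the rule set can be reviewed first.
apply_rules() {
    ufw_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ] || ! command -v ufw >/dev/null 2>&1; then
            echo "[dry-run] $cmd"
        else
            # shellcheck disable=SC2086
            sudo $cmd
        fi
    done
}

# Demo: print the rule set for SSH plus HTTP and HTTPS without applying it.
DRY_RUN=1 apply_rules 22 80 443
```

Ordering matters: the default policy is set before `enable`, and SSH is allowed before enabling so a remote session is not cut off. Check the result afterwards with `ufw status verbose`, which also shows the default policies.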
------
unethical_ban
I'm mobile, but has this been updated? I used this in college back in 08 and
it was much better than iptables but I don't know if it's kept up with the
times.

~~~
idle_zealot
There was a release this August, but there seems to be a huge gap between 2014
and then.

------
64738
Nice to see it posted here, I've been a happy user of FireHOL for a decade, if
not more. For a while I was worried it was going to be abandoned, I'm really
glad it wasn't.

I'm not a network guy but I was tasked with setting up some servers at a colo,
including a box to act as the router. FireHOL was a godsend for helping me
to set up the rules.

I haven't tried FireQOS yet, but I really want to play with it.

------
iammeow
I've used their iplists in pfblocker-ng for 3 years. It's incredibly useful,
like "let's block all traffic from Tor exit nodes that appeared online in the
last 30 days".

~~~
voltagex_
Useful, unless your customers are trying to reach you via Tor.

~~~
mirimir
Yeah, funny. The ones you really need to worry about won't be stopped by that
;)

------
qwerty456127
Cool! Add application-level rules (like LittleSnitch) and I'm buying
(literally, I don't mind paying for such a feature).

~~~
dsl
You might want to look at OpenSnitch [1]. It requires nfqueue and directly
accessing /proc to get info in real time, which is why you'll likely never see
it as part of a structured firewall builder like this.

[https://github.com/evilsocket/opensnitch](https://github.com/evilsocket/opensnitch)

------
bepvte
I've used FireQOS and it was a lovely tool; I highly recommend it.

------
joelthelion
Firehole? Weird name...

------
orastor
Read this as a firewall _for_ humans. Am disappointed

~~~
krackers
I hear they have one of those in China.

~~~
basementcat
There has been some discussion about building one for the USA.

