firehol(1)                           3.1.6                          firehol(1)

       firehol - an easy to use but powerful iptables stateful firewall


       sudo -E firehol panic [ IP ]

       firehol command [ -- conf-arg... ]

       firehol CONFIGFILE [start|debug|try] [-- conf-arg... ]

       Running firehol invokes iptables(8) to manipulate your firewall.

       Run without any arguments, firehol will present some help on usage.

       When given CONFIGFILE, firehol will use the named file instead of
       /etc/firehol/firehol.conf as its configuration.  If no command is
       given, firehol assumes try.

       It is possible to pass arguments for use by the configuration file
       separating any conf-arg values from the rest of the arguments with --.
       The arguments are accessible in the configuration using standard
       bash(1) syntax e.g.  $1, $2, etc.

       To block all communication, invoke firehol with the panic command.

       FireHOL removes all rules from the running firewall and then DROPs all
       traffic on all iptables(8) tables (mangle, nat, filter) and pre-defined

       DROPing is not done by changing the default policy to DROP, but by
       adding one rule per table/chain to drop all traffic.  This allows
       systems which do not reset all the chains to ACCEPT when starting to
       function correctly.

       When activating panic mode, FireHOL checks for the existence of the
       SSH_CLIENT shell environment variable, which is set by ssh(1).  If it
       finds this, then panic mode will allow the established SSH connection
       specified in this variable to operate.


              In order for FireHOL to see the environment variable you must
              ensure that it is preserved.  For sudo(8) use the -E option and
              for su(1) omit the - (minus sign).

       If SSH_CLIENT is not set, the IP after the panic argument allows you to
       give an IP address for which all established connections between the IP
       address and the host in panic will be allowed to continue.
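
       Added example (not part of the FireHOL manual or code): a POSIX shell
       pre-flight check for the panic behaviour described above.  The helper
       names ssh_client_ip and panic_command and the sample addresses are
       assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not FireHOL code. ssh_client_ip and panic_command are
# hypothetical helper names; the addresses used are constructed samples.

# Print the client IP from an SSH_CLIENT value, which ssh sets to
# "client_ip client_port server_port". Fails on anything else.
ssh_client_ip() (
    set -f                      # no globbing while word-splitting
    set -- $1                   # split the value on whitespace
    [ "$#" -eq 3 ] || exit 1
    case "$2$3" in
        ''|*[!0-9]*) exit 1 ;;  # both ports must be numeric
    esac
    printf '%s\n' "$1"
)

# Print the panic invocation that keeps the operator connected, or fail
# when neither SSH_CLIENT nor a fallback IP ($1) is available.
panic_command() {
    if ssh_client_ip "${SSH_CLIENT:-}" >/dev/null; then
        # firehol reads SSH_CLIENT itself; -E carries it through sudo.
        printf 'sudo -E firehol panic\n'
    elif [ -n "${1:-}" ]; then
        # No SSH_CLIENT: name the IP whose established connections stay up.
        printf 'sudo firehol panic %s\n' "$1"
    else
        echo 'SSH_CLIENT unset and no IP given: panic would drop this session' >&2
        return 1
    fi
}

# Demonstration with a constructed SSH_CLIENT value (nothing is executed).
( SSH_CLIENT='198.51.100.7 51234 22'; panic_command )
```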

       start; restart
              Activates the firewall using /etc/firehol/firehol.conf.

              Use of the term restart is allowed for compatibility with common
              init implementations.

       try    Activates the firewall, waiting for the user to type the word
              commit.  If this word is not typed within 30 seconds, the
              previous firewall is restored.

       stop   Stops a running iptables(8) firewall by clearing all of the
              tables and chains and setting the default policies to ACCEPT.
              This will allow all traffic to pass unchecked.

              Restarts the FireHOL firewall only if it is already active.
              This is the generally expected behaviour (but opposite to
              FireHOL prior to 2.0.0-pre4).

       status Shows the running firewall, using /sbin/iptables -nxvL | less.

       save   Start the firewall and then save it using iptables-save(8) to
              the location given by FIREHOL_AUTOSAVE.  See
              firehol-defaults.conf(5) for more information.

              The required kernel modules are saved to an executable shell
              script /var/spool/firehol/, which can be
              called during boot if a firewall is to be restored.


                     External changes may cause a firewall restored after a
                     reboot to not work as intended where starting the
                     firewall with FireHOL will work.

                     This is because as part of starting a firewall, FireHOL
                     checks some changeable values.  For instance the current
                     kernel configuration is checked (for client port ranges),
                     and RPC servers are queried (to allow correct functioning
                     of the NFS service).

       debug  Parses the configuration file but instead of activating it,
              FireHOL shows the generated iptables(8) statements.

              Enters an interactive mode where FireHOL accepts normal
              configuration commands and presents the generated iptables(8)
              commands for each of them, together with some reasoning for its

              Additionally, FireHOL automatically generates a configuration
              script based on the successful commands given.

              Some extra commands are available in explain mode.

              help   Present some help

              show   Present the generated configuration

              quit   Exit interactive mode and quit

       helpme; wizard
              Tries to guess the FireHOL configuration needed for the current

              FireHOL will not stop or alter the running firewall.  The
              configuration file is given in the standard output of firehol,
              thus firehol helpme > /tmp/firehol.conf will produce the output
              in /tmp/firehol.conf.

              The generated FireHOL configuration must be edited before use on
              your systems.  You are required to take a number of decisions;
              the comments in the generated file will instruct you in the
              choices you must make.


       · firehol.conf(5) - FireHOL configuration

       · firehol-defaults.conf(5) - control variables

       · FireHOL Website

       · FireHOL Online PDF Manual

       · FireHOL Online Documentation

       FireHOL Team; Original man page by Marc Brockschmidt.

FireHOL Reference              Built 12 Apr 2019                    firehol(1)