Admitting that I have a non-simple firewall setup

November 6, 2016

When I talked about why I'm interested in nftables I mentioned in passing that I'd looked at FireHOL out of dissatisfaction with my current firewall stuff. In comments James mentioned settling on Shorewall and that plus a Twitter conversation got me to take a look at it too. My gut level reaction to Shorewall made me sit back and think about the whole situation with my firewall rules, and the result is that I've come to the simple and probably obvious conclusion that I don't have a simple firewall setup.

My view is that firewall management systems like Shorewall are a great fit if your problem is that you are trying to materialize a simple firewall setup in the 'low level assembly' of iptables or nftables rules, and the resulting rule complexity is getting really annoying. You know what you want to do, it's simple to express it at a high level, and it's only the low level nature of iptables that makes it a pain. FireHOL, Shorewall, and other systems then let you more or less directly express your simple desires and they manage the underlying iptables mess.

I don't have that situation. My high level desires are relatively complicated and entangled (especially once you start considering policy based routing as well as pure firewall rules). It is kind of annoying to express these in iptables rules, but in a modern environment with ipsets and a better understanding of how to use chains, it's actually not necessarily as painful as it looks to me today; clever use of nftables may make it even easier, and redoing things from the ground up is likely to help in general.

Since I'm starting with a somewhat complex situation, high level tools like FireHOL and Shorewall can't magically make my life simple the way I'd initially (and irrationally) hoped when I started looking into them. Maybe they can reduce the complexity a bit by providing more high level ways of expressing what I want, and perhaps that would be a win if I was starting from total scratch. But as it is, moving to something like Shorewall would require me to learn how to express my complexity in Shorewall instead of in the iptables rules that I already have.

On the one hand, in hindsight this feels like an obvious observation. On the other hand it's a useful clarifying one for me, because it means that I should stop looking for a magic solution that doesn't actually exist. Instead I should just get along with either reforming my iptables rules and adding IPv6 filtering or moving to nftables (with IPv6 filtering).

(Looking for magic solutions is always tempting if I think that one might exist because magic solutions mean less work. Well, if they exist. If they don't, it's easy to spend a bunch of time trying to find them.)

Comments on this page:

What are you trying to do?

I use FireHOL in several router/firewall configurations which are quite complex and still I have a manageable setup.

Open a github issue at to discuss this.

I checked the twitter link you posted.

Most probably you need this:


The real problem IMHO with "magical" solutions is when the "magic" suddenly stops working (especially when it fails in some subtle, hard-to-detect way) and, as it made it "easy" to start with, you have no control over nor internal knowledge of it to troubleshoot (or worse, even detect that it has failed in the first place).

I generally avoid any "magic" as much as I can, especially in firewalls and similar security setups where the "subtle, undetected" failing scenario can have serious consequences. I have done all my firewall rule configuration by hand (with the help of a shell "framework" I've built over the years) since 1994 with the advent of ipfwadm, and I plan on continuing to do so for the foreseeable future.



By James (trs80) at 2016-11-06 11:29:30:

Your rationale makes sense - while I'm sure you could do what you want in Shorewall, you would need to invest a reasonable amount of time to properly grok it. Time which, these days (vs five years ago when I picked up Shorewall), is probably better spent learning nftables.

(BTW, that was me on Twitter)

By cks at 2016-11-07 11:23:04:

Costa Tsaousis, I think I wasn't clear in my entry. I'm sure that FireHOL can meet my needs for at least firewall rules (and apparently policy based routing, which is nice). What it can't do is magically make those rules simple, because I have a non-trivial tangle of rules with all sorts of cases (some ports aren't accessible by anyone off the machine, some ports are accessible by some people but not others, some ports are accessible from some interfaces but not others, and so on). Regardless of what system I use, I have to spell these rules out explicitly, and that process is inherently not simple regardless of exactly what I use to do it.

FireHOL or Shorewall or etc should make the expression of those rules shorter than they are in raw iptables, but they cannot possibly boil them down to only a couple of simple lines of configuration because the underlying configuration is not simple. The only way to boil things down that far would be a magic 'read my mind' configuration option, and such a thing can't exist.
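As an added illustration (not the author's actual rules, and not FireHOL or Shorewall output), here is one way the kinds of cases listed in the comment above, together with the entry's remark about ipsets and chains, look when written directly in nftables with IPv6 included. Named sets carry the "who" (admin addresses) and the port groups, and a per-interface chain carries the "where from", so each entangled rule is still spelled out, just more compactly than in raw iptables. Every address, port and interface name below is a constructed placeholder.

```nft
#!/usr/sbin/nft -f
# Added example, not the entry author's ruleset. Addresses, ports and
# interface names are constructed placeholders (RFC 5737/3849 ranges).

flush ruleset

table inet filter {
    # Who: hosts allowed to reach the admin-only ports (v4 and v6).
    set admins {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }
    set admins6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:1::/64 }
    }

    # Ports reachable only from the machine itself (loopback).
    set local_only {
        type inet_service
        elements = { 6379, 9100 }
    }
    # Ports anyone may reach, on any real interface.
    set public_svc {
        type inet_service
        elements = { 80, 443 }
    }
    # Ports reachable only by members of the admin sets.
    set admin_svc {
        type inet_service
        elements = { 22, 8443 }
    }
    # Ports open to everyone, but only on the internal interface.
    set internal_svc {
        type inet_service
        elements = { 3306, 5432 }
    }

    # Where from: one chain per arriving interface.
    chain from_public {
        tcp dport @public_svc accept
        ip  saddr @admins  tcp dport @admin_svc accept
        ip6 saddr @admins6 tcp dport @admin_svc accept
        drop
    }

    chain from_internal {
        tcp dport @internal_svc accept
        tcp dport @public_svc accept
        ip  saddr @admins  tcp dport @admin_svc accept
        ip6 saddr @admins6 tcp dport @admin_svc accept
        drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Local-only ports are never reachable from a real interface,
        # regardless of source address or interface.
        tcp dport @local_only drop
        # Keep v4 and v6 diagnostics and v6 neighbour discovery working;
        # dropping ND silently breaks IPv6 on the link.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "eth0" jump from_public
        iifname "eth1" jump from_internal
        # Any other interface falls through to the chain's drop policy.
    }
}
```

Loading this with `nft -f` replaces the whole ruleset atomically, so a syntax error leaves the previous rules in place rather than a half-applied set. Adding a host to the admin group or a port to a group is then a set edit (`nft add element inet filter admins { ... }`) rather than a rule rewrite, which is the part that an ipset-and-chains layout buys you; the interface dispatch could equally be a single `iifname vmap { "eth0" : jump from_public, "eth1" : jump from_internal }` line once there are more than a couple of interfaces.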

Written on 06 November 2016.


Last modified: Sun Nov 6 01:08:58 2016