FireHOL is a powerful and intuitive firewall manager for Linux systems. It is widely used on servers, routers, gateways, virtualization hosts, and container environments where clear, stateful, and auditable firewall rules are essential. FireHOL translates a high-level configuration into iptables rules and relies heavily on the Linux conntrack subsystem for stateful packet inspection and context-aware filtering.
What Is Conntrack?
Conntrack (nf_conntrack) is the connection-tracking subsystem of the Linux kernel's netfilter framework. It records the state of every network flow it sees and lets the firewall decide whether a packet belongs to a new, established, or related connection, or is invalid. This stateful awareness allows more precise filtering and improved security.
Why Conntrack Matters
- State Awareness – Differentiates NEW, ESTABLISHED, RELATED, and INVALID packet flows.
- Security Improvements – Detects malformed or suspicious TCP patterns (e.g., SYN+FIN, or packets that do not fit the tracked connection's TCP state machine); such packets are classified INVALID and can be dropped.
- Performance Efficiency – Packets of an already tracked flow are matched against the connection entry instead of the full rule list, which reduces overhead for recurring traffic.
- Diagnostic Insights – Tools like conntrack help administrators inspect active flows and troubleshoot issues.

Note: With very high connection counts, conntrack itself can become a bottleneck. Every tracked connection consumes memory and CPU time. Raising the table capacity (nf_conntrack_max) or tuning the timeouts can help in such cases.
FireHOL and Conntrack
FireHOL integrates conntrack deeply. Most high‑level FireHOL directives translate into iptables rules that rely on connection tracking. This makes complex stateful firewall behavior easy to configure.
Example: A Simple FireHOL Configuration
A minimal configuration using conntrack might look like this:

version 6

# Internet-facing interface: drop everything unless explicitly allowed
interface eth0 inet
    policy drop

    # Allow SSH (stateful)
    server ssh accept
    client ssh accept

    # Allow HTTP/HTTPS (stateful)
    server http accept
    server https accept

    # Allow all outgoing connections and their replies
    client all accept

FireHOL converts these directives into iptables rules that match on conntrack states, for example:

- --ctstate NEW,ESTABLISHED,RELATED (allowed traffic)
- --ctstate INVALID (dropped traffic)
Connection‑State Rules in FireHOL
FireHOL leverages the following conntrack states:
- NEW – A packet starting a new connection
- ESTABLISHED – A packet belonging to an already active connection
- RELATED – Auxiliary traffic tied to an existing connection (ICMP errors, FTP data channels, SIP, GRE …), usually recognised by a conntrack helper
- INVALID – Malformed, incomplete, or unexpected packets
These states enable FireHOL to behave as a fully stateful firewall without requiring low‑level rule writing.
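Because the high-level directives above are turned into plain iptables rules, the generated ruleset can be audited like any other. The following shell script is an added example (not part of the original page and not FireHOL's own code): it scans an iptables-save dump for ACCEPT rules that carry no conntrack state match (i.e. rules that accept packets regardless of connection state) and for chains that never drop INVALID packets. The sample ruleset is constructed and simplified for the example; real FireHOL output uses more chains and matches.

```shell
#!/bin/sh
# Audit an iptables-save dump for stateless ACCEPT rules.
# Added example, not FireHOL code. SAMPLE_RULES is a constructed, simplified
# ruleset; on a live system feed the script with: iptables-save | stateless_accepts

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in_inet - [0:0]
:out_inet - [0:0]
-A INPUT -i eth0 -j in_inet
-A OUTPUT -o eth0 -j out_inet
-A in_inet -m conntrack --ctstate INVALID -j DROP
-A in_inet -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_inet -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_inet -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_inet -p udp --dport 161 -j ACCEPT
-A out_inet -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Print every ACCEPT rule that has neither a "--ctstate" (conntrack match)
# nor a legacy "--state" match: such a rule is effectively stateless.
stateless_accepts() {
  grep -e '-j ACCEPT' | grep -v -e '--ctstate' -e '--state'
}

# Print every chain that has rules but never drops INVALID packets.
# A chain may still be covered by an INVALID drop in its parent chain,
# so treat the output as a list of places to check, not as violations.
chains_without_invalid_drop() {
  awk '
    /^-A / { chain = $2; seen[chain] = 1 }
    /^-A / && /--ctstate [A-Z,]*INVALID/ && /-j DROP/ { invalid_drop[chain] = 1 }
    END { for (c in seen) if (!(c in invalid_drop)) print c }
  ' | sort
}

echo "stateless ACCEPT rules:"
printf '%s\n' "$SAMPLE_RULES" | stateless_accepts
echo "chains without an INVALID drop:"
printf '%s\n' "$SAMPLE_RULES" | chains_without_invalid_drop
```

On the sample, the only stateless rule is the SNMP accept on udp/161, and the chains flagged are INPUT, OUTPUT and out_inet. Rules of the first kind are what you look for after a manual `iptables` addition has bypassed FireHOL; every server/client directive FireHOL emits carries a state match.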
Installing Conntrack Tools
The kernel side of conntrack is loaded automatically as soon as a firewall rule references connection state, so nothing has to be enabled for FireHOL to use it. The user-space tool used for inspection and debugging, conntrack, must however be installed separately (on Debian-based systems it is the conntrack package).
Installation
apt install conntrack

Using Conntrack Tools
Understanding why each command is used helps make troubleshooting more effective. Below are the most common diagnostic operations.
Common Commands
- List all tracked connections – Useful for getting an overview of active traffic.
  conntrack -L
- Filter by protocol or state – Helps isolate a specific flow or diagnose a stalled session.
  conntrack -L --proto tcp --state ESTABLISHED
- Monitor events in real time – Ideal for watching connections open, transition, and close.
  conntrack -E

These commands are essential when diagnosing dropped packets, timeouts, broken sessions, or malformed TCP flows.
Practical Use Cases
The advantages of conntrack become particularly clear in operational scenarios.
1. Troubleshooting
Identify why traffic is accepted or rejected by examining connection states and transitions.
2. Security Auditing
Analyze malformed packets, repeated connection attempts, and unusual flows detected by the firewall.
3. Performance Optimization
Identify heavy connection users, reduce session buildup, or fine‑tune timeouts.
4. Debugging NAT
Conntrack is central to NAT debugging. It reveals:
- Internal and external IP/port mappings
- Broken or expired translations
- Sessions that fail due to stale or mismatched NAT entries
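The output of conntrack -L is one line per tracked flow, with the original-direction tuple (src=, dst=, sport=, dport=) followed by the reply-direction tuple; when NAT is in effect the two tuples no longer mirror each other, which is exactly what the NAT debugging above relies on. The following shell script is an added example (not part of the original page and not from the conntrack-tools project) that parses that format to find the heaviest sources, to list the entries that are being NATed and in which direction, and to report how full the table is relative to nf_conntrack_max. The sample entries are constructed for the example.

```shell
#!/bin/sh
# Analyse conntrack -L output. Added example, not conntrack-tools code.
# SAMPLE_CONNTRACK is constructed; on a live system use e.g.
#   conntrack -L 2>/dev/null | conntrack_nat_entries
# 198.51.100.2 plays the gateway's public address, 10.0.0.0/24 the LAN.

SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=198.51.100.2 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51235 dport=443 src=203.0.113.10 dst=198.51.100.2 sport=443 dport=51235 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.0.5 dst=203.0.113.20 sport=51236 dport=22 [UNREPLIED] src=203.0.113.20 dst=198.51.100.2 sport=22 dport=51236 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=198.51.100.2 sport=40000 dport=80 src=10.0.0.8 dst=203.0.113.77 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.9 dst=10.0.0.1 sport=53421 dport=53 src=10.0.0.1 dst=10.0.0.9 sport=53 dport=53421 mark=0 use=1'

# Count tracked flows per original source address, heaviest first.
# Output lines look like: "3 10.0.0.5"
conntrack_top_sources() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { c[substr($i, 5)]++; break } }
       END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Print entries whose reply tuple does not mirror the original tuple.
# original src != reply dst  -> the source was rewritten (SNAT/masquerade)
# original dst != reply src  -> the destination was rewritten (DNAT)
conntrack_nat_entries() {
  awk '{
    ns = 0; nd = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/) { ns++; if (ns == 1) osrc = substr($i, 5); else rsrc = substr($i, 5) }
      if ($i ~ /^dst=/) { nd++; if (nd == 1) odst = substr($i, 5); else rdst = substr($i, 5) }
    }
    if (ns < 2 || nd < 2) next            # malformed line, skip it
    kind = ""
    if (osrc != rdst) kind = "SNAT"
    if (odst != rsrc) kind = (kind == "" ? "DNAT" : kind "+DNAT")
    if (kind != "") printf "%s %s %s->%s reply %s->%s\n", kind, $1, osrc, odst, rsrc, rdst
  }'
}

# Table usage in percent, from nf_conntrack_count / nf_conntrack_max.
# The directory is a parameter so the function can be pointed at a copy.
conntrack_usage_pct() {
  base="${1:-/proc/sys/net/netfilter}"
  count=$(cat "$base/nf_conntrack_count")
  max=$(cat "$base/nf_conntrack_max")
  [ "$max" -gt 0 ] || { echo 0; return; }
  echo $(( count * 100 / max ))
}

echo "flows per source:"
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_top_sources
echo "NATed entries:"
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_nat_entries
if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
  echo "live conntrack table usage: $(conntrack_usage_pct)%"
fi
```

On the sample, 10.0.0.5 owns three of the five flows, the three LAN-originated flows are reported as SNAT (including the still [UNREPLIED] SSH attempt, a typical sign of a stalled session), and the inbound HTTP flow to 198.51.100.2 is reported as DNAT to 10.0.0.8. A usage figure approaching 100% is the point at which the note on nf_conntrack_max above applies: new connections are dropped with "nf_conntrack: table full" in the kernel log.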
Conclusion
FireHOL and conntrack form a robust combination for building clear, maintainable, and secure stateful firewalls on Linux. With conntrack providing deep visibility into connection behavior and FireHOL translating high‑level policies into effective filtering rules, administrators gain both simplicity and precision. Together, they offer a strong foundation for secure and efficient network environments.