When generating a firewall script, Firehol always seems to include rules that allow IRC and FTP traffic, even if the user didn't specify this in the config file. Indeed, in /lib/firehol/firehol, this seems to be hard coded.
I don't find a thing about this behaviour in the documentation. In my book, sneakily generating firewall rules that allow network traffic and that the user didn't ask for is a potential security hazard.
Proposed fixes:
1/ Comment out or delete lines in /lib/firehol/firehol that add "irc" and "ftp" to ${ALL_SHOULD_ALSO_RUN} so IRC and FTP rules are not generated in the vanilla version of Firehol. A howto is provided for people that still want to enable these rules (which is probably trivial, considering the ease of use of firehol).
or
2/ The current default behaviour is documented and a howto is provided for those who don't want the irc/ftp rules to be generated. This workaround should be robust with regard to package upgrades, i.e. when I upgrade, I don't want my changes to the default behaviour to be undone.
Keep up the good work! Firehol is a great tool!
Cheers,
bert
