This is the FireHOL/FireQOS installation method and configuration that I use for my home server, here for easy reference in case I need to set it up again, or something similar.

  • apt purge ufw # First, uninstall Ubuntu’s default firewall.
  • # Ubuntu comes with FireHOL 2.x, need to install PPA for 3.x series for connmark support. Connmark is useful in that it allows you to mark incoming packets for established connections, allowing QOS on downstream traffic by process. This is especially useful for programs that have dynamic server/client ports, such as torrents.
    • add-apt-repository ppa:andvgal/firehol-bpo
    • apt update
  • apt install fireqos ulogd
  • /etc/default/firehol # Must explicitly enable startup
  • /etc/firehol/firehol.conf
    version 6
    
    FIREHOL_LOG_MODE="NFLOG"			# Prevents log spamming.
    
    ipv4 transparent_proxy http 3128 "" src 192.168.0.0/24		# Squid HTTP proxy. The process owner is intentionally blank, in order that all locally-originating connections bypass the proxy. (if it breaks, I need to Google how to fix it!)
    ipv4 transparent_proxy https 3130 "" src 192.168.0.0/24		# Squid HTTPS proxy
    connmark 1 OUTPUT user "proxy"			# Mark all proxied connections
    mark 1 FORWARD					# Mark all routed/masqueraded connections
    
    connmark 7 OUTPUT user "i2psvc"			# Mark local i2p
    connmark 8 OUTPUT user "debian-tor"		# Mark local TOR
    connmark 9 OUTPUT user "debian-transmission"	# Mark local torrent client
    
    # Save/restore connmarks on outgoing/incoming packets
    connmark save OUTPUT
    connmark restore PREROUTING
    
    # service definitions
    server_udpweb_ports="udp/80 udp/443"	# QUIC/SPDY protocols
    client_udpweb_ports="default"
    
    interface br0 mylan
        policy accept
    
    interface eth_discreet internet
    
    	policy drop
    	protection strong # 10/sec 10
    
    	server http accept
    	server httpalt accept
    	server https accept #tor
    	server ICMP accept
    	server openvpn accept
    	server ssh accept
    	server webcache accept
    	server custom torrent_tcp tcp/51413 any accept
    	server custom torrent_udp udp/51413 any accept
    	server custom i2p_udp udp/29996 any accept
    	server custom i2p_tcp tcp/29996 any accept
    	client dhcp accept # DHCP is a "complex" protocol, best to specifically allow it if your ISP assigns you dynamic IPs.
    	client all accept
    
    router mylan2internet inface br0 outface eth_discreet
    	masquerade
    	route udpweb deny 	# Block QUIC/SPDY protocols, squid can't cache them. This forces TCP connections and allows caching of sites like YouTube.
    	route all accept
    			

  • firehol try
  • /etc/default/fireqos # Must explicitly enable startup
  • /etc/fireqos/fireqos.conf
    FIREQOS_CONNMARK_RESTORE="act_connmark"
    
    DEVICE=eth_discreet
    INPUT_SPEED=16mbit
    OUTPUT_SPEED=2mbit
    LINKTYPE=""
    
    # Service definitions
    server_openvpn_ports="any/1194"
    server_httpalt_ports="tcp/8080"
    
    server_bittorrent_ports="any/6881:6999,51413"
    server_i2p_ports="any/29996"
    service_facetime_ports="udp/3478:3497,16384:16387,16393:16402"
    
    server_hng_ports="tcp/15000:15500,16667 udp/16000:17000"	# Game: Heroes and Generals
    server_lol_ports="udp/5000:5500"				# Game: League of Legends
    
    
    interface $DEVICE world bidirectional $LINKTYPE input rate $INPUT_SPEED output rate $OUTPUT_SPEED
    
    	# By omitting 'balanced' from the interface line, packets are prioritized in order of the class that they are in.
    	class	latency		commit 20%	# Placeholder for time-critical packets (games)
    	class	bandwidth	commit 40%	# Placeholder for bandwidth-dependent streams (videoconferencing)
    
    	class	responsive
    		client	dns
    		server	ssh	# SSH is not in the 'time-critical' class, because it is sometimes used for file transfers or tunnels. It cannot be allowed to interfere with the preceeding classes.
    		client	ssh
    		match	icmp
    		server	openvpn
    
    	class	group	routed	commit 1%	# Router traffic
    		match	mark 1			# Intercept generic forwarded packets
    		match	connmark 1		# This classes packets marks as Squid traffic
    		class	default
    			client	hng							class latency	# Reassign Heroes & Generals to time-critical priority
    			client	lol							class latency	# Reassign League of Legends to time-critical priority
    			match	udp	sports	3478:3481	dports 3478:3481	class bandwidth	# Facebook/Skype use two sets of dynamic ports on both sides of the connection /
    			match		sports	49152:65535	dports 49152:65535	class bandwidth	# / Reassign them to bandwidth-dependent priority
    			# Background
    			match sports 16384:65535 dports 16384:65535	class background	#Torrent catch-all
    	class	group	end
    
    	class	default
    
    	class	background
    		server	http				# Local webserver
    		server	httpalt				# Local webserver
    		match	connmark 9			# transmission process
    		server	bittorrent
    	class	hidden
    		match	connmark 8	prio 6		# tor process
    		server	https		prio 6		# tor port
    		match	connmark 7	prio 7		# i2p process
    		server	i2p		prio 7		# i2p
    
  • (use “fireqos status world-in” to monitor)
  • I found that FireHOL doesn’t like to start up at boot. I haven’t yet properly solved this, but my temporary workaround is to add this to crontab:
    @reboot sleep 60 && /usr/sbin/firehol start