FireHOL and FireQOS setup on Ubuntu 16.04

This is the FireHOL/FireQOS installation method and configuration that I use for my home server, here for easy reference in case I need to set it up again, or something similar.

• apt purge ufw # First, uninstall Ubuntu’s default firewall.
• # Ubuntu comes with FireHOL 2.x, need to install PPA for 3.x series for connmark support. Connmark is useful in that it allows you to mark incoming packets for established connections, allowing QOS on downstream traffic by process. This is especially useful for programs that have dynamic server/client ports, such as torrents.
  • add-apt-repository ppa:andvgal/firehol-bpo
  • apt update
• apt install fireqos ulogd
• /etc/default/firehol # Must explicitly enable startup
• /etc/firehol/firehol.conf

  version 6
  
  FIREHOL_LOG_MODE="NFLOG"			# Prevents log spamming.
  
  ipv4 transparent_proxy http 3128 "" src 192.168.0.0/24		# Squid HTTP proxy. The process owner is intentionally blank, in order that all locally-originating connections bypass the proxy. (if it breaks, I need to Google how to fix it!)
  #ipv4 transparent_proxy https 3130 "" src 192.168.0.0/24		# Squid HTTPS proxy
  connmark 1 OUTPUT user "proxy"			# Mark all proxied connections
  mark 1 FORWARD					# Mark all routed/masqueraded connections
  
  connmark 7 OUTPUT user "i2psvc"			# Mark local i2p
  connmark 8 OUTPUT user "debian-tor"		# Mark local TOR
  connmark 9 OUTPUT user "debian-transmission"	# Mark local torrent client
  
  # Save/restore connmarks on outgoing/incoming packets
  connmark save OUTPUT
  connmark restore PREROUTING
  
  # service definitions
  server_udpweb_ports="udp/80 udp/443"	# QUIC/SPDY protocols
  client_udpweb_ports="default"
  
  interface br0 mylan
      policy accept
  
  interface eth_discreet internet
  
  	policy drop
  	protection strong # 10/sec 10
  
  	server http accept
  	server httpalt accept
  	server https accept #tor
  	server ICMP accept
  	server openvpn accept
  	server ssh accept
  	server webcache accept
  	server custom torrent_tcp tcp/51413 any accept
  	server custom torrent_udp udp/51413 any accept
  	server custom i2p_udp udp/29996 any accept
  	server custom i2p_tcp tcp/29996 any accept
  	client dhcp accept # DHCP is a "complex" protocol, best to specifically allow it if your ISP assigns you dynamic IPs.
  	client all accept
  
  router mylan2internet inface br0 outface eth_discreet
  	masquerade
  	route udpweb deny 	# Block QUIC/SPDY protocols, squid can't cache them. This forces TCP connections and allows caching of sites like YouTube.
  	route all accept
  			

• firehol try
• /etc/default/fireqos # Must explicitly enable startup
• /etc/fireqos/fireqos.conf

  FIREQOS_CONNMARK_RESTORE="act_connmark"
  
  DEVICE=eth_discreet
  INPUT_SPEED=16mbit
  OUTPUT_SPEED=2mbit
  LINKTYPE=""
  
  # Service definitions
  server_openvpn_ports="any/1194"
  server_httpalt_ports="tcp/8080"
  
  server_bittorrent_ports="any/6881:6999,51413"
  server_i2p_ports="any/29996"
  service_facetime_ports="udp/3478:3497,16384:16387,16393:16402"
  
  server_hng_ports="tcp/15000:15500,16667 udp/16000:17000"	# Game: Heroes and Generals
  server_lol_ports="udp/5000:5500"				# Game: League of Legends
  
  
  interface $DEVICE world bidirectional $LINKTYPE input rate $INPUT_SPEED output rate $OUTPUT_SPEED
  
  	# By omitting 'balanced' from the interface line, packets are prioritized in order of the class that they are in.
  	class	latency		commit 20%	# Placeholder for time-critical packets (games)
  	class	bandwidth	commit 40%	# Placeholder for bandwidth-dependent streams (videoconferencing)
  
  	class	responsive
  		client	dns
  		server	ssh	# SSH is not in the 'time-critical' class, because it is sometimes used for file transfers or tunnels. It cannot be allowed to interfere with the preceeding classes.
  		client	ssh
  		match	icmp
  		server	openvpn
  
  	class	group	routed	commit 1%	# Router traffic
  		match	mark 1			# Intercept generic forwarded packets
  		match	connmark 1		# This classes packets marks as Squid traffic
  		class	default
  			client	hng							class latency	# Reassign Heroes & Generals to time-critical priority
  			client	lol							class latency	# Reassign League of Legends to time-critical priority
  			match	udp	sports	3478:3481	dports 3478:3481	class bandwidth	# Facebook/Skype use two sets of dynamic ports on both sides of the connection /
  			match		sports	49152:65535	dports 49152:65535	class bandwidth	# / Reassign them to bandwidth-dependent priority
  			# Background
  			match sports 16384:65535 dports 16384:65535	class background	#Torrent catch-all
  	class	group	end
  
  	class	default
  
  	class	background
  		server	http				# Local webserver
  		server	httpalt				# Local webserver
  		match	connmark 9			# transmission process
  		server	bittorrent
  	class	hidden
  		match	connmark 8	prio 6		# tor process
  		server	https		prio 6		# tor port
  		match	connmark 7	prio 7		# i2p process
  		server	i2p		prio 7		# i2p
  

• (use “fireqos status world-in” to monitor)
• I found that FireHOL doesn’t like to start up at boot. I haven’t yet properly solved this, but my temporary workaround is to add this to crontab:

  @reboot sleep 60 && /usr/sbin/firehol start