sad/firehol
1
0
Fork 0
mirror of https://github.com/firehol/firehol.git synced 2024-06-30 19:02:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added helper 'mark'

Browse Source 
Abstract from the documentation:

mark <NUMBER> <WHERE> [optional rule parameters]

The mark helper marks the traffic with a specific mark NUMBER
that can be matched by traffic shapping tools for controlling the
traffic.

Parameters

    * NUMBER is a number to mark the packets with.

    * WHERE tells FireHOL where to search for the specific traffic
      to be marked.
      Currently, WHERE can be one of the build-in iptables chains
      attached to table mangle. (for example: INPUT, FORWARD, OUTPUT,
      PREROUTING, POSTROUTING - case does matter here).

    * optional rule parameters is a set of rules that allow further
      restriction of the traffic that gets matched by this rule.
      See Optional Rules Parameters for more information.

Example 1: mark 1 OUTPUT
   will mark with 1 all packets send by the local machine.

Example 2: mark 2 FORWARD
   will mark with 2 all packets passing through the local machine.

Example 3: mark 3 FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2
   will match with 3 all packets sent by 2.2.2.2, passing through the
   local machine and targeting port TCP/25 of host 1.1.1.1.
This commit is contained in:
ktsaou 2003-09-13 01:03:46 +00:00
parent 71966cd7dc
commit 160dec4ba7
3 changed files with 180 additions and 141 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
TODO
View File

@ -1,21 +1,12 @@
$Id: TODO,v 1.4 2003/01/06 01:49:36 ktsaou Exp $
$Id: TODO,v 1.5 2003/09/13 01:03:46 ktsaou Exp $
The following is a list of features I plan to add to FireHOL,
assuming that my time permits and there is demand for them.
The list appears in no particular order.
* NAT support, including port redirections and load balancing
per firehol element. Today there is some limited support for
masquerading and of course you can embed normal iptables
NAT rules within firehol.conf. However, today these are just
work-arounds since there is no connection between a firehol
rule and the NAT system.
* Bandwidth shaping support per firehol element.
Ideally both the above should be "embedded" in firehol.conf rules
with something like:
Ideally I would like to achieve a situation where FireHOL
directives will be something like:
interface eth0 internet maxbw 1Mbps queue-type htb
server smtp accept \
@ -30,7 +21,7 @@ interface eth0 internet maxbw 1Mbps queue-type htb
client ssh accept priority hi
Nice, eh? I guess the only way to implement this is by making heavy use of the
I guess the only way to implement this is by making heavy use of the
MANGLE table and MARKing uniquely each FireHOL rule. This will allow all
iptables tables (mangle, nat, filter) and iproute to share the same traffic
categorization (through the MARK id on each packet). Some research has to be
@ -51,10 +42,6 @@ have different actions - accept, drop, reject, etc).
solution should show the active connections categorized according to firehol
rules, not iptables rules.
* More documentation:
- a man page for firehol
- a man page for firehol.conf
* A Web interface for configuring FireHOL.
* A secure mechanism for centralized control of a large number

269
doc/commands.html
View File

@ -48,16 +48,17 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
</li>
<li><a href="#helpers">Helper commands</a>
<ul>
<li><a href="#version">version</a>, require a specific version of FireHOL
<li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall
<li><a href="#masquerade">masquerade</a>, setup masquerading (NAT) to the output of a network interface</li>
<li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li>
<li><a href="#nat">nat</a>, setup a NAT rule for routed traffic</li>
<li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li>
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
<li><a href="#blacklist">blackilist</a>, setup a unidirectional or bidirectional blacklist</li>
<li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li>
<li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
<li><a href="#mark">mark</a>, mark traffic for traffic shapping tools</li>
<li><a href="#masquerade">masquerade</a>, setup masquerading (NAT) to the output of a network interface</li>
<li><a href="#nat">nat</a>, setup a NAT rule for routed traffic</li>
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
<li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li>
<li><a href="#version">version</a>, require a specific version of FireHOL
</ul>
&nbsp;
</li>
@ -354,27 +355,43 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
<small>Helper commands provide shortcuts for common functions not handled by the core of FireHOL's logic.</small>
<p>
<a name="version"><h3><b>version</b> <font color="red">&lt;number&gt;</font></h3></a>
<H4>Description</H4>
The <b>version</b> command states the FireHOL <u>release</u> the configuration file was
created for. In case the configuration file is newer than FireHOL, FireHOL will deny
to run it.
<a name="blacklist"><h3><b>blacklist</b> [option] <font color="red">&lt;IPs&gt;</font></h3></a>
The <b>blacklist</b> helper creates a blacklist for the <b>IP</b> addresses given. It supports two modes of operation
based on the option given (or the absence of it).
<p>
This command is here to allow you or anyone else design and distribute FireHOL configuration files, while
ensuring that the correct FireHOL version is going to run them.
The option can be:
<ul>
<li>one of the words <b>them, him, her, it, this, these, input</b> in which case it will generate a unidirectional
statefull blacklist, meaning that you will be able to ask (initiate connections) anything from them,
but they will not be able to ask (initiate connections) anything from you or the remote hosts you protect (routing).
<br>&nbsp;
</li>
<li>one of the words <b>all, full</b> or ommitted (no option given), in which case FireHOL will create bidirectional
stateless rules that will DROP all traffic comming in from these IPs and will REJECT all traffic going to them.
</li>
<p>
</ul>
The blacklist helper affects both interfaces and routers and can be used as many times as needed, but before the first interface statement.
The blacklist helper accepts multiple IPs both as one quoted and space separated list and as separate arguments.
<p>
Since FireHOL configurations are BASH script, it is relatively easy to use FireHOL configurations as small
scripts that dynamically process rules stored in a database, in a file system as separate files, or elsewhere.
This directive will help the developers of FireHOL configurations to control the required version of
FireHOL.
<p>
The FireHOL release is increased every time the format of the configuration file and the internals of FireHOL are changed.
<p>
Since FireHOL v1.67 <b>version</b> is not required to be present in every configuration file.
Example 1: <b>blacklist this "195.97.5.202 10.1.1.1"</b> # please note the quotes<br>
Example 2: <b>blacklist full 195.97.5.202 10.1.1.1</b> # please note the absence of quotes<br>
<p>
<hr noshade size=1 width="100%">
<a name="dnat"><h3><b>dnat</b> [to] <font color="red">&lt;target&gt;</font> [optional rule parameters]</h3></a>
The <b>dnat</b> helper sets up a Destination NAT rule for routed traffic, by calling<br>
<b>nat to-destination &lt;target&gt [optional rule parameters]</b>
<p>
See the <a href="#nat">nat</a> helper.
<p>
Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b>
<p>
<hr noshade size=1 width="100%">
<a name="iptables"><h3><b>iptables</b> <font color="red">&lt;arguments&gt;</font></h3></a>
<H4>Description</H4>
The <b>iptables</b> command passes all its arguments to the real iptables command, during run-time.
@ -387,6 +404,54 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
Always use the <b>iptables</b> directive to hook iptables commands in a FireHOL firewall. Nothing else.
<p>
<hr noshade size=1 width="100%">
<a name="mac"><h3><b>mac</b> <font color="red">&lt;IP&gt;</font> <font color="red">&lt;MAC&gt;</font></h3></a>
The <b>mac</b> helper verifies that all traffic <b>comming in</b> with source the <b>IP</b> address, comes from the
<b>MAC</b> address. The helper applies its rules to filter/INPUT and filter/FORWARD and checks the source IP address
in combination with the source MAC address.
<p>
The same MAC address is allowed to use other IPs; only the specific IP is required to be used with the specified MAC
address.
<p>
Packets with the given IP address but with wrong MAC address will be DROPped and a log (as in <A HREF="#loglimit">loglimit</a>)
with label "MAC MISSMATCH" will appear in the system logs.
<p>
This helper has to be used before all interface or router statements. Of course, you can use as many mac statements as you wish.
<p>
Example: <b>mac 195.97.5.202 00:02:8a:21:a9:d8</b>
<p>
<hr noshade size=1 width="100%">
<a name="mark"><h3><b>mark</b> <font color="red">&lt;NUMBER&gt;</font> <font color="red">&lt;WHERE&gt;</font> [optional rule parameters]</h3></a>
The <b>mark</b> helper marks the traffic with a specific mark NUMBER that can be matched by traffic shapping tools
for controlling the traffic.
<H4>Parameters</H4>
<ul>
<li> <b>NUMBER</b> is a number to mark the packets with.
<br>&nbsp;
</li>
<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
<br>&nbsp;
</li>
<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
<br>&nbsp;
</li>
</ul>
<br>&nbsp;
<br>Example 1: <b>mark 1 OUTPUT</b>, will mark with 1 all packets send by the local machine.
<br>Example 2: <b>mark 2 FORWARD</b>, will mark with 2 all packets passing through the local machine.
<br>Example 3: <b>mark 3 FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will match with 3
all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
<p>
<hr noshade size=1 width="100%">
<a name="masquerade"><h3><b>masquerade</b> [reverse | interface] [optional rule parameters]</h3></a>
@ -420,44 +485,6 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
<br>Example 3: within a router: <b>masquerade reverse</b>, to masquerade on the output of the router's inface.
<p>
<hr noshade size=1 width="100%">
<a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red">&lt;port&gt; &lt;user&gt;</font> [optional rule parameters]</h3></a>
The <b>transparent_squid</b> helper sets up trasparent caching for HTTP traffic.
The squid proxy is assumed to be running on the firewall host at port <b>port</b> (normally port is <b>squid</b>), with the credentials of the local user <b>user</b> (normally user is <b>squid</b>).
<p>
The <b>transparent_squid</b> helper can be used for two kinds of traffic:
<ul>
<li>Incomming HTTP traffic, either targeted to the firewall host or passing through the firewall host.
<br>The optional rule parameters can be used to specify which kind of <b>incomming</b> traffic to be catched
(by using <a href="#inface">inface</a>, <a href="#src">src</a>, <a href="#dst">dst</a>, etc --
<a href="#outface">outface</a> should not be used here, because the rules generated are placed before
the routing decision and therefore the outgoing interface is not yet known).
<p>
If no optional rule parameters are given, then the transparent
cache will be setup on <b>all network interfaces for all HTTP traffic</b> (use this with care since you are
risking to serve requests from the internet using your squid).
<br>&nbsp;
</li>
<li>Locally generated outgoing HTTP traffic, except HTTP traffic generated by processes running as the <b>user</b> argument.
The optional rule parameters <a href="#inface">inface</a>, <a href="#outface">outface</a> and <a href="#src">src</a> are
ignored for this type of traffic.
<p>
This kind of matching makes it possible to support transparent caching for WEB browsers running on the firewall
host, as far as they do not run as the user excluded. More that one users can be specified by space-separating
and enclosing them in double quotes.
<p>
This rule can be disabled by specifing as user the empty string: <b>""</b>
<br>&nbsp;
</li>
</ul>
<p>
Of course, make sure that your firewall allows requests to reach your proxy server.
<p>
Example 1: <b>transparent_squid 3128 squid inface eth0 src 10.0.0.0/8</b>
<br>Example 2: <b>transparent_squid 8080 "squid privoxy root bin" inface not "ppp+ ipsec+" dst not "a.not.proxied.server"</b>
<p>
<hr noshade size=1 width="100%">
<a name="nat"><h3><b>nat</b> <font color="red">&lt;type&gt; &lt;target&gt;</font> [optional rule parameters]</h3></a>
@ -543,6 +570,18 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
<br>Example 2: <b>nat to-destination 4.4.4.4 inface eth0 src 5.5.5.5 dst 6.6.6.6</b>
<br>Example 3: <b>nat redirect-to 8080 inface eth0 src 2.2.2.0/24 proto tcp dport 80</b>
<p>
<hr noshade size=1 width="100%">
<a name="redirect"><h3><b>redirect</b> [to] <font color="red">&lt;target&gt;</font> [optional rule parameters]</h3></a>
The <b>redirect</b> helper catches all incomming traffic matching the optional rule parameters given and
redirects it to ports on the local host, by calling<br>
<b>nat redirect-to &lt;target&gt [optional rule parameters]</b>
<p>
See the <a href="#nat">nat</a> helper.
<p>
Example: <b>redirect to 8080 inface eth0 src 2.2.2.0/24 proto tcp dport 80</b>
<p>
<hr noshade size=1 width="100%">
@ -557,69 +596,61 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
<hr noshade size=1 width="100%">
<a name="dnat"><h3><b>dnat</b> [to] <font color="red">&lt;target&gt;</font> [optional rule parameters]</h3></a>
The <b>dnat</b> helper sets up a Destination NAT rule for routed traffic, by calling<br>
<b>nat to-destination &lt;target&gt [optional rule parameters]</b>
<a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red">&lt;port&gt; &lt;user&gt;</font> [optional rule parameters]</h3></a>
The <b>transparent_squid</b> helper sets up trasparent caching for HTTP traffic.
The squid proxy is assumed to be running on the firewall host at port <b>port</b> (normally port is <b>squid</b>), with the credentials of the local user <b>user</b> (normally user is <b>squid</b>).
<p>
See the <a href="#nat">nat</a> helper.
The <b>transparent_squid</b> helper can be used for two kinds of traffic:
<ul>
<li>Incomming HTTP traffic, either targeted to the firewall host or passing through the firewall host.
<br>The optional rule parameters can be used to specify which kind of <b>incomming</b> traffic to be catched
(by using <a href="#inface">inface</a>, <a href="#src">src</a>, <a href="#dst">dst</a>, etc --
<a href="#outface">outface</a> should not be used here, because the rules generated are placed before
the routing decision and therefore the outgoing interface is not yet known).
<p>
If no optional rule parameters are given, then the transparent
cache will be setup on <b>all network interfaces for all HTTP traffic</b> (use this with care since you are
risking to serve requests from the internet using your squid).
<br>&nbsp;
</li>
<li>Locally generated outgoing HTTP traffic, except HTTP traffic generated by processes running as the <b>user</b> argument.
The optional rule parameters <a href="#inface">inface</a>, <a href="#outface">outface</a> and <a href="#src">src</a> are
ignored for this type of traffic.
<p>
This kind of matching makes it possible to support transparent caching for WEB browsers running on the firewall
host, as far as they do not run as the user excluded. More that one users can be specified by space-separating
and enclosing them in double quotes.
<p>
This rule can be disabled by specifing as user the empty string: <b>""</b>
<br>&nbsp;
</li>
</ul>
<p>
Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b>
<p>
<hr noshade size=1 width="100%">
<a name="redirect"><h3><b>redirect</b> [to] <font color="red">&lt;target&gt;</font> [optional rule parameters]</h3></a>
The <b>redirect</b> helper catches all incomming traffic matching the optional rule parameters given and
redirects it to ports on the local host, by calling<br>
<b>nat redirect-to &lt;target&gt [optional rule parameters]</b>
<p>
See the <a href="#nat">nat</a> helper.
<p>
Example: <b>redirect to 8080 inface eth0 src 2.2.2.0/24 proto tcp dport 80</b>
<p>
<hr noshade size=1 width="100%">
<a name="mac"><h3><b>mac</b> <font color="red">&lt;IP&gt;</font> <font color="red">&lt;MAC&gt;</font></h3></a>
The <b>mac</b> helper verifies that all traffic <b>comming in</b> with source the <b>IP</b> address, comes from the
<b>MAC</b> address. The helper applies its rules to filter/INPUT and filter/FORWARD and checks the source IP address
in combination with the source MAC address.
<p>
The same MAC address is allowed to use other IPs; only the specific IP is required to be used with the specified MAC
address.
<p>
Packets with the given IP address but with wrong MAC address will be DROPped and a log (as in <A HREF="#loglimit">loglimit</a>)
with label "MAC MISSMATCH" will appear in the system logs.
<p>
This helper has to be used before all interface or router statements. Of course, you can use as many mac statements as you wish.
<p>
Example: <b>mac 195.97.5.202 00:02:8a:21:a9:d8</b>
Of course, make sure that your firewall allows requests to reach your proxy server.
<p>
Example 1: <b>transparent_squid 3128 squid inface eth0 src 10.0.0.0/8</b>
<br>Example 2: <b>transparent_squid 8080 "squid privoxy root bin" inface not "ppp+ ipsec+" dst not "a.not.proxied.server"</b>
<p>
<hr noshade size=1 width="100%">
<a name="blacklist"><h3><b>blacklist</b> [option] <font color="red">&lt;IPs&gt;</font></h3></a>
The <b>blacklist</b> helper creates a blacklist for the <b>IP</b> addresses given. It supports two modes of operation
based on the option given (or the absence of it).
<a name="version"><h3><b>version</b> <font color="red">&lt;number&gt;</font></h3></a>
<H4>Description</H4>
The <b>version</b> command states the FireHOL <u>release</u> the configuration file was
created for. In case the configuration file is newer than FireHOL, FireHOL will deny
to run it.
<p>
The option can be:
<ul>
<li>one of the words <b>them, him, her, it, this, these, input</b> in which case it will generate a unidirectional
statefull blacklist, meaning that you will be able to ask (initiate connections) anything from them,
but they will not be able to ask (initiate connections) anything from you or the remote hosts you protect (routing).
<br>&nbsp;
</li>
<li>one of the words <b>all, full</b> or ommitted (no option given), in which case FireHOL will create bidirectional
stateless rules that will DROP all traffic comming in from these IPs and will REJECT all traffic going to them.
</li>
<p>
</ul>
The blacklist helper affects both interfaces and routers and can be used as many times as needed, but before the first interface statement.
The blacklist helper accepts multiple IPs both as one quoted and space separated list and as separate arguments.
This command is here to allow you or anyone else design and distribute FireHOL configuration files, while
ensuring that the correct FireHOL version is going to run them.
<p>
Example 1: <b>blacklist this "195.97.5.202 10.1.1.1"</b> # please note the quotes<br>
Example 2: <b>blacklist full 195.97.5.202 10.1.1.1</b> # please note the absence of quotes<br>
Since FireHOL configurations are BASH script, it is relatively easy to use FireHOL configurations as small
scripts that dynamically process rules stored in a database, in a file system as separate files, or elsewhere.
This directive will help the developers of FireHOL configurations to control the required version of
FireHOL.
<p>
The FireHOL release is increased every time the format of the configuration file and the internals of FireHOL are changed.
<p>
Since FireHOL v1.67 <b>version</b> is not required to be present in every configuration file.
<p>
<table border=0 cellpadding=10 cellspacing=0 width="100%"><tr bgcolor="#777777"><td align=center><font color="white"><b><big><a name="actions">Actions</a></td</tr></table>
@ -1252,7 +1283,7 @@ about optional rule parameters that should not be used in certain commands.
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: commands.html,v 1.38 2003/08/23 23:26:50 ktsaou Exp $</small>
<small>$Id: commands.html,v 1.39 2003/09/13 01:03:46 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2003

31
firehol.sh
View File

@ -10,7 +10,7 @@
#
# config: /etc/firehol/firehol.conf
#
# $Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
# $Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
#
FIREHOL_FILE="${0}"
@ -1334,6 +1334,27 @@ blacklist() {
return 0
}
mark_count=0
mark() {
work_realcmd=($FUNCNAME "$@")
set_work_function -ne "Initializing $FUNCNAME"
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
local num="${1}"; shift
local where="${1}"; shift
test -z "${where}" && where=OUTPUT
mark_count=$[mark_count + 1]
set_work_function "Setting up rules for MARK"
create_chain mangle "mark.${mark_count}" "${where}" "$@" action "mark.${mark_count}" || return 1
iptables -t mangle -A "mark.${mark_count}" -j MARK --set-mark ${num}
return 0
}
# ------------------------------------------------------------------------------
@ -3610,7 +3631,7 @@ case "${arg}" in
else
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
$Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
@ -3796,7 +3817,7 @@ then
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
$Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -4091,7 +4112,7 @@ then
${CAT_CMD} >&2 <<EOF
$Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
$Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -4184,7 +4205,7 @@ EOF
echo "# "
${CAT_CMD} <<EOF
# $Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
# $Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net