Mirror of https://github.com/firehol/firehol.git, synced 2024-06-28 18:02:33 +00:00
Small internal changes.
Added support for integration with knockd (http://www.zeroflux.org/knock/) This integration comes as part of the ACCEPT action: accept [with knock <name>] The optional parameter 'with knock' allows easy integration with knockd, a server that allows you to control access to services, by sending certain packets to "knock" the door, before the door is open for service. This parameter accepts just a name. This name is used to build a special chain knock_<name> which will contain no rules, so that the traffic entering this chain will just return back and continue to match against the other rules until the end of the firewall. As an example, let's say that you want to allow https traffic based on a knock. In FireHOL you write: server https accept with knock hidden and you configure knockd so that it runs: iptables -A knock_hidden -s %IP% -j ACCEPT to enable the https service (notice that there is no need to match anything other than the IP. FireHOL already matches everything needed for its rules to work), and: iptables -D knock_hidden -s %IP% -j ACCEPT to disable this service for the given IP.
Parent: 28464b03c7
Commit: c8dad4f53a
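As an added example (not part of this commit and not a file shipped by FireHOL or knockd), this is the knockd side of the integration the commit message describes: a knockd.conf section whose commands target the empty `knock_hidden` chain that `server https accept with knock hidden` creates. Only the two iptables commands and the chain name come from the commit; the section name, port sequence, timeouts and log path are assumptions chosen for illustration. A single section with `start_command`, `cmd_timeout` and `stop_command` makes the opened hole close itself after the timeout, so access does not depend on the client remembering a second "close" sequence.

```ini
# Added example knockd.conf for the FireHOL "with knock" chain; values are assumptions.
[options]
    # assumed path; every completed sequence and the command it ran is recorded here
    logfile = /var/log/knockd.log

# One section that opens and closes the door itself (start_command / stop_command / cmd_timeout).
[hidden]
    # assumed knock sequence; choose your own ports, tcp and udp can be mixed
    sequence    = 7000:tcp,8000:udp,9000:tcp
    # the whole sequence must arrive within this many seconds
    seq_timeout = 10
    # only count fresh SYN packets as knocks
    tcpflags    = syn
    # knock_hidden is created (empty) by FireHOL for "server https accept with knock hidden";
    # matching on the source IP alone is enough because FireHOL already matched port and state
    start_command = /sbin/iptables -A knock_hidden -s %IP% -j ACCEPT
    # seconds the door stays open before stop_command runs for the same %IP%
    cmd_timeout   = 600
    stop_command  = /sbin/iptables -D knock_hidden -s %IP% -j ACCEPT
```

knockd must start after FireHOL has built the chain, otherwise the `-A knock_hidden` command fails; and if FireHOL rebuilds its chains, entries knockd added earlier are gone and the client has to knock again, which is also why a short `cmd_timeout` keeps the state on both sides in step.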
@ -853,16 +853,38 @@ multiple iptables statements to achieve both the logging and the action.
<p>

<a name="accept"><h3><b>accept</b> [with limit <frequency> <burst> [overflow <action>]]</h3></a>
<h3><b>accept</b> [with knock <name>]</h3>
<b>accept</b> allows the traffic matching the rules to reach its destination.
<p>
<b>with limit</b><br>
The optional parameter <b>with limit</b> offers control over the allowed frequency of NEW connections. <b>frequency</b> and <b>burst</b> have the same syntax of the <a href="#limit">limit</a>
optional rule parameter.
<p>
The overflow <b>action</b> offers control over the overflowed NEW connections. The default is to REJECT overflowed connections (not DROP them, since DROP produces timeouts
on the otherwise valid service clients). Also, the REJECT overflow action, will reject TCP connections with <b>tcp-reset</b> and all others with <b>icmp-host-unreachable</b>.
<p>
<br>
The overflowed NEW connection attempts will be logged with a <b>OVERFLOW</b> message, with the options the <a href="#loglimit">loglimit</a> parameter works.
<p>
<b>with knock</b><br>
The optional parameter <b>with knock</b> allows easy integration with <a href="http://www.zeroflux.org/knock/">knockd</a>, a server that allows you to control access to services, by sending certain packets to "knock" the
door, before the door is open for service.<br>
This parameter accepts just a name. This name is used to build a special chain <b>knock_<name></b> which will contain no rules, so that the traffic entering this chain will just return back
and continue to match against the other rules until the end of the firewall.
<p>
As an example, lets say that you want to allow https traffic based on a knock. In FireHOL you write:
<p>
<pre>server https accept with knock hidden</pre>
<p>
and you configure knockd so that it runs:
<p>
<pre>iptables -A knock_hidden -s %IP% -j ACCEPT</pre>
<p>
to enable the https service (notice that there is no need to match anything else than the IP. FireHOL already matches everything else needed for its rule to work), and:
<p>
<pre>iptables -D knock_hidden -s %IP% -j ACCEPT</pre>
<p>
to disable this service for the given IP.
<p>
Example 1: <b>server smtp accept</b>, to allow SMTP requests and their replies to flow.<br>
Example 2: <b>server smtp accept with limit 10/s 100</b>, to allow SMTP requests to come at 10/second max, with a burst of 100, and their replies to flow back.<br>
Example 3: <b>server smtp accept with limit 10/s 100 overflow drop</b>, to allow SMTP requests to come at 10/second max, with a burst of 100, and their replies to flow back. The overflow requests will be dropped.<br>
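Review bot: the two syntax lines, `accept [with limit ...]` and `accept [with knock <name>]`, are shown one under the other but the text never says whether they can be combined; since the rule() hunk stores a single `("knock" "${2}")` pair in action_param and rule_action_param dispatches on `action_param[0]` alone, they are alternatives, and the page should state that. The knockd commands in the example also omit `-t`: the chain is created with `iptables ${table} -N "${name}"` in the rule's own table, so the text should say that knockd's commands must address the same table (as written they only work when the rule lives in the default filter table). Minor: "lets say" should read "let's say", and "anything else than the IP" reads better as "anything other than the IP".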
@ -1614,7 +1636,7 @@ about optional rule parameters that should not be used in certain commands.
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: commands.html,v 1.57 2004/12/21 21:49:20 ktsaou Exp $</small>
<small>$Id: commands.html,v 1.58 2004/12/22 23:06:00 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
© Copyright 2004
firehol.sh (46 changed lines)
@ -10,7 +10,7 @@
#
# config: /etc/firehol/firehol.conf
#
# $Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
# $Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
#

# Remember who you are.
@ -2909,6 +2909,7 @@ rule_action_param() {
local table="${1}"; shift
local -a action_param=()

# All arguments until the separator are the parameters of the action
local count=0
while [ ! -z "${1}" -a ! "A${1}" = "A--" ]
do
@ -2918,10 +2919,11 @@ rule_action_param() {
count=$[count + 1]
done

# If we don't have a seperator, generate an error
local sep="${1}"; shift
if [ ! "A${sep}" = "A--" ]
then
error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${action_param[@]}' ${sep} $@)."
error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${statenot}' '${state}' '${table}' '${action_param[@]}' ${sep} '$@')."
return 1
fi

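Review bot: in the new error line, wrapping `$@` in single quotes inside the double-quoted string joins every remaining argument into one quoted run, so the argument boundaries the message is meant to expose are still invisible; printing `$#` next to it, or quoting each argument with `$(printf "'%s' " "$@")`, would make the dump unambiguous. Style: the context comment still reads "seperator"; worth correcting to "separator" while this block is being edited.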
@ -2933,7 +2935,7 @@ rule_action_param() {

ACCEPT)
# do we have any options for this accept?
if [ ! -z "${state}" -a ! -z "${action_param[0]}" ]
if [ ! -z "${action_param[0]}" ]
then
# find the options we have
case "${action_param[0]}" in
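Review bot: dropping `! -z "${state}"` from the guard means ACCEPT options are now processed even when the rule carries no state. The knock branch copes with that by clearing action_param so nothing is appended when NEW is not part of the rule, but this hunk shows no equivalent change in the `limit` branch; please confirm that `with limit`, which is documented as applying to NEW connections only, does not now emit its limit match on stateless rules or on the reply direction.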
@ -3007,8 +3009,31 @@ rule_action_param() {
fi
;;

'knock')
# the name of the knock
local name="knock_${action_param[1]}"

# unset the action_param, so that if this rule does not include NEW connections,
# we will not append anything to the generated iptables statements.
local -a action_param=()

# does the knock chain exists?
if [ ! -f "${FIREHOL_CHAINS_DIR}/${name}" ]
then
# the chain does not exist. create it.
iptables ${table} -N "${name}"
touch "${FIREHOL_CHAINS_DIR}/${name}"

# knockd (http://www.zeroflux.org/knock/)
# will create the rules inside this chain.
fi

# send the rule to be generated to this knock chain
local action=${name}
;;

*)
error "Internal error. Cannot understand action ${action} with parameter '${action_param[1]}'."
error "Internal error. Cannot understand action ${action} with parameter '${action_param[0]}'."
return 1
;;
esac
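Review bot: `name` is built from `${action_param[1]}` with no validation before it reaches both `iptables ${table} -N "${name}"` and the path `${FIREHOL_CHAINS_DIR}/${name}`. A name containing `/` or `..` escapes the chains directory, a name with whitespace breaks the iptables call, and iptables caps chain names at a few dozen characters (28 in current releases, so 22 after the `knock_` prefix); reject anything not matching `[A-Za-z0-9_]` or longer than the cap with an `error` and `return 1` before this point. Second, the marker file is keyed on the name only while the chain is created per `${table}`: two rules using the same knock name in different tables skip `-N` for the second table and the later jump fails; include the table in the marker file name. Also `touch` runs whether or not `iptables -N` succeeded, so check its exit status first.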
@ -3477,6 +3502,11 @@ rule() {
fi
;;

knock|KNOCK)
local -a action_param=("knock" "${2}")
shift 2
;;

*)
error "Cannot understand action's '${action}' directive '${1}'"
return 1
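Review bot: `knock|KNOCK)` takes `${2}` as the name without checking it is present: `accept with knock` followed by nothing yields a chain literally named `knock_`, and `shift 2` fails silently when only one argument remains. Add `if [ -z "${2}" ]; then error "knock requires a name"; return 1; fi` before building action_param, matching how the `*)` case below reports an unknown directive.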
@ -5038,7 +5068,7 @@ case "${arg}" in
else

${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
$Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.

@ -5224,7 +5254,7 @@ then

${CAT_CMD} <<EOF

$Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
$Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5518,7 +5548,7 @@ then

${CAT_CMD} >&2 <<EOF

$Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
$Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5601,7 +5631,7 @@ EOF
echo "# "

${CAT_CMD} <<EOF
# $Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
# $Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net