Small internal changes.

Added support for integration with knockd (http://www.zeroflux.org/knock/)
This integration comes as part of the ACCEPT action:

accept [with knock <name>]
The optional parameter 'with knock' allows easy integration with knockd,
a server that allows you to control access to services, by sending certain
packets to "knock" the door, before the door is open for service.

This parameter accepts just a name. This name is used to build a special
chain knock_<name> which will contain no rules, so that the traffic entering
this chain will just return back and continue to match against the other
rules until the end of the firewall.

As an example, let's say that you want to allow https traffic based on a knock.
In FireHOL you write:

   server https accept with knock hidden

and you configure knockd so that it runs:

   iptables -A knock_hidden -s %IP% -j ACCEPT

to enable the https service (notice that there is no need to match anything
other than the IP. FireHOL already matches everything needed for its rules
to work), and:

   iptables -D knock_hidden -s %IP% -j ACCEPT

to disable this service for the given IP.
ktsaou 2004-12-22 23:05:57 +00:00
parent 28464b03c7
commit c8dad4f53a
2 changed files with 62 additions and 10 deletions

@ -853,16 +853,38 @@ multiple iptables statements to achieve both the logging and the action.
<p>
<a name="accept"><h3><b>accept</b> [with limit &lt;frequency&gt; &lt;burst&gt; [overflow &lt;action&gt;]]</h3></a>
<h3><b>accept</b> [with knock &lt;name&gt;]</h3>
<b>accept</b> allows the traffic matching the rules to reach its destination.
<p>
<b>with limit</b><br>
The optional parameter <b>with limit</b> offers control over the allowed frequency of NEW connections. <b>frequency</b> and <b>burst</b> have the same syntax of the <a href="#limit">limit</a>
optional rule parameter.
<p>
The overflow <b>action</b> offers control over the overflowed NEW connections. The default is to REJECT overflowed connections (not DROP them, since DROP produces timeouts
on the otherwise valid service clients). Also, the REJECT overflow action, will reject TCP connections with <b>tcp-reset</b> and all others with <b>icmp-host-unreachable</b>.
<p>
<br>
The overflowed NEW connection attempts will be logged with a <b>OVERFLOW</b> message, with the options the <a href="#loglimit">loglimit</a> parameter works.
<p>
<b>with knock</b><br>
The optional parameter <b>with knock</b> allows easy integration with <a href="http://www.zeroflux.org/knock/">knockd</a>, a server that allows you to control access to services, by sending certain packets to "knock" the
door, before the door is open for service.<br>
This parameter accepts just a name. This name is used to build a special chain <b>knock_&lt;name&gt;</b> which will contain no rules, so that the traffic entering this chain will just return back
and continue to match against the other rules until the end of the firewall.
<p>
As an example, lets say that you want to allow https traffic based on a knock. In FireHOL you write:
<p>
<pre>server https accept with knock hidden</pre>
<p>
and you configure knockd so that it runs:
<p>
<pre>iptables -A knock_hidden -s %IP% -j ACCEPT</pre>
<p>
to enable the https service (notice that there is no need to match anything else than the IP. FireHOL already matches everything else needed for its rule to work), and:
<p>
<pre>iptables -D knock_hidden -s %IP% -j ACCEPT</pre>
<p>
to disable this service for the given IP.
<p>
Example 1: <b>server smtp accept</b>, to allow SMTP requests and their replies to flow.<br>
Example 2: <b>server smtp accept with limit 10/s 100</b>, to allow SMTP requests to come at 10/second max, with a burst of 100, and their replies to flow back.<br>
Example 3: <b>server smtp accept with limit 10/s 100 overflow drop</b>, to allow SMTP requests to come at 10/second max, with a burst of 100, and their replies to flow back. The overflow requests will be dropped.<br>
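Review bot: the new `<h3>` for `accept [with knock <name>]` is placed outside the `<a name="accept">` anchor that wraps the `with limit` heading, so the page now shows two separate headings for one command and only the first is linkable; either move it inside the same anchor or give it its own `<a name=...>`. In the new paragraph, "lets say" should read "let's say" and "anything else than the IP" should read "anything other than the IP". Since Examples 1-3 cover the `with limit` form, an "Example 4: server https accept with knock hidden" would keep the examples list in step with the new syntax line.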
@ -1614,7 +1636,7 @@ about optional rule parameters that should not be used in certain commands.
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: commands.html,v 1.57 2004/12/21 21:49:20 ktsaou Exp $</small>
<small>$Id: commands.html,v 1.58 2004/12/22 23:06:00 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2004

@ -10,7 +10,7 @@
#
# config: /etc/firehol/firehol.conf
#
# $Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
# $Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
#
# Remember who you are.
@ -2909,6 +2909,7 @@ rule_action_param() {
local table="${1}"; shift
local -a action_param=()
# All arguments until the separator are the parameters of the action
local count=0
while [ ! -z "${1}" -a ! "A${1}" = "A--" ]
do
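Review bot: inserting `local table="${1}"; shift` adds a new leading positional parameter to rule_action_param(), so every caller must now pass the table before the action parameters. None of the call sites appear in this diff; please confirm they were all updated, because a caller still using the old signature would have its first action parameter consumed as the table and then fail the `--` separator check below with the "Internal Error" message.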
@ -2918,10 +2919,11 @@ rule_action_param() {
count=$[count + 1]
done
# If we don't have a seperator, generate an error
local sep="${1}"; shift
if [ ! "A${sep}" = "A--" ]
then
error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${action_param[@]}' ${sep} $@)."
error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${statenot}' '${state}' '${table}' '${action_param[@]}' ${sep} '$@')."
return 1
fi
@ -2933,7 +2935,7 @@ rule_action_param() {
ACCEPT)
# do we have any options for this accept?
if [ ! -z "${state}" -a ! -z "${action_param[0]}" ]
if [ ! -z "${action_param[0]}" ]
then
# find the options we have
case "${action_param[0]}" in
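Review bot: dropping `! -z "${state}"` from the condition means option parsing now also runs for ACCEPT rules that carry no state match. That is what the knock branch needs, but the limit branch (not shown in this hunk) previously relied on this guard so that limiting applied only to rules matching NEW connections; please confirm it still checks `${state}` itself, otherwise a rule without a state would now get the rate limit applied to every packet rather than to new connections.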
@ -3007,8 +3009,31 @@ rule_action_param() {
fi
;;
'knock')
# the name of the knock
local name="knock_${action_param[1]}"
# unset the action_param, so that if this rule does not include NEW connections,
# we will not append anything to the generated iptables statements.
local -a action_param=()
# does the knock chain exists?
if [ ! -f "${FIREHOL_CHAINS_DIR}/${name}" ]
then
# the chain does not exist. create it.
iptables ${table} -N "${name}"
touch "${FIREHOL_CHAINS_DIR}/${name}"
# knockd (http://www.zeroflux.org/knock/)
# will create the rules inside this chain.
fi
# send the rule to be generated to this knock chain
local action=${name}
;;
*)
error "Internal error. Cannot understand action ${action} with parameter '${action_param[1]}'."
error "Internal error. Cannot understand action ${action} with parameter '${action_param[0]}'."
return 1
;;
esac
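Review bot: the knock branch decides whether the chain exists from the marker file `${FIREHOL_CHAINS_DIR}/${name}` rather than from iptables, and `touch` runs regardless of whether `iptables ${table} -N "${name}"` succeeded. If chain creation fails, for instance because `knock_` plus the user's name exceeds the 28-character iptables chain-name limit, the marker is still written and the rule is then jumped to a chain that does not exist. Suggest checking the return status, e.g. `iptables ${table} -N "${name}" || return 1`, and validating `${action_param[1]}` (non-empty, acceptable length) before building the name. Also, `local -a action_param=()` re-declares a variable that is already local at the top of the function; a plain `action_param=()` is enough and avoids the impression of a new scope.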
@ -3477,6 +3502,11 @@ rule() {
fi
;;
knock|KNOCK)
local -a action_param=("knock" "${2}")
shift 2
;;
*)
error "Cannot understand action's '${action}' directive '${1}'"
return 1
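Review bot: the new `knock|KNOCK)` branch takes `${2}` without checking that a name was actually supplied. With `accept with knock` and nothing after it, `${2}` is empty, `shift 2` in bash shifts nothing and returns non-zero (unnoticed here), and the action parameter becomes `("knock" "")`, which rule_action_param() turns into a chain named just `knock_`. Suggest `[ -z "${2}" ] && { error "knock requires a name"; return 1; }` before the shift, mirroring the error handling in the `*)` branch.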
@ -5038,7 +5068,7 @@ case "${arg}" in
else
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
$Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
@ -5224,7 +5254,7 @@ then
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
$Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5518,7 +5548,7 @@ then
${CAT_CMD} >&2 <<EOF
$Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
$Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5601,7 +5631,7 @@ EOF
echo "# "
${CAT_CMD} <<EOF
# $Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
# $Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net