From c8dad4f53a0f002ccc49641320b54c6f797cd3de Mon Sep 17 00:00:00 2001 From: ktsaou Date: Wed, 22 Dec 2004 23:05:57 +0000 Subject: [PATCH] Small internal changes. Added support for integration with knockd (http://www.zeroflux.org/knock/) This integration comes as part of the ACCEPT action: accept [with knock ] The optional parameter 'with knock' allows easy integration with knockd, a server that allows you to control access to services, by sending certain packets to "knock" the door, before the door is open for service. This parameter accepts just a name. This name is used to build a special chain knock_ which will contain no rules, so that the traffic entering this chain will just return back and continue to match against the other rules until the end of the firewall. As an example, lets say that you want to allow https traffic based on a knock. In FireHOL you write: server https accept with knock hidden and you configure knockd so that it runs: iptables -A knock_hidden -s %IP% -j ACCEPT to enable the https service (notice that there is no need to match anything else than the IP. FireHOL already matches everything needed for its rules to work), and: iptables -D knock_hidden -s %IP% -j ACCEPT to disable this service for the given IP.
---
doc/commands.html | 26 ++++++++++++++++++++++++-- firehol.sh | 46 ++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 62 insertions(+), 10 deletions(-)
diff --git a/doc/commands.html b/doc/commands.html
index 2994eb3..1901034 100644
--- a/doc/commands.html
+++ b/doc/commands.html
@@ -853,16 +853,38 @@ multiple iptables statements to achieve both the logging and the action.

accept [with limit <frequency> <burst> [overflow <action>]]

+

accept [with knock <name>]

accept allows the traffic matching the rules to reach its destination.

+ with limit
The optional parameter with limit offers control over the allowed frequency of NEW connections. frequency and burst have the same syntax of the limit optional rule parameter.

The overflow action offers control over the overflowed NEW connections. The default is to REJECT overflowed connections (not DROP them, since DROP produces timeouts on the otherwise valid service clients). Also, the REJECT overflow action, will reject TCP connections with tcp-reset and all others with icmp-host-unreachable.
-

+
The overflowed NEW connection attempts will be logged with a OVERFLOW message, with the options the loglimit parameter works.

+ with knock
+ The optional parameter with knock allows easy integration with knockd, a server that allows you to control access to services, by sending certain packets to "knock" the
+ door, before the door is open for service.
+ This parameter accepts just a name. This name is used to build a special chain knock_<name> which will contain no rules, so that the traffic entering this chain will just return back
+ and continue to match against the other rules until the end of the firewall.
+

+ As an example, lets say that you want to allow https traffic based on a knock. In FireHOL you write:
+

+

server https accept with knock hidden
+

+ and you configure knockd so that it runs:
+

+

iptables -A knock_hidden -s %IP% -j ACCEPT
+

+ to enable the https service (notice that there is no need to match anything else than the IP. FireHOL already matches everything else needed for its rule to work), and:
+

+

iptables -D knock_hidden -s %IP% -j ACCEPT
+

+ to disable this service for the given IP.
+

Example 1: server smtp accept, to allow SMTP requests and their replies to flow.
Example 2: server smtp accept with limit 10/s 100, to allow SMTP requests to come at 10/second max, with a burst of 100, and their replies to flow back.
Example 3: server smtp accept with limit 10/s 100 overflow drop, to allow SMTP requests to come at 10/second max, with a burst of 100, and their replies to flow back. The overflow requests will be dropped.
@@ -1614,7 +1636,7 @@ about optional rule parameters that should not be used in certain commands. SourceForge Logo
- $Id: commands.html,v 1.57 2004/12/21 21:49:20 ktsaou Exp $
+ $Id: commands.html,v 1.58 2004/12/22 23:06:00 ktsaou Exp $

FireHOL, a firewall for humans...
© Copyright 2004
diff --git a/firehol.sh b/firehol.sh
index f297c90..76e1462 100755
--- a/firehol.sh
+++ b/firehol.sh
@@ -10,7 +10,7 @@ # # config: /etc/firehol/firehol.conf #
-# $Id: firehol.sh,v 1.218 2004/12/21 21:49:11 ktsaou Exp $
+# $Id: firehol.sh,v 1.219 2004/12/22 23:05:57 ktsaou Exp $ # # Remember who you are.
@@ -2909,6 +2909,7 @@ rule_action_param() { local table="${1}"; shift local -a action_param=()
+ # All arguments until the separator are the parameters of the action local count=0 while [ ! -z "${1}" -a ! "A${1}" = "A--" ] do
@@ -2918,10 +2919,11 @@ rule_action_param() { count=$[count + 1] done
+ # If we don't have a seperator, generate an error local sep="${1}"; shift if [ ! "A${sep}" = "A--" ] then
- error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${action_param[@]}' ${sep} $@)."
+ error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${statenot}' '${state}' '${table}' '${action_param[@]}' ${sep} '$@')." return 1 fi
@@ -2933,7 +2935,7 @@ rule_action_param() { ACCEPT) # do we have any options for this accept?
- if [ ! -z "${state}" -a ! -z "${action_param[0]}" ]
+ if [ ! -z "${action_param[0]}" ] then # find the options we have case "${action_param[0]}" in 
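Review bot: Dropping `! -z "${state}"` from the ACCEPT guard in the @@ -2933 hunk makes the option parser run for rules that carry no state match, where it was skipped before; the knock arm added later in this commit resets action_param to cope with that, but the existing `'limit')` arm lies outside this hunk and I cannot see whether it still assumes a NEW-state rule, so it is worth confirming that `accept with limit` on a stateless rule now generates what is intended. If the state test is only meant to protect the limit option, keeping it inside that arm rather than removing it here would preserve the old behaviour for the other options. Separately, the comment added in the @@ -2918 hunk misspells `separator` (`seperator`). rule_action_param() starts and ends outside these hunks.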
@@ -3007,8 +3009,31 @@ rule_action_param() { fi ;;
+ 'knock')
+ # the name of the knock
+ local name="knock_${action_param[1]}"
+
+ # unset the action_param, so that if this rule does not include NEW connections,
+ # we will not append anything to the generated iptables statements.
+ local -a action_param=()
+
+ # does the knock chain exists?
+ if [ ! -f "${FIREHOL_CHAINS_DIR}/${name}" ]
+ then
+ # the chain does not exist. create it.
+ iptables ${table} -N "${name}"
+ touch "${FIREHOL_CHAINS_DIR}/${name}"
+
+ # knockd (http://www.zeroflux.org/knock/)
+ # will create the rules inside this chain.
+ fi
+
+ # send the rule to be generated to this knock chain
+ local action=${name}
+ ;;
+ *)
- error "Internal error. Cannot understand action ${action} with parameter '${action_param[1]}'."
+ error "Internal error. Cannot understand action ${action} with parameter '${action_param[0]}'." return 1 ;; esac
@@ -3477,6 +3502,11 @@ rule() { fi ;;
+ knock|KNOCK)
+ local -a action_param=("knock" "${2}")
+ shift 2
+ ;;
+ *) error "Cannot understand action's '${action}' directive '${1}'" return 1
@@ -5038,7 +5068,7 @@ case "${arg}" in else ${CAT_CMD} < FireHOL is distributed under GPL.
@@ -5224,7 +5254,7 @@ then ${CAT_CMD} < FireHOL is distributed under GPL. Home Page: http://firehol.sourceforge.net
@@ -5518,7 +5548,7 @@ then ${CAT_CMD} >&2 < FireHOL is distributed under GPL. Home Page: http://firehol.sourceforge.net
@@ -5601,7 +5631,7 @@ EOF echo "# " ${CAT_CMD} < # FireHOL is distributed under GPL. # Home Page: http://firehol.sourceforge.net
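Review bot: The knock name taken from `${action_param[1]}` in the new `'knock')` arm is used unvalidated both as an iptables chain name (`iptables ${table} -N "${name}"`) and as a path component under `${FIREHOL_CHAINS_DIR}`, and nothing rejects an empty or malformed value; the `knock|KNOCK)` arm in the rule() hunk below likewise stores `"${2}"` and does `shift 2` without checking that a name was given, so `accept with knock` alone yields the chain `knock_` and a shift that cannot shift. A guard before the chain is created keeps the failure at configuration time, e.g. `case "${action_param[1]}" in ''|*[!A-Za-z0-9_]*) error "knock name '${action_param[1]}' must be a non-empty [A-Za-z0-9_] token"; return 1 ;; esac`, and since iptables also caps chain name length (a name of 29 characters or more is rejected in the versions I have seen) a `${#name}` check next to it would report a too-long name together with the rule that caused it. As a point of style, re-declaring `action` and `action_param` with `local` inside the case arm works in bash (it just reassigns the function-scoped variables) but reads as if a new scope were opened; plain `action=${name}` / `action_param=()` would make the intent clearer. rule_action_param() and rule() both start and end outside these hunks.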