Francis J. Lacoste > Fwctl-0.28 > Fwctl::RuleSet

Download:
Fwctl-0.28.tar.gz

Dependencies

Annotate this POD

View/Report Bugs
Source  

NAME ^

Fwctl::RuleSet - Module to add sets of rules to the linux firewall.

SYNOPSIS ^

  use IPChains;
  use Fwctl::RuleSet qw(:masq :tcp_rulesets :ports);

  my $chain = new IPChains( Prot       => 'tcp',
                            SourcePort => UNPRIVILEGED_PORTS,
                            DestPort   => 23,
                            )
  accept_tcp_ruleset( $chain, $src, $src_if, $dst, $dst_if, NOMASQ );

DESCRIPTION ^

This module contains primitives to add sets of rules to the Linux packet filtering firewall implementing a particular policy. It is used primarly by service modules. The module handle all the special cases for when the src or dst interface is ANY, when masquerading is involved, when a local ip is implied by the src or dst address. All this logic has not to be implemented by the service modules, which only have to specify the kind of packets and the direction of traffic (using the src and dst paremeter).

There are 5 tags that can be imported from the modules.

:masq

Constant used to specify how to handle masquerade.

:ports

Constants that refers to range of ports.

:tcp_rulesets

Functions that implements policy rulesets for TCP connection.

:udp_rulesets

Functions that implements policy rulesets for bidirectional UDP traffic.

:ip_rulesets

Funtions that implements policy rulesets for IP traffic. This are the primitives on which the tcp and udp rulesets are built.

:masq ^

NOMASQ

Constant used to represent that the traffic shouldn't be masqueraded.

MASQ

Constant use to denote that this traffic will be masqueraded when going throught the forward chain.

UNMASQ

Constant use to denote that traffic should be unmasqueraded when passing the input chain.

To better understand the way the MASQ and UNMASQ constants works together lets look at how they would be use to handle a TCP connection.

    accept_ip_rulesets( $chain, $src, $src_if, $dst, $dst_if, MASQ );
    $chain->attribute( SYN => '!' );
    accept_ip_rulesets( $chain, $dst, $dst_if, $src, $src_if, UNMASQ);

:ports ^

RESERVED_PORTS

Constant that represents the ports 1 through 1023.

UNPRIVILEGED_PORTS

Constant that represents the ports 1024 through 65535.

MASQ_PORTS

Constant that represents the ports used when masquerading a connection : 61000 through 65096.

:ip_rulesets ^

This tags imports three functions that are the primitives on which the others are built. All src or dst can be classified in one of four category. =over

ANY

Source or destination is any address on any interface.

LOCAL_IP

Source or destination is a local interface

LOCAL_IMPLIED

Source or destination implied a local interface. Example of those includes a broadcast address of a local interface or network address of a local interface.

REMOTE

Source or destination doesn't imply a local IP.

So this means a total of 16 combination of source and destination address. Add the parameter MASQ,UNMASQ and NOMASQ and you got 48 possibilities. Those usually can be reduced to between 7 and 16 cases depending on the policy you want to handle. (REJECT, DENY, ACCEPT or ACCOUNT). The following functions handle all those possibilities for you, and adds the appropriate rules with address and interface specification to the appropriate chains.

accept_ip_ruleset($chain,$src,$src_if,$dst,$dst_if,$masq)

Adds the necessary rules to accept the kind of traffic specified by the $chain parameter.

$chain

IPChains objects that contains the prototypes of the rules to add to the firewall. Source, Dest and Interface parameter are overwritten by the function.

$src

The source address of the packet.

$src_if

The interface associated to the $src address.

$dst

The destination address of the packet.

$dst_if

The interface associated to the $dst address.

$masq

How the packet should be masqueraded.

Usually the $src, $src_if, $dst and $dst_if packets are not modified by the service modules and are those passed by the Fwctl module. Or the module will switch them (dst becomes src), or change them because the protocol uses broadcast or other stuff.

block_ip_ruleset( $chain, $src, $src_if, $dst, $dst_if )

This primitive handles both REJECT and DENY policies. The parameter have the same meaning as in the accept_ip_ruleset() function.

account_ip_ruleset( $chain, $src, $src_if, $dst, $dst_if )

This primitive handles the ACCOUNT policy. The parameter have the same meaning as in the accept_ip_ruleset() function.

:tcp_rulesets ^

This tags imports three functions: accept_tcp_ruleset(), block_tcp_ruleset() and account_tcp_ruleset() which have the same parameters and semantics as their *_ip_ruleset() counterpart. They are indeed implemented in terms of these.

The difference is that the $chain parameter can only be used to represent a TCP connection. The functions will add rules for the client and server side of the connection with the SYN and ACK flags handled properly.

:udp_rulesets ^

This tags imports three functions: accept_udp_ruleset(), block_udp_ruleset() and account_udp_ruleset() which have the same parameters and semantics as their *_ip_ruleset() counterpart. They are indeed implemented in terms of these.

These functions will add rules to handle client / server UDP connection. It like calling the *_ip_ruleset() functions two times with the src and dst inversed (the SourcePort and DestPort are naturally also inversed).

AUTHOR ^

Francis J. Lacoste <francis.lacoste@iNsu.COM>

COPYRIGHT ^

Copyright (c) 1999,2000 iNsu Innovations Inc. All rights reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

SEE ALSO ^

fwctl(8) Fwctl(3) IPChains(3)

syntax highlighting: