NAME
Fwctl::RuleSet - Module to add sets of rules to the linux firewall.
SYNOPSIS
use IPChains;
use Fwctl::RuleSet qw(:masq :tcp_rulesets :ports);
my $chain = new IPChains( Prot => 'tcp',
SourcePort => UNPRIVILEGED_PORTS,
DestPort => 23,
)
accept_tcp_ruleset( $chain, $src, $src_if, $dst, $dst_if, NOMASQ );
DESCRIPTION
This module contains primitives to add sets of rules to the Linux packet filtering firewall implementing a particular policy. It is used primarly by service modules. The module handle all the special cases for when the src or dst interface is ANY, when masquerading is involved, when a local ip is implied by the src or dst address. All this logic has not to be implemented by the service modules, which only have to specify the kind of packets and the direction of traffic (using the src and dst paremeter).
There are 5 tags that can be imported from the modules.
- :masq
-
Constant used to specify how to handle masquerade.
- :ports
-
Constants that refers to range of ports.
- :tcp_rulesets
-
Functions that implements policy rulesets for TCP connection.
- :udp_rulesets
-
Functions that implements policy rulesets for bidirectional UDP traffic.
- :ip_rulesets
-
Funtions that implements policy rulesets for IP traffic. This are the primitives on which the tcp and udp rulesets are built.
:masq
- NOMASQ
-
Constant used to represent that the traffic shouldn't be masqueraded.
- MASQ
-
Constant use to denote that this traffic will be masqueraded when going throught the forward chain.
- UNMASQ
-
Constant use to denote that traffic should be unmasqueraded when passing the input chain.
To better understand the way the MASQ and UNMASQ constants works together lets look at how they would be use to handle a TCP connection.
accept_ip_rulesets( $chain, $src, $src_if, $dst, $dst_if, MASQ );
$chain->attribute( SYN => '!' );
accept_ip_rulesets( $chain, $dst, $dst_if, $src, $src_if, UNMASQ);
:ports
- RESERVED_PORTS
-
Constant that represents the ports 1 through 1023.
- UNPRIVILEGED_PORTS
-
Constant that represents the ports 1024 through 65535.
- MASQ_PORTS
-
Constant that represents the ports used when masquerading a connection : 61000 through 65096.
:ip_rulesets
This tags imports three functions that are the primitives on which the others are built. All src or dst can be classified in one of four category. =over
- ANY
-
Source or destination is any address on any interface.
- LOCAL_IP
-
Source or destination is a local interface
- LOCAL_IMPLIED
-
Source or destination implied a local interface. Example of those includes a broadcast address of a local interface or network address of a local interface.
- REMOTE
-
Source or destination doesn't imply a local IP.
So this means a total of 16 combination of source and destination address. Add the parameter MASQ,UNMASQ and NOMASQ and you got 48 possibilities. Those usually can be reduced to between 7 and 16 cases depending on the policy you want to handle. (REJECT, DENY, ACCEPT or ACCOUNT). The following functions handle all those possibilities for you, and adds the appropriate rules with address and interface specification to the appropriate chains.
- accept_ip_ruleset($chain,$src,$src_if,$dst,$dst_if,$masq)
-
Adds the necessary rules to accept the kind of traffic specified by the $chain parameter.
- $chain
-
IPChains objects that contains the prototypes of the rules to add to the firewall. Source, Dest and Interface parameter are overwritten by the function.
- $src
-
The source address of the packet.
- $src_if
-
The interface associated to the $src address.
- $dst
-
The destination address of the packet.
- $dst_if
-
The interface associated to the $dst address.
- $masq
-
How the packet should be masqueraded.
Usually the $src, $src_if, $dst and $dst_if packets are not modified by the service modules and are those passed by the Fwctl module. Or the module will switch them (dst becomes src), or change them because the protocol uses broadcast or other stuff.
- block_ip_ruleset( $chain, $src, $src_if, $dst, $dst_if )
-
This primitive handles both REJECT and DENY policies. The parameter have the same meaning as in the accept_ip_ruleset() function.
- account_ip_ruleset( $chain, $src, $src_if, $dst, $dst_if )
-
This primitive handles the ACCOUNT policy. The parameter have the same meaning as in the accept_ip_ruleset() function.
:tcp_rulesets
This tags imports three functions: accept_tcp_ruleset(), block_tcp_ruleset() and account_tcp_ruleset() which have the same parameters and semantics as their *_ip_ruleset() counterpart. They are indeed implemented in terms of these.
The difference is that the $chain parameter can only be used to represent a TCP connection. The functions will add rules for the client and server side of the connection with the SYN and ACK flags handled properly.
:udp_rulesets
This tags imports three functions: accept_udp_ruleset(), block_udp_ruleset() and account_udp_ruleset() which have the same parameters and semantics as their *_ip_ruleset() counterpart. They are indeed implemented in terms of these.
These functions will add rules to handle client / server UDP connection. It like calling the *_ip_ruleset() functions two times with the src and dst inversed (the SourcePort and DestPort are naturally also inversed).
AUTHOR
Francis J. Lacoste <francis.lacoste@iNsu.COM>
COPYRIGHT
Copyright (c) 1999,2000 iNsu Innovations Inc. All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
SEE ALSO
fwctl(8) Fwctl(3) IPChains(3)
1 POD Error
The following errors were encountered while parsing the POD:
- Around line 990:
'=item' outside of any '=over'