https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&feedformat=atom&user=KunkkuAlpine Linux - User contributions [en]2026-04-30T13:58:17ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Setting_up_Homer&diff=14234Setting up Homer2017-12-19T16:10:40Z<p>Kunkku: </p>
<hr />
<div>This page describes how to set up [http://sipcapture.org/ HOMER] on<br />
Alpine Linux.<br />
<br />
The packages are available in the community repository starting from<br />
Alpine Linux 3.6. Make sure that this repository is enabled in<br />
<code>/etc/apk/repositories</code>.<br />
<br />
== Primary Node ==<br />
<br />
Install the required packages, set up the database, and enable<br />
required services:<br />
<br />
<pre>apk add homer-api-doc homer-ui mariadb kamailio-mysql nginx php7-fpm<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
<br />
cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php7/php-fpm.d/homer5.conf<br />
rc-update add php-fpm7<br />
rc-service php-fpm7 start<br />
</pre><br />
<br />
Override the default nginx configuration with the HOMER template:<br />
<br />
<pre>: > /etc/nginx/conf.d/default.conf<br />
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf<br />
</pre><br />
<br />
Make the following changes in<br />
<code>/etc/nginx/conf.d/homer5.conf</code>:<br />
<br />
{|<br />
|root<br />
|<code>/usr/share/webapps/homer</code><br />
|-<br />
|server_name<br />
|your server's host name<br />
|-<br />
|fastcgi_pass<br />
|<code>127.0.0.1:9001</code><br />
|}<br />
<br />
If you are going to deploy database nodes in addition to this primary<br />
node, change <code>SINGLE_NODE</code> to <code>0</code> in<br />
<code>/etc/homer/configuration.php</code>.<br />
<br />
Set <code>HOMER_TIMEZONE</code> in<br />
<code>/etc/homer/preferences.php</code> according to your time zone.<br />
<br />
Enable the <code>nginx</code> service:<br />
<br />
<pre>rc-update add nginx<br />
rc-service nginx start<br />
</pre><br />
<br />
If using a firewall, you have to allow users to access the nginx<br />
server using HTTP. In addition, reception of the captured SIP traffic<br />
must be allowed on UDP port 9060.<br />
<br />
=== LDAP Authentication ===<br />
<br />
If you intend to authenticate the HOMER users using LDAP, install the<br />
LDAP authentication module:<br />
<br />
<pre>apk add homer-api-ldap<br />
</pre><br />
<br />
In addition, you have to allow connections to the LDAP server if using<br />
a firewall.<br />
<br />
==== Changes in /etc/homer/preferences.php ====<br />
<br />
Enable LDAP authentication:<br />
<pre>define('AUTHENTICATION',"LDAP");<br />
</pre><br />
<br />
Uncomment the LDAP section and add/update parameters according to your<br />
server configuration:<br />
<br />
<pre>define('LDAP_HOST',"localhost");<br />
define('LDAP_PORT',389);<br />
define('LDAP_VERSION',3);<br />
define('LDAP_BIND_USER',"cn=HOMER,ou=Apps,dc=example,dc=com");<br />
define('LDAP_BIND_PASSWORD',"secret");<br />
define('LDAP_BASEDN',"ou=Users,dc=example,dc=com");<br />
</pre><br />
<br />
Add one of the following lines, depending on whether the STARTTLS<br />
mechanism shall be used to protect the LDAP connection:<br />
<br />
<pre>define('LDAP_ENCRYPTION',"none");<br />
define('LDAP_ENCRYPTION',"tls");<br />
</pre><br />
<br />
If TLS is used, you have to make sure that the relevant root<br />
certificate is trusted. If using a self-signed root certificate, one<br />
way to achieve this is to add the <code>TLS_CACERT</code> parameter to<br />
<code>/etc/openldap/ldap.conf</code>, specifying the path to the<br />
trusted CA certificate.<br />
<br />
Specify the users who should have admin rights:<br />
<br />
<pre>define('LDAP_ADMIN_USERS',"donald,mike");<br />
</pre><br />
<br />
Remove the parameters starting with <code>LDAP_GROUP_</code> unless<br />
you want to authorize users based on group membership.<br />
<br />
==== Nested Groups with Active Directory ====<br />
<br />
The default settings in <code>/etc/homer/preferences.php</code> are<br />
intended for LDAP schemas conforming to<br />
[https://tools.ietf.org/rfc/rfc2307.txt RFC 2307]. Otherwise, you may<br />
have to modify the parameters starting with<br />
<code>LDAP_USERNAME_ATTRIBUTE_</code>. The following example<br />
demonstrates how to authenticate and authorize users against Microsoft<br />
Windows Active Directory based on nested group membership:<br />
<br />
<pre>define('LDAP_USERNAME_ATTRIBUTE_OPEN',"(&(samaccountname=");<br />
define('LDAP_USERNAME_ATTRIBUTE_CLOSE',")(memberof:1.2.840.113556.1.4.1941:=cn=HOMER,ou=Groups,dc=example,dc=com))");<br />
</pre><br />
<br />
== Database Nodes ==<br />
<br />
To make your HOMER system more scalable, you may want to deploy<br />
multiple database nodes. This sections instructs how to set up an<br />
additional database node.<br />
<br />
Install the required packages on the new database node and enable the<br />
database service:<br />
<br />
<pre>apk add homer-api-doc homer-db mariadb kamailio-mysql<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
</pre><br />
<br />
Set up the database. You may want to disable remote root logins to the<br />
database.<br />
<br />
<pre>mysql_secure_installation<br />
homer_db_init -r<br />
</pre><br />
<br />
You may want to change the default password for the HOMER database<br />
user. This can be done as follows:<br />
<br />
<pre> mysql -e "SET PASSWORD FOR 'homer_user' = PASSWORD('<password>');"<br />
</pre><br />
<br />
Enable the <code>crond</code> service:<br />
<br />
<pre>rc-update add crond<br />
rc-service crond start<br />
</pre><br />
<br />
Override the Kamailio configuration with the HOMER template:<br />
<br />
<pre>cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
</pre><br />
<br />
Change the <code>capture_node</code> parameter in<br />
<code>/etc/kamailio/kamailio.cfg</code> to a unique value. If you<br />
changed the database user password, update the<br />
<code>HOMER_DB_PASSWORD</code> parameter accordingly.<br />
<br />
Enable the <code>kamailio</code> service:<br />
<br />
<pre>echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
</pre><br />
<br />
If using a firewall, you have to allow the reception of captured SIP<br />
packets on UDP port 9060. In addition, you have to allow the primary<br />
node to access the local database.<br />
<br />
Finally, you have to add the database node to the primary server<br />
configuration via the web user interface. Log in as an admin<br />
user. Click on ''Panels'', ''System Admin'', and then<br />
''Add Node''. Use the following values:<br />
<br />
{|<br />
|Node<br />
|Value of <code>capture_node</code> in <code>/etc/kamailio/kamailio.cfg</code><br />
|-<br />
|Host<br />
|Host name or IP address of the database node<br />
|-<br />
|Port<br />
|<code>3306</code><br />
|-<br />
|DB Name<br />
|<code>homer_data</code><br />
|-<br />
|DB Username<br />
|<code>homer_user</code><br />
|-<br />
|DB Password<br />
|Database password, which is <code>homer_password</code> unless you changed it<br />
|-<br />
|DB Tables<br />
|<code>sip_capture</code><br />
|}<br />
<br />
== Capture Nodes ==<br />
<br />
To capture packets on a SIP server, install the HOMER CaptAgent:<br />
<br />
<pre>apk add captagent<br />
</pre><br />
<br />
Configure the <code>capture-host</code> and <code>capture-port</code><br />
parameters in <code>/etc/captagent/transport_hep.xml</code>. The<br />
capture host is the primary or an additional database node. The port<br />
should be set to <code>9060</code>.<br />
<br />
Enable the service:<br />
<br />
<pre>rc-update add captagent<br />
rc-service captagent start<br />
</pre><br />
<br />
If using a firewall, you have to allow sending the captured SIP<br />
packets to UDP port 9060 of the specified capture host.<br />
<br />
== Retention Period of Captured Packets ==<br />
<br />
A cron job takes care of removing obsolete data from the capture host<br />
databases. The retention period can be adjusted by modifying<br />
<code>/etc/homer/rotation.ini</code>.</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Homer&diff=13864Setting up Homer2017-09-19T08:38:28Z<p>Kunkku: LDAP authentication</p>
<hr />
<div>{{Draft}}<br />
<br />
Rough notes for setting up [http://sipcapture.org Homer] on Alpine Linux from testing repository<br />
<br />
<pre>apk add homer-api-doc homer-ui mariadb kamailio-mysql nginx php7-fpm<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
<br />
cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php7/php-fpm.d/homer5.conf<br />
rc-update add php-fpm7<br />
rc-service php-fpm7 start<br />
<br />
: > /etc/nginx/conf.d/default.conf<br />
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf<br />
edit "root" in /etc/nginx/conf.d/homer5.conf to "/usr/share/webapps/homer"<br />
edit "server_name" in /etc/nginx/conf.d/homer5.conf<br />
edit "fastcgi_pass" in /etc/nginx/conf.d/homer5.conf to "127.0.0.1:9001"<br />
edit "SINGLE_NODE" in /etc/homer/configuration.php to "0" if using DB nodes<br />
edit "HOMER_TIMEZONE" in /etc/homer/preferences.php<br />
rc-update add nginx<br />
rc-service nginx start<br />
<br />
configure DB nodes in web UI, default password is "homer_password"<br />
</pre><br />
<br />
== LDAP Authentication ==<br />
<br />
Install LDAP authentication module:<br />
<pre>apk add homer-api-ldap<br />
</pre><br />
<br />
=== Changes in /etc/homer/preferences.php ===<br />
<br />
Enable LDAP authentication:<br />
<pre>define('AUTHENTICATION',"LDAP");<br />
</pre><br />
<br />
Uncomment the LDAP section and add/update parameters according to your server<br />
configuration:<br />
<pre>define('LDAP_HOST',"localhost");<br />
define('LDAP_PORT',389);<br />
define('LDAP_VERSION',3);<br />
define('LDAP_BIND_USER',"cn=HOMER,ou=Apps,dc=example,dc=com");<br />
define('LDAP_BIND_PASSWORD',"secret");<br />
define('LDAP_BASEDN',"ou=Users,dc=example,dc=com");<br />
</pre><br />
<br />
Add one of the following lines:<br />
<pre>define('LDAP_ENCRYPTION',"none");<br />
define('LDAP_ENCRYPTION',"tls");<br />
</pre><br />
<br />
Remove the variables starting with LDAP_GROUP_ unless you want to authorize<br />
users based on group membership.<br />
<br />
== Database Nodes ==<br />
<br />
<pre>apk add homer-api-doc homer-db mariadb kamailio-mysql<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init -r<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
edit "capture_node" in /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
</pre><br />
<br />
== Capture Nodes ==<br />
<br />
<pre>apk add captagent<br />
edit "capture-host" in /etc/captagent/transport_hep.xml<br />
edit "capture-port" in /etc/captagent/transport_hep.xml to "9060"<br />
rc-update add captagent<br />
rc-service captagent start<br />
</pre></div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Homer&diff=13755Setting up Homer2017-09-02T10:09:56Z<p>Kunkku: </p>
<hr />
<div>{{Draft}}<br />
<br />
Rough notes for setting up [http://sipcapture.org Homer] on Alpine Linux from testing repository<br />
<br />
<pre>apk add homer-api-doc homer-ui mariadb kamailio-mysql nginx php7-fpm<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
<br />
cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php7/php-fpm.d/homer5.conf<br />
rc-update add php-fpm7<br />
rc-service php-fpm7 start<br />
<br />
: > /etc/nginx/conf.d/default.conf<br />
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf<br />
edit "root" in /etc/nginx/conf.d/homer5.conf to "/usr/share/webapps/homer"<br />
edit "server_name" in /etc/nginx/conf.d/homer5.conf<br />
edit "fastcgi_pass" in /etc/nginx/conf.d/homer5.conf to "127.0.0.1:9001"<br />
edit "SINGLE_NODE" in /etc/homer/configuration.php to "0" if using DB nodes<br />
edit "HOMER_TIMEZONE" in /etc/homer/preferences.php<br />
rc-update add nginx<br />
rc-service nginx start<br />
<br />
configure DB nodes in web UI, default password is "homer_password"<br />
</pre><br />
<br />
== Database Nodes ==<br />
<br />
<pre>apk add homer-api-doc homer-db mariadb kamailio-mysql<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init -r<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
edit "capture_node" in /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
</pre><br />
<br />
== Capture Nodes ==<br />
<br />
<pre>apk add captagent<br />
edit "capture-host" in /etc/captagent/transport_hep.xml<br />
edit "capture-port" in /etc/captagent/transport_hep.xml to "9060"<br />
rc-update add captagent<br />
rc-service captagent start<br />
</pre></div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Homer&diff=13676Setting up Homer2017-07-06T12:16:18Z<p>Kunkku: </p>
<hr />
<div>{{Draft}}<br />
<br />
Rough notes for setting up [http://sipcapture.org Homer] on Alpine Linux from testing repository<br />
<br />
<pre>apk add homer-api-doc homer-ui mariadb kamailio-mysql nginx php7-fpm<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
<br />
cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php7/php-fpm.d/homer5.conf<br />
rc-update add php-fpm7<br />
rc-service php-fpm7 start<br />
<br />
rm /etc/nginx/conf.d/default.conf<br />
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf<br />
edit "root" in /etc/nginx/conf.d/homer5.conf to "/usr/share/webapps/homer"<br />
edit "server_name" in /etc/nginx/conf.d/homer5.conf<br />
edit "fastcgi_pass" in /etc/nginx/conf.d/homer5.conf to "127.0.0.1:9001"<br />
edit "SINGLE_NODE" in /etc/homer/configuration.php to "0" if using DB nodes<br />
edit "HOMER_TIMEZONE" in /etc/homer/preferences.php<br />
rc-update add nginx<br />
rc-service nginx start<br />
<br />
configure DB nodes in web UI, default password is "homer_password"<br />
</pre><br />
<br />
== Database Nodes ==<br />
<br />
<pre>apk add homer-api-doc homer-db mariadb kamailio-mysql<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init -r<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
edit "capture_node" in /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
</pre><br />
<br />
== Capture Nodes ==<br />
<br />
<pre>apk add captagent<br />
edit "capture-host" in /etc/captagent/transport_hep.xml<br />
edit "capture-port" in /etc/captagent/transport_hep.xml to "9060"<br />
rc-update add captagent<br />
rc-service captagent start<br />
</pre></div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Homer&diff=13144Setting up Homer2017-02-20T14:57:37Z<p>Kunkku: </p>
<hr />
<div>{{Draft}}<br />
<br />
Rough notes for setting up [http://sipcapture.org Homer] on Alpine Linux from testing repository<br />
<br />
<pre>apk add homer-api-doc homer-ui mariadb kamailio-mysql nginx php5-fpm<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
<br />
cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php5/fpm.d/homer5.conf<br />
rc-update add php-fpm<br />
rc-service php-fpm start<br />
<br />
rm /etc/nginx/conf.d/default.conf<br />
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf<br />
edit "root" in /etc/nginx/conf.d/homer5.conf to "/usr/share/webapps/homer"<br />
edit "server_name" in /etc/nginx/conf.d/homer5.conf<br />
edit "fastcgi_pass" in /etc/nginx/conf.d/homer5.conf to "127.0.0.1:9001"<br />
edit "SINGLE_NODE" in /etc/homer/configuration.php to "0" if using DB nodes<br />
edit "HOMER_TIMEZONE" in /etc/homer/preferences.php<br />
rc-update add nginx<br />
rc-service nginx start<br />
<br />
configure DB nodes in web UI, default password is "homer_password"<br />
</pre><br />
<br />
== Database Nodes ==<br />
<br />
<pre>apk add homer-api-doc homer-db mariadb kamailio-mysql<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
homer_db_init -r<br />
rc-update add crond<br />
rc-service crond start<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg<br />
edit "capture_node" in /etc/kamailio/kamailio.cfg<br />
echo rc_need=mariadb > /etc/conf.d/kamailio<br />
rc-update add kamailio<br />
rc-service kamailio start<br />
</pre><br />
<br />
== Capture Nodes ==<br />
<br />
<pre>apk add captagent<br />
edit "capture-host" in /etc/captagent/transport_hep.xml<br />
edit "capture-port" in /etc/captagent/transport_hep.xml to "9060"<br />
rc-update add captagent<br />
rc-service captagent start<br />
</pre></div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Homer&diff=13138Setting up Homer2017-02-08T08:00:35Z<p>Kunkku: </p>
<hr />
<div>{{Draft}}<br />
<br />
Rough notes for setting up [http://sipcapture.org Homer] on Alpine Linux from testing repository<br />
<br />
{{Cmd|apk add homer-api-doc homer-ui mariadb mariadb-client kamailio-mysql nginx php5-fpm<br />
<br />
rc-service mariadb setup<br />
rc-update add mariadb<br />
rc-service mariadb start<br />
mysql_secure_installation<br />
<br />
mysql < /usr/share/homer-api/sql/homer_databases.sql<br />
mysql < /usr/share/homer-api/sql/homer_user.sql<br />
mysql homer_data < /usr/share/homer-api/sql/schema_data.sql<br />
mysql homer_configuration < /usr/share/homer-api/sql/schema_configuration.sql<br />
mysql homer_statistic < /usr/share/homer-api/sql/schema_statistic.sql<br />
homer_rotate<br />
<br />
cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg <br />
rc-update add kamailio<br />
rc-service kamailio start<br />
<br />
cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php5/fpm.d/homer5.conf<br />
rc-update add php-fpm<br />
rc-service php-fpm start<br />
<br />
rm /etc/nginx/conf.d/default.conf<br />
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf<br />
edit "root" in /etc/nginx/conf.d/homer5.conf to "/usr/share/webapps/homer"<br />
edit "server_name" in /etc/nginx/conf.d/homer5.conf<br />
edit "fastcgi_pass" in /etc/nginx/conf.d/homer5.conf to "127.0.0.1:9001"<br />
edit "HOMER_TIMEZONE" in /etc/homer/preferences.php<br />
rc-update add nginx<br />
rc-service nginx start<br />
}}</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=11535Alpine Wall User's Guide2015-12-24T11:01:16Z<p>Kunkku: Replaced content with "The current Alpine Wall User's Guide is available [http://git.alpinelinux.org/cgit/awall/about/ here]."</p>
<hr />
<div>The current Alpine Wall User's Guide is available [http://git.alpinelinux.org/cgit/awall/about/ here].</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=10168Alpine Wall User's Guide2014-09-29T10:47:29Z<p>Kunkku: /* Filter Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The<br />
processing order of policies can be adjusted by defining<br />
top-level attributes '''after''' and '''before''' in policy<br />
files. These attributes are lists of policies, after or before<br />
which the declaring policy shall be processed. Putting a policy<br />
name to either of these lists does not by itself import the<br />
policy. The ordering directives are ignored with respect to those<br />
policies that are not enabled by the user or imported by other<br />
policies. If not defined, '''after''' is assumed to be equal to<br />
the relative complement of the '''before''' definition in the<br />
'''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named<br />
'''proto''', which corresponds to the <tt>--protocol</tt> option<br />
of iptables. The protocol can be defined as a numerical value or<br />
string as defined in <tt>/etc/protocols</tt>. If the protocol is<br />
'''tcp''' or '''udp''', the scope of the service definition may<br />
be constrained by defining an attribute named '''port''', which<br />
is a list of TCP or UDP port numbers or ranges thereof, separated<br />
by the '''-''' character. If the protocol is '''icmp''' or<br />
'''icmpv6''', an analogous '''type''' attribute may be used. The<br />
replies to ICMP messages have their own type codes, which may be<br />
specified using the '''reply-type''' attribute.<br />
<br />
If the protocol is '''icmp''' or '''icmpv6''', the scope of the<br />
rule is also automatically limited to IPv4 or IPv6,<br />
respectively. There are also other services which are specific to<br />
IPv4 or IPv6. To constrain the scope of the service definition to<br />
either protocol version, an optional '''family''' attribute can<br />
be set to value '''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Limits ===<br />
<br />
A ''limit'' specifies the maximum rate for a flow of packets or new<br />
connections. Unlike the other auxiliary objects, limits are not named<br />
members of a top-level dictionary but are embedded into other objects.<br />
<br />
In its simplest form, a limit definition is an integer specifying the<br />
maximum number of packets or connections per second. More complex<br />
limits are defined as objects, where the '''count''' attribute define<br />
the maximum during an interval defined by the '''interval'''<br />
attribute. The unit of the '''interval''' attribute is second, and<br />
the default value is 1.<br />
<br />
The maximum rate defined by a limit may be absolute or specific to<br />
blocks of IP addresses or pairs thereof. The number of most<br />
significant bits taken into account when mapping the source and<br />
destination IP addresses to blocks can be specified with the<br />
'''mask''' attribute. The '''mask''' attribute is an object with two<br />
attributes defining the prefix lengths, named '''src''' and<br />
'''dest'''. Alternatively, the '''mask''' object may have object<br />
attributes named '''inet''' and '''inet6''' which contain address<br />
family&ndash;specific prefix length pairs. If '''mask''' is defined as<br />
an integer, it is interpreted as the source address prefix length.<br />
<br />
The default value for '''mask''' depends on the type of the enclosing<br />
object. For [[#Filter Rules|filters]], the default behavior is to<br />
apply the limit for each source address separately. For<br />
[[#Logging Classes|logging classes]], the limit is considered absolute<br />
by default.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged defined as [[#Limits|limit]]<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
[[#Filter Rules|Filter]] and [[#Policy Rules|policy]] rules can have<br />
an attribute named '''log'''. If it is a string, it is interpreted as<br />
a reference to a logging class, and logging is performed according to<br />
the definitions. If the value of the '''log''' attribute is '''true'''<br />
(boolean), logging is done using default settings. If the value is<br />
'''false''' (boolean), logging is disabled for the rule. If '''log'''<br />
is not defined, logging is done using the default settings except for<br />
accept rules, for which logging is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to [[#Zones|zones]] as described in the previous section. In<br />
addition, the scope of the rule can be further constrained with the<br />
following attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an [[#IP Sets|IP set]] and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet (default)<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are<br />
[[#Limits|limit objects]]. The '''drop''' action is applied to the<br />
packets exceeding the limit. Optionally, the limit object may have an<br />
attribute named '''log'''. It defines how the dropped packets should<br />
be logged and is semantically similar to the '''log''' attribute of<br />
rule objects.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value<br />
of which is an IPv4 address. If defined, this enables destination<br />
NAT for all IPv4 packets matching the rule, such that the<br />
specified address replaces the original destination address. If<br />
also port translation is desired, the attribute may be defined as<br />
an object consisting of attributes '''addr''' and '''port'''. The<br />
format of the '''port''' attribute is similar to that of the<br />
'''to-port''' attribute of [[#NAT Rules|NAT rules]]. This option<br />
has no effect on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in<br />
[[#Filter Rules|filter rules]].<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules, may have an '''action''' attribute set to value<br />
'''include''' or '''exclude'''. The latter means that NAT is not<br />
performed on the matching packets (unless they match an '''include'''<br />
rule processed earlier). The default value is '''include'''.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Like [[#NAT Rules|NAT rules]], connection tracking bypass rules may<br />
have an '''action''' attribute set to value '''include''' or<br />
'''exclude'''.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=10167Alpine Wall User's Guide2014-09-29T10:43:35Z<p>Kunkku: /* Filter Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The<br />
processing order of policies can be adjusted by defining<br />
top-level attributes '''after''' and '''before''' in policy<br />
files. These attributes are lists of policies, after or before<br />
which the declaring policy shall be processed. Putting a policy<br />
name to either of these lists does not by itself import the<br />
policy. The ordering directives are ignored with respect to those<br />
policies that are not enabled by the user or imported by other<br />
policies. If not defined, '''after''' is assumed to be equal to<br />
the relative complement of the '''before''' definition in the<br />
'''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named<br />
'''proto''', which corresponds to the <tt>--protocol</tt> option<br />
of iptables. The protocol can be defined as a numerical value or<br />
string as defined in <tt>/etc/protocols</tt>. If the protocol is<br />
'''tcp''' or '''udp''', the scope of the service definition may<br />
be constrained by defining an attribute named '''port''', which<br />
is a list of TCP or UDP port numbers or ranges thereof, separated<br />
by the '''-''' character. If the protocol is '''icmp''' or<br />
'''icmpv6''', an analogous '''type''' attribute may be used. The<br />
replies to ICMP messages have their own type codes, which may be<br />
specified using the '''reply-type''' attribute.<br />
<br />
If the protocol is '''icmp''' or '''icmpv6''', the scope of the<br />
rule is also automatically limited to IPv4 or IPv6,<br />
respectively. There are also other services which are specific to<br />
IPv4 or IPv6. To constrain the scope of the service definition to<br />
either protocol version, an optional '''family''' attribute can<br />
be set to value '''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Limits ===<br />
<br />
A ''limit'' specifies the maximum rate for a flow of packets or new<br />
connections. Unlike the other auxiliary objects, limits are not named<br />
members of a top-level dictionary but are embedded into other objects.<br />
<br />
In its simplest form, a limit definition is an integer specifying the<br />
maximum number of packets or connections per second. More complex<br />
limits are defined as objects, where the '''count''' attribute define<br />
the maximum during an interval defined by the '''interval'''<br />
attribute. The unit of the '''interval''' attribute is second, and<br />
the default value is 1.<br />
<br />
The maximum rate defined by a limit may be absolute or specific to<br />
blocks of IP addresses or pairs thereof. The number of most<br />
significant bits taken into account when mapping the source and<br />
destination IP addresses to blocks can be specified with the<br />
'''mask''' attribute. The '''mask''' attribute is an object with two<br />
attributes defining the prefix lengths, named '''src''' and<br />
'''dest'''. Alternatively, the '''mask''' object may have object<br />
attributes named '''inet''' and '''inet6''' which contain address<br />
family&ndash;specific prefix length pairs. If '''mask''' is defined as<br />
an integer, it is interpreted as the source address prefix length.<br />
<br />
The default value for '''mask''' depends on the type of the enclosing<br />
object. For [[#Filter Rules|filters]], the default behavior is to<br />
apply the limit for each source address separately. For<br />
[[#Logging Classes|logging classes]], the limit is considered absolute<br />
by default.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged defined as [[#Limits|limit]]<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
[[#Filter Rules|Filter]] and [[#Policy Rules|policy]] rules can have<br />
an attribute named '''log'''. If it is a string, it is interpreted as<br />
a reference to a logging class, and logging is performed according to<br />
the definitions. If the value of the '''log''' attribute is '''true'''<br />
(boolean), logging is done using default settings. If the value is<br />
'''false''' (boolean), logging is disabled for the rule. If '''log'''<br />
is not defined, logging is done using the default settings except for<br />
accept rules, for which logging is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to [[#Zones|zones]] as described in the previous section. In<br />
addition, the scope of the rule can be further constrained with the<br />
following attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an [[#IP Sets|IP set]] and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet (default)<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are<br />
[[#Limits|limit objects]]. The '''drop''' action is applied to the<br />
packets exceeding the limit. Optionally, the limit object may have an<br />
attribute named '''log'''. It defines how the dropped packets should<br />
be logged and is semantically similar to the '''log''' attribute of<br />
rule objects.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value<br />
of which is an IPv4 address. If defined, this enables destination<br />
NAT for all IPv4 packets matching the rule, such that the<br />
specified address replaces the original destination address. If<br />
also port translation is desired, the attribute may be defined as<br />
an object consisting of attributes '''addr''' and '''port'''.<br />
This option has no effect on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in<br />
[[#Filter Rules|filter rules]].<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules, may have an '''action''' attribute set to value<br />
'''include''' or '''exclude'''. The latter means that NAT is not<br />
performed on the matching packets (unless they match an '''include'''<br />
rule processed earlier). The default value is '''include'''.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Like [[#NAT Rules|NAT rules]], connection tracking bypass rules may<br />
have an '''action''' attribute set to value '''include''' or<br />
'''exclude'''.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=10158Alpine Wall User's Guide2014-09-19T08:55:24Z<p>Kunkku: /* Configuration Objects */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The<br />
processing order of policies can be adjusted by defining<br />
top-level attributes '''after''' and '''before''' in policy<br />
files. These attributes are lists of policies, after or before<br />
which the declaring policy shall be processed. Putting a policy<br />
name to either of these lists does not by itself import the<br />
policy. The ordering directives are ignored with respect to those<br />
policies that are not enabled by the user or imported by other<br />
policies. If not defined, '''after''' is assumed to be equal to<br />
the relative complement of the '''before''' definition in the<br />
'''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named<br />
'''proto''', which corresponds to the <tt>--protocol</tt> option<br />
of iptables. The protocol can be defined as a numerical value or<br />
string as defined in <tt>/etc/protocols</tt>. If the protocol is<br />
'''tcp''' or '''udp''', the scope of the service definition may<br />
be constrained by defining an attribute named '''port''', which<br />
is a list of TCP or UDP port numbers or ranges thereof, separated<br />
by the '''-''' character. If the protocol is '''icmp''' or<br />
'''icmpv6''', an analogous '''type''' attribute may be used. The<br />
replies to ICMP messages have their own type codes, which may be<br />
specified using the '''reply-type''' attribute.<br />
<br />
If the protocol is '''icmp''' or '''icmpv6''', the scope of the<br />
rule is also automatically limited to IPv4 or IPv6,<br />
respectively. There are also other services which are specific to<br />
IPv4 or IPv6. To constrain the scope of the service definition to<br />
either protocol version, an optional '''family''' attribute can<br />
be set to value '''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Limits ===<br />
<br />
A ''limit'' specifies the maximum rate for a flow of packets or new<br />
connections. Unlike the other auxiliary objects, limits are not named<br />
members of a top-level dictionary but are embedded into other objects.<br />
<br />
In its simplest form, a limit definition is an integer specifying the<br />
maximum number of packets or connections per second. More complex<br />
limits are defined as objects, where the '''count''' attribute define<br />
the maximum during an interval defined by the '''interval'''<br />
attribute. The unit of the '''interval''' attribute is second, and<br />
the default value is 1.<br />
<br />
The maximum rate defined by a limit may be absolute or specific to<br />
blocks of IP addresses or pairs thereof. The number of most<br />
significant bits taken into account when mapping the source and<br />
destination IP addresses to blocks can be specified with the<br />
'''mask''' attribute. The '''mask''' attribute is an object with two<br />
attributes defining the prefix lengths, named '''src''' and<br />
'''dest'''. Alternatively, the '''mask''' object may have object<br />
attributes named '''inet''' and '''inet6''' which contain address<br />
family&ndash;specific prefix length pairs. If '''mask''' is defined as<br />
an integer, it is interpreted as the source address prefix length.<br />
<br />
The default value for '''mask''' depends on the type of the enclosing<br />
object. For [[#Filter Rules|filters]], the default behavior is to<br />
apply the limit for each source address separately. For<br />
[[#Logging Classes|logging classes]], the limit is considered absolute<br />
by default.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged defined as [[#Limits|limit]]<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
[[#Filter Rules|Filter]] and [[#Policy Rules|policy]] rules can have<br />
an attribute named '''log'''. If it is a string, it is interpreted as<br />
a reference to a logging class, and logging is performed according to<br />
the definitions. If the value of the '''log''' attribute is '''true'''<br />
(boolean), logging is done using default settings. If the value is<br />
'''false''' (boolean), logging is disabled for the rule. If '''log'''<br />
is not defined, logging is done using the default settings except for<br />
accept rules, for which logging is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to [[#Zones|zones]] as described in the previous section. In<br />
addition, the scope of the rule can be further constrained with the<br />
following attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an [[#IP Sets|IP set]] and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet (default)<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are<br />
[[#Limits|limit objects]]. The '''drop''' action is applied to the<br />
packets exceeding the limit. Optionally, the limit object may have an<br />
attribute named '''log'''. It defines how the dropped packets should<br />
be logged and is semantically similar to the '''log''' attribute of<br />
rule objects.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in<br />
[[#Filter Rules|filter rules]].<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules, may have an '''action''' attribute set to value<br />
'''include''' or '''exclude'''. The latter means that NAT is not<br />
performed on the matching packets (unless they match an '''include'''<br />
rule processed earlier). The default value is '''include'''.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Like [[#NAT Rules|NAT rules]], connection tracking bypass rules may<br />
have an '''action''' attribute set to value '''include''' or<br />
'''exclude'''.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=10157Alpine Wall User's Guide2014-09-19T08:19:07Z<p>Kunkku: /* Configuration Objects */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The<br />
processing order of policies can be adjusted by defining<br />
top-level attributes '''after''' and '''before''' in policy<br />
files. These attributes are lists of policies, after or before<br />
which the declaring policy shall be processed. Putting a policy<br />
name to either of these lists does not by itself import the<br />
policy. The ordering directives are ignored with respect to those<br />
policies that are not enabled by the user or imported by other<br />
policies. If not defined, '''after''' is assumed to be equal to<br />
the relative complement of the '''before''' definition in the<br />
'''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named<br />
'''proto''', which corresponds to the <tt>--protocol</tt> option<br />
of iptables. The protocol can be defined as a numerical value or<br />
string as defined in <tt>/etc/protocols</tt>. If the protocol is<br />
'''tcp''' or '''udp''', the scope of the service definition may<br />
be constrained by defining an attribute named '''port''', which<br />
is a list of TCP or UDP port numbers or ranges thereof, separated<br />
by the '''-''' character. If the protocol is '''icmp''' or<br />
'''icmpv6''', an analogous '''type''' attribute may be used. The<br />
replies to ICMP messages have their own type codes, which may be<br />
specified using the '''reply-type''' attribute.<br />
<br />
If the protocol is '''icmp''' or '''icmpv6''', the scope of the<br />
rule is also automatically limited to IPv4 or IPv6,<br />
respectively. There are also other services which are specific to<br />
IPv4 or IPv6. To constrain the scope of the service definition to<br />
either protocol version, an optional '''family''' attribute can<br />
be set to value '''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
[[#Filter Rules|Filter]] and [[#Policy Rules|policy]] rules can have<br />
an attribute named '''log'''. If it is a string, it is interpreted as<br />
a reference to a logging class, and logging is performed according to<br />
the definitions. If the value of the '''log''' attribute is '''true'''<br />
(boolean), logging is done using default settings. If the value is<br />
'''false''' (boolean), logging is disabled for the rule. If '''log'''<br />
is not defined, logging is done using the default settings except for<br />
accept rules, for which logging is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to [[#Zones|zones]] as described in the previous section. In<br />
addition, the scope of the rule can be further constrained with the<br />
following attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of [[#Zones|zone objects]]<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an [[#IP Sets|IP set]] and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet (default)<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in<br />
[[#Filter Rules|filter rules]].<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules, may have an '''action''' attribute set to value<br />
'''include''' or '''exclude'''. The latter means that NAT is not<br />
performed on the matching packets (unless they match an '''include'''<br />
rule processed earlier). The default value is '''include'''.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Like [[#NAT Rules|NAT rules]], connection tracking bypass rules may<br />
have an '''action''' attribute set to value '''include''' or<br />
'''exclude'''.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9917Alpine Wall User's Guide2014-03-31T16:50:44Z<p>Kunkku: /* Connection Tracking Bypass Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The<br />
processing order of policies can be adjusted by defining<br />
top-level attributes '''after''' and '''before''' in policy<br />
files. These attributes are lists of policies, after or before<br />
which the declaring policy shall be processed. Putting a policy<br />
name to either of these lists does not by itself import the<br />
policy. The ordering directives are ignored with respect to those<br />
policies that are not enabled by the user or imported by other<br />
policies. If not defined, '''after''' is assumed to be equal to<br />
the relative complement of the '''before''' definition in the<br />
'''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named<br />
'''proto''', which corresponds to the <tt>--protocol</tt> option<br />
of iptables. The protocol can be defined as a numerical value or<br />
string as defined in <tt>/etc/protocols</tt>. If the protocol is<br />
'''tcp''' or '''udp''', the scope of the service definition may<br />
be constrained by defining an attribute named '''port''', which<br />
is a list of TCP or UDP port numbers or ranges thereof, separated<br />
by the '''-''' character. If the protocol is '''icmp''' or<br />
'''icmpv6''', an analogous '''type''' attribute may be used. The<br />
replies to ICMP messages have their own type codes, which may be<br />
specified using the '''reply-type''' attribute.<br />
<br />
If the protocol is '''icmp''' or '''icmpv6''', the scope of the<br />
rule is also automatically limited to IPv4 or IPv6,<br />
respectively. There are also other services which are specific to<br />
IPv4 or IPv6. To constrain the scope of the service definition to<br />
either protocol version, an optional '''family''' attribute can<br />
be set to value '''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet (default)<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like NAT rules, connection tracking bypass rules may have an<br />
'''action''' attribute set to value '''include''' or<br />
'''exclude'''.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Like NAT rules, connection tracking bypass rules may have an<br />
'''action''' attribute set to value '''include''' or<br />
'''exclude'''.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9916Alpine Wall User's Guide2014-03-31T16:50:11Z<p>Kunkku: </p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The<br />
processing order of policies can be adjusted by defining<br />
top-level attributes '''after''' and '''before''' in policy<br />
files. These attributes are lists of policies, after or before<br />
which the declaring policy shall be processed. Putting a policy<br />
name to either of these lists does not by itself import the<br />
policy. The ordering directives are ignored with respect to those<br />
policies that are not enabled by the user or imported by other<br />
policies. If not defined, '''after''' is assumed to be equal to<br />
the relative complement of the '''before''' definition in the<br />
'''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named<br />
'''proto''', which corresponds to the <tt>--protocol</tt> option<br />
of iptables. The protocol can be defined as a numerical value or<br />
string as defined in <tt>/etc/protocols</tt>. If the protocol is<br />
'''tcp''' or '''udp''', the scope of the service definition may<br />
be constrained by defining an attribute named '''port''', which<br />
is a list of TCP or UDP port numbers or ranges thereof, separated<br />
by the '''-''' character. If the protocol is '''icmp''' or<br />
'''icmpv6''', an analogous '''type''' attribute may be used. The<br />
replies to ICMP messages have their own type codes, which may be<br />
specified using the '''reply-type''' attribute.<br />
<br />
If the protocol is '''icmp''' or '''icmpv6''', the scope of the<br />
rule is also automatically limited to IPv4 or IPv6,<br />
respectively. There are also other services which are specific to<br />
IPv4 or IPv6. To constrain the scope of the service definition to<br />
either protocol version, an optional '''family''' attribute can<br />
be set to value '''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet (default)<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like NAT rules, connection tracking bypass rules may have an<br />
'''action''' attribute set to value '''include''' or<br />
'''exclude'''.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action'''<br />
attribute set to value '''include''' or '''exclude''', with<br />
behavior similar to that of NAT rules.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9878Alpine Wall User's Guide2014-03-07T10:52:18Z<p>Kunkku: /* Services */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named<br />
'''proto''', which corresponds to the <tt>--protocol</tt> option<br />
of iptables. The protocol can be defined as a numerical value or<br />
string as defined in <tt>/etc/protocols</tt>. If the protocol is<br />
'''tcp''' or '''udp''', the scope of the service definition may<br />
be constrained by defining an attribute named '''port''', which<br />
is a list of TCP or UDP port numbers or ranges thereof, separated<br />
by the '''-''' character. If the protocol is '''icmp''' or<br />
'''icmpv6''', an analogous '''type''' attribute may be used. The<br />
replies to ICMP messages have their own type codes, which may be<br />
specified using the '''reply-type''' attribute.<br />
<br />
If the protocol is '''icmp''' or '''icmpv6''', the scope of the<br />
rule is also automatically limited to IPv4 or IPv6,<br />
respectively. There are also other services which are specific to<br />
IPv4 or IPv6. To constrain the scope of the service definition to<br />
either protocol version, an optional '''family''' attribute can<br />
be set to value '''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9393Alpine Wall User's Guide2013-10-07T19:34:57Z<p>Kunkku: /* Services */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
There are also other services which are specific to IPv4 or IPv6. To<br />
constrain the scope of the service definition to either protocol<br />
version, an optional '''family''' attribute can be set to value<br />
'''inet''' or '''inet6''', respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9392Alpine Wall User's Guide2013-10-07T19:25:24Z<p>Kunkku: /* Services */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9033Alpine Wall User's Guide2013-02-19T11:21:46Z<p>Kunkku: /* Configuration Objects */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
Some services require the server or client to open additional<br />
connections to dynamically allocated ports or even different<br />
hosts. ''Connection tracking helpers'' are used to make the firewall<br />
aware of such additional connections. The '''ct-helper''' attribute is<br />
used to associate such a helper to a service definition when<br />
required by the service.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
If one or more connection tracking helpers are associated with the<br />
services referred to by an accept rule, additional iptables rules are<br />
generated for the related connections detected by the helpers. The<br />
'''related''' attribute can be used to override the default rules<br />
generated by awall. It is a list of basic rule objects, the packets<br />
matching to which are accepted, provided that they are also detected<br />
by at least one of the helpers.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9032Alpine Wall User's Guide2013-02-19T08:15:16Z<p>Kunkku: /* Transparent Proxy Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''awall_tproxy_mark''' variable can<br />
be used to specify the mark for such packets, which defaults to 1.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9021Alpine Wall User's Guide2013-02-08T07:33:31Z<p>Kunkku: /* Configuration File Processing */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The files located in<br />
directory <tt>/usr/share/awall/mandatory</tt> are ''mandatory''<br />
policies shipped with APK packages. In addition, there can be<br />
installation-specific mandatory policies in <tt>/etc/awall</tt>.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are ''optional'' policies, which<br />
can be enabled on need basis. Such symbolic links are easily created<br />
and destroyed using the <tt>awall enable</tt> and <tt>awall<br />
disable</tt> commands. <tt>awall list</tt> shows which optional<br />
policies are enabled and disabled. The command also prints the<br />
description of the optional policy if defined in the file using a<br />
top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The imported policies may be<br />
either optional policies or ''private'' policies, located in<br />
<tt>/usr/share/awall/private</tt> or <tt>/etc/awall/private</tt>. By<br />
default, the policies listed there are processed before the importing<br />
policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''mark''' attribute of a proxy rule<br />
specifies the mark to be used.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9020Alpine Wall User's Guide2013-02-08T07:13:28Z<p>Kunkku: /* Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are optional policies, which can<br />
be enabled on need basis. Such symbolic links are easily created and<br />
destroyed using the <tt>awall enable</tt> and <tt>awall disable</tt><br />
commands. <tt>awall list</tt> shows which optional policies are<br />
enabled and disabled. The command also prints the description of the<br />
optional policy if defined in the file using a top-level attribute<br />
named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* Packet Logging rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== Packet Logging Rules ====<br />
<br />
Packet logging rules allow packets matching the specified criteria to<br />
be logged before any filtering takes place. Such rules are contained<br />
in the top-level list named '''packet-log'''.<br />
<br />
Logging class may be specified using the '''log'''<br />
attribute. Otherwise, default logging settings are used.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''mark''' attribute of a proxy rule<br />
specifies the mark to be used.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9019Alpine Wall User's Guide2013-02-05T16:10:39Z<p>Kunkku: /* Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are optional policies, which can<br />
be enabled on need basis. Such symbolic links are easily created and<br />
destroyed using the <tt>awall enable</tt> and <tt>awall disable</tt><br />
commands. <tt>awall list</tt> shows which optional policies are<br />
enabled and disabled. The command also prints the description of the<br />
optional policy if defined in the file using a top-level attribute<br />
named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are several types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''mark''' attribute of a proxy rule<br />
specifies the mark to be used.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9018Alpine Wall User's Guide2013-02-05T14:58:40Z<p>Kunkku: /* Logging Classes */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are optional policies, which can<br />
be enabled on need basis. Such symbolic links are easily created and<br />
destroyed using the <tt>awall enable</tt> and <tt>awall disable</tt><br />
commands. <tt>awall list</tt> shows which optional policies are<br />
enabled and disabled. The command also prints the description of the<br />
optional policy if defined in the file using a top-level attribute<br />
named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging.<br />
<br />
The following table shows the optional attributes valid for all<br />
logging modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''every'''<br />
|Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group<br />
|-<br />
|'''limit'''<br />
|Maximum number of packets to be logged per second per this rule<br />
|-<br />
|'''prefix'''<br />
|String with which the log entries are prefixed<br />
|-<br />
|'''probability'''<br />
|Probability for logging an individual packet (default: 1)<br />
|}<br />
<br />
With the in-kernel log mode '''log''', the level of logging may be<br />
specified using the '''level''' attribute. Log modes '''nflog''' and<br />
'''ulog''' are about copying the packets into user space, at least<br />
partially. The following table shows the additional attributes valid<br />
with these modes:<br />
<br />
{|<br />
!Attribute!!Description<br />
|-<br />
|'''group'''<br />
|Netlink group to be used<br />
|-<br />
|'''range'''<br />
|Number of bytes to be copied<br />
|-<br />
|'''threshold'''<br />
|Number of packets to queue inside the kernel before copying them<br />
|}<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''mark''' attribute of a proxy rule<br />
specifies the mark to be used.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9010Alpine Wall User's Guide2013-01-30T08:23:54Z<p>Kunkku: /* Filter Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are optional policies, which can<br />
be enabled on need basis. Such symbolic links are easily created and<br />
destroyed using the <tt>awall enable</tt> and <tt>awall disable</tt><br />
commands. <tt>awall list</tt> shows which optional policies are<br />
enabled and disabled. The command also prints the description of the<br />
optional policy if defined in the file using a top-level attribute<br />
named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' in seconds (default: 1). The<br />
'''drop''' action is applied to the packets exceeding the<br />
limit. Optionally, the limit object may have an attribute named<br />
'''log'''. It defines how the dropped packets should be logged and is<br />
semantically similar to the '''log''' attribute of rule objects. A<br />
limit may also be specified by a plain integer, which is interpreted<br />
as the count while using default interval and log settings.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''mark''' attribute of a proxy rule<br />
specifies the mark to be used.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=9009Alpine Wall User's Guide2013-01-29T11:21:42Z<p>Kunkku: /* Configuration Objects */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are optional policies, which can<br />
be enabled on need basis. Such symbolic links are easily created and<br />
destroyed using the <tt>awall enable</tt> and <tt>awall disable</tt><br />
commands. <tt>awall list</tt> shows which optional policies are<br />
enabled and disabled. The command also prints the description of the<br />
optional policy if defined in the file using a top-level attribute<br />
named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
All rule objects, except for policies, may have an attribute named<br />
'''service''', constraining the rule's scope to specific services<br />
only. This attribute is a list of service names, referring to the keys<br />
of the top-level service dictionary.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filter rules<br />
* Policy rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* Transparent Proxy rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filter Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''drop'''<br />
action is applied to the packets exceeding the limit. Optionally, the<br />
limit object may have an attribute named '''log'''. It defines how the<br />
dropped packets should be logged and is semantically similar to the<br />
'''log''' attribute of rule objects.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policy Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Transparent Proxy Rules ====<br />
<br />
Transparent proxy rules divert the matching packets to a local proxy<br />
process without altering their headers. Such rules are contained in<br />
the top-level list named '''tproxy'''.<br />
<br />
In addition to the firewall configuration, using a transparent proxy<br />
requires a routing configuration where packets marked for proxying are<br />
diverted to a local process. The '''mark''' attribute of a proxy rule<br />
specifies the mark to be used.<br />
<br />
Proxy rules may also have an attribute named '''to-port''' for<br />
specifying the TCP or UDP port of the proxy if it is different from<br />
the original destination port.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8950Alpine Wall User's Guide2013-01-18T17:27:34Z<p>Kunkku: /* IP Sets */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are optional policies, which can<br />
be enabled on need basis. Such symbolic links are easily created and<br />
destroyed using the <tt>awall enable</tt> and <tt>awall disable</tt><br />
commands. <tt>awall list</tt> shows which optional policies are<br />
enabled and disabled. The command also prints the description of the<br />
optional policy if defined in the file using a top-level attribute<br />
named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filters rules<br />
* Policies rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''drop'''<br />
action is applied to the packets exceeding the limit. Optionally, the<br />
limit object may have an attribute named '''log'''. It defines how the<br />
dropped packets should be logged and is semantically similar to the<br />
'''log''' attribute of rule objects.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
For bitmap-type IP sets, the '''range''' attribute specifies the<br />
range of allowed IPv4 addresses. It may be given as a network<br />
address or two addresses separated by the '''-''' character. It<br />
is not necessary to specify '''family''' for bitmaps, since the<br />
kernel supports only IPv4 bitmaps.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8595Alpine Wall User's Guide2012-10-23T11:23:56Z<p>Kunkku: /* Configuration File Processing */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt> and<br />
<tt>/etc/awall/optional</tt>. These are optional policies, which can<br />
be enabled on need basis. Such symbolic links are easily created and<br />
destroyed using the <tt>awall enable</tt> and <tt>awall disable</tt><br />
commands. <tt>awall list</tt> shows which optional policies are<br />
enabled and disabled. The command also prints the description of the<br />
optional policy if defined in the file using a top-level attribute<br />
named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filters rules<br />
* Policies rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''drop'''<br />
action is applied to the packets exceeding the limit. Optionally, the<br />
limit object may have an attribute named '''log'''. It defines how the<br />
dropped packets should be logged and is semantically similar to the<br />
'''log''' attribute of rule objects.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8593Alpine Wall User's Guide2012-10-23T07:03:18Z<p>Kunkku: /* Filters Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filters rules<br />
* Policies rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''drop'''<br />
action is applied to the packets exceeding the limit. Optionally, the<br />
limit object may have an attribute named '''log'''. It defines how the<br />
dropped packets should be logged and is semantically similar to the<br />
'''log''' attribute of rule objects.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8485Alpine Wall User's Guide2012-10-17T13:16:15Z<p>Kunkku: /* MSS Clamping Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filters rules<br />
* Policies rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''drop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU. The MSS clamping rules are located in the top-level<br />
dictionary named '''clamp-mss'''.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8484Alpine Wall User's Guide2012-10-17T13:04:07Z<p>Kunkku: /* Filters Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filters rules<br />
* Policies rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''drop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8438Alpine Wall User's Guide2012-10-03T07:31:00Z<p>Kunkku: /* Zones */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
By default, awall does not generate iptables rules with identical<br />
ingress and egress interfaces. This behavior can be changed per zone<br />
by setting the optional '''route-back''' attribute of the zone to<br />
'''true'''. Note that this attribute can have an effect also in the<br />
case where '''in''' and '''out''' attributes of a rule are not equal<br />
but their definitions overlap. In this case, the '''route-back'''<br />
attribute of the '''out''' zone determines the behavior.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filters rules<br />
* Policies rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8437Alpine Wall User's Guide2012-10-03T07:24:30Z<p>Kunkku: /* Zones */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are six types of rule objects:<br />
* Filters rules<br />
* Policies rules<br />
* NAT rules<br />
* Packet Marking rules<br />
* MSS Clamping rules<br />
* Connection Tracking Bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters Rules ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies Rules ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8395Alpine Wall User's Guide2012-09-13T10:12:24Z<p>Kunkku: /* NAT Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* MSS clamping rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''to-addr''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''to-port''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''to-port''' is not specified, the original port number<br />
is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8394Alpine Wall User's Guide2012-09-12T08:32:45Z<p>Kunkku: /* Logging Classes */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule. Optionally, the log entries are prefixed with a<br />
string configured using the '''prefix''' attribute.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* MSS clamping rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8387Alpine Wall User's Guide2012-09-03T11:21:51Z<p>Kunkku: /* Services */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port numbers<br />
or ranges thereof, separated by the '''-''' character. If the protocol<br />
is '''icmp''' or '''icmpv6''', an analogous '''icmp-type''' attribute<br />
may be used. In addition, the scope of the rule is also automatically<br />
limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* MSS clamping rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8386Alpine Wall User's Guide2012-09-03T11:19:50Z<p>Kunkku: /* Filters */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* MSS clamping rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
Filter objects may have a boolean attribute named '''no-track'''. If<br />
set to '''true''', connection tracking is bypassed for the matching<br />
packets. In addition, if '''action''' is set to '''accept''', the<br />
corresponding packets travelling to the reverse direction are also<br />
allowed.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8385Alpine Wall User's Guide2012-08-28T10:57:07Z<p>Kunkku: /* Configuration File Processing */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. By default, the policies<br />
listed there are processed before the importing policy.<br />
<br />
The order of the generated iptables rules generally reflects the<br />
processing order of their corresponding awall policies. The processing<br />
order of policies can be adjusted by defining top-level attributes<br />
'''after''' and '''before''' in policy files. These attributes are<br />
lists of policies, after or before which the declaring policy shall be<br />
processed. Putting a policy name to either of these lists does not by<br />
itself import the policy. The ordering directives are ignored with<br />
respect to those policies that are not enabled by the user or imported<br />
by other policies. If not defined, '''after''' is assumed to be equal<br />
to the '''import''' definition of the policy.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* MSS clamping rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8384Alpine Wall User's Guide2012-08-28T08:20:45Z<p>Kunkku: </p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
The firewall host itself can be referred to using the special value<br />
'''_fw''' as the zone name.<br />
<br />
=== Logging Classes ===<br />
<br />
A ''logging class'' specifies how packets matching certain rules are<br />
logged. A top-level attribute '''log''' is a dictionary that maps<br />
logging class names to setting objects.<br />
<br />
A setting object may have an attribute named '''mode''', which<br />
specifies which logging facility to use. Allowed values are '''log''',<br />
'''nflog''', and '''ulog'''. The default is '''log''', i.e. in-kernel<br />
logging. The object may also have a '''limit''' attribute, which is an<br />
integer specifying the maximum number of matching packets to be logged<br />
per second per rule.<br />
<br />
Filter and policy rules can have an attribute named '''log'''. If it<br />
is a string, it is interpreted as a reference to a logging class, and<br />
logging is performed according to the definitions. If the value of the<br />
'''log''' attribute is '''true''' (boolean), logging is done using<br />
default settings. If the value is '''false''' (boolean), logging is<br />
disabled for the rule. If '''log''' is not defined, logging is done<br />
using the default settings except for accept rules, for which logging<br />
is omitted.<br />
<br />
Default logging settings can be set by defining a logging class named<br />
'''_default'''. Normally, default logging uses the '''log''' mode with<br />
packets limited to one per second.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* MSS clamping rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''tarpit'''<br />
|Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.)<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8351Alpine Wall User's Guide2012-07-19T05:59:37Z<p>Kunkku: /* Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* MSS clamping rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== MSS Clamping Rules ====<br />
<br />
MSS Clamping Rules are used to deal with ISPs that block ICMP<br />
Fragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping<br />
rule overwrites the MSS option with a value specified with the<br />
'''mss''' attribute for the matching TCP connections. If '''mss''' is<br />
not specified, a suitable value is automatically determined from the<br />
path MTU.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8316Alpine Wall User's Guide2012-07-13T13:22:32Z<p>Kunkku: /* Debugging Policies */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;5 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8315Alpine Wall User's Guide2012-07-13T11:44:50Z<p>Kunkku: /* Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are five types of rule objects:<br />
* policies<br />
* filters<br />
* NAT rules<br />
* packet marking rules<br />
* connection tracking bypass rules<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Packet Marking Rules ====<br />
<br />
Packet marking rules are used to mark incoming packets matching the<br />
specified criteria. The mark can be used as a basis for the routing<br />
decision. Each marking rule must specify the mark using the '''mark'''<br />
attribute, which is a 32-bit integer.<br />
<br />
Normal marking rules are contained by the top-level list attribute<br />
named '''mark'''.<br />
<br />
There is another top-level list attribute, named '''route-track''',<br />
which contains route tracking rules. These are special marking rules<br />
which cause all the subsequent packets related to the same connection<br />
to be marked according to the rule.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8313Alpine Wall User's Guide2012-07-12T13:00:43Z<p>Kunkku: /* NAT Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are four types of rule objects: ''policies'', ''filters'',<br />
''NAT rules'', and ''connection tracking bypass rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule may have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destination address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character. If not defined, it defaults to the primary address of the<br />
ingress interface in case of destination NAT, or that of the egress<br />
interface in case of source NAT.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8312Alpine Wall User's Guide2012-07-12T12:20:43Z<p>Kunkku: /* Connection Tracking Bypass Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are four types of rule objects: ''policies'', ''filters'',<br />
''NAT rules'', and ''connection tracking bypass rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''no-track''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8307Alpine Wall User's Guide2012-07-12T05:52:52Z<p>Kunkku: /* Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are four types of rule objects: ''policies'', ''filters'',<br />
''NAT rules'', and ''connection tracking bypass rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
==== Connection Tracking Bypass Rules ====<br />
<br />
Connection tracking bypass rules are used to disable connection<br />
tracking for packets matching the specified criteria. The top-level<br />
attribute '''notrack''' is a list of such rules.<br />
<br />
Connection tracking bypass rules may have an '''action''' attribute<br />
set to value '''accept'''. The effect is similar to corresponding NAT<br />
rules, i.e. connection tracking is not bypassed for the matching<br />
packets.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8306Alpine Wall User's Guide2012-07-12T05:44:13Z<p>Kunkku: /* Run-Time Configuration of Firewall */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are three types of rule objects: ''policies'', ''filters'', and <br />
''NAT rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate''' ['''-f'''|'''--force''']<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds or the <tt>--force</tt> option is<br />
used, the configuration is saved to the files. Otherwise, the old<br />
configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8305Alpine Wall User's Guide2012-07-12T05:41:55Z<p>Kunkku: /* Run-Time Activation of New Firewall Configuration */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are three types of rule objects: ''policies'', ''filters'', and <br />
''NAT rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Configuration of Firewall ===<br />
<br />
'''awall activate'''<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds, the configuration is saved to the<br />
files. Otherwise, the old configuration is restored.<br />
<br />
There is also a command for deleting all firewall rules:<br />
<br />
'''awall flush'''<br />
<br />
This command configures the firewall to drop all packets.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8304Alpine Wall User's Guide2012-07-12T05:38:03Z<p>Kunkku: /* Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are three types of rule objects: ''policies'', ''filters'', and <br />
''NAT rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Filter objects, the action of which is '''accept''', may also contain<br />
limits for packet flow or new connections. These are specified with<br />
the '''flow-limit''' and '''conn-limit''' attributes,<br />
respectively. The values of these attributes are limit objects that<br />
have two attributes: '''count''' and '''interval'''. '''count'''<br />
specifies how many new connections or packets are allowed within the<br />
time frame specified by '''interval''' (in seconds). The '''logdrop'''<br />
action is applied to the packets exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects.<br />
<br />
Policy objects must have the '''action''' attribute defined. The<br />
possible values and their semantics are the same as in filter objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
NAT rules may have an '''action''' attribute set to value<br />
'''accept'''. In this case, NAT is not performed on the packets<br />
reaching and matching this rule.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Activation of New Firewall Configuration ===<br />
<br />
'''awall activate'''<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds, the configuration is saved to the<br />
files. Otherwise, the old configuration is restored.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8303Alpine Wall User's Guide2012-07-12T05:20:00Z<p>Kunkku: /* Zones */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces. An empty zone can be defined by setting either '''addr'''<br />
or '''iface''' to an empty list.<br />
<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are three types of rule objects: ''policies'', ''filters'', and <br />
''NAT rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects may also contain limits for packet flow or new<br />
connections. These are specified with the '''flow-limit''' and<br />
'''conn-limit''' attributes, respectively. The values of these<br />
attributes are limit objects that have two attributes: '''count''' and<br />
'''interval'''. '''count''' specifies how many new connections or<br />
packets are allowed within the time frame specified by '''interval''' <br />
(in seconds). The '''logdrop''' action is applied to the packets<br />
exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects. Policy objects do not have other attributes than those<br />
common to all rule objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Activation of New Firewall Configuration ===<br />
<br />
'''awall activate'''<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds, the configuration is saved to the<br />
files. Otherwise, the old configuration is restored.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=8302Alpine Wall User's Guide2012-07-12T05:16:53Z<p>Kunkku: /* Command Line Syntax */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and <br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous <br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute <br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in''' <br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are three types of rule objects: ''policies'', ''filters'', and <br />
''NAT rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a <br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects may also contain limits for packet flow or new<br />
connections. These are specified with the '''flow-limit''' and<br />
'''conn-limit''' attributes, respectively. The values of these<br />
attributes are limit objects that have two attributes: '''count''' and<br />
'''interval'''. '''count''' specifies how many new connections or<br />
packets are allowed within the time frame specified by '''interval''' <br />
(in seconds). The '''logdrop''' action is applied to the packets<br />
exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects. Policy objects do not have other attributes than those<br />
common to all rule objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type''' <br />
corresponds to the type argument of the <tt>ipset create</tt> <br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt> <br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Activation of New Firewall Configuration ===<br />
<br />
'''awall activate'''<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds, the configuration is saved to the<br />
files. Otherwise, the old configuration is restored.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.<br />
<br />
=== Debugging Policies ===<br />
<br />
This command can be used to dump variable, zone, and other definitions<br />
as well as their source policies:<br />
<br />
'''awall dump''' [LEVEL]<br />
<br />
The level is an integer in range 0&ndash;3 and defaults to 0. More<br />
information is displayed on higher levels.<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=7937Alpine Wall User's Guide2012-05-03T06:19:07Z<p>Kunkku: /* Rules */</p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and<br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous<br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute<br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in'''<br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are three types of rule objects: ''policies'', ''filters'', and<br />
''NAT rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are defined in different policy files, the one that was processed<br />
earlier takes precedence in the current implementation, but this may<br />
change in future versions.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a<br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects may also contain limits for packet flow or new<br />
connections. These are specified with the '''flow-limit''' and<br />
'''conn-limit''' attributes, respectively. The values of these<br />
attributes are limit objects that have two attributes: '''count''' and<br />
'''interval'''. '''count''' specifies how many new connections or<br />
packets are allowed within the time frame specified by '''interval'''<br />
(in seconds). The '''logdrop''' action is applied to the packets<br />
exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects. Policy objects do not have other attributes than those<br />
common to all rule objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type'''<br />
corresponds to the type argument of the <tt>ipset create</tt><br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt><br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Activation of New Firewall Configuration ===<br />
<br />
'''awall activate'''<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds, the configuration is saved to the<br />
files. Otherwise, the old configuration is restored.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.</div>Kunkkuhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Wall_User%27s_Guide&diff=7936Alpine Wall User's Guide2012-05-03T05:59:42Z<p>Kunkku: </p>
<hr />
<div>== Configuration File Processing ==<br />
<br />
[[Alpine Wall]] (awall) reads its configuration from multiple<br />
JSON-formatted files, called ''policy files''. The processing starts<br />
from directory <tt>/usr/share/awall/mandatory</tt>, which contains<br />
mandatory policy files shipped with APK packages. After that,<br />
installation-specific policy files in <tt>/etc/awall</tt> are<br />
processed.<br />
<br />
The latter directory may also contain symbolic links to policy files<br />
located in <tt>/usr/share/awall/optional</tt>. These are optional<br />
policies, which can be enabled on need basis. Such symbolic links are<br />
easily created and destroyed using the <tt>awall enable</tt> and<br />
<tt>awall disable</tt> commands. <tt>awall list</tt> shows which<br />
optional policies are enabled and disabled. The command also prints<br />
the description of the optional policy if defined in the file using<br />
a top-level attribute named '''description'''.<br />
<br />
Sometimes a policy file depends on other policy files. In this case,<br />
the policy file must have a top-level attribute '''import''', the<br />
value of which is a list of policy names, which correspond to the file<br />
names without the <tt>.json</tt> suffix. The policies listed there are<br />
always processed before the importing policy. The order of the<br />
generated iptables rules generally reflects the processing order of<br />
their corresponding awall policies.<br />
<br />
As the import directive does not require the path name to be<br />
specified, awall expects policies to have unique names, even if<br />
located in different directories. It is allowed to import optional<br />
policies that are not explicitly enabled by the user. Such policies<br />
show up with the <tt>required</tt> status in the output of <tt>awall<br />
list</tt>.<br />
<br />
== List Parameters ==<br />
<br />
Several awall parameters are defined as lists of values. In order to<br />
facilitate manual editing of policy files, awall also accepts single<br />
values in place of lists. Such values are semantically equivalent to<br />
lists containing one element.<br />
<br />
== Variable Expansion ==<br />
<br />
Awall allows variable definitions in policy files. The top-level<br />
attribute '''variable''' is a dictionary containing the<br />
definitions. The value of a variable can be of any type (string,<br />
integer, list, or dictionary).<br />
<br />
A variable is referenced in policy files by a string which equals the<br />
variable name prepended with the '''$''' character. If the value of<br />
the variable is a string, the reference can be embedded into a longer<br />
string in order to substitute some part of that string (in shell<br />
style). Variable references can be used when defining other variables,<br />
as long as the definitions are not circular.<br />
<br />
Policy files can reference variables defined in other policy<br />
files. Policy files can also override variables defined elsewhere by<br />
redefining them. In this case, the new definition affects all policy<br />
files, also those processed before the overriding policy. Awall<br />
variables are in fact simple macros, since each variable remains<br />
constant thoughout a single processing round. If multiple files define<br />
the same variable, the definition in the file processed last takes<br />
effect.<br />
<br />
If defined as an empty string, all non-embedded references to a<br />
variable evaluate as if the attribute in question was not present in<br />
the configuration. This is also the case when a string containing<br />
embedded variable references finally evaluates to an empty string.<br />
<br />
== Configuration Objects ==<br />
<br />
Configuration objects can be divided into two main types.<br />
''Auxiliary objects'' model high-level concepts such as services and<br />
zones. ''Rule objects'' translate into one or more iptables rules, and<br />
are often defined with the help of some auxiliary objects.<br />
<br />
=== Services ===<br />
<br />
A ''service'' represents a set of network protocols. A top-level<br />
attribute '''service''' is a dictionary that maps service names to<br />
service definition objects, or lists thereof in more complex cases.<br />
<br />
A service definition object contains an attribute named '''proto''',<br />
which corresponds to the <tt>--protocol</tt> option of iptables. The<br />
protocol can be defined as a numerical value or string as defined in<br />
<tt>/etc/protocols</tt>. If the protocol is '''tcp''' or '''udp''',<br />
the scope of the service definition may be constrained by defining an<br />
attribute named '''port''', which is a list of TCP or UDP port<br />
numbers. If the protocol is '''icmp''' or '''icmpv6''', an analogous<br />
'''icmp-type''' attribute may be used. In addition, the scope of the<br />
rule is also automatically limited to IPv4 or IPv6, respectively.<br />
<br />
=== Zones ===<br />
<br />
A ''zone'' represents a set of network hosts. A top-level attribute<br />
'''zone''' is a dictionary that maps zone names to zone objects. A<br />
zone object has an attribute named '''iface''', '''addr''', or<br />
both. '''iface''' is a list of network interfaces and '''addr''' is a<br />
list of IPv4/IPv6 host and network addresses (CIDR<br />
notation). '''addr''' may also contain domain names, which are<br />
expanded to IP addresses using DNS resolution. If not defined,<br />
'''addr''' defaults to the entire address space and '''iface''' to all<br />
interfaces.<br />
<br />
Rule objects contain two attributes, '''in''' and '''out''', which are<br />
lists of zone names. These attributes control whether a packet matches<br />
the rule or not. If a particular zone is referenced by the '''in'''<br />
attribute, the rule applies to packets whose ingress interface and<br />
source address are covered by the zone definition. Correspondingly, if<br />
a zone is referenced by the '''out''' attribute, the rule applies to<br />
packets whose egress interface and destination address are included in<br />
the zone. If both '''in''' and '''out''' are defined, the packet must<br />
fulfill both criteria in order to match the rule.<br />
<br />
=== Rules ===<br />
<br />
There are three types of rule objects: ''policies'', ''filters'', and<br />
''NAT rules''.<br />
<br />
All rule objects can have the '''in''' and '''out''' attributes<br />
referring to zones as described in the previous section. In addition,<br />
the scope of the rule can be further constrained with the following<br />
attributes:<br />
<br />
{|<br />
!Attribute!!Value format!!Effect<br />
|-<br />
|'''src'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's source address matches the value<br />
|-<br />
|'''dest'''<br />
|Similar to '''addr''' attribute of zone objects<br />
|Packet's destination address matches the value<br />
|-<br />
|'''ipset'''<br />
|Object containing two attributes: '''name''' referring to an IP set and '''args''', which is a list of strings '''in''' and '''out'''<br />
|Packet matches the IP set referred here when the match arguments are taken from the source ('''in''') and destination ('''out''') address or port in the order specified by '''args'''<br />
|-<br />
|'''ipsec'''<br />
|'''in''' or '''out'''<br />
|IPsec decapsulation perfomed on ingress ('''in''') or encapsulation performed on egress ('''out''')<br />
|}<br />
<br />
Rule objects must have an attribute named '''action''', the value of<br />
which can be one of the following:<br />
<br />
{|<br />
!Value!!Action<br />
|-<br />
|'''accept'''<br />
|Accept the packet<br />
|-<br />
|'''reject'''<br />
|Reject the packet with an ICMP error message<br />
|-<br />
|'''drop'''<br />
|Silently drop the packet<br />
|-<br />
|'''logreject'''<br />
|Similar to '''reject''' but with kernel logging<br />
|-<br />
|'''logdrop'''<br />
|Similar to '''drop''' but with kernel logging<br />
|}<br />
<br />
Rule objects are declared in type-specific top-level dictionaries in<br />
awall policy files. If a packet matches multiple rules, the one<br />
appearing earlier in the list takes precedence. If the matching rules<br />
are in defined by different policy files, the one that was processed<br />
earlier takes precedence.<br />
<br />
==== Filters ====<br />
<br />
Filter objects specify an action for packets fulfilling certain<br />
criteria. The top-level attribute '''filter''' is a list of filter<br />
objects. The precedence rules are similar to those of policy objects.<br />
<br />
In addition to the common rule attributes, filter objects can have a<br />
'''service''' attribute constraining the scope to specific services<br />
only. This attribute is a list of service names, referring to the<br />
keys of the top-level '''service''' dictionary.<br />
<br />
Filter objects may also contain limits for packet flow or new<br />
connections. These are specified with the '''flow-limit''' and<br />
'''conn-limit''' attributes, respectively. The values of these<br />
attributes are limit objects that have two attributes: '''count''' and<br />
'''interval'''. '''count''' specifies how many new connections or<br />
packets are allowed within the time frame specified by '''interval'''<br />
(in seconds). The '''logdrop''' action is applied to the packets<br />
exceeding the limit.<br />
<br />
Filter objects may have an attribute named '''dnat''', the value of<br />
which is an IPv4 address. If defined, this enables destination NAT for<br />
all IPv4 packets matching the rule, such that the specified address<br />
replaces the original destination address. This option has no effect<br />
on IPv6 packets.<br />
<br />
==== Policies ====<br />
<br />
Policy objects describe the default action for packets that did not<br />
match any filter. The top-level attribute '''policy''' is a list of<br />
policy objects. Policy objects do not have other attributes than those<br />
common to all rule objects.<br />
<br />
==== NAT Rules ====<br />
<br />
NAT rules come in two flavors: ''source NAT rules'' and<br />
''destination NAT rules''. These are contained in two top-level lists<br />
named '''snat''' and '''dnat''', respectively.<br />
<br />
Each NAT rule must have an attribute named '''ip-range''' that<br />
specifies the IPv4 address range to which the original source or<br />
destinatinon address is mapped. The value can be a single IPv4 address<br />
or a range specified by two addresses, separated with the '''-'''<br />
character.<br />
<br />
Optionally, a NAT rule can specify the TCP and UDP port range to which<br />
the original source or destination port is mapped. The attribute is<br />
named '''port-range''', and the value can be a single port number or a<br />
range specified by two numbers, separated with the '''-'''<br />
character. If '''port-range''' is not specified, the original port<br />
number is kept intact.<br />
<br />
Like filters, NAT rules can have a '''service''' attribute<br />
constraining their scope to specific services.<br />
<br />
=== IP Sets ===<br />
<br />
Any IP set referenced by rule objects should be created by<br />
awall. Auxiliary ''IP set'' objects are used to defined them in awall<br />
policy files. The top-level attribute '''ipset''' is a dictionary, the<br />
keys of which are IP set names. The values are IP set objects, which<br />
have two mandatory attributes. The attribute named '''type'''<br />
corresponds to the type argument of the <tt>ipset create</tt><br />
command. '''family''' specifies whether the set is for IPv4 or IPv6<br />
addresses, and the possible values are '''inet''' and '''inet6''',<br />
correspondingly.<br />
<br />
== Command Line Syntax ==<br />
<br />
=== Translating Policy Files to Firewall Configuration Files ===<br />
<br />
'''awall translate''' ['''-o'''|'''--output''' DIRECTORY] ['''-V'''|'''--verify''']<br />
<br />
The <tt>--verify</tt> option makes awall verify the configuration<br />
using the test mode of iptables-restore before overwriting the old<br />
files.<br />
<br />
Specifying the output directory allows testing awall policies without<br />
overwriting the current iptables and ipset configuration files. By<br />
default, awall generates the configuration to <tt>/etc/iptables</tt><br />
and <tt>/etc/ipset.d</tt>, which are read by the init scripts.<br />
<br />
=== Run-Time Activation of New Firewall Configuration ===<br />
<br />
'''awall activate'''<br />
<br />
This command genereates firewall configuration from the policy files<br />
and enables it. If the user confirms the new configuration by hitting<br />
the Return key within 10 seconds, the configuration is saved to the<br />
files. Otherwise, the old configuration is restored.<br />
<br />
=== Optional Policies ===<br />
<br />
Optional policies can be enabled or disabled using this command:<br />
<br />
'''awall''' {'''enable'''|'''disable'''} POLICY...<br />
<br />
Optional policies can be listed using this command:<br />
<br />
'''awall list'''<br />
<br />
The '''enabled''' status means that the policy has been enabled by the<br />
user. The '''disabled''' status means that the policy is not in<br />
use. The '''required''' status means that the policy has not been<br />
enabled by the user but is in use because it is required by another<br />
policy which is in use.</div>Kunkku