Fwctl::RuleSet
Module to add sets of rules to the linux firewall.

NAME

Fwctl::RuleSet - Module to add sets of rules to the linux firewall.


SYNOPSIS


  use IPChains;
  use Fwctl::RuleSet qw(:masq :tcp_rulesets :ports);

  # Prototype rule: TCP from an unprivileged client port to the telnet port.
  my $chain = new IPChains( Prot       => 'tcp',
                            SourcePort => UNPRIVILEGED_PORTS,
                            DestPort   => 23,
                            );

  # $src, $src_if, $dst and $dst_if are the values handed to the service
  # module by Fwctl; NOMASQ means the connection is not masqueraded.
  accept_tcp_ruleset( $chain, $src, $src_if, $dst, $dst_if, NOMASQ );


DESCRIPTION

This module contains primitives that add sets of rules implementing a particular policy to the Linux packet filtering firewall. It is used primarily by service modules. The module handles all the special cases: when the src or dst interface is ANY, when masquerading is involved, and when a local IP is implied by the src or dst address. None of this logic has to be implemented by the service modules, which only have to specify the kind of packets and the direction of traffic (using the src and dst parameters).

There are 5 tags that can be imported from the module.

:masq
Constants used to specify how to handle masquerading.

:ports
Constants that refer to ranges of ports.

:tcp_rulesets
Functions that implement policy rulesets for TCP connections.

:udp_rulesets
Functions that implement policy rulesets for bidirectional UDP traffic.

:ip_rulesets
Functions that implement policy rulesets for IP traffic. These are the primitives on which the TCP and UDP rulesets are built.


:masq

NOMASQ
Constant used to indicate that the traffic shouldn't be masqueraded.

MASQ
Constant used to denote that this traffic will be masqueraded when going through the forward chain.

UNMASQ
Constant used to denote that traffic should be unmasqueraded when passing through the input chain.

To better understand how the MASQ and UNMASQ constants work together, let's look at how they would be used to handle a TCP connection.


    # Client -> server direction: SYN allowed, masqueraded on the forward chain.
    accept_ip_ruleset( $chain, $src, $src_if, $dst, $dst_if, MASQ );

    # Server -> client direction: only non-SYN packets (the '!' negates the
    # SYN match), unmasqueraded on the input chain.
    $chain->attribute( SYN => '!' );
    accept_ip_ruleset( $chain, $dst, $dst_if, $src, $src_if, UNMASQ );


:ports

RESERVED_PORTS
Constant that represents the ports 1 through 1023.

UNPRIVILEGED_PORTS
Constant that represents the ports 1024 through 65535.

MASQ_PORTS
Constant that represents the ports used when masquerading a connection: 61000 through 65096.


:ip_rulesets

This tag imports three functions that are the primitives on which the others are built. Every src or dst falls into one of four categories.

ANY
Source or destination is any address on any interface.

LOCAL_IP
Source or destination is a local interface.

LOCAL_IMPLIED
Source or destination implies a local interface. Examples include the broadcast address or the network address of a local interface.

REMOTE
Source or destination doesn't imply a local IP.

This gives a total of 16 combinations of source and destination address. Add the MASQ, UNMASQ and NOMASQ parameter and you get 48 possibilities. These can usually be reduced to between 7 and 16 cases, depending on the policy being handled (REJECT, DENY, ACCEPT or ACCOUNT). The following functions handle all those possibilities for you and add the appropriate rules, with address and interface specifications, to the appropriate chains.

accept_ip_ruleset($chain,$src,$src_if,$dst,$dst_if,$masq)
Adds the necessary rules to accept the kind of traffic specified by the $chain parameter.
$chain
IPChains object that contains the prototype of the rules to add to the firewall. Its Source, Dest and Interface attributes are overwritten by the function.

$src
The source address of the packet.

$src_if
The interface associated with the $src address.

$dst
The destination address of the packet.

$dst_if
The interface associated with the $dst address.

$masq
How the packet should be masqueraded.

Usually the $src, $src_if, $dst and $dst_if parameters are not modified by the service modules and are those passed in by the Fwctl module. A service module may, however, swap them (dst becomes src), or change them because the protocol uses broadcasts or similar mechanisms.

block_ip_ruleset( $chain, $src, $src_if, $dst, $dst_if )
This primitive handles both the REJECT and DENY policies. The parameters have the same meaning as in the accept_ip_ruleset() function.

account_ip_ruleset( $chain, $src, $src_if, $dst, $dst_if )
This primitive handles the ACCOUNT policy. The parameters have the same meaning as in the accept_ip_ruleset() function.


:tcp_rulesets

This tag imports three functions: accept_tcp_ruleset(), block_tcp_ruleset() and account_tcp_ruleset(), which have the same parameters and semantics as their *_ip_ruleset() counterparts. They are indeed implemented in terms of these.

The difference is that the $chain parameter can only represent a TCP connection. The functions add rules for both the client and server sides of the connection, with the SYN and ACK flags handled properly.


:udp_rulesets

This tag imports three functions: accept_udp_ruleset(), block_udp_ruleset() and account_udp_ruleset(), which have the same parameters and semantics as their *_ip_ruleset() counterparts. They are indeed implemented in terms of these.

These functions add rules to handle client/server UDP connections. It is like calling the *_ip_ruleset() functions twice with src and dst swapped (the SourcePort and DestPort are naturally swapped as well).
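The following is an added illustration, not the module's own source, of how the MASQ/UNMASQ walkthrough in the :masq section and the tcp/udp rulesets described above compose out of accept_ip_ruleset(): one call per direction, ports swapped, and for TCP the reply direction restricted to non-SYN packets. It assumes that IPChains::attribute() reads an attribute when given one argument and writes it when given a name/value pair, and the reply-direction masquerade mapping (%REPLY_MASQ) and the demo_* and reply_chain names are this example's own.

```perl
use strict;
use warnings;
use IPChains;
use Fwctl::RuleSet qw(:masq :ip_rulesets :ports);

# Masquerade mode of the reply direction (this example's assumption): a client
# masqueraded on the way out (MASQ) is unmasqueraded on the way back (UNMASQ);
# plain traffic stays NOMASQ.  MASQ() etc. force the constant call in key position.
my %REPLY_MASQ = ( MASQ() => UNMASQ, UNMASQ() => MASQ, NOMASQ() => NOMASQ );

# Reply-direction prototype: same protocol, SourcePort and DestPort swapped.
# Only Prot and the ports are carried over in this illustration; Source, Dest
# and Interface are overwritten by accept_ip_ruleset() anyway.
sub reply_chain {
    my ($chain) = @_;
    return IPChains->new(
        Prot       => $chain->attribute('Prot'),
        SourcePort => $chain->attribute('DestPort'),
        DestPort   => $chain->attribute('SourcePort'),
    );
}

# TCP: the client->server rule lets the SYN through; the server->client rule
# is limited to non-SYN packets, so the reply rule can never be used to open a
# new connection towards the client side.
sub demo_accept_tcp_ruleset {
    my ($chain, $src, $src_if, $dst, $dst_if, $masq) = @_;
    accept_ip_ruleset($chain, $src, $src_if, $dst, $dst_if, $masq);
    my $reply = reply_chain($chain);
    $reply->attribute( SYN => '!' );
    accept_ip_ruleset($reply, $dst, $dst_if, $src, $src_if, $REPLY_MASQ{$masq});
}

# UDP has no handshake flags: the same two calls, src/dst and ports swapped.
sub demo_accept_udp_ruleset {
    my ($chain, $src, $src_if, $dst, $dst_if, $masq) = @_;
    accept_ip_ruleset($chain, $src, $src_if, $dst, $dst_if, $masq);
    accept_ip_ruleset(reply_chain($chain), $dst, $dst_if, $src, $src_if,
                      $REPLY_MASQ{$masq});
}

# Usage with constructed values: a masqueraded telnet client on the inside
# network (eth1) talking to any host reachable through eth0.
my $telnet = IPChains->new( Prot       => 'tcp',
                            SourcePort => UNPRIVILEGED_PORTS,
                            DestPort   => 23 );
demo_accept_tcp_ruleset($telnet, '192.168.1.0/24', 'eth1',
                        '0.0.0.0/0', 'eth0', MASQ);
```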


AUTHOR

Francis J. Lacoste <francis.lacoste@iNsu.COM>


COPYRIGHT

Copyright (c) 1999,2000 iNsu Innovations Inc. All rights reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.


SEE ALSO

fwctl(8) Fwctl(3) IPChains(3)
