From 9535a7d7dfe619063daaf1d39fe960a7f86f95e1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 11 Jul 2013 10:39:21 -0700 Subject: [PATCH] Rename 'Trigger' to 'Event' and document Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 4 +- Shorewall/action.IfEvent | 106 ++++++ Shorewall/action.IfTrigger | 86 ----- Shorewall/action.ResetEvent | 51 +++ Shorewall/action.ResetTrigger | 49 --- Shorewall/action.SetEvent | 51 +++ Shorewall/action.SetTrigger | 49 --- Shorewall/actions.std | 6 +- docs/Documentation_Index.xml | 45 ++- docs/Events.xml | 509 +++++++++++++++++++++++++++++ docs/PortKnocking.xml | 7 + docs/blacklisting_support.xml | 5 + 12 files changed, 761 insertions(+), 207 deletions(-) create mode 100644 Shorewall/action.IfEvent delete mode 100644 Shorewall/action.IfTrigger create mode 100644 Shorewall/action.ResetEvent delete mode 100644 Shorewall/action.ResetTrigger create mode 100644 Shorewall/action.SetEvent delete mode 100644 Shorewall/action.SetTrigger create mode 100644 docs/Events.xml diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index f5ae5a9f0..8f7511470 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5413,13 +5413,13 @@ sub get_configuration( $$$$ ) { } # - # It is okay if the trigger mark is outsize of the a 32-bit integer. We check that in IfTrigger" + # It is okay if the event mark is outside of the a 32-bit integer. We check that in IfEvent" # fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30; $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} ); $globals{TPROXY_MARK} = $globals{EXCLUSION_MASK} << 1; - $globals{TRIGGER_MARK} = $globals{TPROXY_MARK} << 1; + $globals{EVENT_MARK} = $globals{TPROXY_MARK} << 1; $globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET}; $globals{TC_MAX} = make_mask( $config{TC_BITS} ); diff --git a/Shorewall/action.IfEvent b/Shorewall/action.IfEvent new file mode 100644 index 000000000..77d8c269e --- /dev/null +++ b/Shorewall/action.IfEvent @@ -0,0 +1,106 @@ +# +# Shorewall version 4 - Perform an Action based on a Event +# +# /etc/shorewall/action.IfEvent +# +# Parameters: +# Event: Must start with a letter and be composed of letters, digits, '-', and '_'. +# Action: Anything that can appear in the ACTION column of a rule. +# Duration: Duration in seconds over which the event is to be tested. +# Hit Count: Number of packets seen within the duration -- default is 1 +# Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source +# address (src) or destination address (dst) +# Command: 'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before +# the Action is taken. If 'update', the timestamp associated with the event will +# be updated and the action taken if the time limit/hitcount are matched. +# If '-', the action will be taken if the limit/hitcount are matched but the +# event's timestamp will not be updated. +# +# If a duration is specified, then 'checkreap' and 'updatereap' may also +# be used. These are like 'check' and 'update' respectively, but they also +# remove any event entries for the IP address that are older than +# seconds. +# Disposition: Disposition for any event generated. +# +# For additional information, see http://www.shorewall.net/Events.html +# +####################################################################################################### +# DO NOT REMOVE THE FOLLOWING LINE +?format 2 +################################################################################################################################################################################################# +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER +# PORT PORT(S) DEST LIMIT GROUP + +DEFAULTS -,ACCEPT,-,1,src,check,- + +?begin perl + +use Shorewall::Config qw(:DEFAULT :internal); +use Shorewall::Chains; +use Shorewall::Rules; +use strict; + +my ( $event, $action, $duration, $hitcount, $destination, $command, $disposition ) = get_action_params( 7 ); + +fatal_error "An event name is required" unless supplied $event; +fatal_error "Invalid event name ($event)" unless $event =~ /^[a-zA-z][-\w]*$/; + +if ( supplied $duration ) { + fatal_error "Invalid time limit ($duration)" unless $duration =~ /^\d+$/; + $duration = "--second $duration "; +} else { + $duration = ''; +} + +fatal_error "Invalid hit count ($hitcount)" unless $hitcount =~ /^\d+$/; +fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/; +fatal_error "Invalid reset flag ($command)" unless $command =~ /^(?:reset|update|updatereap|check|checkreap)$/; + +set_action_disposition( $disposition) if supplied $disposition; +set_action_name_to_caller; + +require_capability 'RECENT_MATCH', 'Use of events', 's'; + +my $reap; + +fatal_error "${command}reap requires a time limit" if ( $reap = $command =~ s/reap$// ? '--reap ' : '' ) && ! $duration; + +$duration .= $reap; + +if ( $command eq 'reset' ) { + require_capability 'MARK_ANYWHERE', 'Resetting an event', 's'; + + print "Resetting....\n"; + + my $mark = $globals{EVENT_MARK}; + # + # The event mark bit must be within 32 bits + # + fatal_error "The mark layout does not permit resetting of events" unless $mark & 0xffffffff; + # + # Reset the event mark bit + # + perl_action_helper( 'INLINE', '-j MARK --and-mark '. in_hex( (~ $mark ) & 0xffffffff ) ); + + $mark = in_hex $mark; + # + # Mark the packet if event is armed + # + if ( $destination eq 'dst' ) { + perl_action_helper( 'INLINE', "-m recent --rcheck ${duration}--hitcount $hitcount --name $event --rdest -j MARK --or-mark $mark" ); + } else { + perl_action_helper( 'INLINE', "-m recent --rcheck ${duration}--hitcount $hitcount --name $event --rsource -j MARK --or-mark $mark" ); + } + # + # if the event is armed, remove it and perform the action + # + perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" ); +} elsif ( $command eq 'update' ) { + perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event" ); +} else { + perl_action_helper( $action, "-m recent --rcheck ${duration}--hitcount $hitcount --name $event" ); +} + +1; + +?end perl diff --git a/Shorewall/action.IfTrigger b/Shorewall/action.IfTrigger deleted file mode 100644 index bbbd08ddc..000000000 --- a/Shorewall/action.IfTrigger +++ /dev/null @@ -1,86 +0,0 @@ -# -# Shorewall version 4 - Perform an Action based on a Trigger -# -# /etc/shorewall/action.IfTrigger -# -# Parameters: -# Trigger: Must start with a letter and be composed of letters, digits, '-', and '_'. -# Action: Anything that can appear in the ACTION column of a rule. -# Time Limit: Amount of time the trigger is to remain armed in seconds" -# Hit Count: Number of packets seen within the Timelimit -- default is 1 -# Src or Dest: 'src' (default) or 'dst'. Determines if the trigger is associated with the source -# address (src) or destination address (dst) -# Reset/update: '-' (default) 'reset', or 'update'. If 'reset', the trigger will be reset before -# the Action is taken. If 'update', the timestamp associated with the trigger will -# be updated and the action taken if the time limit/hitcount are matched. -# If '-', the action will be taken if the limit/hitcount are matched but the -# trigger's timestamp will not be updated. -# Disposition: Disposition for any event generated. -# -####################################################################################################### -# DO NOT REMOVE THE FOLLOWING LINE -?format 2 -################################################################################################################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER -# PORT PORT(S) DEST LIMIT GROUP - -DEFAULTS -,ACCEPT,60,1,src,check,- - -?begin perl - -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::Chains; -use Shorewall::Rules; -use strict; - -my ( $trigger, $action, $timeout, $hitcount, $destination, $reset, $disposition ) = get_action_params( 7 ); - -fatal_error "A trigger name is required" unless supplied $trigger; -fatal_error "Invalid trigger name ($trigger)" unless $trigger =~ /^[a-zA-z][-\w]*$/; -fatal_error "Invalid time limit ($timeout)" unless $timeout =~ /^\d+$/; -fatal_error "Invalid hit count ($hitcount)" unless $hitcount =~ /^\d+$/; -fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/; -fatal_error "Invalid reset flag ($reset)" unless $reset =~ /^(?:reset|update|check)$/; - -set_action_disposition( $disposition) if supplied $disposition; -set_action_name_to_caller; - -require_capability 'RECENT_MATCH', 'Use of triggers', 's'; - -if ( $reset eq 'reset' ) { - require_capability 'MARK_ANYWHERE', 'Resetting a trigger', 's'; - - print "Resetting....\n"; - - my $mark = $globals{TRIGGER_MARK}; - # - # The trigger mark bit must be within 32 bits - # - fatal_error "The mark layout does not permit resetting of triggers" unless $mark & 0xffffffff; - # - # Reset the trigger mark bit - # - perl_action_helper( 'INLINE', '-j MARK --and-mark '. in_hex( (~ $mark ) & 0xffffffff ) ); - - $mark = in_hex $mark; - # - # Mark the packet if trigger is armed - # - if ( $destination eq 'dst' ) { - perl_action_helper( 'INLINE', "-m recent --rcheck --seconds $timeout --hitcount $hitcount --name $trigger --rdest -j MARK --or-mark $mark" ); - } else { - perl_action_helper( 'INLINE', "-m recent --rcheck --seconds $timeout --hitcount $hitcount --name $trigger --rsource -j MARK --or-mark $mark" ); - } - # - # if the trigger is armed, remove it and perform the action - # - perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $trigger" ); -} elsif ( $reset eq 'update' ) { - perl_action_helper( $action, "-m recent --update --seconds $timeout --hitcount $hitcount --name $trigger" ); -} else { - perl_action_helper( $action, "-m recent --rcheck --seconds $timeout --hitcount $hitcount --name $trigger" ); -} - -1; - -?end perl diff --git a/Shorewall/action.ResetEvent b/Shorewall/action.ResetEvent new file mode 100644 index 000000000..d983cfdde --- /dev/null +++ b/Shorewall/action.ResetEvent @@ -0,0 +1,51 @@ +# +# Shorewall version 4 - Reset an Event +# +# /etc/shorewall/action.ResetEvent +# +# Parameters: +# Event: Must start with a letter and be composed of letters, digits, '-', and '_'. +# Action: Action to perform after setting the event. Default is ACCEPT +# Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source +# address (src) or destination address (dst) +# Disposition: Disposition for any rule generated. +# +# For additional information, see http://www.shorewall.net/Events.html +# +####################################################################################################### +# DO NOT REMOVE THE FOLLOWING LINE +?format 2 +################################################################################################################################################################################################# +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER +# PORT PORT(S) DEST LIMIT GROUP + +DEFAULTS -,ACCEPT,src,- + +?begin perl + +use Shorewall::Config; +use Shorewall::Chains; +use Shorewall::Rules; +use strict; + +my ( $event, $action, $destination, $disposition ) = get_action_params( 4 ); + +require_capability 'RECENT_MATCH', 'Use of events', 's'; +require_capability 'MARK_ANYWHERE', 'Use of events', 's'; + +fatal_error "An event name is required" unless supplied $event; +fatal_error "Invalid event name ($event)" unless $event =~ /^[a-zA-z][-\w]*$/; +fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/; + +set_action_disposition( $disposition) if supplied $disposition; +set_action_name_to_caller; + +if ( $destination eq 'dst' ) { + perl_action_helper( $action, "-m recent --name $event --remove --rdest" ); +} else { + perl_action_helper( $action, "-m recent --name $event --remove --rsource" ); +} + +1; + +?end perl diff --git a/Shorewall/action.ResetTrigger b/Shorewall/action.ResetTrigger deleted file mode 100644 index 491a4a6ed..000000000 --- a/Shorewall/action.ResetTrigger +++ /dev/null @@ -1,49 +0,0 @@ -# -# Shorewall version 4 - Reset a Trigger -# -# /etc/shorewall/action.ResetTrigger -# -# Parameters: -# Trigger: Must start with a letter and be composed of letters, digits, '-', and '_'. -# Action: Action to perform after setting the trigger. Default is ACCEPT -# Src or Dest: 'src' (default) or 'dst'. Determines if the trigger is associated with the source -# address (src) or destination address (dst) -# Disposition: Disposition for any event generated. -# -####################################################################################################### -# DO NOT REMOVE THE FOLLOWING LINE -?format 2 -################################################################################################################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER -# PORT PORT(S) DEST LIMIT GROUP - -DEFAULTS -,ACCEPT,src,- - -?begin perl - -use Shorewall::Config; -use Shorewall::Chains; -use Shorewall::Rules; -use strict; - -my ( $trigger, $action, $destination, $disposition ) = get_action_params( 4 ); - -require_capability 'RECENT_MATCH', 'Use of triggers', 's'; -require_capability 'MARK_ANYWHERE', 'Use of triggers', 's'; - -fatal_error "A trigger name is required" unless supplied $trigger; -fatal_error "Invalid trigger name ($trigger)" unless $trigger =~ /^[a-zA-z][-\w]*$/; -fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/; - -set_action_disposition( $disposition) if supplied $disposition; -set_action_name_to_caller; - -if ( $destination eq 'dst' ) { - perl_action_helper( $action, "-m recent --name $trigger --remove --rdest" ); -} else { - perl_action_helper( $action, "-m recent --name $trigger --remove --rsource" ); -} - -1; - -?end perl diff --git a/Shorewall/action.SetEvent b/Shorewall/action.SetEvent new file mode 100644 index 000000000..24a073927 --- /dev/null +++ b/Shorewall/action.SetEvent @@ -0,0 +1,51 @@ +# +# Shorewall version 4 - Set an Event +# +# /etc/shorewall/action.SetEvent +# +# Parameters: +# Event: Must start with a letter and be composed of letters, digits, '-', and '_'. +# Action: Action to perform after setting the event. Default is ACCEPT +# Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source +# address (src) or destination address (dst) +# Disposition: Disposition for any event generated. +# +# For additional information, see http://www.shorewall.net/Events.html +# +####################################################################################################### +# DO NOT REMOVE THE FOLLOWING LINE +?format 2 +################################################################################################################################################################################################# +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER +# PORT PORT(S) DEST LIMIT GROUP + +DEFAULTS -,ACCEPT,src + +?begin perl + +use Shorewall::Config; +use Shorewall::Chains; +use Shorewall::Rules; +use strict; + +my ( $event, $action, $destination, $disposition ) = get_action_params( 4 ); + +require_capability 'RECENT_MATCH', 'Use of events', 's'; +require_capability 'MARK_ANYWHERE', 'Use of events', 's'; + +fatal_error "An event name is required" unless supplied $event; +fatal_error "Invalid event name ($event)" unless $event =~ /^[a-zA-z][-\w]*$/; +fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/; + +set_action_disposition( $disposition) if supplied $disposition; +set_action_name_to_caller; + +if ( $destination eq 'dst' ) { + perl_action_helper( $action, "-m recent --name $event --set --rdest" ); +} else { + perl_action_helper( $action, "-m recent --name $event --set --rsource" ); +} + +1; + +?end perl diff --git a/Shorewall/action.SetTrigger b/Shorewall/action.SetTrigger deleted file mode 100644 index 0f2b8c611..000000000 --- a/Shorewall/action.SetTrigger +++ /dev/null @@ -1,49 +0,0 @@ -# -# Shorewall version 4 - Set a Trigger -# -# /etc/shorewall/action.SetTrigger -# -# Parameters: -# Trigger: Must start with a letter and be composed of letters, digits, '-', and '_'. -# Action: Action to perform after setting the trigger. Default is ACCEPT -# Src or Dest: 'src' (default) or 'dst'. Determines if the trigger is associated with the source -# address (src) or destination address (dst) -# Disposition: Disposition for any event generated. -# -####################################################################################################### -# DO NOT REMOVE THE FOLLOWING LINE -?format 2 -################################################################################################################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER -# PORT PORT(S) DEST LIMIT GROUP - -DEFAULTS -,ACCEPT,src - -?begin perl - -use Shorewall::Config; -use Shorewall::Chains; -use Shorewall::Rules; -use strict; - -my ( $trigger, $action, $destination, $disposition ) = get_action_params( 4 ); - -require_capability 'RECENT_MATCH', 'Use of triggers', 's'; -require_capability 'MARK_ANYWHERE', 'Use of triggers', 's'; - -fatal_error "A trigger name is required" unless supplied $trigger; -fatal_error "Invalid trigger name ($trigger)" unless $trigger =~ /^[a-zA-z][-\w]*$/; -fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/; - -set_action_disposition( $disposition) if supplied $disposition; -set_action_name_to_caller; - -if ( $destination eq 'dst' ) { - perl_action_helper( $action, "-m recent --name $trigger --set --rdest" ); -} else { - perl_action_helper( $action, "-m recent --name $trigger --set --rsource" ); -} - -1; - -?end perl diff --git a/Shorewall/actions.std b/Shorewall/actions.std index 90cf9ce01..2caeaf62b 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -33,14 +33,14 @@ Drop # Default Action for DROP policy dropInvalid inline # Drops packets in the INVALID conntrack state DropSmurfs noinline # Drop smurf packets Established inline # Handles packets in the ESTABLISHED state -IfTrigger noinline # Perform an action if a trigger is set +IfEvent noinline # Perform an action based on an event Invalid inline # Handles packets in the INVALID conntrack state New inline # Handles packets in the NEW conntrack state NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0 Reject # Default Action for REJECT policy Related inline # Handles packets in the RELATED conntrack state -ResetTrigger inline # Reset a Trigger +ResetEvent inline # Reset an Event RST inline # Handle packets with RST set -SetTrigger inline # Set a trigger for the packet's source IP +SetEvent inline # Initialize an event TCPFlags # Handle bad flag combinations. Untracked inline # Handles packets in the UNTRACKED conntrack state diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index 734f87a8e..5707dc42b 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -18,7 +18,7 @@ - 2001-2012 + 2001-2013 Thomas M. Eastep @@ -271,9 +271,7 @@ - Extension Scripts - (User Exits) + Events Packet Marking @@ -282,8 +280,9 @@ - Fallback/Uninstall + Extension Scripts + (User Exits) Packet Processing in a Shorewall-based Firewall @@ -292,7 +291,8 @@ - FAQs + Fallback/Uninstall 'Ping' Management @@ -301,8 +301,7 @@ - Features + FAQs Port Forwarding @@ -312,8 +311,8 @@ - Forwarding Traffic on the - Same Interface + Features Port Information @@ -321,11 +320,21 @@ Xen Dom0 + + Forwarding Traffic on the + Same Interface + + Port Knocking + (deprecated) + + + + FTP and Shorewall - Port Knocking and Other Uses - of the 'Recent Match' + Port Knocking, Auto Blacklisting + and Other Uses of the 'Recent Match' @@ -406,8 +415,7 @@ Kazaa Filtering - Shorewall - Init + Shorewall Events @@ -416,8 +424,8 @@ Kernel Configuration - Shorewall - Lite + Shorewall + Init @@ -426,7 +434,8 @@ KVM (Kernel-mode Virtual Machine) - + Shorewall + Lite diff --git a/docs/Events.xml b/docs/Events.xml new file mode 100644 index 000000000..db4491906 --- /dev/null +++ b/docs/Events.xml @@ -0,0 +1,509 @@ + + +
+ + + + Shorewall Events + + + + Tom + + Eastep + + + + + + + 2013 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + + + This article applies to Shorewall 4.5.19 and later and supercedes + this article. + + +
+ Overview + + Shorewall events were introduced in Shorewall 4.5.19 and provide a + high-level interface to the Netfilter recent match + capability. An event is actually a list of (IP address, timestamp) pairs, + and can be tested in a number of different ways: + + + + Has event E ever occurred for IP address A (is the IP address in + the list)? + + + + Has event E occurred M or more times for IP address A? + + + + Has Event E occurred in the last N seconds for IP Address A (is + there an entry for the address with a timestamp falling within the + last N seconds)? + + + + Has Event E occurred M or more times in the last N seconds for + IP address A (are there M or more entries for the address with + timestamps falling within the last N seconds)? + + + + The event interface is implemented as three parameterized Shorewall + Actions: + + + + SetEvent + + + This action initializes an event list for either the source or + destination IP address in the current packets. The list will contain + a single entry for the address that will have the current + timestamp. + + + + + ResetEvent + + + This action removes all entries for either the source or + destination IP address from an event list. + + + + + IfEvent + + + This action tests an event in one of the ways listed above, + and performs an action based on the result. + + + +
+ +
+ Details + + Because these are parameterized actions, optional parameters may be + omitted. Trailing omitted parameters may be omitted entirely while + embedded omitted parameters are represented by a hyphen ("-"). + + Each event is given a name. Event names: + + + + Must begin with a letter. + + + + May be composed of letters, digits, hyphens ('-') or underscores + ('_'). + + + + May be at most 29 characters in length. + + + +
+ SetEvent + + SetEvent( + event, [ action ], + [ src-dst ], [ + disposition ] ) + + + + event + + + Name of the event. + + + + + action + + + An action to perform after the event is initialized. May be + any action that may appear in the ACTION column of shorewall-rules (5). + If no action is to be performed, use COUNT. + + + + + src-dst + + + Specifies whether the source IP address (src) or destination IP address (dst) is to be added to the event. The + default is src. + + + + + disposition + + + If the action involves logging, + then this parameter specifies the disposition that will appear in + the log entry prefix. If no disposition + is given, the log prefix is determines normally. The default is + ACCEPT. + + + +
+ +
+ ResetEvent + + ResetEvent( + event, [ action ], + [ src-dst ], [ + disposition ] ) + + + + event + + + Name of the event. + + + + + action + + + An action to perform after the event is reset. May be any + action that may appear in the ACTION column of shorewall-rules (5). + If no action is to be performed, use COUNT. The default is + ACCEPT. + + + + + src-dst + + + Specifies whether the source IP address (src) or destination IP address (dst) is to be removed from the event. The + default is src. + + + + + disposition + + + If the action involves logging, + then this parameter specifies the disposition that will appear in + the log entry prefix. If no disposition + is given, the log prefix is determines normally. + + + +
+ +
+ IfEvent + + IfEvent( + event, [ action ], + [ duration ], [ + hitcount ], [ + src-dst], [ + command ], [ + disposition ] ) + + + + event + + + Name of the event. + + + + + action + + + An action to perform if the test succeeds. May be any action + that may appear in the ACTION column of shorewall-rules (5). + The default is ACCEPT. + + + + + duration + + + Number of seconds over which the event is to be tested. If + not specified, the test is not constrained by time. + + + + + hitcount + + + Specifies the minimum number of packets required for the + test to succeed. If not specified, 1 packet is assumed. + + + + + src-dst + + + Specifies whether the source IP address (src) or destination IP address (dst) is to be tested. The default is + src. + + + + + command + + + May be one of the following: + + + + check + + + Simply test if the + duration/hitcount + test is satisfied. If so, the + action is performed. + + + + + reset + + + Like check. If the + test succeeds, the event will be + reset before the action is + taken. + + + + + update + + + Like check. + Regardless of whether the test succeeds, an entry with the + current time and for the src-dst + iP address will be added to the + event. + + + + + checkreap + + + Requires a duration. Like + check but regardless of + whether the test succeeds, entries for the + src-dst IP address that are older + than duration seconds will be + deleted from the event. + + + + + updatereap + + + Requires a duration. Like + update but regardless of + whether the test succeeds, entries for the + src-dst IP address that are older + than duration seconds will be + deleted from the event. + + + + + The default is check. + + + + + disposition + + + If the action involves logging, + then this parameter specifies the disposition that will appear in + the log entry prefix. If no disposition + is given, the log prefix is determines normally. + + + +
+
+ +
+ Examples + +
+ Automatic Blacklisting + + This example is taken from this + article which explains the nice benifits of this approach. This + example is for ssh, but it can be adapted for any application. + + The name SSH has been changed to SSHLIMIT so as not to override + the Shorewall macro of the same name. + + /etc/shorewall/actions: + + #ACTION OPTION DESCRIPTION +SSHLIMIT #Automatically blacklist hosts who exceed SSH connection limits +SSH_BLACKLIST #Helper for SSH + + /etc/shorewall/action.SSH_BLACKLIST: + + # +# Shorewall version 4 - SSH_BLACKLIST Action +# +?format 2 +############################################################################### +#TARGET SOURCE DEST PROTO DPORT SPORT +# +# Log the Reject +# +LOG:$LOG:REJECT +# +# And set the SSH_COUNTER trigger for the SOURCE IP address +# +SetEvent(SSH_COUNTER,REJECT,src) + + /etc/shorewall/action.SSHLIMIT: + + # +# Shorewall version 4 - SSHLIMIT Action +# +?format 2 +############################################################################### +#TARGET SOURCE DEST PROTO DPORT SPORT +# +# Silently reject the client if blacklisted +# +IfEvent(SSH_COUNTER,REJECT,300,1) +# +# Blacklist if 5 attempts in the last minute +# +IfEvent(SSH,SSH_BLACKLIST,60,5,src,checkreap) +# +# Log and reject if the client has tried to connect +# in the last two seconds +# +IfEvent(SSH,REJECT:$LOG:,2,1,-,update,Added) +# +# Un-blacklist the client +# +ResetEvent(SSH_COUNTER,LOG:$LOG,-,Removed) +# +# Set the 'SSH' trigger and accept the connection +# +SetEvent(SSH,ACCEPT,src) + + etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +SSHLIMIT net $FW tcp 22 +
+ +
+ Port Knocking + + This example shows a different implementation of the one shown in + the Port Knocking article. + + In this example: + + + + Attempting to connect to port 1600 enables SSH access. Access + is enabled for 60 seconds. + + + + Attempting to connect to port 1601 disables SSH access (note + that in the article linked above, attempting to connect to port 1599 + also disables access. This is an port scan defence as explained in + the article). + + + + To implement that approach: + + /etc/shorewall/actions: + + #ACTION OPTION DESCRIPTION +Knock #Port Knocking + + /etc/shorewall/action.Knock: + + # +# Shorewall version 4 - SSH_BLACKLIST Action +# +?format 2 +############################################################################### +#ACTION SOURCE DEST PROTO DEST +# PORT(S) +IfEvent(SSH,ACCEPT:info,60,1,src,reset)\ + - - tcp 22 +SetEvent(SSH,ACCEPT) - - tcp 1600 +ResetEvent(SSH,DROP:info) + + etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +Knock net $FW tcp 22,1599-1601 +
+
+
diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml index e52c5c47b..ced88164f 100644 --- a/docs/PortKnocking.xml +++ b/docs/PortKnocking.xml @@ -24,6 +24,8 @@ 2009 + 2013 + Thomas M. Eastep @@ -38,6 +40,11 @@ + + The techniques described in this article were superceded in + Shorewall 4.5.19 with the introduction of Shorewall Events. + + The feature described in this article require 'Recent Match' in diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index f627a2058..1caf8d0db 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml @@ -66,6 +66,11 @@ existing connections. + + + For automatic blacklisting based on exceeding defined threshholds, + see Events. +