This section describes how to use the HIP firewall. The firewall must be compiled by passing the --enable-firewall option to configure.
ip6tables must be configured to queue HIP (-p 253) and ESP (-p 50) packets to userspace with the QUEUE target. These rules are inserted automatically at the head of each chain. Other rules that might match HIP or ESP packets must not be inserted before them.
ip6tables -A FORWARD -p 253 -j QUEUE
ip6tables -A FORWARD -p 50 -j QUEUE
ip6tables -A INPUT -p 253 -j QUEUE
ip6tables -A INPUT -p 50 -j QUEUE
ip6tables -A OUTPUT -p 253 -j QUEUE
ip6tables -A OUTPUT -p 50 -j QUEUE
If you want the firewall to forward IPv6 traffic, set /proc/sys/net/ipv6/conf/all/forwarding to 1. Remember to configure IPv6 routes to the hosts.
The firewall is started in the firewall directory with "./firewall <file_name> <timeout_value>", where file_name is the path of the file containing the firewall rules and timeout_value is the connection timeout in seconds. If the connection timeout is zero or negative, connection timeout checking is disabled. Rules in the file are separated by newlines. The firewall (currently) prints debug output from the rule-parsing test functions and from packet filtering.
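The ordering requirement above (the QUEUE rules for protocols 253 and 50 must precede any other rule that could match those packets) is easy to break when a firewall script appends its own rules. The following checker is an added example, not part of the HIP firewall distribution: it parses the text that "ip6tables -S" prints (the sample below is constructed; real output may print protocol 50 as "esp", which the parser normalises) and reports, per chain, a missing QUEUE rule or an earlier rule that could steal HIP or ESP packets (same protocol, or no -p restriction at all).

```python
"""Check that the HIP/ESP QUEUE rules sit at the head of each ip6tables chain.

Added example; reads the '-A ...' lines of `ip6tables -S` output. The sample
output below is constructed for illustration.
"""

# ip6tables prints protocol names when /etc/protocols knows them; map the
# spellings we care about back to the numbers used in the HIP documentation.
PROTO_NAMES = {"esp": "50", "50": "50", "253": "253"}

# Constructed sample of `ip6tables -S` output with two deliberate problems:
# FORWARD drops ESP before queuing it, and OUTPUT has no ESP QUEUE rule.
SAMPLE_IP6TABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p 253 -j QUEUE
-A INPUT -p esp -j QUEUE
-A FORWARD -p esp -j DROP
-A FORWARD -p 253 -j QUEUE
-A FORWARD -p esp -j QUEUE
-A OUTPUT -p 253 -j QUEUE
"""


def parse_chains(output):
    """Return {chain: [rule, ...]} in chain order; each rule keeps its
    normalised protocol (None if the rule has no -p match) and target."""
    chains = {}
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] != "-A":
            continue  # skip policy (-P) and empty lines
        chain, proto, target = parts[1], None, None
        for j, tok in enumerate(parts):
            if tok == "-p" and j + 1 < len(parts):
                raw = parts[j + 1].lower()
                proto = PROTO_NAMES.get(raw, raw)
            elif tok == "-j" and j + 1 < len(parts):
                target = parts[j + 1]
        chains.setdefault(chain, []).append(
            {"line": line, "proto": proto, "target": target})
    return chains


def check_queue_order(output, chains=("INPUT", "OUTPUT", "FORWARD")):
    """Return a list of human-readable findings; an empty list means the
    QUEUE rules for HIP (253) and ESP (50) lead every chain."""
    findings = []
    parsed = parse_chains(output)
    for chain in chains:
        rules = parsed.get(chain, [])
        for proto in ("253", "50"):
            queue_idx = next((k for k, r in enumerate(rules)
                              if r["proto"] == proto and r["target"] == "QUEUE"),
                             None)
            if queue_idx is None:
                findings.append(f"{chain}: no '-p {proto} -j QUEUE' rule")
                continue
            # Anything earlier that matches this protocol, or has no protocol
            # match at all, would see HIP/ESP packets before the firewall does.
            for r in rules[:queue_idx]:
                if r["proto"] in (proto, None):
                    findings.append(
                        f"{chain}: rule before QUEUE may catch proto {proto}: {r['line']}")
    return findings


if __name__ == "__main__":
    for finding in check_queue_order(SAMPLE_IP6TABLES_S):
        print(finding)
```

On a live host, feed it the real output with something like check_queue_order(subprocess.check_output(["ip6tables", "-S"], text=True)); a clean run prints nothing.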
Rules loosely follow the syntax of Linux iptables.
The basic format of a rule is: HOOK [match] TARGET
Here HOOK is one of the netfilter hooks "INPUT", "OUTPUT" or "FORWARD". TARGET is either "ACCEPT" or "DROP", stating whether the packet is allowed through. The match is a combination of the filtering options described below.
Filtering options:
Matches the source HIT of the packet. The sender's HI can be given with the --hi option, whose argument is the path to a public key file; this causes sender signatures to be verified. The file name must contain either "_rsa_" or "_dsa_" to indicate whether RSA or DSA is the algorithm.
Matches the destination HIT of the packet.
Matches the HIP packet type. The type is one of the following: "I1", "R1", "I2", "R2", "CER", "UPDATE", "NOTIFY", "CLOSE", "CLOSE_ACK".
Matches the incoming interface. The argument is the name of the interface. Cannot be used in rules for the OUTPUT hook, as a packet has no incoming interface in that case.
Matches the outgoing interface. The argument is the name of the interface. Cannot be used in rules for the INPUT hook, as a packet has no outgoing interface in that case.
Matches the state of the HIP association: "NEW" or "ESTABLISHED". ESP packets are also filtered as part of the connection. With the "--verify_responder" option the firewall stores the responder's HI from the R1 packet and uses it to verify the signatures in subsequent packets. With the --accept_mobile option, the firewall may establish state for an existing connection when a mobile host enters the network protected by the firewall. Please see Chapter 8, Testing Handover, to see how mobility events can be tested. When the --decrypt_contents option is set, the firewall tries to decrypt ESP packet contents. This is possible only if the session data has been delivered to the firewall; see Chapter 22, Using Key Escrow, for details. Currently the decrypted packet contents can only be viewed in the firewall output.
If you get "No buffer space available" errors, disable all of the firewall debug messages (./configure --disable-debug; make clean all). This can occur when moving large files: the firewall cannot keep up when it has to display debug messages for every packet.
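Because the firewall only reports rule-syntax problems in its debug output at start-up, it is useful to validate a rules file beforehand. The validator below is an added example written for this section; it is not the firewall's own parse_rule(). It encodes the constraints stated above (known hooks, targets, packet types and states; no incoming-interface match in OUTPUT and no outgoing-interface match in INPUT; an --hi file name containing "_rsa_" or "_dsa_"). The option spellings -src_hit, -dst_hit, -type, -i, -o and -state are assumptions for illustration, as is the assumption that --hi requires a source HIT match and that the three state flags require -state; check rule_management.c for the real spellings. The sample rules file is constructed.

```python
"""Offline validator for HIP firewall rule files (added example).

Option spellings below are ASSUMED for illustration; the real ones are
defined in firewall/rule_management.c.
"""
import ipaddress

HOOKS = {"INPUT", "OUTPUT", "FORWARD"}
TARGETS = {"ACCEPT", "DROP"}
HIP_TYPES = {"I1", "R1", "I2", "R2", "CER", "UPDATE", "NOTIFY", "CLOSE", "CLOSE_ACK"}
STATES = {"NEW", "ESTABLISHED"}

# option token -> key in the parsed rule (assumed spellings, see docstring)
OPTS_WITH_ARG = {"-src_hit": "src_hit", "-dst_hit": "dst_hit", "-type": "type",
                 "-i": "in_if", "-o": "out_if", "-state": "state", "--hi": "hi"}
FLAGS = {"--verify_responder", "--accept_mobile", "--decrypt_contents"}

# Constructed sample: three valid rules followed by three invalid ones.
SAMPLE_RULES = """\
INPUT -src_hit 2001:1e:8a1e:2f1e:4d3b:c2a5:f1ba:b2b1 --hi /etc/hip/peer_rsa_host_identity.pub ACCEPT
FORWARD -type I1 ACCEPT
FORWARD -state NEW --verify_responder ACCEPT
OUTPUT -i eth0 DROP
INPUT -type BOGUS DROP
INPUT -src_hit 2001:1e::1 --hi /etc/hip/peer.pub ACCEPT
"""


def check_semantics(rule):
    """Raise ValueError for combinations the documentation rules out."""
    if rule["hook"] == "OUTPUT" and "in_if" in rule:
        raise ValueError("incoming interface match is not allowed in OUTPUT")
    if rule["hook"] == "INPUT" and "out_if" in rule:
        raise ValueError("outgoing interface match is not allowed in INPUT")
    if "type" in rule and rule["type"] not in HIP_TYPES:
        raise ValueError(f"unknown HIP packet type {rule['type']!r}")
    if "state" in rule and rule["state"] not in STATES:
        raise ValueError(f"unknown state {rule['state']!r}")
    for key in ("src_hit", "dst_hit"):
        if key in rule:
            try:
                ipaddress.IPv6Address(rule[key])  # HITs are IPv6-formatted
            except ValueError:
                raise ValueError(f"{key} {rule[key]!r} is not a valid HIT literal")
    if "hi" in rule:
        if "src_hit" not in rule:  # assumption: --hi belongs to the source HIT match
            raise ValueError("--hi given without a source HIT match")
        if "_rsa_" not in rule["hi"] and "_dsa_" not in rule["hi"]:
            raise ValueError("--hi file name must contain '_rsa_' or '_dsa_'")
    if rule["flags"] and "state" not in rule:  # assumption: flags belong to -state
        raise ValueError("state flags given without a -state match")


def parse_rule(line):
    """Parse 'HOOK [match] TARGET' into a dict, raising ValueError on errors."""
    tokens = line.split()
    if len(tokens) < 2:
        raise ValueError("rule needs at least HOOK and TARGET")
    hook, target = tokens[0], tokens[-1]
    if hook not in HOOKS:
        raise ValueError(f"unknown hook {hook!r}")
    if target not in TARGETS:
        raise ValueError(f"unknown target {target!r}")
    rule = {"hook": hook, "target": target, "flags": set()}
    i = 1
    while i < len(tokens) - 1:  # everything between HOOK and TARGET is the match
        tok = tokens[i]
        if tok in FLAGS:
            rule["flags"].add(tok)
            i += 1
            continue
        if tok not in OPTS_WITH_ARG:
            raise ValueError(f"unknown option {tok!r}")
        if i + 1 >= len(tokens) - 1:
            raise ValueError(f"option {tok} needs an argument")
        key = OPTS_WITH_ARG[tok]
        if key in rule:
            raise ValueError(f"option {tok} given twice")
        rule[key] = tokens[i + 1]
        i += 2
    check_semantics(rule)
    return rule


def validate_rules(text):
    """Return (parsed_rules, errors); errors is a list of (line_no, message)."""
    rules, errors = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # rules are newline-separated; blank lines carry nothing
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return rules, errors


if __name__ == "__main__":
    parsed, problems = validate_rules(SAMPLE_RULES)
    print(f"{len(parsed)} rule(s) accepted")
    for line_no, msg in problems:
        print(f"line {line_no}: {msg}")
```

Run it over a real file with validate_rules(open(path).read()) before passing that file to ./firewall; a non-empty error list means the firewall would reject or misread at least one line.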
Management interface:
The firewall management interface contains functions for altering the rules of a running firewall. The functions are declared in firewall/rule_management.h and implemented in firewall/rule_management.c. rule_management.c also contains functions for copying, comparing and freeing rules, etc. If any of these functions are needed outside rule_management, they can be declared in the header file.
The argument "hook" is the Netfilter hook for which the rule is intended. The hooks are defined in linux/netfilter_ipv6.h as NF_IP6_LOCAL_IN, NF_IP6_FORWARD and NF_IP6_LOCAL_OUT.
The argument "rule" is a structure describing the rule, defined in rule_management.h. The structure contains pointers to the options; a pointer must be NULL when the corresponding option is not defined. The structures for the options are also defined in rule_management.h. The function rule * parse_rule(char * string) can be used to create a rule structure from a string; it also checks that the rule syntax is correct.
void insert_rule(const struct rule * rule, int hook): Inserts the argument rule into the rule list of the given hook. The insert makes a local copy of the argument rule.
int delete_rule(const struct rule * rule, int hook): Deletes the local rule that is equal to the argument rule.
GList * list_rules(int hook): Creates a copy of the rule list and returns it. The caller must take care of freeing the returned list.
int flush(int hook): Clears all rules of the given hook.