Chapter 18. HIP Firewall

This section describes how to use the HIP firewall. The firewall needs to be compiled with the --enable-firewall option to configure. There is also a Python interface included in the source distribution (hip-fw-mi-*tar.gz).

Firewall can be started with "hipfw <file_name>". By default, it drops all HIP traffic and allows all other traffic. You can change the defaults with hipfw command line flags. To get a list of command line flags, give the -h option to hipfw. When you start the firewall the first time, it creates /etc/hip/firewall.conf file which contains an example usage template.

The hipfw must be started before making any HIP connectivity. If you restart hipfw, you must also reset existing HIP connections. If you are running the hipfw in a router, you may also need to set /proc/sys/net/ipv6/conf/all/forwarding and /proc/sys/net/ipv4/conf/all/forwarding to 1.

Rules follow (loosely) the syntax of Linux Iptables with following syntax.

Basic format of rule is: HOOK [match] TARGET

Filtering options:

-src_hit [!] <hit value> --hi <file name>

Matches source HIT of packet. HI can be given with --hi option and by defining path to a public key file as an argument. This causes sender signatures to be verified. The file name must contain either "_rsa_" or "_dsa_" to define whether RSA or DSA is used as algorithm.

-dst_hit [!] <hit>

Matches destination HIT of packet.

-type [!] <hip packet type>

Matches HIP packet type. Type is one of following: "I1", "R1", "I2", "R2", "CER", "UPDATE", "NOTIFY", "CLOSE", "CLOSE_ACK"

-i [!] <incoming interface>

Matches incoming interface. Argument contains name of the interface. Can not be used for rules in OUTPUT hook as packet has no incoming interface in that case.

-o [!] <outgoing interface>

Matches outgoing interface. Argument contains name of the interface. Can not be used for rules in INPUT hook as packet has no outgoing interface in that case.

-state [!] <state> --verify_responder --accept_mobile --decrypt_contents

Matches state of HIP association: "NEW" or "ESTABLISHED". ESP packets are also filtered as part of the connection. With "--verify_responder" option the firewall stores responder HI from R1 packet and uses it for verifying signatures in the packets. With --accept_mobile option, the firewall may establish state for existing connection when a mobile host enters the network protected by the firewall. Please see Chapter 11, Testing Handover to see how mobility events can be tested. When option --decrypt_contents is set firewall tries to decrypt ESP-packet contents. This can be done if session data has been delivered to firewall. See Chapter 28, Using Key Escrow for details. Currently decrypted packet contents can be viewed in firewall output.

If you get "No buffer space available" errors, please disable all of the firewall debug messages (./configure --disable-debug; make clean all). This can occur when moving large files and the firewall cannot serve with sufficient speed when it has to display debug messages.

Management interface: