This section describes how to use the HIP firewall. The firewall needs to be compiled with the --enable-firewall option to configure. There is also a Python interface included in the source distribution (hip-fw-mi-*tar.gz).
Firewall can be started with "hipfw <file_name>". By default, it drops all HIP traffic and allows all other traffic. You can change the defaults with hipfw command line flags. To get a list of command line flags, give the -h option to hipfw. When you start the firewall the first time, it creates /etc/hip/firewall.conf file which contains an example usage template.
The hipfw must be started before making any HIP connectivity. If you restart hipfw, you must also reset existing HIP connections. If you are running the hipfw in a router, you may also need to set /proc/sys/net/ipv6/conf/all/forwarding and /proc/sys/net/ipv4/conf/all/forwarding to 1.
Rules follow (loosely) the syntax of Linux Iptables with following syntax.
Basic format of rule is: HOOK [match] TARGET
Here HOOK is one of the netfilter hooks: "INPUT", "OUTPUT", "FORWARD". Target is either "ACCEPT" or "DROP", whether packet should be allowed or not. Match is a combination of filtering option described below.
Filtering options:
Matches source HIT of packet. HI can be given with --hi option and by defining path to a public key file as an argument. This causes sender signatures to be verified. The file name must contain either "_rsa_" or "_dsa_" to define whether RSA or DSA is used as algorithm.
Matches destination HIT of packet.
Matches HIP packet type. Type is one of following: "I1", "R1", "I2", "R2", "CER", "UPDATE", "NOTIFY", "CLOSE", "CLOSE_ACK"
Matches incoming interface. Argument contains name of the interface. Can not be used for rules in OUTPUT hook as packet has no incoming interface in that case.
Matches outgoing interface. Argument contains name of the interface. Can not be used for rules in INPUT hook as packet has no outgoing interface in that case.
Matches state of HIP association: "NEW" or "ESTABLISHED". ESP packets are also filtered as part of the connection. With "--verify_responder" option the firewall stores responder HI from R1 packet and uses it for verifying signatures in the packets. With --accept_mobile option, the firewall may establish state for existing connection when a mobile host enters the network protected by the firewall. Please see Chapter 11, Testing Handover to see how mobility events can be tested. When option --decrypt_contents is set firewall tries to decrypt ESP-packet contents. This can be done if session data has been delivered to firewall. See Chapter 28, Using Key Escrow for details. Currently decrypted packet contents can be viewed in firewall output.
If you get "No buffer space available" errors, please disable all of the firewall debug messages (./configure --disable-debug; make clean all). This can occur when moving large files and the firewall cannot serve with sufficient speed when it has to display debug messages.
Management interface:
Firewall management interface contains functions for altering rules of running firewall. Functions are defined in firewall/rule_management.h and implemented in firewall/rule_management.c. Rule_management.c also contains functions for copying, comparing and freeing rules, etc. If any functions are needed outside the rule_management, they can be defined in the header file.
The argument "hook" in the rule is the Netfilter hook for which rule is intended. The hooks are defined in linux/netfilter_ipv6.h as NF_IP6_LOCAL_IN, NF_IP6_FORWARD, NF_IP6_LOCAL_OUT.
The argument rule is structure describing the rule defined in rule_management.h. The structure contains pointers to options. The pointer value must be NULL, when option is not defined. The structures for options are also defined in rule_management.h. Function: rule * parse_rule(char * string) can be used for creating a rule structure from a string. This also inspects that the rule syntax is correct.
void insert_rule(const struct rule * rule, int hook): Inserts argument rule into with the hook. Insert makes local copy of the argument rule.
int delete_rule(const struct rule * rule, int hook): Deletes the local rule that is equal to the argument rule.
GList * list_rules(int hook): creates a copy of the rule list and returns it. Caller must take care of freeing the returned list.
int flush(int hook): Clears all rules.