Mercurial > prosody-modules
comparison mod_firewall/README.markdown @ 2540:d637bc0ac604
mod_firewall: Update README for latest changes
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 21 Feb 2017 10:39:00 +0000 |
parents | 898e70e85185 |
children | 9b46d24edf0d |
comparison
equal
deleted
inserted
replaced
2539:1510b66a43fc | 2540:d637bc0ac604 |
---|---|
78 For example: | 78 For example: |
79 | 79 |
80 NOT FROM: user@example.com | 80 NOT FROM: user@example.com |
81 KIND NOT: message | 81 KIND NOT: message |
82 | 82 |
83 Some conditions do not take parameters, and these should end with just a | |
84 question mark, like: | |
85 | |
86 IN ROSTER? | |
87 | |
83 ### Zones | 88 ### Zones |
84 | 89 |
85 A 'zone' is one or more hosts or JIDs. It is possible to match when a | 90 A 'zone' is one or more hosts or JIDs. It is possible to match when a |
86 stanza is entering or leaving a zone, while at the same time not | 91 stanza is entering or leaving a zone, while at the same time not |
87 matching traffic passing between JIDs in the same zone. | 92 matching traffic passing between JIDs in the same zone. |
102 | 107 |
103 Condition Matches | 108 Condition Matches |
104 ------------ ------------------------------------------ | 109 ------------ ------------------------------------------ |
105 `ENTERING` When a stanza is entering the named zone | 110 `ENTERING` When a stanza is entering the named zone |
106 `LEAVING` When a stanza is leaving the named zone | 111 `LEAVING` When a stanza is leaving the named zone |
112 | |
113 ### Lists | |
114 | |
115 It is possible to create or load lists of strings for use in scripts. For example, you might load a JID blacklist, | |
116 a list of malware URLs or simple words that you want to filter messages on. | |
117 | |
118 List type Example | |
119 ----------- ----------------------- | |
120 memory %LIST spammers: memory | |
121 file %LIST spammers: file:/etc/spammers.txt | |
122 http %LIST spammers: http://example.com/spammers.txt | |
123 | |
124 #### CHECK LIST | |
125 | |
126 Checks whether a simple expression is found in a given list. | |
127 | |
128 Example: | |
129 | |
130 %LIST blacklist: file:/etc/prosody/blacklist.txt | |
131 | |
132 # Rule to block presence subscription requests from blacklisted JIDs | |
133 KIND: presence | |
134 TYPE: subscribe | |
135 CHECK LIST: blacklist contains $<@from> | |
136 BOUNCE=policy-violation (Your JID is blacklisted) | |
137 | |
138 #### SCAN | |
139 | |
140 SCAN allows you to search inside a stanza for a given pattern, and check each result against a list. For example, | |
141 you could scan a message body for words and check if any of the words are found in a given list. | |
142 | |
143 Before using SCAN, you need to define a search location and a pattern. The search location uses the same 'path' | |
144 format as documented under the 'INSPECT' condition. Patterns can be any valid Lua pattern. | |
145 | |
146 To use the above example: | |
147 | |
148 # Define a search location called 'body' which fetches the text of the 'body' element | |
149 %SEARCH body: body# | |
150 # Define a pattern called 'word' which matches any sequence of letters | |
151 %PATTERN word: [A-Za-z]+ | |
152 # Finally, we also need our list of "bad" words: | |
153 %LIST badwords: file:/etc/prosody/bad_words.txt | |
154 | |
155 # Now we can use these to SCAN incoming stanzas | |
156 # If it finds a match, bounce the stanza | |
157 SCAN: body for word in badwords | |
158 BOUNCE=policy-violation (This word is not allowed!) | |
107 | 159 |
108 ### Stanza matching | 160 ### Stanza matching |
109 | 161 |
110 Condition Matches | 162 Condition Matches |
111 ----------- ------------------------------------------------------------------------------------------------------------------------------------------------------------ | 163 ----------- ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
124 | 176 |
125 **Note:** The type 'available' for presence does not actually appear in | 177 **Note:** The type 'available' for presence does not actually appear in |
126 the protocol. Available presence is signalled by the omission of a type. | 178 the protocol. Available presence is signalled by the omission of a type. |
127 Similarly, a message stanza with no type is equivalent to one of type | 179 Similarly, a message stanza with no type is equivalent to one of type |
128 'normal'. mod\_firewall handles these cases for you automatically. | 180 'normal'. mod\_firewall handles these cases for you automatically. |
181 | |
182 ### Sender/recipient matching | |
183 | |
184 Condition Matches | |
185 ----------- ------------------------------------------------------- | |
186 `FROM` The JID in the 'from' attribute matches the given JID | |
187 `TO` The JID in the 'to' attribute matches the given JID | |
188 | |
189 These conditions both accept wildcards in the JID when the wildcard | |
190 expression is enclosed in angle brackets ('\<...\>'). For example: | |
191 | |
192 # All users at example.com | |
193 FROM: <*>@example.com | |
194 | |
195 # The user 'admin' on any subdomain of example.com | |
196 FROM: admin@<*.example.com> | |
197 | |
198 You can also use [Lua's pattern | |
199 matching](http://www.lua.org/manual/5.1/manual.html#5.4.1) for more | |
200 powerful matching abilities. Patterns are a lightweight | |
201 regular-expression alternative. Simply contain the pattern in double | |
202 angle brackets. The pattern is automatically anchored at the start and | |
203 end (so it must match the entire portion of the JID). | |
204 | |
205 # Match admin@example.com, and admin1@example.com, etc. | |
206 FROM: <<admin%d*>>@example.com | |
207 | |
208 **Note:** It is important to know that 'example.com' is a valid JID on | |
209 its own, and does **not** match 'user@example.com'. To perform domain | |
210 whitelists or blacklists, use Zones. | |
211 | |
212 Condition Matches | |
213 ---------------- --------------------------------------------------------------- | |
214 `FROM_EXACTLY` The JID in the 'from' attribute exactly matches the given JID | |
215 `TO_EXACTLY` The JID in the 'to' attribute exactly matches the given JID | |
216 | |
217 These additional conditions do not support pattern matching, but are | |
218 useful to match the exact to/from address on a stanza. For example, if | |
219 no resource is specified then only bare JIDs will be matched. TO and FROM | |
220 match all resources if no resource is specified to match. | |
221 | |
222 **Note:** Some chains execute before Prosody has performed any | |
223 normalisation or validity checks on the to/from JIDs on an incoming | |
224 stanza. It is not advisable to perform access control or similar rules | |
225 on JIDs in these chains (see the chain documentation for more info). | |
129 | 226 |
130 #### INSPECT | 227 #### INSPECT |
131 | 228 |
132 INSPECT takes a 'path' through the stanza to get a string (an attribute | 229 INSPECT takes a 'path' through the stanza to get a string (an attribute |
133 value or text content). An example is the best way to explain. Let's | 230 value or text content). An example is the best way to explain. Let's |
166 INSPECT is somewhat slower than the other stanza matching conditions. To | 263 INSPECT is somewhat slower than the other stanza matching conditions. To |
167 minimise performance impact, always place it below other faster | 264 minimise performance impact, always place it below other faster |
168 condition checks where possible (e.g. above we first checked KIND, TYPE | 265 condition checks where possible (e.g. above we first checked KIND, TYPE |
169 and PAYLOAD matched before INSPECT). | 266 and PAYLOAD matched before INSPECT). |
170 | 267 |
171 ### Sender/recipient matching | |
172 | |
173 Condition Matches | |
174 ----------- ------------------------------------------------------- | |
175 `FROM` The JID in the 'from' attribute matches the given JID | |
176 `TO` The JID in the 'to' attribute matches the given JID | |
177 | |
178 These conditions both accept wildcards in the JID when the wildcard | |
179 expression is enclosed in angle brackets ('\<...\>'). For example: | |
180 | |
181 # All users at example.com | |
182 FROM: <*>@example.com | |
183 | |
184 # The user 'admin' on any subdomain of example.com | |
185 FROM: admin@<*.example.com> | |
186 | |
187 You can also use [Lua's pattern | |
188 matching](http://www.lua.org/manual/5.1/manual.html#5.4.1) for more | |
189 powerful matching abilities. Patterns are a lightweight | |
190 regular-expression alternative. Simply contain the pattern in double | |
191 angle brackets. The pattern is automatically anchored at the start and | |
192 end (so it must match the entire portion of the JID). | |
193 | |
194 # Match admin@example.com, and admin1@example.com, etc. | |
195 FROM: <<admin%d*>>@example.com | |
196 | |
197 **Note:** It is important to know that 'example.com' is a valid JID on | |
198 its own, and does **not** match 'user@example.com'. To perform domain | |
199 whitelists or blacklists, use Zones. | |
200 | |
201 Condition Matches | |
202 ---------------- --------------------------------------------------------------- | |
203 `FROM_EXACTLY` The JID in the 'from' attribute exactly matches the given JID | |
204 `TO_EXACTLY` The JID in the 'to' attribute exactly matches the given JID | |
205 | |
206 These additional conditions do not support pattern matching, but are | |
207 useful to match the exact to/from address on a stanza. For example, if | |
208 no resource is specified then only bare JIDs will be matched. TO and FROM | |
209 match all resources if no resource is specified to match. | |
210 | |
211 **Note:** Some chains execute before Prosody has performed any | |
212 normalisation or validity checks on the to/from JIDs on an incoming | |
213 stanza. It is not advisable to perform access control or similar rules | |
214 on JIDs in these chains (see the chain documentation for more info). | |
215 | |
216 ### Roster | 268 ### Roster |
217 | 269 |
218 These functions access the roster of the recipient (only). Therefore they cannot (currently) | 270 These functions access the roster of the recipient (only). Therefore they cannot (currently) |
219 be used in some chains, such as for outgoing messages (the recipient may be on another server). | 271 be used in some chains, such as for outgoing messages (the recipient may be on another server). |
220 | 272 |
221 Performance note: this check can potentially cause storage access (especially if the recipient | 273 Performance note: this check can potentially cause storage access (especially if the recipient |
222 is currently offline), so you may want to limit its use in high-traffic situations, and place | 274 is currently offline), so you may want to limit its use in high-traffic situations, and place |
223 it below other checks (such as a rate limiter). | 275 it below other checks (such as a rate limiter). |
224 | 276 |
225 #### IN_ROSTER | 277 #### IN ROSTER |
226 | 278 |
227 Tests whether the sender is in the recipient's roster. | 279 Tests whether the sender is in the recipient's roster. |
228 | 280 |
229 IN_ROSTER: yes | 281 IN ROSTER? |
230 | 282 |
231 #### IN_ROSTER_GROUP | 283 #### IN ROSTER GROUP |
232 | 284 |
233 Tests whether the sender is in the recipient's roster, and in the named group. | 285 Tests whether the sender is in the recipient's roster, and in the named group. |
234 | 286 |
235 IN_ROSTER_GROUP: Friends | 287 IN ROSTER GROUP: Friends |
236 | 288 |
237 #### SUBSCRIBED | 289 #### SUBSCRIBED |
238 | 290 |
239 Tests whether the recipient is subscribed to the sender, ie will receive | 291 Tests whether the recipient is subscribed to the sender, ie will receive |
240 presence updates from them. | 292 presence updates from them. |
248 Using Prosody's mod\_groups it is possible to define groups of users on the server. You can | 300 Using Prosody's mod\_groups it is possible to define groups of users on the server. You can |
249 match based on these groups in firewall rules. | 301 match based on these groups in firewall rules. |
250 | 302 |
251 Condition Matches | 303 Condition Matches |
252 ------------- ---------------------------- | 304 ------------- ---------------------------- |
253 `FROM_GROUP` When the stanza is being sent from a member of the named group | 305 `FROM GROUP` When the stanza is being sent from a member of the named group |
254 `TO_GROUP` When the stanza is being sent to a member of the named group | 306 `TO GROUP` When the stanza is being sent to a member of the named group |
307 | |
308 #### SENT DIRECTED PRESENCE TO SENDER | |
309 | |
310 This condition matches if the recipient of a stanza has previously sent directed presence to the sender of the stanza. This | |
311 is often done in XMPP to exchange presence information with JIDs that are not on your roster, such as MUC rooms. | |
312 | |
313 This condition does not take a parameter - end the condition name with a question mark: | |
314 | |
315 # Rule to bounce messages from senders not in the roster who haven't been sent directed presence | |
316 NOT IN ROSTER? | |
317 NOT SENT DIRECTED PRESENCE TO SENDER? | |
318 BOUNCE=service-unavailable | |
255 | 319 |
256 ### Admins | 320 ### Admins |
257 | 321 |
258 Prosody allows certain JIDs to be declared as administrators of a host, component or the whole server. | 322 Prosody allows certain JIDs to be declared as administrators of a host, component or the whole server. |
259 | 323 |
260 Condition Matches | 324 Condition Matches |
261 -------------- ---------------------------------- | 325 -------------- ---------------------------------- |
262 FROM_ADMIN_OF When the sender of the stanza is an admin of the named host on the current server | 326 FROM ADMIN OF When the sender of the stanza is an admin of the named host on the current server |
263 TO_ADMIN_OF When the recipient of the stanza is an admin of the named host on the current server | 327 TO ADMIN OF When the recipient of the stanza is an admin of the named host on the current server |
264 | 328 |
265 ### Time and date | 329 ### Time and date |
266 | 330 |
267 #### TIME | 331 #### TIME |
268 | 332 |
356 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the | 420 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the |
357 `ORIGIN_MARKED` condition. | 421 `ORIGIN_MARKED` condition. |
358 | 422 |
359 Condition Description | 423 Condition Description |
360 ------------------------------- --------------------------------------------------------------- | 424 ------------------------------- --------------------------------------------------------------- |
361 ORIGIN_MARKED: markname Matches if the origin has been marked with 'markname'. | 425 ORIGIN MARKED: markname Matches if the origin has been marked with 'markname'. |
362 ORIGIN_MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds. | 426 ORIGIN MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds. |
363 | 427 |
364 Example usage: | 428 Example usage: |
365 | 429 |
366 # This rule drops messages from sessions that have been marked as spammers in the past hour | 430 # This rule drops messages from sessions that have been marked as spammers in the past hour |
367 ORIGIN_MARKED: spammer (3600s) | 431 ORIGIN MARKED: spammer (3600s) |
368 DROP. | 432 DROP. |
369 | 433 |
370 # This rule marks the origin session as a spammer if they send a message to a honeypot JID | 434 # This rule marks the origin session as a spammer if they send a message to a honeypot JID |
371 KIND: message | 435 KIND: message |
372 TO: honeypot@example.com | 436 TO: honeypot@example.com |
373 MARK_ORIGIN=spammer | 437 MARK ORIGIN=spammer |
374 | 438 |
375 Actions | 439 Actions |
376 ------- | 440 ------- |
377 | 441 |
378 Actions come after all conditions in a rule block. There must be at | 442 Actions come after all conditions in a rule block. There must be at |
421 | 485 |
422 It is possible to mark sessions, and then use these marks to match rules later on. | 486 It is possible to mark sessions, and then use these marks to match rules later on. |
423 | 487 |
424 Action Description | 488 Action Description |
425 ------------------------ -------------------------------------------------------------------------- | 489 ------------------------ -------------------------------------------------------------------------- |
426 `MARK_ORIGIN=mark` Marks the originating session with the given flag. | 490 `MARK ORIGIN=mark` Marks the originating session with the given flag. |
427 `UNMARK_ORIGIN=mark` Removes the given mark from the origin session (if it is set). | 491 `UNMARK ORIGIN=mark` Removes the given mark from the origin session (if it is set). |
428 | 492 |
429 **Note:** Marks apply to sessions, not JIDs. E.g. if marking in a rule that matches a stanza received | 493 **Note:** Marks apply to sessions, not JIDs. E.g. if marking in a rule that matches a stanza received |
430 over s2s, it is the s2s session that is marked. | 494 over s2s, it is the s2s session that is marked. |
431 | 495 |
432 It is possible to have multiple marks on an origin at any given time. | 496 It is possible to have multiple marks on an origin at any given time. |
491 TO: alice@remote.example.com | 555 TO: alice@remote.example.com |
492 DROP. | 556 DROP. |
493 | 557 |
494 Action Description | 558 Action Description |
495 ------------------------ ------------------------------------------------------------------------ | 559 ------------------------ ------------------------------------------------------------------------ |
496 `JUMP_CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing. | 560 `JUMP CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing. |
497 | 561 |
498 It is possible to jump to chains defined by other scripts and modules. | 562 It is possible to jump to chains defined by other scripts and modules. |
499 | 563 |
500 Expressions | 564 Expressions |
501 ----------- | 565 ----------- |
504 are static once the firewall script is loaded and compiled internally, however parameters that allow expressions can be dynamically calculated when a | 568 are static once the firewall script is loaded and compiled internally, however parameters that allow expressions can be dynamically calculated when a |
505 rule is being run. | 569 rule is being run. |
506 | 570 |
507 There are two kinds of expression that you can use: stanza expressions, and code expressions. | 571 There are two kinds of expression that you can use: stanza expressions, and code expressions. |
508 | 572 |
573 ### Stanza expressions | |
574 | |
509 Stanza expressions are of the form `$<...>`, where `...` is a stanza path. For syntax of stanza paths, see the documentation for the 'INSPECT' condition | 575 Stanza expressions are of the form `$<...>`, where `...` is a stanza path. For syntax of stanza paths, see the documentation for the 'INSPECT' condition |
510 above. | 576 above. |
511 | 577 |
512 Example: | 578 Example: |
513 | 579 |
514 LOG=Matched a stanza from $<@from> to $<@to> | 580 LOG=Matched a stanza from $<@from> to $<@to> |
515 | 581 |
516 If the path does not match (e.g. the element isn't found, or the attribute doesn't exist) it will return the text `<undefined>`. You can override this | 582 There are built in functions which can be applied to the output of a stanza expression, by appending the pipe ('|') operator, followed by the function |
517 by specifying an alternative default value, using the syntax `$<path||default>`. | 583 name. These functions are: |
584 | |
585 Function Description | |
586 ------------ --------------------------------------- | |
587 bare Given a JID, strip any resource | |
588 node Return the node ('user part') of a JID | |
589 host Return the host ('domain') part of a JID | |
590 resource Return the resource part of a JID | |
591 | |
592 For example, to apply a rate limit to stanzas per sender domain: | |
593 | |
594 LIMIT normal on $<@from|domain> | |
595 | |
596 If the path does not match (e.g. the element isn't found, or the attribute doesn't exist) or any of the functions fail to produce an output (e.g. an invalid | |
597 JID was passed to a function that only handles valid JIDs) the expression will return the text `<undefined>`. You can override this by ending the expression | |
598 with a double pipe ('||') followed by a quoted string to use as a default instead. E.g. to default to the string "normal" when there is no 'type' attribute: | |
599 | |
600 LOG=Stanza type is $<@type||"normal"> | |
601 | |
602 ### Code expressions | |
518 | 603 |
519 Code expressions use `$(...)` syntax. Code expressions are powerful, and allow unconstrained access to Prosody's internal environment. Therefore | 604 Code expressions use `$(...)` syntax. Code expressions are powerful, and allow unconstrained access to Prosody's internal environment. Therefore |
520 code expressions are typically for advanced use-cases only. You may want to refer to Prosody's [developer documentation](https://prosody.im/doc/developers) | 605 code expressions are typically for advanced use-cases only. You may want to refer to Prosody's [developer documentation](https://prosody.im/doc/developers) |
521 for more information. In particular, within code expressions you may access the 'session' object, which is the session object of the origin of the stanza, | 606 for more information. In particular, within code expressions you may access the 'session' object, which is the session object of the origin of the stanza, |
522 and the 'stanza' object, which is the stanza being considered within the current rule. Whatever value the expression returns will be converted to a string. | 607 and the 'stanza' object, which is the stanza being considered within the current rule. Whatever value the expression returns will be converted to a string. |