annotate mod_firewall.wiki @ 390:2ad6225d937f

mod_smacks: Update to reflect Swift releases
author Kim Alvefur <zash@zash.se>
date Mon, 15 Jul 2013 02:00:29 +0200
parents 2396160dca7c
children 4e1a0785c0e4
#summary A rule-based stanza filtering module
#labels Stage-Alpha

----

*Note:* mod_firewall is in its very early stages. This documentation is liable to change, and some described functionality may be missing, incomplete or contain bugs. Feedback is welcome in the comments section at the bottom of this page.

----

= Introduction =

A firewall is an invaluable tool in the sysadmin's toolbox. However, while low-level firewalls such as iptables and pf are incredibly good at what they do, they are generally not able to handle application-layer rules.

The goal of mod_firewall is to provide similar services at the XMPP layer. Based on rule scripts it can efficiently block, bounce, drop, forward, copy, redirect stanzas and more! Furthermore, all rules can be applied and updated dynamically at runtime without restarting the server.

= Details =

mod_firewall loads one or more scripts, and compiles these to Lua code that reacts to stanzas flowing through Prosody. The firewall script syntax is unusual, but straightforward.

A firewall script is dominated by rules. Each rule has two parts: conditions, and actions. When a stanza matches all of the conditions, all of the actions are executed in order.

Here is a simple example to block stanzas from spammer@example.com:

{{{
FROM: spammer@example.com
DROP.
}}}

FROM is a condition, and DROP is an action. This is about as simple as it gets. How about heading to the other extreme? Let's demonstrate something more complex that mod_firewall can do for you:

{{{
%ZONE myorganisation: staff.myorg.example, support.myorg.example

ENTERING: myorganisation
KIND: message
TIME: 12am-9am, 5pm-12am, Saturday, Sunday
REPLY=Sorry, I am afraid our office is closed at the moment. If you need assistance, please call our 24-hour support line on 123-456-789.
}}}

This rule will reply with a short message whenever someone tries to send a message to someone at any of the hosts defined in the 'myorganisation' zone outside of office hours.

== Conditions ==
All conditions must come before any action in a rule block. The condition name is followed by a colon (':'), and the value to test for.

A condition can be preceded or followed by `NOT` to negate its match. For example:

{{{
NOT FROM: user@example.com
KIND NOT: message
}}}

=== Zones ===

A 'zone' is one or more hosts or JIDs. It is possible to match when a stanza is entering or leaving a zone, while at the same time not matching traffic passing between JIDs in the same zone.

Zones are defined at the top of a script with the following syntax (they are not part of a rule block):

{{{
%ZONE myzone: host1, host2, user@host3, foo.bar.example
}}}

A host listed in a zone also matches all users on that host (but not subdomains).

The following zone-matching conditions are supported:

|| *Condition* || *Matches* ||
|| `ENTERING` || When a stanza is entering the named zone ||
|| `LEAVING` || When a stanza is leaving the named zone ||

=== Stanza matching ===

|| *Condition* || *Matches* ||
|| `KIND` || The kind of stanza. May be 'message', 'presence' or 'iq' ||
|| `TYPE` || The type of stanza. This varies depending on the kind of stanza. See 'Stanza types' below for more information. ||
|| `PAYLOAD` || The stanza contains a child with the given namespace. Useful for determining the type of an iq request, or whether a message contains a certain extension. ||
|| `INSPECT` || The node at the specified path exists or matches a given string. This allows you to look anywhere inside a stanza. See below for examples and more. ||

==== Stanza types ====

|| *Stanza* || *Valid types* ||
|| iq || get, set, result, error ||
|| presence || _available_, unavailable, probe, subscribe, subscribed, unsubscribe, unsubscribed, error ||
|| message || normal, chat, groupchat, headline, error ||

*Note:* The type 'available' for presence does not actually appear in the protocol. Available presence is signalled by the omission of a type. Similarly, a message stanza with no type is equivalent to one of type 'normal'. mod_firewall handles these cases for you automatically.

==== INSPECT ====

INSPECT takes a 'path' through the stanza to get a string (an attribute value or text content). An example is the best way to explain. Let's check that a user is not trying to register an account with the username 'admin'. This stanza comes from [http://xmpp.org/extensions/xep-0077.html#example-4 XEP-0077: In-band Registration]:

{{{
<iq type='set' id='reg2'>
  <query xmlns='jabber:iq:register'>
    <username>bill</username>
    <password>Calliope</password>
    <email>bard@shakespeare.lit</email>
  </query>
</iq>
}}}

{{{
KIND: iq
TYPE: set
PAYLOAD: jabber:iq:register
INSPECT: {jabber:iq:register}query/username#=admin
BOUNCE=not-allowed The username 'admin' is reserved.
}}}

That weird string deserves some explanation. It is a path, divided into segments by '/'. Each segment describes an element by its name, optionally prefixed by its namespace in curly braces ('{...}'). If the path ends with a '#' then the text content of the last element will be returned. If the path ends with '@name' then the value of the attribute 'name' will be returned.

INSPECT is somewhat slower than the other stanza matching conditions. To minimise performance impact, always place it below other faster condition checks where possible (e.g. above we first checked KIND, TYPE and PAYLOAD matched before INSPECT).

=== Sender/recipient matching ===

|| *Condition* || *Matches* ||
|| `FROM` || The JID in the 'from' attribute matches the given JID ||
|| `TO` || The JID in the 'to' attribute matches the given JID ||

These conditions both accept wildcards in the JID when the wildcard expression is enclosed in angle brackets ('<...>'). For example:

{{{
# All users at example.com
FROM: <*>@example.com
}}}
{{{
# The user 'admin' on any subdomain of example.com
FROM: admin@<*.example.com>
}}}

You can also use [http://www.lua.org/manual/5.1/manual.html#5.4.1 Lua's pattern matching] for more powerful matching abilities. Patterns are a lightweight regular-expression alternative. Simply enclose the pattern in double angle brackets ('<<...>>'). The pattern is automatically anchored at the start and end (so it must match the entire portion of the JID).

{{{
# Match admin@example.com, and admin1@example.com, etc.
FROM: <<admin%d*>>@example.com
}}}

*Note:* It is important to know that 'example.com' is a valid JID on its own, and does *not* match 'user@example.com'. To perform domain whitelists or blacklists, use Zones.

*Note:* Some chains execute before Prosody has performed any normalisation or validity checks on the to/from JIDs on an incoming stanza. It is not advisable to perform access control or similar rules on JIDs in these chains (see the chain documentation for more info).

=== Time and date ===
==== TIME ====
Matches stanzas sent during certain time periods.
|| *Condition* || *Matches* ||
|| TIME || When the current server local time is within one of the comma-separated time ranges given ||

{{{
TIME: 10pm-6am, 14:00-15:00
REPLY=Zzzz.
}}}

==== DAY ====
It is also possible to match only on certain days of the week.

|| *Condition* || *Matches* ||
|| DAY || When the current day matches one, or falls within a range, in the given comma-separated list of days ||

Example:
{{{
DAY: Sat-Sun, Wednesday
REPLY=Sorry, I'm out enjoying life!
}}}


=== Rate-limiting ===
It is possible to selectively rate-limit stanzas, and use rules to decide what to do with stanzas when over the limit.

First, you must define any rate limits that you are going to use in your script. Here we create a limiter called 'normal' that will allow 2 stanzas per second, and then we define a rule to bounce messages when over this limit. Note that the `RATE` definition is not part of a rule (multiple rules can share the same limiter).

{{{
%RATE normal: 2 (burst 3)

KIND: message
LIMIT: normal
BOUNCE=policy-violation (Sending too fast!)
}}}

The 'burst' parameter on the rate limit allows you to spread the limit check over a given time period. For example, the definition shown above will allow the limit to be temporarily surpassed, as long as it is within the limit after 3 seconds. You will almost always want to specify a burst factor.

Both the rate and the burst can be fractional values. For example, a rate of 0.1 means only one event is allowed every 10 seconds.

The LIMIT condition actually does two things: first it counts against the given limiter, and then it checks to see whether the limiter is over its limit yet. If it is, the condition matches; otherwise it does not.

|| *Condition* || *Matches* ||
|| `LIMIT` || When the named limit is 'used up'. Using this condition automatically counts against that limit. ||

*Note:* Reloading mod_firewall resets the current state of any limiters.

== Actions ==
Actions come after all conditions in a rule block. There must be at least one action, though conditions are optional.

An action without parameters ends with a full-stop/period ('.'), and one with parameters uses an equals sign ('='):

{{{
# An action with no parameters:
DROP.

# An action with a parameter:
REPLY=Hello, this is a reply.
}}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
201
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
202 === Route modification ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
203 The most common actions modify the stanza's route in some way. Currently the first matching rule to do so will halt further processing of actions and rules (this may change in the future).
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
204
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
205 || *Action* || *Description* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
206 || `PASS.` || Stop executing actions and rules on this stanza, and let it through this chain. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
207 || `DROP.` || Stop executing actions and rules on this stanza, and discard it. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
208 || `REDIRECT=jid` || Redirect the stanza to the given JID. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
209 || `REPLY=text` || Reply to the stanza (assumed to be a message) with the given text. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
210 || `BOUNCE.` || Bounce the stanza with the default error (usually service-unavailable) ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
211 || `BOUNCE=error` || Bounce the stanza with the given error (MUST be a defined XMPP stanza error, see [http://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions RFC6120]. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
212 || `BOUNCE=error (text)` || As above, but include the supplied human-readable text with a description of the error ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
213 || `COPY=jid` || Make a copy of the stanza and send the copy to the specified JID. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
214
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
215 === Stanza modification ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
216 These actions make it possible to modify the content and structure of a stanza.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
217
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
218 || *Action* || *Description* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
219 || `STRIP=name` || Remove any child elements with the given name in the default namespace ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
220 || `STRIP=name namespace` || Remove any child elements with the given name and the given namespace ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
221 || `INJECT=xml` || Inject the given XML into the stanza as a child element ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
222
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
223 === Informational ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
224 || *Action* || *Description* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
225 || `LOG=message` || Logs the given message to Prosody's log file. Optionally prefix it with a log level in square brackets, e.g. `[debug]`||
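To put the syntax rules of this section into practice, here is an added example, written for this page and not part of mod_firewall or Prosody: a small Python checker for the action syntax described above. It enforces that conditions precede at least one action in a rule block, distinguishes the `NAME.` and `NAME=param` forms, checks a `BOUNCE=` parameter against the stanza error conditions defined in RFC 6120 (with the optional ` (text)` suffix), checks a `[level]` prefix on `LOG=` against Prosody's log levels (debug, info, warn, error), checks that `STRIP=` has one or two words and that `INJECT=` is well-formed XML, and reports any action placed after a PASS, DROP, BOUNCE, REDIRECT or REPLY, which the page says halt the chain. Assumptions not stated in this section: conditions are written `NAME: value` (optionally preceded by `NOT `), rule blocks are separated by blank lines, and COPY is treated as non-halting because it sends a copy rather than changing where the original goes. The sample rule script and the `example.com` JIDs are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# RFC 6120 section 8.3.3: the defined stanza error conditions BOUNCE= may name.
RFC6120_STANZA_ERRORS = frozenset("""
bad-request conflict feature-not-implemented forbidden gone internal-server-error item-not-found
jid-malformed not-acceptable not-allowed not-authorized policy-violation recipient-unavailable
redirect registration-required remote-server-not-found remote-server-timeout resource-constraint
service-unavailable subscription-required undefined-condition unexpected-request""".split())
PROSODY_LOG_LEVELS = {"debug", "info", "warn", "error"}
NO_PARAM_ACTIONS = {"PASS", "DROP", "BOUNCE"}                     # written NAME.
PARAM_ACTIONS = {"REDIRECT", "REPLY", "BOUNCE", "COPY", "STRIP", "INJECT", "LOG"}
# Route modifiers that halt the chain; COPY sends a copy and is assumed not to halt.
HALTING_ACTIONS = {"PASS", "DROP", "BOUNCE", "REDIRECT", "REPLY"}

ACTION_RE = re.compile(r"^([A-Z_]+)(?:\.|=(.*))$")      # NAME.  or  NAME=param
CONDITION_RE = re.compile(r"^(?:NOT )?[A-Z_]+: *\S.*$")  # assumed form: NAME: value
BOUNCE_RE = re.compile(r"^([a-z-]+)(?: \((.+)\))?$")     # error  or  error (text)
LOG_LEVEL_RE = re.compile(r"^\[([a-z]+)\]")


def parse_action(line):
    """Return (NAME, param or None) for one action line, validating the parameter."""
    m = ACTION_RE.match(line)
    if not m:
        raise ValueError(f"not an action: {line!r}")
    name, param = m.group(1), m.group(2)
    if param is None and name not in NO_PARAM_ACTIONS:
        raise ValueError(f"{name} needs a parameter: use {name}=...")
    if param is not None and name not in PARAM_ACTIONS:
        raise ValueError(f"{name} takes no parameter: use {name}.")
    if name == "BOUNCE" and param is not None:
        b = BOUNCE_RE.match(param)
        if not b or b.group(1) not in RFC6120_STANZA_ERRORS:
            raise ValueError(f"BOUNCE={param}: not a defined RFC 6120 stanza error")
    elif name == "STRIP" and len(param.split()) not in (1, 2):
        raise ValueError(f"STRIP={param}: expected 'name' or 'name namespace'")
    elif name == "INJECT":
        try:
            ET.fromstring(param)                 # must be a single well-formed element
        except ET.ParseError as e:
            raise ValueError(f"INJECT={param}: malformed XML ({e})") from None
    elif name == "LOG":
        level = LOG_LEVEL_RE.match(param)
        if level and level.group(1) not in PROSODY_LOG_LEVELS:
            raise ValueError(f"LOG: unknown level [{level.group(1)}]")
    return name, param


def parse_block(block):
    """Parse one rule block into (conditions, actions), enforcing conditions-first."""
    conditions, actions = [], []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # blank lines and comments
            continue
        if ACTION_RE.match(line):
            actions.append(parse_action(line))
        elif actions:
            raise ValueError(f"condition after an action: {line!r}")
        elif CONDITION_RE.match(line):
            conditions.append(line)
        else:
            raise ValueError(f"neither condition nor action: {line!r}")
    if not actions:
        raise ValueError("rule block has no action")
    return conditions, actions


def check_script(text):
    """Check every blank-line-separated block; return (parsed_blocks, problems)."""
    blocks, problems = [], []
    for n, chunk in enumerate(re.split(r"\n\s*\n", text.strip()), 1):
        try:
            conditions, actions = parse_block(chunk)
        except ValueError as e:
            problems.append(f"block {n}: {e}")
            continue
        blocks.append((conditions, actions))
        halted = False                            # set once a halting action is seen
        for name, _ in actions:
            if halted:
                problems.append(f"block {n}: {name} follows a halting action and never runs")
            halted = halted or name in HALTING_ACTIONS
    return blocks, problems


# Constructed sample script (not from the page); example.com JIDs are placeholders.
SAMPLE_RULES = """\
# Refuse IQs to a decommissioned gateway with a proper stanza error.
KIND: iq
TO: gateway@example.com
BOUNCE=gone (this gateway has been decommissioned)

# Strip out-of-band data from messages, then let them through.
KIND: message
STRIP=x jabber:x:oob
PASS.
LOG=[debug] never runs: PASS. stops the chain
"""
```

`check_script(SAMPLE_RULES)` returns two parsed blocks and one problem, the `LOG=` placed after `PASS.` in the second block. A block with a condition after an action, with no action at all, with `BOUNCE=payment-required` (an RFC 3920 condition that RFC 6120 dropped), or with `DROP=...` is reported as a problem for that block rather than parsed, so the checker can be run over a rule script before reloading the module.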