annotate mod_firewall.wiki @ 441:80ce8d7f7f56

mod_s2s_auth_dane.wiki: more text, examples and links
author Kim Alvefur <zash@zash.se>
date Sat, 22 Mar 2014 13:30:47 +0100
parents 4e1a0785c0e4
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
335
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
1 #summary A rule-based stanza filtering module
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
2 #labels Stage-Alpha
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
3
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
4 ----
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
5
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
6 *Note:* mod_firewall is in its very early stages. This documentation is liable to change, and some described functionality may be missing, incomplete or contain bugs. Feedback is welcome in the comments section at the bottom of this page.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
7
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
8 ----
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
9
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
10 = Introduction =
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
11
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
12 A firewall is an invaluable tool in the sysadmin's toolbox. However while low-level firewalls such as iptables and pf are incredibly good at what they do, they are generally not able to handle application-layer rules.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
13
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
14 The goal of mod_firewall is to provide similar services at the XMPP layer. Based on rule scripts it can efficiently block, bounce, drop, forward, copy, redirect stanzas and more! Furthermore all rules can be applied and updated dynamically at runtime without restarting the server.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
15
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
16 = Details =
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
17
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
18 mod_firewall loads one or more scripts, and compiles these to Lua code that reacts to stanzas flowing through Prosody. The firewall script syntax is unusual, but straightforward.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
19
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
20 A firewall script is dominated by rules. Each rule has two parts: conditions, and actions. When a stanza matches all of the conditions, all of the actions are executed in order.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
21
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
22 Here is a simple example to block stanzas from spammer@example.com:
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
23
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
24 {{{
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
25 FROM: spammer@example.com
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
26 DROP.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
27 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
28
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
29 FROM is a condition, and DROP is an action. This is about as simple as it gets. How about heading to the other extreme? Let's demonstrate something more complex that mod_firewall can do for you:
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
30
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
31 {{{
353
2396160dca7c Fix examples of zone and rate definitions
MWild1@gmail.com
parents: 341
diff changeset
32 %ZONE myorganisation: staff.myorg.example, support.myorg.example
335
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
33
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
34 ENTERING: myorganisation
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
35 KIND: message
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
36 TIME: 12am-9am, 5pm-12am, Saturday, Sunday
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
37 REPLY=Sorry, I am afraid our office is closed at the moment. If you need assistance, please call our 24-hour support line on 123-456-789.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
38 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
39
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
40 This rule will reply with a short message whenever someone tries to send a message to someone at any of the hosts defined in the 'myorganisation' outside of office hours.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
41
428
4e1a0785c0e4 Edited wiki page mod_firewall through web user interface.
florob@babelmonkeys.de
parents: 353
diff changeset
42 Firewall rules should be written to a {{{ruleset.pfw}}} file. Multiple such rule
4e1a0785c0e4 Edited wiki page mod_firewall through web user interface.
florob@babelmonkeys.de
parents: 353
diff changeset
43 files can be specified in the configuration using:
4e1a0785c0e4 Edited wiki page mod_firewall through web user interface.
florob@babelmonkeys.de
parents: 353
diff changeset
44
4e1a0785c0e4 Edited wiki page mod_firewall through web user interface.
florob@babelmonkeys.de
parents: 353
diff changeset
45 {{{
4e1a0785c0e4 Edited wiki page mod_firewall through web user interface.
florob@babelmonkeys.de
parents: 353
diff changeset
46 firewall_scripts = { "path/to/ruleset.pfw" }
4e1a0785c0e4 Edited wiki page mod_firewall through web user interface.
florob@babelmonkeys.de
parents: 353
diff changeset
47 }}}
4e1a0785c0e4 Edited wiki page mod_firewall through web user interface.
florob@babelmonkeys.de
parents: 353
diff changeset
48
335
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
49 == Conditions ==
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
50 All conditions must come before any action in a rule block. The condition name is followed by a colon (':'), and the value to test for.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
51
341
206f6bf2356c Add about 'NOT' in conditions
MWild1@gmail.com
parents: 340
diff changeset
52 A condition can be preceded or followed by `NOT` to negate its match. For example:
206f6bf2356c Add about 'NOT' in conditions
MWild1@gmail.com
parents: 340
diff changeset
53
206f6bf2356c Add about 'NOT' in conditions
MWild1@gmail.com
parents: 340
diff changeset
54 {{{
206f6bf2356c Add about 'NOT' in conditions
MWild1@gmail.com
parents: 340
diff changeset
55 NOT FROM: user@example.com
206f6bf2356c Add about 'NOT' in conditions
MWild1@gmail.com
parents: 340
diff changeset
56 KIND NOT: message
206f6bf2356c Add about 'NOT' in conditions
MWild1@gmail.com
parents: 340
diff changeset
57 }}}
206f6bf2356c Add about 'NOT' in conditions
MWild1@gmail.com
parents: 340
diff changeset
58
335
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
59 === Zones ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
60
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
61 A 'zone' is one or more hosts or JIDs. It is possible to match when a stanza is entering or leaving a zone, while at the same time not matching traffic passing between JIDs in the same zone.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
62
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
63 Zones are defined at the top of a script with the following syntax (they are not part of a rule block):
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
64
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
65 {{{
353
2396160dca7c Fix examples of zone and rate definitions
MWild1@gmail.com
parents: 341
diff changeset
66 %ZONE myzone: host1, host2, user@host3, foo.bar.example
335
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
67 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
68
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
69 A host listed in a zone also matches all users on that host (but not subdomains).
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
70
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
71 The following zone-matching conditions are supported:
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
72
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
73 || *Condition* || *Matches* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
74 || `ENTERING` || When a stanza is entering the named zone ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
75 || `LEAVING` || When a stanza is leaving the named zone ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
76
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
77 === Stanza matching ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
78
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
79 || *Condition* || *Matches* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
80 || `KIND` || The kind of stanza. May be 'message', 'presence' or 'iq' ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
81 || `TYPE` || The type of stanza. This varies depending on the kind of stanza. See 'Stanza types' below for more information. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
82 || `PAYLOAD` || The stanza contains a child with the given namespace. Useful for determining the type of an iq request, or whether a message contains a certain extension. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
83 || `INSPECT` || The node at the specified path exists or matches a given string. This allows you to look anywhere inside a stanza. See below for examples and more. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
84
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
85 ==== Stanza types ====
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
86
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
87 || *Stanza* || *Valid types* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
88 || iq || get, set, result, error ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
89 || presence || _available_, unavailable, probe, subscribe, subscribed, unsubscribe, unsubscribed, error ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
90 || message || normal, chat, groupchat, headline, error ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
91
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
92 *Note:* The type 'available' for presence does not actually appear in the protocol. Available presence is signalled by the omission of a type. Similarly, a message stanza with no type is equivalent to one of type 'normal'. mod_firewall handles these cases for you automatically.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
93
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
94 ==== INSPECT ====
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
95
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
96 INSPECT takes a 'path' through the stanza to get a string (an attribute value or text content). An example is the best way to explain. Let's check that a user is not trying to register an account with the username 'admin'. This stanza comes from [http://xmpp.org/extensions/xep-0077.html#example-4 XEP-0077: In-band Registration]:
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
97
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
98 {{{
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
99 <iq type='set' id='reg2'>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
100 <query xmlns='jabber:iq:register'>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
101 <username>bill</username>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
102 <password>Calliope</password>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
103 <email>bard@shakespeare.lit</email>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
104 </query>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
105 </iq>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
106 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
107
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
108 {{{
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
109 KIND: iq
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
110 TYPE: set
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
111 PAYLOAD: jabber:iq:register
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
112 INSPECT: {jabber:iq:register}query/username#=admin
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
113 BOUNCE=not-allowed The username 'admin' is reserved.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
114 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
115
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
116 That weird string deserves some explanation. It is a path, divided into segments by '/'. Each segment describes an element by its name, optionally prefixed by its namespace in curly braces ('{...}'). If the path ends with a '#' then the text content of the last element will be returned. If the path ends with '@name' then the value of the attribute 'name' will be returned.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
117
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
118 INSPECT is somewhat slower than the other stanza matching conditions. To minimise performance impact, always place it below other faster condition checks where possible (e.g. above we first checked KIND, TYPE and PAYLOAD matched before INSPECT).
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
119
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
120 === Sender/recipient matching ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
121
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
122 || *Condition* || *Matches* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
123 || `FROM` || The JID in the 'from' attribute matches the given JID ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
124 || `TO` || The JID in the 'to' attribute matches the given JID ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
125
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
126 These conditions both accept wildcards in the JID when the wildcard expression is enclosed in angle brackets ('<...>'). For example:
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
127
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
128 {{{
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
129 # All users at example.com
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
130 FROM: <*>@example.com
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
131 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
132 {{{
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
133 # The user 'admin' on any subdomain of example.com
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
134 FROM: admin@<*.example.com>
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
135 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
136
336
b33e70726d6a Describe Lua pattern-matching capabilities in JID matching
MWild1@gmail.com
parents: 335
diff changeset
137 You can also use [http://www.lua.org/manual/5.1/manual.html#5.4.1 Lua's pattern matching] for more powerful matching abilities. Patterns are a lightweight regular-expression alternative. Simply contain the pattern in double angle brackets. The pattern is automatically anchored at the start and end (so it must match the entire portion of the JID).
b33e70726d6a Describe Lua pattern-matching capabilities in JID matching
MWild1@gmail.com
parents: 335
diff changeset
138
b33e70726d6a Describe Lua pattern-matching capabilities in JID matching
MWild1@gmail.com
parents: 335
diff changeset
139 {{{
b33e70726d6a Describe Lua pattern-matching capabilities in JID matching
MWild1@gmail.com
parents: 335
diff changeset
140 # Match admin@example.com, and admin1@example.com, etc.
b33e70726d6a Describe Lua pattern-matching capabilities in JID matching
MWild1@gmail.com
parents: 335
diff changeset
141 FROM: <<admin%d*>>@example.com
b33e70726d6a Describe Lua pattern-matching capabilities in JID matching
MWild1@gmail.com
parents: 335
diff changeset
142 }}}
b33e70726d6a Describe Lua pattern-matching capabilities in JID matching
MWild1@gmail.com
parents: 335
diff changeset
143
335
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
144 *Note:* It is important to know that 'example.com' is a valid JID on its own, and does *not* match 'user@example.com'. To perform domain whitelists or blacklists, use Zones.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
145
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
146 *Note:* Some chains execute before Prosody has performed any normalisation or validity checks on the to/from JIDs on an incoming stanza. It is not advisable to perform access control or similar rules on JIDs in these chains (see the chain documentation for more info).
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
147
340
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
148 === Time and date ===
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
149 ==== TIME ====
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
150 Matches stanzas sent during certain time periods.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
151 || *Condition* || *Matches* ||
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
152 || TIME || When the current server local time is within one of the comma-separated time ranges given ||
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
153
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
154 {{{
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
155 TIME: 10pm-6am, 14:00-15:00
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
156 REPLY=Zzzz.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
157 }}}
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
158
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
159 ==== DAY ====
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
160 It is also possible to match only on certain days of the week.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
161
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
162 || *Condition* || *Matches* ||
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
163 || DAY || When the current day matches one, or falls within a rage, in the given comma-separated list of days ||
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
164
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
165 Example:
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
166 {{{
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
167 DAY: Sat-Sun, Wednesday
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
168 REPLY=Sorry, I'm out enjoying life!
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
169 }}}
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
170
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
171
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
172 === Rate-limiting ===
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
173 It is possible to selectively rate-limit stanzas, and use rules to decide what to do with stanzas when over the limit.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
174
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
175 First, you must define any rate limits that you are going to use in your script. Here we create a limiter called 'normal' that will allow 2 stanzas per second, and then we define a rule to bounce messages when over this limit. Note that the `RATE` definition is not part of a rule (multiple rules can share the same limiter).
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
176
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
177 {{{
353
2396160dca7c Fix examples of zone and rate definitions
MWild1@gmail.com
parents: 341
diff changeset
178 %RATE normal: 2 (burst 3)
340
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
179
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
180 KIND: message
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
181 LIMIT: normal
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
182 BOUNCE=policy-violation (Sending too fast!)
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
183 }}}
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
184
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
185 The 'burst' parameter on the rate limit allows you to spread the limit check over a given time period. For example the definition shown above will allow the limit to be temporarily surpassed, as long as it is within the limit after 3 seconds. You will almost always want to specify a burst factor.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
186
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
187 Both the rate and the burst can be fractional values. For example a rate of 0.1 means only one event is allowed every 10 seconds.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
188
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
189 The LIMIT condition actually does two things; first it counts against the given limiter, and then it checks to see if the limiter over its limit yet. If it is, the condition matches, otherwise it will not.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
190
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
191 || *Condition* || *Matches* ||
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
192 || `LIMIT` || When the named limit is 'used up'. Using this condition automatically counts against that limit. ||
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
193
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
194 *Note:* Reloading mod_firewall resets the current state of any limiters.
ecf8bfe998ec Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
MWild1@gmail.com
parents: 336
diff changeset
195
335
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
196 == Actions ==
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
197 Actions come after all conditions in a rule block. There must be at least one action, though conditions are optional.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
198
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
199 An action without parameters ends with a full-stop/period ('.'), and one with parameters uses an equals sign ('='):
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
200
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
201 {{{
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
202 # An action with no parameters:
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
203 DROP.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
204
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
205 # An action with a parameter:
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
206 REPLY=Hello, this is a reply.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
207 }}}
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
208
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
209 === Route modification ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
210 The most common actions modify the stanza's route in some way. Currently the first matching rule to do so will halt further processing of actions and rules (this may change in the future).
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
211
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
212 || *Action* || *Description* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
213 || `PASS.` || Stop executing actions and rules on this stanza, and let it through this chain. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
214 || `DROP.` || Stop executing actions and rules on this stanza, and discard it. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
215 || `REDIRECT=jid` || Redirect the stanza to the given JID. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
216 || `REPLY=text` || Reply to the stanza (assumed to be a message) with the given text. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
217 || `BOUNCE.` || Bounce the stanza with the default error (usually service-unavailable) ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
218 || `BOUNCE=error` || Bounce the stanza with the given error (MUST be a defined XMPP stanza error, see [http://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions RFC6120]. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
219 || `BOUNCE=error (text)` || As above, but include the supplied human-readable text with a description of the error ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
220 || `COPY=jid` || Make a copy of the stanza and send the copy to the specified JID. ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
221
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
222 === Stanza modification ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
223 These actions make it possible to modify the content and structure of a stanza.
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
224
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
225 || *Action* || *Description* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
226 || `STRIP=name` || Remove any child elements with the given name in the default namespace ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
227 || `STRIP=name namespace` || Remove any child elements with the given name and the given namespace ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
228 || `INJECT=xml` || Inject the given XML into the stanza as a child element ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
229
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
230 === Informational ===
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
231 || *Action* || *Description* ||
225827f3940e Created wiki page through web user interface. Phew.
MWild1@gmail.com
parents:
diff changeset
232 || `LOG=message` || Logs the given message to Prosody's log file. Optionally prefix it with a log level in square brackets, e.g. `[debug]`||