comparison mod_firewall.wiki @ 340:ecf8bfe998ec

Add documentation on DAY, TIME, RATE and LIMIT firewall conditions
author MWild1@gmail.com
date Sat, 06 Apr 2013 23:28:14 +0000
parents b33e70726d6a
children 206f6bf2356c
339:53771c083c19 340:ecf8bfe998ec
128 }}} 128 }}}
129 129
130 *Note:* It is important to know that 'example.com' is a valid JID on its own, and does *not* match 'user@example.com'. To perform domain whitelists or blacklists, use Zones. 130 *Note:* It is important to know that 'example.com' is a valid JID on its own, and does *not* match 'user@example.com'. To perform domain whitelists or blacklists, use Zones.
131 131
132 *Note:* Some chains execute before Prosody has performed any normalisation or validity checks on the to/from JIDs on an incoming stanza. It is not advisable to perform access control or similar rules on JIDs in these chains (see the chain documentation for more info). 132 *Note:* Some chains execute before Prosody has performed any normalisation or validity checks on the to/from JIDs on an incoming stanza. It is not advisable to perform access control or similar rules on JIDs in these chains (see the chain documentation for more info).
133
134 === Time and date ===
135 ==== TIME ====
136 Matches stanzas sent during certain time periods.
137 || *Condition* || *Matches* ||
138 || TIME || When the current server local time is within one of the comma-separated time ranges given ||
139
140 {{{
141 TIME: 10pm-6am, 14:00-15:00
142 REPLY=Zzzz.
143 }}}
144
145 ==== DAY ====
146 It is also possible to match only on certain days of the week.
147
148 || *Condition* || *Matches* ||
149 || DAY || When the current day matches one, or falls within a rage, in the given comma-separated list of days ||
150
151 Example:
152 {{{
153 DAY: Sat-Sun, Wednesday
154 REPLY=Sorry, I'm out enjoying life!
155 }}}
156
157
158 === Rate-limiting ===
159 It is possible to selectively rate-limit stanzas, and use rules to decide what to do with stanzas when over the limit.
160
161 First, you must define any rate limits that you are going to use in your script. Here we create a limiter called 'normal' that will allow 2 stanzas per second, and then we define a rule to bounce messages when over this limit. Note that the `RATE` definition is not part of a rule (multiple rules can share the same limiter).
162
163 {{{
164 RATE normal: 2 (burst 3)
165
166 KIND: message
167 LIMIT: normal
168 BOUNCE=policy-violation (Sending too fast!)
169 }}}
170
171 The 'burst' parameter on the rate limit allows you to spread the limit check over a given time period. For example the definition shown above will allow the limit to be temporarily surpassed, as long as it is within the limit after 3 seconds. You will almost always want to specify a burst factor.
172
173 Both the rate and the burst can be fractional values. For example a rate of 0.1 means only one event is allowed every 10 seconds.
174
175 The LIMIT condition actually does two things; first it counts against the given limiter, and then it checks to see if the limiter over its limit yet. If it is, the condition matches, otherwise it will not.
176
177 || *Condition* || *Matches* ||
178 || `LIMIT` || When the named limit is 'used up'. Using this condition automatically counts against that limit. ||
179
180 *Note:* Reloading mod_firewall resets the current state of any limiters.
133 181
134 == Actions == 182 == Actions ==
135 Actions come after all conditions in a rule block. There must be at least one action, though conditions are optional. 183 Actions come after all conditions in a rule block. There must be at least one action, though conditions are optional.
136 184
137 An action without parameters ends with a full-stop/period ('.'), and one with parameters uses an equals sign ('='): 185 An action without parameters ends with a full-stop/period ('.'), and one with parameters uses an equals sign ('='):
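Review bot: the new "Rate-limiting" section never states the scope of a limiter, which matters when `RATE`/`LIMIT` is used as abuse protection: it should say whether `RATE normal: 2 (burst 3)` counts all stanzas passing the rule server-wide or keeps a separate counter per sender, since a single shared counter lets one noisy origin push everyone else over the limit. The burst explanation is also ambiguous: "burst 3" is first described as spreading the check over "a given time period" and then as "within the limit after 3 seconds", so the text should state plainly whether the parameter is a number of seconds or a number of stanzas the limiter may get ahead by. Because "Using this condition automatically counts against that limit" and "multiple rules can share the same limiter", it is worth adding a sentence on whether a stanza evaluated by two rules that both use `LIMIT: normal` is counted twice, and that conditions placed before `LIMIT` in a rule (as `KIND: message` is in the example) decide which stanzas are counted at all. Minor: in the DAY table, "falls within a rage" should read "falls within a range".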