XmlFilter

Last version : 0.5 / 08 2004



DESCRIPTION


Features :

XMLFILTER is a structured, tree-like configuration model for Netfilter. It does for Netfilter roughly what m4 does for sendmail: the low-level configuration (the iptables script and the kernel flags) is generated from a higher-level, structured description.

There are four main ideas behind XMLFILTER :

* Automate most of the Iptables configuration building and kernel hardening
* Increase reliability and security (a structured, validated document instead of a hand-written script)
* Increase performance (user-defined chains are built automatically, so each packet crosses fewer rules)
* Be as simple as possible

See the Iptables tutorial for information about the usual way to configure Netfilter.


Below are some of XMLFILTER's features :

* builds a complete Iptables script and runs/saves it
* sets the no-source-routing mode
* sets the kernel to ignore ICMP redirects from hosts not listed as gateways
* sets the stateful inspection (connection tracking) cache size
* sets or unsets IP forwarding
* drops or logs orphan fragments (fragments not related to any tracked connection)
* drops or logs SYN scans
* drops or logs martian packets (impossible or forged source IP)
* drops or logs invalid packets (malformed headers, or not matching any tracked connection state)
* anti-spoofing : drops packets claiming to originate from the protected network but arriving on the wrong interface

TODO :

* write a GUI to build the XML file (a REBOL GUI, first release coming soon...)
* complete NAT and filter support

How it works

The XML file is parsed to generate an iptables script, which is then run to configure Netfilter and the IP-security-related kernel flags.

An XSLT transform sheet is used for the transformation. See the W3C recommendation for information about XSLT transformations :


A Perl utility program (xmlfilter.pl) takes the XML file as argument, generates the iptables script and runs it. The GNOME libxml2 parser is used because it is faster and more reliable than the native Perl XML module. See the GNOME XML project and CPAN pages for information :

The XML C library for Gnome - http://xmlsoft.org/
The PERL module API for Gnome XML C library - http://search.cpan.org/author/PHISH/XML-LibXML-1.54/LibXML.pm
The PERL module API for Gnome XSLT parser - http://search.cpan.org/author/MSERGEANT/XML-LibXSLT-1.53/LibXSLT.pm

Synopsis :

xmlfilter -c [netfilter_config.xml]


Example of what an XMLFILTER config file looks like (edited with JAXE) : see the screenshot xmlfilter.gif



SPECIFICATIONS


XMLFILTER DTD :

See the XMLFILTER DTD

XMLFILTER XSLT transform :

See the XMLFILTER XSLT transform sheet




Branch elements

There are three branch elements :

    * <GATEWAY>
    * <FW_HOST>
    * <POLICY>

GATEWAY branch

      The <GATEWAY> branch contains everything about forwarded packets, i.e. traffic crossing the firewall from one interface to another.

      Its members are one or more <FORWARD> flow elements, depending on the number of interface pairs to connect.

FW_HOST branch

      The <FW_HOST> branch contains everything about packets destined for, or originating from, a local process of the firewall host.

      Its members are one or more <INPUT> and <OUTPUT> flow elements, depending on the number of interfaces.

POLICY branch

      The <POLICY> branch (mandatory) is used to set general parameters and kernel options.

It contains the following policy elements :

    * <ROUTING>
    * <INPUT_POLICY>
    * <OUTPUT_POLICY>
    * <FORWARD_POLICY>
    * <IDS>
    * <ANTISPOOF>
    * <STATEFULL>


policy elements

Element <ROUTING> has the following attributes :

ip_forwarding : set to "yes" to enable routing between interfaces (kernel flag ip_forward)
no_source_routing : set to "yes" to tell the kernel to ignore source-routed packets (kernel flag accept_source_route turned off)
secure_redirects : set to "yes" to tell the kernel to ignore ICMP redirects from sources that are not known gateways (kernel flag secure_redirects)

Element <INPUT_POLICY> has the following attributes :

policy : sets the default rule for incoming packets destined for the firewall host : "ACCEPT" (accept the packet, not advisable), "DROP" (silently discard the packet) or "REJECT" (discard the packet and send back an ICMP unreachable error)

Element <OUTPUT_POLICY> has the following attributes :

policy : sets the default rule for outgoing packets from the firewall host : "ACCEPT" (accept the packet, not advisable), "DROP" (silently discard the packet) or "REJECT" (discard the packet and send back an ICMP unreachable error)

Element <FORWARD_POLICY> has the following attributes :

policy : sets the default rule for forwarded packets : "ACCEPT" (accept the packet, not advisable), "DROP" (silently discard the packet) or "REJECT" (discard the packet and send back an ICMP unreachable error)

      Note that the kernel accepts only built-in targets (ACCEPT, DROP) as a chain policy, so "iptables -P INPUT REJECT" fails; a "REJECT" policy has to be realised as a DROP policy plus a catch-all REJECT rule appended after every other rule of the chain.

Element <IDS> has the following attributes :

catch_orpheans : set to "yes" to drop or log fragments that are not related to any tracked connection
catch_synscan : set to "yes" to drop or log SYN scan attempts
catch_invalid : set to "yes" to drop or log invalid packets (malformed, or not matching any tracked connection state)
log : set to "yes" to log packets before dropping them (otherwise they are dropped silently)
log_martians : set to "yes" to log packets with an impossible source address (kernel flag log_martians)

Element <ANTISPOOF> has the following attributes :

homenet : network address and mask of the protected network, in the www.xxx.yyy.zzz/mm format
extern_if : name of the external interface on which anti-spoofing is applied : packets arriving there with a source address inside homenet are dropped

Element <STATEFULL> has the following attributes :

statefull_inspection : set to "yes" to activate connection tracking
conntrack_max : maximum size of the connection tracking table (usually 16535 is a good value); each tracked connection costs kernel memory, so size it for the number of concurrent connections expected
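The following is an added example, written for this page and not XMLFILTER's own XSLT sheet, of how the <POLICY> branch described above can be turned into kernel flags and iptables commands. The sample document is constructed here; the exact rules XMLFILTER itself emits may differ, the conntrack sysctl key assumed is the 2.4/2.6-era name, and the interpretation of catch_synscan as the bogus flag combinations port scanners send is this example's own choice.

```python
# Added example (not XMLFILTER's own XSLT): compile the <POLICY> branch into
# sysctl settings and iptables commands. The sample document is constructed.
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<POLICY>
  <ROUTING ip_forwarding="yes" no_source_routing="yes" secure_redirects="yes"/>
  <INPUT_POLICY policy="REJECT"/>
  <OUTPUT_POLICY policy="ACCEPT"/>
  <FORWARD_POLICY policy="DROP"/>
  <IDS catch_invalid="yes" catch_synscan="yes" log="yes" log_martians="yes"/>
  <ANTISPOOF homenet="192.168.1.0/24" extern_if="ppp0"/>
  <STATEFULL statefull_inspection="yes" conntrack_max="16535"/>
</POLICY>"""


def yes(elem, attr):
    """True when the element exists and the attribute is "yes"."""
    return elem is not None and elem.get(attr, "no").lower() == "yes"


def sysctl_settings(policy):
    """Kernel flags behind <ROUTING>, <IDS log_martians> and <STATEFULL>.
    Assumption: the old key net.ipv4.ip_conntrack_max; current kernels
    use net.netfilter.nf_conntrack_max instead."""
    routing, ids, state = (policy.find(t) for t in ("ROUTING", "IDS", "STATEFULL"))
    out = []
    if routing is not None:
        out.append("net.ipv4.ip_forward=%d" % yes(routing, "ip_forwarding"))
        out.append("net.ipv4.conf.all.accept_source_route=%d" % (not yes(routing, "no_source_routing")))
        out.append("net.ipv4.conf.all.secure_redirects=%d" % yes(routing, "secure_redirects"))
    if yes(ids, "log_martians"):
        out.append("net.ipv4.conf.all.log_martians=1")
    if state is not None and state.get("conntrack_max"):
        out.append("net.ipv4.ip_conntrack_max=%d" % int(state.get("conntrack_max")))
    return out


def chain_policy(chain, wanted):
    """iptables -P only takes built-in targets (ACCEPT, DROP), so a REJECT
    policy becomes DROP plus a catch-all REJECT that must stay last in the
    chain. Returns (head commands, tail commands)."""
    if wanted == "REJECT":
        return [f"iptables -P {chain} DROP"], [f"iptables -A {chain} -j REJECT"]
    if wanted in ("ACCEPT", "DROP"):
        return [f"iptables -P {chain} {wanted}"], []
    raise ValueError(f"{chain}: {wanted!r} is not a valid policy")


def antispoof_rules(anti):
    """Drop packets arriving on the external interface that claim a source
    inside the protected network (the kernel's rp_filter is the complement)."""
    if anti is None:
        return []
    net, ext = anti.get("homenet"), anti.get("extern_if")
    return [f"iptables -A {c} -i {ext} -s {net} -j DROP" for c in ("INPUT", "FORWARD")]


def ids_rules(ids):
    """<IDS> flags as rules. catch_synscan is interpreted here as the flag
    combinations no real stack sends (NULL, XMAS, SYN+FIN, SYN+RST); a plain
    SYN scan looks like ordinary connection attempts and needs rate limiting."""
    rules = []
    if ids is None:
        return rules

    def drop(match, prefix):
        if yes(ids, "log"):
            rules.append(f'iptables -A INPUT {match} -m limit --limit 3/minute -j LOG --log-prefix "{prefix}: "')
        rules.append(f"iptables -A INPUT {match} -j DROP")

    if yes(ids, "catch_invalid"):
        drop("-m state --state INVALID", "INVALID")
    if yes(ids, "catch_synscan"):
        for flags in ("ALL NONE", "ALL ALL", "SYN,FIN SYN,FIN", "SYN,RST SYN,RST"):
            drop(f"-p tcp --tcp-flags {flags}", "SCAN")
    return rules


def policy_script(xml_text):
    """Ordered command list: flush, kernel flags, default policies, anti-spoofing,
    IDS rules and finally the catch-all REJECTs. The <GATEWAY>/<FW_HOST> flow
    rules belong between the IDS rules and the tail."""
    policy = ET.fromstring(xml_text.strip())
    if policy.tag != "POLICY":
        raise ValueError("expected a <POLICY> element")
    head = ["iptables -F", "iptables -X"]
    head += [f"sysctl -w {s}" for s in sysctl_settings(policy)]
    tail = []
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        elem = policy.find(chain + "_POLICY")
        h, t = chain_policy(chain, elem.get("policy") if elem is not None else "DROP")
        head += h
        tail += t
    head += antispoof_rules(policy.find("ANTISPOOF"))
    head += ids_rules(policy.find("IDS"))
    return head + tail


if __name__ == "__main__":
    print("\n".join(policy_script(SAMPLE_POLICY)))
```

Running the block prints the script for the sample; note that the INPUT chain ends up with "-P INPUT DROP" followed, at the very end, by "-A INPUT -j REJECT", which is the only way to get REJECT semantics as a default.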


Flow elements

FORWARD element

      The element <FORWARD> is used to set the filtering rules concerning forwarded packets for a given pair of interfaces (input interface and output interface).

      It has two attributes :

in : name of the input interface (eth0, ppp0, ...)
out : name of the output interface (eth0, ppp0, ...)

      It can contain <FILTER_RULE> , <TOS_RULE> , <LOG_RULE> or <NAT_RULE> elements

INPUT element

      The element <INPUT> is used to set the filtering rules concerning incoming packets destined for the firewall host, for a given interface.

      It has one attribute :

in : name of the input interface (eth0, ppp0, ...)

      It can contain <FILTER_RULE> , <TOS_RULE> or <LOG_RULE> elements

OUTPUT element

      The element <OUTPUT> is used to set the filtering rules concerning outgoing packets originating from the firewall (or firewalled host), for a given interface and, optionally, a given process, user or group.

      It has the following attributes :

out : name of the output interface (eth0, ppp0, ...) - mandatory
process : process name (ssh, wget, ...) - optional
user : userid (0, 500, ...) - optional
group : groupid (0, 100, ...) - optional

      The process, user and group attributes rely on the iptables owner match, which only works for locally generated packets, hence only in <OUTPUT>. The process name match depends on the owner match's --cmd-owner option, which was removed from the kernel in 2.6.14; on later kernels only user and group matching remains.

      It can contain <FILTER_RULE> , <TOS_RULE> or <LOG_RULE> elements


Action elements

Element <FILTER_RULE> has the following attributes :

saddress : source IP address to match
daddress : destination IP address to match
proto : protocol (tcp, udp, icmp,..., or protocol number)
tcp_flag : TCP flag (syn, ack, rst, psh, urg, fin)
icmp_type : icmp type (number or name of icmp type, see IPTABLES documentation)
sport : source port number
dport : destination port number
limit : number of packets per time unit, e.g. 20/s, 3/minute, ...
burst : initial/burst number of packets
ttl : matches the IP time to live of the packet
tos : matches the TOS option of the packet
action : what to do with packet (ACCEPT, DROP, REJECT) (mandatory)

      The limit="X/T" and burst="Y" attributes drive a token bucket filter. The bucket starts full with Y tokens; each packet that matches the rule consumes one token, and the bucket is refilled at X tokens per time unit T, never above Y. The rule matches as long as the bucket is not empty; once it is, packets simply fall through to the next rule, so a rate-limited ACCEPT is normally followed by a LOG or DROP rule that handles the excess.
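To see what a rate-limited rule actually does to a burst of packets, here is an added simulation of that token bucket. It is illustrative code written for this page, not Netfilter's limit match nor anything from XMLFILTER (the kernel implementation works with integer credits, but the observable behaviour is the same); the packet arrival times are constructed.

```python
# Added example (not XMLFILTER's or Netfilter's code): simulate the token
# bucket behind limit="X/T" burst="Y" on a constructed sequence of packets.

UNITS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
         "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_limit(spec):
    """'20/s' -> 20.0 tokens per second, '3/minute' -> 0.05 per second."""
    count, _, unit = spec.partition("/")
    return float(count) / UNITS[(unit or "s").lower()]


def limit_match(spec, burst, arrival_times):
    """One bool per packet (arrival times in seconds, non-decreasing): True
    where the limit match fires. The bucket starts with `burst` tokens,
    refills at the configured rate, is capped at `burst`, and each matched
    packet removes one token; a packet that finds the bucket empty does not
    match and would fall through to the next rule."""
    rate = parse_limit(spec)
    tokens = float(burst)
    last = arrival_times[0] if arrival_times else 0.0
    fired = []
    for t in arrival_times:
        tokens = min(float(burst), tokens + (t - last) * rate)
        last = t
        if tokens >= 1.0 - 1e-9:      # tolerate float rounding in the refill
            tokens -= 1.0
            fired.append(True)
        else:
            fired.append(False)
    return fired


if __name__ == "__main__":
    # Constructed arrivals: 8 SYNs at once, then one 20 s and one 21 s later.
    print(limit_match("3/minute", 5, [0] * 8 + [20, 21]))
```

With limit="3/minute" burst="5", the first five packets of a burst match, the next three do not, and one more matches 20 seconds later because 3/minute refills one token every 20 seconds; the packet one second after that finds the bucket empty again.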

Element <NAT_RULE> has the following attributes :

saddress : source IP address to match
daddress : destination IP address to match
proto : protocol (tcp, udp, icmp,..., or protocol number)
tcp_flag : TCP flag (syn, ack, rst, psh, urg, fin)
icmp_type : icmp type (number or name of icmp type, see IPTABLES documentation)
sport : source port number
dport : destination port number
nat_to : translated IP, port number, or the www.xxx.yyy.zzz:mm format
action : what to do with packet (SNAT, DNAT, MASQUERADE) (mandatory)

      The DNAT action does Destination Network Address Translation : it rewrites the destination IP address and/or port number of a packet. DNAT takes place before routing and filtering, so a FILTER_RULE meant to allow the translated traffic must match the translated (internal) address and port, not the original ones.

      The SNAT action does Source Network Address Translation : it rewrites the source IP address (and, if needed, the source port) in the IP header of the packet to the fixed address given in nat_to.

      The MASQUERADE action does dynamic source address and port translation : the source address is rewritten to whatever address the outgoing interface currently has, so it is the right choice for interfaces with a dynamically assigned address (dial-up, DHCP), while SNAT is preferable when the address is fixed.

Element <LOG_RULE> has the following attributes :

saddress : source IP address to match
daddress : destination IP address to match
chain : chain (INPUT, OUTPUT, FORWARD) (mandatory)
proto : protocol (tcp, udp, icmp,..., or protocol number)
tcp_flag : TCP flag (syn, ack, rst, psh, urg, fin)
icmp_type : icmp type (number or name of icmp type, see IPTABLES documentation)
sport : source port number
dport : destination port number
limit : number of packets per time unit, e.g. 20/s, 3/minute, ... (a LOG rule should normally be limited so that an attacker cannot flood the logs)
burst : initial/burst number of packets
ttl : matches the IP time to live of the packet
tos : matches the TOS option of the packet
prefix : text to be inserted at the beginning of the log line
Element <TOS_RULE> has the following attributes :

saddress : source IP address to match
daddress : destination IP address to match
proto : protocol (tcp, udp, icmp,..., or protocol number)
tcp_flag : TCP flag (syn, ack, rst, psh, urg, fin)
icmp_type : icmp type (number or name of icmp type, see IPTABLES documentation)
sport : source port number
dport : destination port number
ttl : matches the IP time to live of the packet
tos : matches the TOS option of the packet
set_tos : type of service to set to the packet

      IP types of service can be set as follows : Minimize-Delay 16 (0x10), Maximize-Throughput 8 (0x08), Maximize-Reliability 4 (0x04), Minimize-Cost 2 (0x02) and Normal-Service 0 (0x00)
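The following is an added example, written for this page and not XMLFILTER's own XSLT sheet, of how the flow elements (<INPUT>, <OUTPUT>, <FORWARD>) and action elements documented above can be compiled into iptables commands, with one user-defined chain per flow element so that a packet only crosses the rules for its own interface(s). The root element name <XMLFILTER>, the chain-naming scheme and the sample document are assumptions made here; the page's DTD is not reproduced.

```python
# Added example (not XMLFILTER's own XSLT): compile flow and action elements
# into iptables commands, one user-defined chain per flow element. The root
# element <XMLFILTER> and the sample document are assumptions for this page.
import xml.etree.ElementTree as ET

SAMPLE = """<XMLFILTER>
  <FW_HOST>
    <INPUT in="eth0">
      <FILTER_RULE proto="tcp" tcp_flag="syn" dport="22" limit="3/minute" burst="5" action="ACCEPT"/>
      <LOG_RULE chain="INPUT" proto="tcp" tcp_flag="syn" dport="22" prefix="ssh-flood"/>
      <FILTER_RULE proto="icmp" icmp_type="echo-request" action="ACCEPT"/>
    </INPUT>
    <OUTPUT out="ppp0" user="500">
      <FILTER_RULE proto="tcp" dport="80" action="ACCEPT"/>
    </OUTPUT>
  </FW_HOST>
  <GATEWAY>
    <FORWARD in="eth0" out="ppp0">
      <NAT_RULE action="MASQUERADE"/>
    </FORWARD>
    <FORWARD in="ppp0" out="eth0">
      <NAT_RULE proto="tcp" dport="80" nat_to="192.168.1.10:8080" action="DNAT"/>
      <FILTER_RULE proto="tcp" daddress="192.168.1.10" dport="8080" action="ACCEPT"/>
    </FORWARD>
  </GATEWAY>
</XMLFILTER>"""

# Attribute -> iptables option, in an order iptables accepts (-p before the
# port options, --limit before --limit-burst).
BEFORE_FLAGS = (("saddress", "-s"), ("daddress", "-d"), ("proto", "-p"))
AFTER_FLAGS = (("icmp_type", "--icmp-type"), ("sport", "--sport"), ("dport", "--dport"),
               ("ttl", "-m ttl --ttl-eq"), ("tos", "-m tos --tos"),
               ("limit", "-m limit --limit"), ("burst", "--limit-burst"))


def match_args(rule):
    """Translate the match attributes shared by all action elements."""
    if rule.get("burst") and not rule.get("limit"):
        raise ValueError("burst= needs limit=")
    args = [f"{opt} {rule.get(a)}" for a, opt in BEFORE_FLAGS if rule.get(a)]
    flag = rule.get("tcp_flag")
    if flag:
        flag = flag.upper()
        args.append("--syn" if flag == "SYN" else f"--tcp-flags {flag} {flag}")
    args += [f"{opt} {rule.get(a)}" for a, opt in AFTER_FLAGS if rule.get(a)]
    return " ".join(args)


def nat_command(flow, rule, match):
    """nat table: DNAT in PREROUTING on the inbound interface, SNAT and
    MASQUERADE in POSTROUTING on the outbound one."""
    action, to = rule.get("action"), rule.get("nat_to")
    if action == "DNAT":
        return f"iptables -t nat -A PREROUTING -i {flow.get('in')}{match} -j DNAT --to-destination {to}"
    target = {"SNAT": f"SNAT --to-source {to}", "MASQUERADE": "MASQUERADE"}[action]
    return f"iptables -t nat -A POSTROUTING -o {flow.get('out')}{match} -j {target}"


def flow_commands(flow):
    """One user chain per flow element, entered only for its interface(s), so
    traffic on other interfaces never crosses these rules."""
    kind = flow.tag                                    # INPUT, OUTPUT or FORWARD
    ifaces = [(o, flow.get(a)) for a, o in (("in", "-i"), ("out", "-o")) if flow.get(a)]
    name = "_".join([kind] + [v for _, v in ifaces])   # e.g. FORWARD_eth0_ppp0
    entry = " ".join(f"{o} {v}" for o, v in ifaces)
    if kind == "OUTPUT":                               # owner match: local packets only
        owner = [(o, flow.get(a)) for a, o in (("user", "--uid-owner"), ("group", "--gid-owner"),
                 ("process", "--cmd-owner")) if flow.get(a)]   # --cmd-owner gone since 2.6.14
        if owner:
            entry += " -m owner " + " ".join(f"{o} {v}" for o, v in owner)
    cmds = [f"iptables -N {name}", f"iptables -A {kind} {entry} -j {name}"]
    for rule in flow:
        m = match_args(rule)
        m = " " + m if m else ""
        if rule.tag == "FILTER_RULE":
            cmds.append(f"iptables -A {name}{m} -j {rule.get('action')}")
        elif rule.tag == "LOG_RULE":                   # chain= must agree with the flow
            if rule.get("chain") not in (None, kind):
                raise ValueError(f"LOG_RULE chain={rule.get('chain')} inside <{kind}>")
            cmds.append(f'iptables -A {name}{m} -j LOG --log-prefix "{rule.get("prefix", name)}: "')
        elif rule.tag == "TOS_RULE":
            cmds.append(f"iptables -t mangle -A {kind} {entry}{m} -j TOS --set-tos {rule.get('set_tos')}")
        elif rule.tag == "NAT_RULE":
            cmds.append(nat_command(flow, rule, m))
    return cmds


def build_script(xml_text):
    """All flow elements of <FW_HOST> and <GATEWAY>, in document order."""
    root = ET.fromstring(xml_text.strip())
    cmds = []
    for branch in ("FW_HOST", "GATEWAY"):
        for flow in root.findall(f"./{branch}/*"):
            cmds += flow_commands(flow)
    return cmds
```

Two details worth checking in the output: the DNAT rule lands in the nat table's PREROUTING chain while the FILTER_RULE that lets the forwarded traffic through matches the translated address 192.168.1.10:8080, because filtering happens after DNAT; and the SSH rule pairs a limited ACCEPT with a LOG of the same match, so the SYNs that exceed the limit are logged before they reach the chain policy.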




DOWNLOAD


XMLFILTER can be downloaded HERE

Depends on :

The following libraries are needed to run xmlfilter.pl :

Install :

The XML::LibXML and XML::LibXSLT Perl modules are included in the xmlfilter package, but more recent versions can be retrieved from CPAN (the Makefile will need to be modified). All modules are installed by "make install" (some Perl modules need to compile their bindings against the GNOME libxml2 library, so gcc is needed).

Run "make install" in the "XMLFILTER" directory to install everything, and "make uninstall" to remove XMLFILTER and the Perl modules.

Editor :

JAXE can be downloaded HERE



CONTACTS


jpgu~AT~users.sourceforge.net



LICENSE


Copyright Jean-Philippe Guillemin.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Please take a look at http://www.gnu.org/copyleft/gpl.html