This section describes how to use the HIP firewall.
If firewall is killed, it leaves rules dangling which may drop some traffic. Check with "iptables -L -n" if there are some HIPFW rules there and no hipfw running ("ps axu|grep hipfw"). You can flush the rules with "hipfw -k" and then pressing CTRL + C. Alternatively, you can just run "/etc/init.d/hipfw stop".
Firewall can be started with "hipfw <file_name>". By default, it drops all HIP traffic and allows all other traffic. You can change the defaults with hipfw command line flags. To get a list of command line flags, give the -h option to hipfw. When you start the firewall the first time, it creates /etc/hip/firewall.conf file which contains an example usage template.
The hipfw must be started before hipd. The correct way to shutdown is to stop hipd first and hipfw then. If you are running the hipfw in a router, you may also need to set /proc/sys/net/ipv6/conf/all/forwarding and /proc/sys/net/ipv4/conf/all/forwarding to 1.
Rules follow (loosely) the syntax of Linux Iptables with following syntax.
Basic format of rule is: HOOK [match] TARGET
Here HOOK is one of the netfilter hooks: "INPUT", "OUTPUT", "FORWARD". Target is either "ACCEPT" or "DROP", whether packet should be allowed or not. Match is a combination of filtering option described below.
Filtering options:
Matches source HIT of packet. HI can be given with --hi option and by defining path to a public key file as an argument. This causes sender signatures to be verified. The file name must contain either "_rsa_" or "_dsa_" to define whether RSA or DSA is used as algorithm.
Matches destination HIT of packet.
Matches HIP packet type. Type is one of following: "I1", "R1", "I2", "R2", "CER", "UPDATE", "NOTIFY", "CLOSE", "CLOSE_ACK"
Matches incoming interface. Argument contains name of the interface. Can not be used for rules in OUTPUT hook as packet has no incoming interface in that case.
Matches outgoing interface. Argument contains name of the interface. Can not be used for rules in INPUT hook as packet has no outgoing interface in that case.
Matches state of HIP association: "NEW" or "ESTABLISHED". ESP packets are also filtered as part of the connection. With "--verify_responder" option the firewall stores responder HI from R1 packet and uses it for verifying signatures in the packets. With --accept_mobile option, the firewall may establish state for existing connection when a mobile host enters the network protected by the firewall. Please see the section called “Hackers Guide to Testing Handovers Manually” to see how mobility events can be tested.
If you get "No buffer space available" errors, please disable all of the firewall debug messages (./configure --disable-debug; make clean all). This can occur when moving large files and the firewall cannot serve with sufficient speed when it has to display debug messages.
Management interface:
Firewall management interface contains functions for altering rules of running firewall. Functions are defined in firewall/rule_management.h and implemented in firewall/rule_management.c. Rule_management.c also contains functions for copying, comparing and freeing rules, etc. If any functions are needed outside the rule_management, they can be defined in the header file.
The argument "hook" in the rule is the Netfilter hook for which rule is intended. The hooks are defined in linux/netfilter_ipv6.h as NF_IP6_LOCAL_IN, NF_IP6_FORWARD, NF_IP6_LOCAL_OUT.
The argument rule is structure describing the rule defined in rule_management.h. The structure contains pointers to options. The pointer value must be NULL, when option is not defined. The structures for options are also defined in rule_management.h. Function: rule * parse_rule(char * string) can be used for creating a rule structure from a string. This also inspects that the rule syntax is correct.
void insert_rule(const struct rule * rule, int hook): Inserts argument rule into with the hook. Insert makes local copy of the argument rule.
int delete_rule(const struct rule * rule, int hook): Deletes the local rule that is equal to the argument rule.
GList * list_rules(int hook): creates a copy of the rule list and returns it. Caller must take care of freeing the returned list.
int flush(int hook): Clears all rules.