FERM(1) | FIREWALL RULES MADE EASY | FERM(1) |
ferm - a firewall rule parser for linux
ferm options inputfile
ferm is a frontend for iptables. It reads the rules from a structured configuration file and calls iptables(8) to insert them into the running kernel.
ferm's goal is to make firewall rules easy to write and easy to read. It tries to reduce the tedious task of writing down rules, thus enabling the firewall administrator to spend more time on developing good rules than the proper implementation of the rule.
To achieve this, ferm uses a simple but powerful configuration language, which allows variables, functions, arrays, and blocks. It also allows you to include other files, allowing you to create libraries of commonly used structures and functions.
ferm, pronounced "firm", stands for "For Easy Rule Making".
This manual page does not intend to teach you how firewalling works and how to write good rules. There is already enough documentation on this topic.
Let's start with a simple example:
chain INPUT { proto tcp ACCEPT; }
This will add a rule to the predefined input chain, matching and accepting all TCP packets. Ok, let's make it more complicated:
chain (INPUT OUTPUT) { proto (udp tcp) ACCEPT; }
This will insert 4 rules, namely 2 in chain input, and 2 in chain output, matching and accepting both UDP and TCP packets. Normally you would type this:
iptables -A INPUT -p tcp -j ACCEPT iptables -A OUTPUT -p tcp -j ACCEPT iptables -A INPUT -p udp -j ACCEPT iptables -A OUTPUT -p udp -j ACCEPT
Note how much less typing we need to do? :-)
Basically, this is all there is to it, although you can make it quite more complex. Something to look at:
chain INPUT { policy ACCEPT; daddr 10.0.0.0/8 proto tcp dport ! ftp jump mychain sport :1023 TOS 4 settos 8 mark 2; daddr 10.0.0.0/8 proto tcp dport ftp REJECT; }
My point here is, that *you* need to make nice rules, keep them readable to you and others, and not make it into a mess.
It would aid the reader if the resulting firewall rules were placed here for reference. Also, you could include the nested version with better readability.
Try using comments to show what you are doing:
# this line enables transparent http-proxying for the internal network: proto tcp if eth0 daddr ! 192.168.0.0/255.255.255.0 dport http REDIRECT to-ports 3128;
You will be thankful for it later!
chain INPUT { policy ACCEPT; interface (eth0 ppp0) { # deny access to notorious hackers, return here if no match # was found to resume normal firewalling jump badguys; protocol tcp jump fw_tcp; protocol udp jump fw_udp; } }
The more you nest, the better it looks. Make sure the order you specify is correct, you would not want to do this:
chain FORWARD { proto ! udp DROP; proto tcp dport ftp ACCEPT; }
because the second rule will never match. The best way is to first specify everything that is allowed, and then deny everything else. Look at the examples for more good snapshots. Most people do something like this:
proto tcp { dport ( ssh http ftp ) ACCEPT; dport 1024:65535 ! syn ACCEPT; DROP; }
The structure of a proper firewall file looks like simplified C-code. Only a few syntactic characters are used in ferm- configuration files. Besides these special characters, ferm uses 'keys' and 'values', think of them as options and parameters, or as variables and values, whatever.
With these words, you define the characteristics of your firewall. Every firewall consists of two things: First, look if network traffic matches certain conditions, and second, what to do with that traffic.
You may specify conditions that are valid for the kernel interface program you are using, probably iptables(8). For instance, in iptables, when you are trying to match TCP packets, you would say:
iptables --protocol tcp
In ferm, this will become:
protocol tcp;
Just typing this in ferm doesn't do anything, you need to tell ferm (actually, you need to tell iptables(8) and the kernel) what to do with any traffic that matches this condition:
iptables --protocol tcp -j ACCEPT
Or, translated to ferm:
protocol tcp ACCEPT;
The ; character is at the end of every ferm rule. Ferm ignores line breaks, meaning the above example is identical to the following:
protocol tcp ACCEPT;
Here's a list of the special characters:
Separated by semicolons, you may write multiple rules in one line, although this decreases readability:
protocol tcp ACCEPT; protocol udp DROP;
The curly brackets contain any number of nested rules. All matches before the block are carried forward to these.
The closing curly bracket finalizes the rule set. You should not write a ';' after that because that would be an empty rule.
Example:
chain INPUT proto icmp { icmp-type echo-request ACCEPT; DROP; }
This block shows two rules inside a block, which will both be merged with anything in front of it so you will get two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp -j DROP
There can be multiple nesting levels:
chain INPUT { proto icmp { icmp-type echo-request ACCEPT; DROP; } daddr 172.16.0.0/12 REJECT; }
Note that the 'REJECT' rule is not affected by 'proto icmp', although there is no ';' after the closing curly brace. Translated to iptables:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp -j DROP iptables -A INPUT -d 172.16.0.0/12 -j REJECT
Example:
protocol ( tcp udp icmp )
this will result in three rules:
... -p tcp ... ... -p udp ... ... -p icmp ...
Only values can be 'listed', so you cannot do something like this:
proto tcp ( ACCEPT LOG );
but you can do this:
chain (INPUT OUTPUT FORWARD) proto (icmp udp tcp) DROP;
(which will result in nine rules!)
Values are separated by spaces. The array symbol is both left- and right-associative, in contrast with the nesting block, which is left-associative only.
LOG log-prefix ' hey, this is my log prefix!';
DNAT to "$myhost:$myport";
In the previous section, we already introduced some basic keywords like "chain", "protocol" and "ACCEPT". Let's explore their nature.
There are three kinds of keywords:
Most matches are followed by a parameter: "proto tcp", "daddr 172.16.0.0/12".
Some targets define more keywords to specify details: "REJECT reject-with icmp-net-unreachable".
Every rule consists of a location and a target, plus any number of matches:
table filter # location proto tcp dport (http https) # match ACCEPT; # target
Strictly speaking, there is a fourth kind: ferm keywords (which control ferm's internal behaviour), but they will be explained later.
Many keywords take parameters. These can be specified as literals, variable references or lists (arrays):
proto udp saddr $TRUSTED_HOSTS; proto tcp dport (http https ssh); LOG log-prefix "funky wardriver alert: ";
Some of them can be negated (lists cannot be negated):
proto !esp; proto udp dport !domain;
Keywords which take no parameters are negated by a prefixed '!':
proto tcp !syn;
Read iptables(8) to see where the ! can be used.
If you specify a non-existing chain here, ferm will add the rule to a custom chain with that name.
To avoid ambiguity, always specify the policies of all predefined chains explicitly.
In many cases, this is faster than just a block, because the kernel may skip a huge block of rules when a precondition is false. Imagine the following example:
table filter chain INPUT { saddr (1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8) { proto tcp dport (http https ssh) ACCEPT; proto udp dport domain ACCEPT; } }
This generates 20 rules. When a packet arrives which does not pass the saddr match, it nonetheless checks all 20 rules. With @subchain, this check is done once, resulting in faster network filtering and less CPU load:
table filter chain INPUT { saddr (1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8) @subchain { proto tcp dport (http https ssh) ACCEPT; proto udp dport domain ACCEPT; } }
Optionally, you may define the name of the sub chain:
saddr (1.2.3.4 2.3.4.5 3.4.5.6) @subchain "foobar" { proto tcp dport (http https ssh) ACCEPT; proto udp dport domain ACCEPT; }
The name can either be a quoted string literal, or an expanded ferm expression such as @cat("interface_", $iface) or @substr($var,0,20).
You can achieve the same by explicitly declaring a custom chain, but you may feel that using @subchain requires less typing.
chain (foo bar) @preserve;
With this option, ferm loads the previous rule set using iptables-save, extracts all "preserved" chains and inserts their data into the output.
"Preserved" chains must not be modified with ferm: no rules and no policies.
Instead of protocol, you can also use the shortcut proto.
Examples:
saddr 192.168.0.0/24 ACCEPT; # (identical to the next one:) saddr 192.168.0.0/255.255.255.0 ACCEPT; daddr my.domain.com ACCEPT;
Fragments are frequently used in DOS attacks because there is no way of finding out the origin of a fragment packet.
This match can be used only after you specified "protocol tcp" or "protocol udp" because only these two protocols actually have ports.
And some examples of valid ports/ranges:
dport 80 ACCEPT; dport http ACCEPT; dport ssh:http ACCEPT; dport 0:1023 ACCEPT; # equivalent to :1023 dport 1023:65535 ACCEPT;
Instead of module, you can also use the shortcut mod.
REJECT; # default to icmp-port-unreachable REJECT reject-with icmp-net-unreachable;
Type "iptables -j REJECT -h" for details.
Netfilter is modular. Modules may provide additional targets and match keywords. The list of netfilter modules is constantly growing, and ferm tries to keep up with supporting them all. This chapter describes modules which are currently supported.
mod account aname mynetwork aaddr 192.168.1.0/24 ashort NOP;
mod addrtype src-type BROADCAST; mod addrtype dst-type LOCAL;
Type "iptables -m addrtype -h" for details.
mod ah ahspi 0x101; mod ah ahspi ! 0x200:0x2ff;
Additional arguments for IPv6:
mod ah ahlen 32 ACCEPT; mod ah ahlen !32 ACCEPT; mod ah ahres ACCEPT;
mod bpf bytecode "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0";
mod cgroup path ! example/path ACCEPT;
The path is relative to the root of the cgroupsv2 hierarchy and is compared against the initial portion of a process' path in the hierarchy.
mod cgroup cgroup 10:10 DROP; mod cgroup cgroup 1048592 DROP;
Matches against the value of "net_cls.classid" set on the process' legacy net_cls cgroup. The class may be specified as a hexadecimal major:minor pair (see tc(8)), or as a decimal, so those two rules are equivalent.
mod comment comment "This is my comment." ACCEPT;
The "mod comment" can be omitted, because ferm inserts it automatically.
mod condition condition (abc def) ACCEPT; mod condition condition !foo ACCEPT;
mod connbytes connbytes 65536: connbytes-dir both connbytes-mode bytes ACCEPT; mod connbytes connbytes !1024:2048 connbytes-dir reply connbytes-mode packets ACCEPT;
Valid values for connbytes-dir: original, reply, both; for connbytes-mode: packets, bytes, avgpkt.
mod connlabel label "name"; mod connlabel label "name" set;
mod connlimit connlimit-above 4 REJECT; mod connlimit connlimit-above !4 ACCEPT; mod connlimit connlimit-above 4 connlimit-mask 24 REJECT; mod connlimit connlimit-upto 4 connlimit-saddr REJECT; mod connlimit connlimit-above 4 connlimit-daddr REJECT;
mod connmark mark 64; mod connmark mark 6/7;
mod conntrack ctstate (ESTABLISHED RELATED); mod conntrack ctproto tcp; mod conntrack ctorigsrc 192.168.0.2; mod conntrack ctorigdst 1.2.3.0/24; mod conntrack ctorigsrcport 67; mod conntrack ctorigdstport 22; mod conntrack ctreplsrc 2.3.4.5; mod conntrack ctrepldst ! 3.4.5.6; mod conntrack ctstatus ASSURED; mod conntrack ctexpire 60; mod conntrack ctexpire 180:240;
Type "iptables -m conntrack -h" for details.
mod cpu cpu 0;
proto dccp sport 1234 dport 2345 ACCEPT; proto dccp dccp-types (SYNCACK ACK) ACCEPT; proto dccp dccp-types !REQUEST DROP; proto dccp dccp-option 2 ACCEPT;
mod dscp dscp 11; mod dscp dscp-class AF41;
mod dst dst-len 10; mod dst dst-opts (type1 type2 ...);
mod ecn ecn-tcp-cwr; mod ecn ecn-tcp-ece; mod ecn ecn-ip-ect 2;
Type "iptables -m ecn -h" for details.
mod esp espspi 0x101; mod esp espspi ! 0x200:0x2ff;
mod eui64 ACCEPT;
mod fuzzy lower-limit 10 upper-limit 20 ACCEPT;
mod geoip src-cc "CN,VN,KR,BH,BR,AR,TR,IN,HK" REJECT; mod geoip dst-cc "DE,FR,CH,AT" ACCEPT;
mod hbh hbh-len 8 ACCEPT; mod hbh hbh-len !8 ACCEPT; mod hbh hbh-opts (1:4 2:8) ACCEPT;
mod hl hl-eq (8 10) ACCEPT; mod hl hl-eq !5 ACCEPT; mod hl hl-gt 15 ACCEPT; mod hl hl-lt 2 ACCEPT;
mod helper helper irc ACCEPT; mod helper helper ftp-21 ACCEPT;
proto icmp icmp-type echo-request ACCEPT;
This option can also be used in be ip6 domain, although this is called icmpv6 in ip6tables.
Use "iptables -p icmp "-h"" to obtain a list of valid ICMP types.
mod iprange src-range 192.168.2.0-192.168.3.255; mod iprange dst-range ! 192.168.6.0-192.168.6.255;
mod ipv4options ssrr ACCEPT; mod ipv4options lsrr ACCEPT; mod ipv4options no-srr ACCEPT; mod ipv4options !rr ACCEPT; mod ipv4options !ts ACCEPT; mod ipv4options !ra ACCEPT; mod ipv4options !any-opt ACCEPT;
mod ipv6header header !(hop frag) ACCEPT; mod ipv6header header (auth dst) ACCEPT;
mod hashlimit hashlimit 10/minute hashlimit-burst 30/minute hashlimit-mode dstip hashlimit-name foobar ACCEPT;
Possible values for hashlimit-mode: dstip dstport srcip srcport (or a list with more than one of these).
There are more possible settings, type "iptables -m hashlimit -h" for documentation.
mod ipvs ipvs ACCEPT; # packet belongs to an IPVS connection mod ipvs vproto tcp ACCEPT; # VIP protocol to match; by number or name, e.g. "tcp mod ipvs vaddr 1.2.3.4/24 ACCEPT; # VIP address to match mod ipvs vport http ACCEPT; # VIP port to match mod ipvs vdir ORIGINAL ACCEPT; # flow direction of packet mod ipvs vmethod GATE ACCEPT; # IPVS forwarding method used mod ipvs vportctl 80; # VIP port of the controlling connection to match
mod length length 128; # exactly 128 bytes mod length length 512:768; # range mod length length ! 256; # negated
mod limit limit 1/second; mod limit limit 15/minute limit-burst 10;
Type "iptables -m limit -h" for details.
mod mac mac-source 01:23:45:67:89;
mod mark mark 42;
proto mh mh-type binding-update ACCEPT;
mod multiport source-ports (https ftp); mod multiport destination-ports (mysql domain);
This rule has a big advantage over "dport" and "sport": it generates only one rule for up to 15 ports instead of one rule for every port.
As a shortcut, you can use "sports" and "dports" (without "mod multiport"):
sports (https ftp); dports (mysql domain);
mod nth every 3; mod nth counter 5 every 2; mod nth start 2 every 3; mod nth start 5 packet 2 every 6;
Type "iptables -m nth -h" for details.
mod osf genre Linux; mod osf ! genre FreeBSD ttl 1 log 1;
Type "iptables -m osf -h" for details.
mod owner uid-owner 0; mod owner gid-owner 1000; mod owner pid-owner 5432; mod owner sid-owner 6543; mod owner cmd-owner "sendmail";
("cmd-owner", "pid-owner" and "sid-owner" require special kernel patches not included in the vanilla Linux kernel)
mod physdev physdev-in ppp1; mod physdev physdev-out eth2; mod physdev physdev-is-in; mod physdev physdev-is-out; mod physdev physdev-is-bridged;
mod pkttype pkt-type unicast; mod pkttype pkt-type broadcast; mod pkttype pkt-type multicast;
mod policy dir out pol ipsec ACCEPT; mod policy strict reqid 23 spi 0x10 proto ah ACCEPT; mod policy mode tunnel tunnel-src 192.168.1.2 ACCEPT; mod policy mode tunnel tunnel-dst 192.168.2.1 ACCEPT; mod policy strict next reqid 24 spi 0x11 ACCEPT;
Note that the keyword proto is also used as a shorthand version of protocol (built-in match module). You can fix this conflict by always using the long keyword protocol.
mod psd psd-weight-threshold 21 psd-delay-threshold 300 psd-lo-ports-weight 3 psd-hi-ports-weight 1 DROP;
mod quota quota 65536 ACCEPT;
mod random average 70;
mod realm realm 3;
mod recent set; mod recent rcheck seconds 60; mod recent set rsource name "badguy"; mod recent set rdest; mod recent rcheck rsource name "badguy" seconds 60; mod recent update seconds 120 hitcount 3 rttl; mod recent mask 255.255.255.0 reap;
This netfilter module has a design flaw: although it is implemented as a match module, it has target-like behaviour when using the "set" keyword.
<http://snowman.net/projects/ipt_recent/>
mod rpfilter proto tcp loose RETURN; mod rpfilter validmark accept-local RETURN; mod rpfilter invert DROP;
This netfilter module is the preferred way to perform reverse path filtering for IPv6, and a powerful alternative to checks controlled by sysctl net.ipv4.conf.*.rp_filter.
mod rt rt-type 2 rt-len 20 ACCEPT; mod rt rt-type !2 rt-len !20 ACCEPT; mod rt rt-segsleft 2:3 ACCEPT; mod rt rt-segsleft !4:5 ACCEPT; mod rt rt-0-res rt-0-addrs (::1 ::2) rt-0-not-strict ACCEPT;
proto sctp sport 1234 dport 2345 ACCEPT; proto sctp chunk-types only DATA:Be ACCEPT; proto sctp chunk-types any (INIT INIT_ACK) ACCEPT; proto sctp chunk-types !all (HEARTBEAT) ACCEPT;
Use "iptables -p sctp "-h"" to obtain a list of valid chunk types.
mod set set badguys src DROP;
See <http://ipset.netfilter.org/> for more information.
mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT;
Type "iptables -m state -h" for details.
mod statistic mode random probability 0.8 ACCEPT; mod statistic mode nth every 5 packet 0 DROP;
mod string string "foo bar" ACCEPT; mod string algo kmp from 64 to 128 hex-string "deadbeef" ACCEPT;
proto tcp sport 1234; proto tcp dport 2345; proto tcp tcp-flags (SYN ACK) SYN; proto tcp tcp-flags ! (SYN ACK) SYN; proto tcp tcp-flags ALL (RST ACK); proto tcp syn; proto tcp tcp-option 2; proto tcp mss 512;
Type "iptables -p tcp -h" for details.
mod tcpmss mss 123 ACCEPT; mod tcpmss mss 234:567 ACCEPT;
mod time timestart 12:00; mod time timestop 13:30; mod time timestart 22:00 timestop 07:00 contiguous; mod time days (Mon Wed Fri); mod time datestart 2005:01:01; mod time datestart 2005:01:01:23:59:59; mod time datestop 2005:04:01; mod time monthday (30 31); mod time weekdays (Wed Thu); mod time timestart 12:00; mod time timestart 12:00 kerneltz;
Type "iptables -m time -h" for details.
mod tos tos Minimize-Cost ACCEPT; mod tos tos !Normal-Service ACCEPT;
Type "iptables -m tos -h" for details.
mod ttl ttl-eq 12; # ttl equals mod ttl ttl-gt 10; # ttl greater than mod ttl ttl-lt 16; # ttl less than
mod u32 u32 '6&0xFF=1' ACCEPT; mod u32 u32 ('27&0x8f=7' '31=0x527c4833') DROP;
The following additional targets are available in ferm, provided that you enabled them in your kernel:
CHECKSUM checksum-fill;
CLASSIFY set-class 3:50;
CLUSTERIP new hashmode sourceip clustermac 00:12:34:45:67:89 total-nodes 4 local-node 2 hash-init 12345;
CONNMARK set-xmark 42/0xff; CONNMARK set-mark 42; CONNMARK save-mark; CONNMARK restore-mark; CONNMARK save-mark nfmask 0xff ctmask 0xff; CONNMARK save-mark mask 0x7fff; CONNMARK restore-mark mask 0x8000; CONNMARK and-mark 0x7; CONNMARK or-mark 0x4; CONNMARK xor-mark 0x7; CONNMARK and-mark 0x7;
CONNSECMARK save; CONNSECMARK restore;
DNAT to 10.0.0.4; DNAT to 10.0.0.4:80; DNAT to 10.0.0.4:1024-2048; DNAT to 10.0.1.1-10.0.1.20;
DNPT src-pfx 2001:42::/16 dst-pfx 2002:42::/16;
ECN ecn-tcp-remove;
HL hl-set 5; HL hl-dec 2; HL hl-inc 1;
HMARK hmark-tuple "src" hmark-mod "1" hmark-offset "1" hmark-src-prefix 192.168.1.0/24 hmark-dst-prefix 192.168.2.0/24 hmark-sport-mask 0x1234 hmark-dport-mask 0x2345 hmark-spi-mask 0xdeadbeef hmark-proto-mask 0x42 hmark-rnd 0xcoffee;
IDLETIMER timeout 60 label "foo";
IPV4OPTSSTRIP;
LED led-trigger-id "foo" led-delay 100 led-always-blink;
LOG log-level warning log-prefix "Look at this: "; LOG log-tcp-sequence log-tcp-options; LOG log-ip-options;
MARK set-mark 42; MARK set-xmark 7/3; MARK and-mark 31; MARK or-mark 1; MARK xor-mark 12;
MASQUERADE; MASQUERADE to-ports 1234:2345; MASQUERADE to-ports 1234:2345 random;
MIRROR;
NETMAP to 192.168.2.0/24;
proto tcp dport (135:139 445) NOTRACK;
RATEEST rateest-name "foo" rateest-interval 60s rateest-ewmalog 100; proto tcp dport (135:139 445) NOTRACK;
NFLOG nflog-group 5 nflog-prefix "Look at this: "; NFLOG nflog-range 256; NFLOG nflog-threshold 10;
proto tcp dport ftp NFQUEUE queue-num 20;
proto tcp dport ftp QUEUE;
proto tcp dport http REDIRECT to-ports 3128; proto tcp dport http REDIRECT to-ports 3128 random;
SAME to 1.2.3.4-1.2.3.7; SAME to 1.2.3.8-1.2.3.15 nodst; SAME to 1.2.3.16-1.2.3.31 random;
SECMARK selctx "system_u:object_r:httpd_packet_t:s0";
proto icmp icmp-type echo-request SET add-set badguys src; SET add-set "foo" timeout 60 exist;
SNAT to 1.2.3.4; SNAT to 1.2.3.4:20000-30000; SNAT to 1.2.3.4 random;
SNPT src-pfx 2001:42::/16 dst-pfx 2002:42::/16;
SYNPROXY wscale 7 mss 1460 timestamp sack-perm
TCPMSS set-mss 1400; TCPMSS clamp-mss-to-pmtu;
TCPOPTSTRIP strip-options (option1 option2 ...);
TOS set-tos Maximize-Throughput; TOS and-tos 7; TOS or-tos 1; TOS xor-tos 4;
Type "iptables -j TOS -h" for details.
TTL ttl-set 16; TTL ttl-dec 1; # decrease by 1 TTL ttl-inc 4; # increase by 4
ULOG ulog-nlgroup 5 ulog-prefix "Look at this: "; ULOG ulog-cprange 256; ULOG ulog-qthreshold 10;
Since version 2.0, ferm supports not only ip and ip6, but also arp (ARP tables) and eb (ethernet bridging tables). The concepts are similar to iptables.
chain INPUT h-length 64 ACCEPT;
opcode 9 ACCEPT;
h-type 1 ACCEPT;
proto-type 0x800 ACCEPT;
Please note that there is a conflict between --mark from the mark_m match module and -j mark. Since both would be implemented with the ferm keyword mark, we decided to solve this by writing the target's name in uppercase, like in the other domains. The following example rewrites mark 1 to 2:
mark 1 MARK 2;
In complex firewall files, it is helpful to use variables, e.g. to give a network interface a meaningful name.
To set variables, write:
@def $DEV_INTERNET = eth0; @def $PORTS = (http ftp); @def $MORE_PORTS = ($PORTS 8080);
In the real ferm code, variables are used like any other keyword parameter:
chain INPUT interface $DEV_INTERNET proto tcp dport $MORE_PORTS ACCEPT;
Note that variables can only be used in keyword parameters ("192.168.1.1", "http"); they cannot contain ferm keywords like "proto" or "interface".
Variables are only valid in the current block:
@def $DEV_INTERNET = eth1; chain INPUT { proto tcp { @def $DEV_INTERNET = ppp0; interface $DEV_INTERNET dport http ACCEPT; } interface $DEV_INTERNET DROP; }
will be expanded to:
chain INPUT { proto tcp { interface ppp0 dport http ACCEPT; } interface eth1 DROP; }
The "def $DEV_INTERNET = ppp0" is only valid in the "proto tcp" block; the parent block still knows "set $DEV_INTERNET = eth1".
Include files are special - variables declared in an included file are still available in the calling block. This is useful when you include a file which only declares variables.
Some variables are set internally by ferm. Ferm scripts can use them just like any other variable.
@def &log($msg) = { LOG log-prefix "rule=$msg:$LINE "; } . . . &log("log message");
Functions are similar to variables, except that they may have parameters, and they provide ferm commands, not values.
@def &FOO() = proto (tcp udp) dport domain; &FOO() ACCEPT; @def &TCP_TUNNEL($port, $dest) = { table filter chain FORWARD interface ppp0 proto tcp dport $port daddr $dest outerface eth0 ACCEPT; table nat chain PREROUTING interface ppp0 proto tcp dport $port daddr 1.2.3.4 DNAT to $dest; } &TCP_TUNNEL(http, 192.168.1.33); &TCP_TUNNEL(ftp, 192.168.1.30); &TCP_TUNNEL((ssh smtp), 192.168.1.2);
A function call which contains a block (like '{...}') must be the last command in a ferm rule, i.e. it must be followed by ';'. The '&FOO()' example does not contain a block, thus you may write 'ACCEPT' after the call. To circumvent this, you can reorder the keywords:
@def &IPSEC() = { proto (esp ah); proto udp dport 500; } chain INPUT ACCEPT &IPSEC();
With backticks, you may use the output of an external command:
@def $DNSSERVERS = `grep nameserver /etc/resolv.conf | awk '{print $2}'`; chain INPUT proto tcp saddr $DNSSERVERS ACCEPT;
The command is executed with the shell (/bin/sh), just like backticks in Perl. ferm does not do any variable expansion here.
The output is then tokenized and saved as a ferm list (array). Lines beginning with '#' are ignored; the other lines may contain any number of values, separated by whitespace.
The @include keyword allows you to include external files:
@include 'vars.ferm';
The file name is relative to the calling file, e.g. when including from /etc/ferm/ferm.conf, the above statement includes /etc/ferm/vars.ferm. Variables and functions declared in an included file are still available in the calling file.
include works within a block:
chain INPUT { @include 'input.ferm'; }
If you specify a directory (with a trailing '/'), all files in this directory are included, sorted alphabetically:
@include 'ferm.d/';
The function @glob can be used to expand wildcards:
@include @glob('*.include');
With a trailing pipe symbol, ferm executes a shell command and parses its output:
@include "/root/generate_ferm_rules.sh $HOSTNAME|"
ferm aborts, if return code is not 0.
The keyword @if introduces a conditional expression:
@if $condition DROP;
A value is evaluated true just like in Perl: zero, empty list, empty string are false, everything else is true. Examples for true values:
(a b); 1; 'foo'; (0 0)
Examples for false values:
(); 0; '0'; ''
There is also @else:
@if $condition DROP; @else REJECT;
Note the semicolon before the @else.
It is possible to use curly braces after either @if or @else:
@if $condition { MARK set-mark 2; RETURN; } @else { MARK set-mark 3; }
Since the closing curly brace also finishes the command, there is no need for a semicolon.
There is no @elsif, use @else @if instead.
Example:
@def $have_ipv6 = `test -f /proc/net/ip6_tables_names && echo 1 || echo`; @if $have_ipv6 { domain ip6 { # .... } }
To run custom commands, you may install hooks:
@hook pre "echo 0 >/proc/sys/net/ipv4/conf/eth0/forwarding"; @hook post "echo 1 >/proc/sys/net/ipv4/conf/eth0/forwarding"; @hook flush "echo 0 >/proc/sys/net/ipv4/conf/eth0/forwarding";
The specified command is executed using the shell. "pre" means run the command before applying the firewall rules, and "post" means run the command afterwards. "flush" hooks are run after ferm has flushed the firewall rules (option --flush). You may install any number of hooks.
There are several built-in functions which you might find useful.
Tests if the variable or function is defined.
@def $a = 'foo'; @if @defined($a) good; @if @not(@defined($a)) bad; @if @defined(&funcname) good;
Tests two values for equality. Example:
@if @eq($DOMAIN, ip6) DROP;
Similar to @eq, this tests for non-equality.
Negates a boolean value.
Usually, hostnames are resolved by iptables. To let ferm resolve hostnames, use the function @resolve:
saddr @resolve(my.host.foo) proto tcp dport ssh ACCEPT; saddr @resolve((another.host.foo third.host.foo)) proto tcp dport openvpn ACCEPT; daddr @resolve(ipv6.google.com, AAAA) proto tcp dport http ACCEPT;
Note the double parentheses in the second line: the inner pair for creating a ferm list, and the outer pair as function parameter delimiters.
The second parameter is optional and specifies the DNS record type. The default is "A" for domain ip and "AAAA" for domain ip6.
Be careful with resolved hostnames in the firewall configuration. DNS requests may block the firewall configuration for a long time, leaving the machine vulnerable, or they may fail.
Concatenate all parameters into one string.
Join all parameters into one string, separated by the given separator string.
Extracts a substring out of expression and returns it. First character is at offset 0. If OFFSET is negative, starts that far from the end of the string.
Returns the length in characters of the value of EXPR.
Return the base name of the file for a given path (File::Spec::splitpath).
Return the name of the last directory for a given path, assuming the last component is a file name (File::Spec::splitpath).
Expand shell wildcards in the given paths (assumed to be relative to the current script). Returns a list of matching files. This function is useful as a parameter of @include.
Filters out the IP addresses that obviously do not match the current domain. That is useful to create common variables and rules for IPv4 and IPv6:
@def $TRUSTED_HOSTS = (192.168.0.40 2001:abcd:ef::40); domain (ip ip6) chain INPUT { saddr @ipfilter($TRUSTED_HOSTS) proto tcp dport ssh ACCEPT; }
The ./examples/ directory contains numerous ferm configuration which can be used to begin a new firewall. This section contains more samples, recipes and tricks.
Ferm functions make routine tasks quick and easy:
@def &FORWARD_TCP($proto, $port, $dest) = { table filter chain FORWARD interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT; table nat chain PREROUTING interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest; } &FORWARD_TCP(tcp, http, 192.168.1.2); &FORWARD_TCP(tcp, smtp, 192.168.1.3); &FORWARD_TCP((tcp udp), domain, 192.168.1.4);
If the target machine is not able to run ferm for some reason (maybe an embedded device without Perl), you can edit the ferm configuration file on another computer and let ferm generate a shell script there.
Example for OpenWRT:
ferm --remote --shell mywrt/ferm.conf >mywrt/firewall.user chmod +x mywrt/firewall.user scp mywrt/firewall.user mywrt.local.net:/etc/ ssh mywrt.local.net /etc/firewall.user
Fast mode is enabled by default since ferm 2.0, deprecating this option.
Linux 2.4 or newer, with netfilter support and all netfilter modules used by your firewall script
iptables and perl 5.6
Bugs? What bugs?
If you find a bug, please report it on GitHub: <https://github.com/MaxKellermann/ferm/issues>
Copyright 2001-2017 Max Kellermann <max.kellermann@gmail.com>, Auke Kok <sofar@foo-projects.org> and various other contributors.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Max Kellermann <max.kellermann@gmail.com>, Auke Kok <sofar@foo-projects.org>
2022-10-15 | ferm 2.5.1 |