iptables-restore.
## Configuration File Processing
Awall reads its configuration from multiple JSON-formatted files,
called *policy files*. The files located in directory
`/usr/share/awall/mandatory` are *mandatory* policies shipped with APK
packages. In addition, there can be installation-specific mandatory
policies in `/etc/awall`.
The latter directory may also contain symbolic links to policy files
located in `/usr/share/awall/optional` and
`/etc/awall/optional`. These are *optional* policies, which can be
enabled on need basis. Such symbolic links are easily created and
destroyed using the `awall enable` and `awall disable`
commands. `awall list` shows which optional policies are enabled and
disabled. The command also prints the description of the optional
policy if defined in the file using a top-level attribute named
**description**.
Sometimes a policy file depends on other policy files. In this case,
the policy file must have a top-level attribute **import**, the value
of which is a list of policy names, which correspond to the file names
without the `.json` suffix. The imported policies may be either
optional policies or *private* policies, located in
`/usr/share/awall/private` or `/etc/awall/private`. By default, the
policies listed there are processed before the importing policy.
The order of the generated iptables rules generally reflects the
processing order of their corresponding awall policies. The processing
order of policies can be adjusted by defining top-level attributes
**after** and **before** in policy files. These attributes are lists
of policies, after or before which the declaring policy shall be
processed. Putting a policy name to either of these lists does not by
itself import the policy. The ordering directives are ignored with
respect to those policies that are not enabled by the user or imported
by other policies. If not defined, **after** is assumed to be equal to
the relative complement of the **before** definition in the **import**
definition of the policy.
As the import directive does not require the path name to be
specified, awall expects policies to have unique names, even if
located in different directories. It is allowed to import optional
policies that are not explicitly enabled by the user. Such policies
show up with the `required` status in the output of `awall list`.
## List Parameters
Several awall parameters are defined as lists of values. In order to
facilitate manual editing of policy files, awall also accepts single
values in place of lists. Such values are semantically equivalent to
lists containing one element.
## Variable Expansion
Awall allows variable definitions in policy files. The top-level
attribute **variable** is a dictionary containing the definitions. The
value of a variable can be of any type (string, integer, list, or
dictionary).
A variable is referenced in policy files by a string which equals the
variable name prepended with the **$** character. If the value of the
variable is a string, the reference can be embedded into a longer
string in order to substitute some part of that string (in shell
style). Variable references can be used when defining other variables,
as long as the definitions are not circular.
Policy files can reference variables defined in other policy
files. Policy files can also override variables defined elsewhere by
redefining them. In this case, the new definition affects all policy
files, also those processed before the overriding policy. Awall
variables are in fact simple macros, since each variable remains
constant thoughout a single processing round. If multiple files define
the same variable, the definition in the file processed last takes
effect.
If defined as an empty string, all non-embedded references to a
variable evaluate as if the attribute in question was not present in
the configuration. This is also the case when a string containing
embedded variable references finally evaluates to an empty string.
## Configuration Objects
Configuration objects can be divided into two main types. *Auxiliary
objects* model high-level concepts such as services and zones. *Rule
objects* translate into one or more iptables rules, and are often
defined with the help of some auxiliary objects.
### Services
A *service* represents a set of network protocols. A top-level
attribute **service** is a dictionary that maps service names to
service definition objects, or lists thereof in more complex cases.
A service definition object contains an attribute named **proto**,
which corresponds to the `--protocol` option of iptables. The protocol
can be defined as a numerical value or string as defined in
`/etc/protocols`. If the protocol is **tcp** or **udp**, the scope of
the service definition may be constrained by defining an attribute
named **port**, which is a list of TCP or UDP port numbers or ranges
thereof, separated by the **-** character. If the protocol is **icmp**
or **icmpv6**, an analogous **type** attribute may be used. The
replies to ICMP messages have their own type codes, which may be
specified using the **reply-type** attribute.
If the protocol is **icmp** or **icmpv6**, the scope of the rule is
also automatically limited to IPv4 or IPv6, respectively. There are
also other services which are specific to IPv4 or IPv6. To constrain
the scope of the service definition to either protocol version, an
optional **family** attribute can be set to value **inet** or
**inet6**, respectively.
Some services require the server or client to open additional
connections to dynamically allocated ports or even different
hosts. *Connection tracking helpers* are used to make the firewall
aware of such additional connections. The **ct-helper** attribute is
used to associate such a helper to a service definition when required
by the service.
All rule objects, except for policies, may have an attribute named
**service**, constraining the rule's scope to specific services
only. This attribute is a list of service names, referring to the keys
of the top-level service dictionary.
### Zones
A *zone* represents a set of network hosts. A top-level attribute
**zone** is a dictionary that maps zone names to zone objects. A zone
object has any combination of attributes named **iface**, **addr**,
and **ipsec**. **iface** is a list of network interfaces and **addr**
is a list of IPv4/IPv6 host and network addresses (CIDR notation).
**addr** may also contain domain names, which are expanded to IP
addresses using DNS resolution. If not defined, **addr** defaults to
the entire address space and **iface** to all interfaces. An empty
zone can be defined by setting either **addr** or **iface** to an
empty list.
Rule objects contain two attributes, **in** and **out**, which are
lists of zone names. These attributes control whether a packet matches
the rule or not. If a particular zone is referenced by the **in**
attribute, the rule applies to packets whose ingress interface and
source address are covered by the zone definition. Correspondingly, if
a zone is referenced by the **out** attribute, the rule applies to
packets whose egress interface and destination address are included in
the zone. If both **in** and **out** are defined, the packet must
fulfill both criteria in order to match the rule.
The firewall host itself can be referred to using the special value
**_fw** as the zone name.
In general, it is not necessary to define rules for both directions of
traffic. Awall policies are supposed to declare explicit rules in one
direction, such that the **in** zone points to the client and **out**
to the server side of the service, that is, the side where the TCP/UDP
port or ICMP type matches the [service definition](#service). The
necessary iptables rules for the opposite direction are automatically
deduced.
By default, awall does not generate iptables rules with identical
ingress and egress interfaces. This behavior can be changed per zone
by setting the optional **route-back** attribute of the zone to
**true**. Note that this attribute can have an effect also in the case
where **in** and **out** attributes of a rule are not equal but their
definitions overlap. In this case, the **route-back** attribute of the
**out** zone determines the behavior.
If used, the **ipsec** attribute is used to exclude from the zone any
traffic that is or is not subject to IPsec processing. If set to
**true** in the **in** zone, only the packets subject to IPsec
decapsulation are considered originating from the zone. In the **out**
zone, only the packets subject to IPsec encapsulation will be included
if **ipsec** is set to **true**. The value of **false** would exclude
any traffic requiring IPsec processing towards the respective
direction.
### Limits
A *limit* specifies the maximum rate for a flow of packets or new
connections. Unlike the other auxiliary objects, limits are not named
members of a top-level dictionary but are embedded into other objects.
In its simplest form, a limit definition is an integer specifying the
maximum number of packets or connections per second. More complex
limits are defined as objects, where the **count** attribute defines
the maximum during an interval defined by the **interval**
attribute. The unit of the **interval** attribute is second, and the
default value is 1. The default value for **count** is 1 as well.
The maximum rate defined by a limit may be absolute or specific to
blocks of IP addresses or pairs thereof. The number of most
significant bits taken into account when mapping the source and
destination IP addresses to blocks can be specified with the
**src-mask** and **dest-mask** attributes, respectively. If set to
**true** (boolean), all bits are considered. The value of **false**
causes the respective address to be ignored. Address
family–specific prefix lengths can be set by defining the mask
as an object with attributes named **inet** and **inet6**.
The default behavior with respect to the masks depends on the type of
the enclosing object. For [filters](#filter), the default behavior is
to apply the limit for each source address separately. For [logging
classes](#log), the limit is considered absolute by default.
The packet rates contributing to the limit may be summed over multiple
[filters](#filter). This can be achieved by setting the optional
**name** attribute to equal values among the related limits. If the
**update** attribute is set to **false** (boolean), the rates measured
at this limit are not included in the sum, but the referred sum is
used to make the limiting decision. Named limits may be specific only
to fixed-size blocks of either the source or the destination address,
not both. However, the address to be considered may vary among the
rules using the limit and may be selected by setting an attribute
named **addr** to either **src** (default) or **dest**. By default,
all bits of the selected address are taken into account, but address
family–specific prefix lengths can be set via the top-level
**limit** dictionary, where the keys correspond to limit names and
values follow the syntax of **src-mask** and **dest-mask**.
### Logging Classes
A *logging class* specifies how packets matching certain rules are
logged. A top-level attribute **log** is a dictionary that maps
logging class names to setting objects.
A setting object may have an attribute named **mode**, which specifies
which logging facility to use. Allowed values are **log**, **nflog**,
**ulog**, and **none**. The default is **log**, i.e. in-kernel
logging.
The following table shows the optional attributes valid for all
logging modes:
| Attribute | Description |
|---|---|
| every | Divide successive packets into groups, the size of which is specified by the value of this attribute, and log only the first packet of each group |
| limit | Maximum number of packets to be logged defined as limit |
| prefix | String with which the log entries are prefixed |
| probability | Probability for logging an individual packet (default: 1) |
| Attribute | Description |
|---|---|
| group | Netlink group to be used |
| range | Number of bytes to be copied |
| threshold | Number of packets to queue inside the kernel before copying them |
| Attribute | Description | Effect |
|---|---|---|
| src | Similar to addr attribute of zone objects | Packet's source address matches the value |
| dest | Similar to addr attribute of zone objects | Packet's destination address matches the value |
| ipset | Object containing two attributes: name referring to an IP set and args, which is a list of strings in and out | Packet matches the IP set referred here when the match arguments are taken from the source (in) and destination (out) address or port in the order specified by args |
| string | String or object containing at least an attribute named match and optionally one or more of the following: algo, from, and to. | Packet contains the given plain string or the one defined by the match attribute. Attributes from and to can be used to constrain the search to the specific byte range of the packet. The used algorithm may be selected using the algo attribute. The allowed values are bm for Boyer–Moore (default) and kmp for Knuth–Pratt–Morris. |
| Value | Action |
|---|---|
| accept | Accept the packet (default) |
| reject | Reject the packet with an ICMP error message |
| drop | Silently drop the packet |
| tarpit | Put incoming TCP connections into persist state and ignore attempts to close them. Silently drop non-TCP packets. (Connection tracking bypass is automatically enabled for the matching packets.) |
| pass | No action |
iptables-restore before overwriting the old
files.
Specifying the output directory allows testing awall policies without
overwriting the current iptables and ipset configuration files. By
default, awall generates the configuration to `/etc/iptables` and
`/etc/ipset.d`, which are read by the init scripts.
### Run-Time Configuration of Firewall
**awall activate** \[**-f** | **--force**\]
This command genereates firewall configuration from the policy files
and enables it. If the user confirms the new configuration by hitting
the Return key within 10 seconds or the `--force` option is used, the
configuration is saved to the files. Otherwise, the old configuration
is restored.
**awall flush** \[**-a** | **--all**\]
Normally, this command deletes all firewall rules and configures it to
drop all packets.
If awall is configured to [co-exist with other firewall management
tools](#dedicated), this command flushes only the rules installed by
awall. Specifying `--all` overrides this behavior and causes all rules
to be flushed.
### Optional Policies
Optional policies can be enabled or disabled using this command:
**awall** {**enable** | **disable**} POLICY...
Optional policies can be listed using this command:
**awall list** \[**-a** | **--all**\]
The **enabled** status means that the policy has been enabled by the
user. The **disabled** status means that the policy is not in use. The
**required** status means that the policy has not been enabled by the
user but is in use because it is required by another policy which is
in use.
Normally, the command lists only optional policies. Specifying `--all`
makes it list all policies and more information about them.
### Debugging Policies
This command can be used to dump variable, zone, and other definitions
as well as their source policies:
**awall dump** \[LEVEL\]
The level is an integer in range 0–5 and defaults to 0. More
information is displayed on higher levels.
**awall diff** \[ **-o** | **--output** DIRECTORY]
Displays the difference in the input policy files and generated output
files since the last **translate** or **activate** command.
When the `--output` option is used, the updated configuration is
compared to the generated files in the specified directory (generated
by the equivalent **translate** command).
## Default Policies
Awall ships with a set of optional policies, which can be used as the
basis for firewall configuration:
| Name | Description |
|---|---|
| adp-clamp-mss | Clamp MSS on WAN |
| adp-dhcp | Allow DHCP on specified zones |
| adp-http-server | Allow HTTP server on the firewall host |
| adp-local-outbound | Policy for local outbound traffic |
| adp-ntp-client | Allow DNS and NTP clients on the firewall host |
| adp-ping | Allow ICMP echo request. On WAN, rate is limited to 3 packets per second. |
| adp-router | Routing policy from LAN to WAN, possibly with NAT. Prevent LAN address spoofing from WAN. |
| adp-ssh-client | Allow SSH clients on the firewall host |
| adp-ssh-server | Allow SSH server on the firewall host. On WAN, rate is limited to 1 connection per 10 seconds. |
| adp-web-client | Allow DNS, HTTP, and HTTPS from specified zones to WAN |
| Name | Used by | Description |
|---|---|---|
| adp-lan | adp-router | Local Area Network (LAN), defined by variables prefixed with adp_lan_ |
| adp-wan |
adp-clamp-mss adp-ping adp-router adp-ssh-server adp-web-client |
Wide Area Network (WAN), to be defined in adp-config |
| Name | Used by | Description |
|---|---|---|
| adp_dhcp_zones | adp-dhcp | Zones on which DHCP is allowed |
| adp_lan_addrs | adp-router | LAN addresses |
| adp_lan_ifaces | adp-router | LAN interfaces | adp_lan_private_addrs | adp-router | Private LAN addresses for which NAT must be applied when routing to WAN |
| adp_local_policy | adp-local-outbound | Policy for local outbound traffic, defaults to reject |
| adp_router_policy | adp-router | Routing policy from LAN to WAN |
| adp_web_client_zones | adp-web-client | Zones on which web clients are allowed, defaults to the firewall host only |