Updated README.
109
README.md
@@ -1,6 +1,113 @@
|
|||||||
# XDP Firewall
|
# XDP Firewall
|
||||||
## Description
|
## Description
|
||||||
A program made using XDP that is capable of filtering traffic based off of a config file.
|
An XDP firewall designed to read filtering rules based off of a config file. Only supports IPv4 and protocols TCP, UDP, and ICMP at the moment. With that said, the program comes with accepted and blocked packet statistics which can be disabled.
|
||||||
|
|
||||||
|
## Command Line Usage
|
||||||
|
The following command line arguments are supported:
|
||||||
|
|
||||||
|
* `--config -c` => Location to config file. Default => **/etc/xdpfw/xdpfw.conf**.
|
||||||
|
* `--list -l` => List all filtering rules scanned from config file.
|
||||||
|
* `--help -h` => Print help menu for command line options.
|
||||||
|
|
||||||
|
## Configuration File Options
|
||||||
|
### Main
|
||||||
|
* `interface` => The interface for the XDP program to attach to.
|
||||||
|
* `updatetime` => How often to update the config and filtering rules. Leaving this at 0 disables auto-updating.
|
||||||
|
* `nostats` => If true, no accepted/blocked packet statistics will show.
|
||||||
|
|
||||||
|
### Filters
|
||||||
|
Config option `filters` is an array. Each filter includes the following options:
|
||||||
|
|
||||||
|
**Main**
|
||||||
|
* `enabled` => If true, this rule is enabled.
|
||||||
|
* `action` => What action to perform against the packet if matched. 0 = Block. 1 = Allow.
|
||||||
|
* `srcip` => The source IP to match (e.g. 10.50.0.3).
|
||||||
|
* `dstip` => The destination IP to match (e.g. 10.50.0.4).
|
||||||
|
* `min_ttl` => The minimum TTL (time to live) the packet can has to match.
|
||||||
|
* `max_ttl` => The maximum TTL (time to live) the packet can has to match.
|
||||||
|
* `max_len` => The maximum packet length the packet can has to match. This includes the entire frame (ethernet header, IP header, L4 header, and data).
|
||||||
|
* `min_len` => The minimum packet length the packet can has to match. This includes the entire frame (ethernet header, IP header, L4 header, and data).
|
||||||
|
* `tos` => The TOS (type of service) the packet has to match.
|
||||||
|
* `payloadmatch` => The payload (L4 data) the packet has to match. The format is in hexadecimal and each byte is separated by a space. An example includes: `FF FF FF FF 59`.
|
||||||
|
|
||||||
|
**TCP Options**
|
||||||
|
The config option `tcpopts` within a filter is an array including TCP options. This should only be one array per filter. Options include:
|
||||||
|
|
||||||
|
* `enabled` => If true, check for TCP-specific matches.
|
||||||
|
* `sport` => The source port the packet must match.
|
||||||
|
* `dport` => The destination port the packet must match.
|
||||||
|
* `urg` => If true, the packet must have the `URG` flag set to match.
|
||||||
|
* `ack` => If true, the packet must have the `ACK` flag set to match.
|
||||||
|
* `rst` => If true, the packet must have the `RST` flag set to match.
|
||||||
|
* `psh` => If true, the packet must have the `PSH` flag set to match.
|
||||||
|
* `syn` => If true, the packet must have the `SYN` flag set to match.
|
||||||
|
* `fin` => If true, the packetm ust have the `FIN` flag set to match.
|
||||||
|
|
||||||
|
**UDP Options**
|
||||||
|
The config option `udpopts` within a filter is an array including UDP options. This should only be one array per filter. Options include:
|
||||||
|
|
||||||
|
* `enabled` => If true, check for UDP-specific matches.
|
||||||
|
* `sport` => The source port the packet must match.
|
||||||
|
* `dport` => The destination port the packet must match.
|
||||||
|
|
||||||
|
**ICMP Options**
|
||||||
|
The config option `icmpopts` within a filter is an array including ICMP options. This should only be one array per filter. Options include:
|
||||||
|
|
||||||
|
* `enabled` => If true, check for ICMP-specific matches.
|
||||||
|
* `code` => The ICMP code the packet must match.
|
||||||
|
* `type` => The ICMP type the packet must match.
|
||||||
|
|
||||||
|
**Note** - Everything besides the main `enabled` and `action` options within a filter are **not** required. This means you do not have to define them within your config.
|
||||||
|
|
||||||
|
## Configuration Example
|
||||||
|
Here's an example of a config:
|
||||||
|
|
||||||
|
```
|
||||||
|
interface = "ens18";
|
||||||
|
updatetime = 15;
|
||||||
|
|
||||||
|
filters = (
|
||||||
|
{
|
||||||
|
enabled = true,
|
||||||
|
action = 0,
|
||||||
|
|
||||||
|
udpopts = (
|
||||||
|
{
|
||||||
|
enabled = true,
|
||||||
|
dport = 27015
|
||||||
|
}
|
||||||
|
)
|
||||||
|
},
|
||||||
|
{
|
||||||
|
enabled = true,
|
||||||
|
action = 1,
|
||||||
|
|
||||||
|
tcpopts = (
|
||||||
|
{
|
||||||
|
enabled = true,
|
||||||
|
syn = true,
|
||||||
|
dport = 27015
|
||||||
|
}
|
||||||
|
)
|
||||||
|
},
|
||||||
|
{
|
||||||
|
enabled = true,
|
||||||
|
action = 0,
|
||||||
|
|
||||||
|
icmpopts = (
|
||||||
|
{
|
||||||
|
enabled = true,
|
||||||
|
code = 0
|
||||||
|
}
|
||||||
|
)
|
||||||
|
},
|
||||||
|
{
|
||||||
|
enabled = true,
|
||||||
|
action = 0,
|
||||||
|
srcip = "10.50.0.4"
|
||||||
|
}
|
||||||
|
);
|
||||||
|
```
|
||||||
|
|
||||||
## Status
|
## Status
|
||||||
Not Finished.
|
Not Finished.
|
||||||
|
|||||||
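Review bot: the new README never states the firewall's default policy or rule evaluation order, so the configuration example cannot be read unambiguously. `action` is documented as `0 = Block. 1 = Allow.`, but nothing says whether a packet that matches no filter is accepted or dropped, or which filter wins when more than one matches (the example's first filter blocks UDP to port 27015, the second allows TCP SYN to the same port, and the last blocks everything from `srcip = "10.50.0.4"`). Please add a sentence under **Filters** covering the default action and first-match versus last-match semantics, since a reader configuring a deny rule needs both to predict what actually passes. `updatetime` also lacks a unit (the example sets `updatetime = 15;`); state it explicitly. The note that only `enabled` and `action` are required should also say how an omitted option is treated during matching. Finally, a few typos in the option descriptions: `min_ttl`, `max_ttl`, `max_len` and `min_len` read "the packet can has to match" (drop "can"), `fin` reads "the packetm ust have", the Description's "based off of" should be "based on", and "This should only be one array per filter" should read "There should be only one such array per filter."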