GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  HLFL (1)

NAME

hlfl - High Level Firewall Language

CONTENTS

Synopsis
Description
Hlfl - The ’language’
Example
Note
Other Infos
Authors

SYNOPSIS

hlfl
-t or --type= [ipchains | ipfw | ipfw4 | ipfwadm | ipfilter | netfilter | cisco ] RULEFILE
-o or --output= FILE (stdout is the default)
-h or --help prints help
-V or --version prints version
-c or --check check netmasks before computing
-v or --verbose be verbose, print comments

DESCRIPTION

hlfl is a tool which can produce several types of firewalls from a given set of rules written in a special language also called hlfl (however awkward it is).

hlfl attempts to make the best use of the features of the underlying firewall, so that the conversion of a stateless to a stateful requires no modification to the original script

HLFL - THE ’LANGUAGE’

A complete description of the hlfl syntax is in ${prefix}/share/hlfl/syntax.txt Each order must fit on one line. The syntax is :

protocol (local) operator (remote) [interface] keywords

Where :
protocol must be one of tcp , udp , icmp or all

(local) and (remote) contain the IP addresses (and tcp and udp ports) of both side. Multiple IPs may be specified. For instance :
                (192.168.1.1 21 | 192.168.2.1 80)

Means ’port 21 of 192.168.1.1 or port 80 of 192.168.2.1’. The port range syntax is the same as, say, nmap(1). The next statements are valid :
        tcp (192.168.1.1 21,22,1024-3128,4000-) -> (any)
       tcp ((192.168.1.1|192.168.2.1) 21,22,1024-) -> (any)

Note : it is very important to understand that local and remote can not be exchanged. local is the thing you want to protect, and remote is the other party. Be sure to understand that or your rules will not work and you won’t like hlfl.

operator

must be one of the defined operators. The following list of operators has been defined :
-> : accept outgoing
<- : accept incoming
<-> : accept outgoing and incoming
<=>> : accept outgoing and incoming if the communication was established by the local side first
<<=> : same as above except that the communication must be established by the remote side first
X-> : deny outgoing
X!-> : reject outgoing
<-X : deny incoming
<-X! : reject incoming
X : deny outgoing and incoming
X! : reject outgoing and incoming

Full text operators are allowed. The syntax is :
operator ::= "accept" | "deny" | "reject" [ "from" | "to" | "and" | "established" | "log" ]

It is possible to combine full text operators with symbolic ones. This can be done for logging support.

[interface]

interface is the name of the interface to apply the rule to

keyword

additional keyword. At this time, only the keyword nomix has been defined. Imagine you write the rule:

        tcp (192.168.1.1 | 192.168.2.1) <-> (172.22.0.1 | 172.22.0.2)

If the keyword nomix is not added at the end of the rule, then this rule means :
- accept tcp traffic between 192.168.1.1 and 172.22.0.1
- accept tcp traffic between 192.168.1.1 and 172.22.0.2
- accept tcp traffic between 192.168.2.1 and 172.22.0.1
- accept tcp traffic between 192.168.2.1 and 172.22.0.2

Now, if nomix is added at the end of the rule, then it means :
- accept tcp traffic between 192.168.1.1 and 172.22.0.1
- accept tcp traffic between 192.168.2.1 and 172.22.0.2

It is possible to define words using the define instruction :
        define my_net 192.168.1.0/24
        define ssh 22
        define my_interface ne1
        tcp (my_net 22) <<=> (any 1020-) [my_interface]

The include keyword allows you to include other files.

        include /path/to/my/file.hlfl
        include file.hlfl

The second include statement will include the file hflf.fl which is in the current working directory.

It is also possible to include ’systems’ file, using brackets :
        include <services.hlfl>

This statement includes the file ${prefix}/share/hlfl/services.hlfl, which contains the definition of common tcp and udp services.

Lines starting with ’#’ or ’%’ are treated as comments. ’#’ comments will be integrated in the final file, whereas ’%’ comments will be dropped :
% include myfile.hlfl which contains useful defintions
include myfile.hlfl
# deny tcp
tcp (any) X (any)

Will give, in ipfw :
# deny tcp
ipfw -f add deny tcp from any to any

Lines starting with a ’!’ will be included as commands in the generated file. This reduces portability, but this allow you to have all your firewall configuration stored in one .hlfl file. For instance, I use at home :
!ipchains -s 192.168.1.0 -d 0/0 -i eth1 -j MASQ
tcp (any) -> (any) [eth1]

I use ipchains, so I included my ipchains masquerading policy in my configuration file. If I wanted to change my firewall to something else (top-notch ipfilter because ipfilter is _the_ way to go), then I’ll have to change (remove actually) the line starting by ’!’.

It is possible to define conditional inclusion. For instance, this rule makes no sense if I am generating an ipf firewall, so the ’if( type )’ statement exists :

% only include the following in the case we are generating an
% ipchains firewall. Generate a warning if we are not using
% ipchains

!if(ipchains) ipchains -s 192.168.1.0 -d 0/0 -i eth1 -j MASQ
! else echo "Warning - NAT is not handled in this configuration"

EXAMPLE

see ${prefix}/share/hlfl/ for real-life examples.

NOTE

By default, the rules are permissives, everything is allowed to pass to anywhere. If you want to change that default, add

all (any) X (any)

at the end of your rules.

OTHER INFOS

If you find some bug, please mail it to hlfl’s mailing list, <hlfl@hlfl.org>. More details at http://www.hlfl.org/

AUTHORS

hlfl was written by Renaud Deraison <deraison@hlfl.org> because the day he had to convert his ipfw firewall to ipfilter, he sweared he’d never do that again.
Arnaud Launay <launay@hlfl.org> joined later on, and took actively part in the project.

Search for    or go to Top of page |  Section 1 |  Main Index


HLFL (1) June 8, 2003

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.