Apache HTTP Server Version 1.3

Module mod_firewall

This module is contained in the mod_firewall.h and mod_firewall.c files, and is compiled in when the user adds it to Configuration file. It provides a kind of firewall protection based on client IP address and request time.

With this module, you can protect sensitive URL such as CGI script to overload : many accesses by a single host in a short time !
For example, if you protect url mycgi.cgi for 10 requests within 10 sec, then if a host requests it more than 10 times in less than 10 sec, it will be rejected. Access will be allowed again after 10 sec.

How to install this module firewall directive firewall handler How to configure the firewall

How to install this module :

To compile this module with apache :

Add it to Configuration file in the src directory of apache.
You should add a line like this :

AddModule modules/firewall/mod_firewall.o

at the end of the module list to make it first in the priority order !.

Then do a Configure and make.

Firewall directives

Syntax: Firewall_database database_filename
Context: access.conf
Override:
Status:
Module: mod_firewall

This directive specifies the database filename which describes which hosts are to be protected and how.
For exmple you can add that line to access.conf :

Firewall_database /home/maxyoyo/internet/www/conf/urls

Filename format is : (each entry protects one URL)

URL number_max_access max_time_interval number_max_access is the maximum request allowed during the time interval. If there are more request during time interval : the server does not answer the request.

Syntax: Firewall_maxhosts maximum_number_of_hosts
Context: access.conf
Override:
Status:
Module: mod_firewall

This number is the size of hash table which contains all the IP records.
The server can handle a maximum number of different hosts at a time. For exmple you can add that line to access.conf :

Firewall_maxhosts 200

Firewall handler

Displays the current status of the firewall.
It shows a table with for each url which host has accessed it, how many times and time elapsed since the last access.
To install it you shoul add something like that :


<Location /Firewall>

 SetHandler firewall-handler 

 order deny,allow 

 allow from .essi.fr 

 allow from .cica.fr 

 deny from all	

</Location>

to access.conf file.
NOTE : Of course, you should protect access to this handler by adding a password protection. (authentification directive).
If this module is enabled you can test it now : Firewall

How to configure the firewall :

Use firewall directive to specify a database filename.

You may add entries using an editor

or by using a CGI script : firewall_conf.cgi.
Before using this script, you must edit it to set where the configuration file is located.
This script updates this file with the script firewall_update.cgi which restarts the Apache Server (resets firewall table).
NOTE : Of course, you should protect access to these cgi script by adding a password protection. (authentification directive).

Apache HTTP Server Version 1.3

legas@essi.fr and dousse@essi.fr