def ensure_rules_files(cfg):
"""the function creates several files if they don't exist"""
for ruletype in ["blacklist", "whitelist", "tcp", "udp", "custom"]:
filepath = cfg.get_value("RULES", "filepath")
filename = cfg.get_value("RULES", ruletype)
create_folder_if_not_exists(filepath)
create_file_if_not_exists(filepath + "/" + filename)
def __init__(self, loglevel: str, to_stdout: bool, to_files: bool, logpath: str, logfile: str):
self.loglevel = self.correct_level(loglevel)
# create logger
root = logging.getLogger()
root.handlers.clear() # workaround for default stdout handler
root.setLevel(self.loglevel)
# create formatter and add it to the handlers
formatter = logging.Formatter(
'[%(asctime)s] [%(levelname)s] [%(filename)s:%(lineno)d] %(message)s')
# create console handler -> logs are always written to stdout
if to_stdout:
std_handler = logging.StreamHandler(stdout)
std_handler.setLevel(self.loglevel)
std_handler.setFormatter(formatter)
root.addHandler(std_handler)
# create file handler if enabled in configuration
if to_files:
# create log filepath if not exists
fullpath = "{}/{}".format(logpath, logfile)
create_folder_if_not_exists(logpath)
create_file_if_not_exists(fullpath)
file_handler = logging.FileHandler(fullpath)
file_handler.setLevel(self.loglevel)
file_handler.setFormatter(formatter)
root.addHandler(file_handler)
def setUp(self):
self.config_file = "test_easywall.ini"
content = """[LOG]
level = info
to_files = false
to_stdout = true
filepath =
filename =
[IPV6]
enabled = true
[ACCEPTANCE]
enabled = true
duration = 1
[EXEC]
iptables = /sbin/iptables
ip6tables = /sbin/ip6tables
iptables-save = /sbin/iptables-save
ip6tables-save = /sbin/ip6tables-save
iptables-restore = /sbin/iptables-restore
ip6tables-restore = /sbin/ip6tables-restore
[BACKUP]
filepath = ./backup
ipv4filename = iptables_v4_backup
ipv6filename = iptables_v6_backup
"""
create_file_if_not_exists(self.config_file)
write_into_file(self.config_file, content)
self.cfg = Config(self.config_file)
self.easywall = Easywall(self.cfg)
self.easywall.rules.rules_firstrun()
def set_status(self, status: str) -> None:
"""
TODO: Doku
"""
filename = ".acceptance_status"
create_file_if_not_exists(filename)
write_into_file(filename, status)
self.mystatus = status
def setUp(self) -> None:
self.config_file = "test_easywall.ini"
content = """[LOG]
level = info
to_files = no
to_stdout = yes
filepath = /var/log
filename = easywall.log
[IPTABLES]
log_blocked_connections = yes
log_blocked_connections_log_limit = 60
log_blacklist_connections = yes
log_blacklist_connections_log_limit = 60
drop_broadcast_packets = yes
drop_multicast_packets = yes
drop_anycast_packets = yes
ssh_brute_force_prevention = yes
ssh_brute_force_prevention_log = yes
ssh_brute_force_prevention_connection_limit = 5
ssh_brute_force_prevention_log_limit = 60
icmp_flood_prevention = yes
icmp_flood_prevention_log = yes
icmp_flood_prevention_connection_limit = 5
icmp_flood_prevention_log_limit = 60
drop_invalid_packets = yes
drop_invalid_packets_log = yes
drop_invalid_packets_log_limit = 60
port_scan_prevention = yes
port_scan_prevention_log = yes
port_scan_prevention_log_limit = 60
[IPV6]
enabled = true
icmp_allow_router_advertisement = yes
icmp_allow_neighbor_advertisement = yes
[ACCEPTANCE]
enabled = yes
duration = 1
timestamp =
[EXEC]
iptables = /sbin/iptables
ip6tables = /sbin/ip6tables
iptables-save = /sbin/iptables-save
ip6tables-save = /sbin/ip6tables-save
iptables-restore = /sbin/iptables-restore
ip6tables-restore = /sbin/ip6tables-restore
"""
create_file_if_not_exists(self.config_file)
write_into_file(self.config_file, content)
self.cfg = Config(self.config_file)
self.easywall = Easywall(self.cfg)
self.easywall.rules.ensure_files_exist()
def test_constructor_file_not_read(self) -> None:
"""TODO: Doku."""
create_file_if_not_exists("test.ini")
content = """[DEFAULT]
goodcontent = test
badcontent
"""
write_into_file("test.ini", content)
with self.assertRaises(ParsingError):
Config("test.ini")
def setUp(self):
content = """[ACCEPTANCE]
enabled = true
duration = 1
"""
create_file_if_not_exists("acceptance.ini")
write_into_file("acceptance.ini", content)
self.config = Config("acceptance.ini")
self.acceptance = Acceptance(self.config)
def create_rule_files(cfg: Config):
"""
the function checks if the rule files exist and creates them if they don't exist
"""
filepath = cfg.get_value("RULES", "filepath")
create_folder_if_not_exists(filepath)
filename = ""
for ruletype in ["blacklist", "whitelist", "tcp", "udp", "custom"]:
filename = cfg.get_value("RULES", ruletype)
create_file_if_not_exists("{}/{}".format(filepath, filename))
def setUp(self):
content = """[TEST]
teststring = string
testboolean = true
testint = 1
testfloat = 1.1
"""
create_file_if_not_exists("test.ini")
write_into_file("test.ini", content)
self.config = Config("test.ini")
def start(self) -> None:
"""
the start of the acceptance process is triggered by this function
the function checks the internal status of the class.
the internal status can be ready, accepted or not accepted.
if the status is disabled the function does nothing
"""
if self.mystatus in ["ready", "accepted", "not accepted"]:
create_file_if_not_exists(self.filename)
write_into_file(self.filename, "false")
self.set_status("started")
info("Acceptance Process has been started.")
def test_disabled(self):
"""
TODO: Doku
"""
content = """[ACCEPTANCE]
enabled = false
duration = 1
"""
create_file_if_not_exists("acceptance.ini")
write_into_file("acceptance.ini", content)
self.config = Config("acceptance.ini")
self.acceptance = Acceptance(self.config)
self.assertEqual(self.acceptance.status(), "disabled")
def ensure_file_exists(self) -> None:
"""TODO: Doku."""
if not file_exists(self.filepath):
create_file_if_not_exists(self.filepath)
template: dict = {}
for state in self.states:
template[state] = {}
for ruletype in self.types:
template[state][ruletype] = []
self.rules = template
self.save()
def rules_firstrun(self) -> None:
"""
TODO: Doku
"""
create_folder_if_not_exists(self.rulesfolder)
for state in self.states:
create_folder_if_not_exists("{}/{}".format(self.rulesfolder,
state))
for ruletype in self.types:
create_file_if_not_exists("{}/{}/{}".format(
self.rulesfolder, state, ruletype))
def test_file(self):
assert not file_exists("testfile")
create_file_if_not_exists("testfile")
assert file_exists("testfile")
write_into_file("testfile", "testcontent")
assert file_get_contents("testfile") == "testcontent"
assert len(get_abs_path_of_filepath("testfile")) > 0
rename_file("testfile", "testfilenew")
assert not file_exists("testfile")
assert file_exists("testfilenew")
delete_file_if_exists("testfilenew")
assert not file_exists("testfile")
assert not file_exists("testfilenew")
def test_file(self) -> None:
"""TODO: Doku."""
self.assertFalse(file_exists("testfile"))
create_file_if_not_exists("testfile")
self.assertTrue(file_exists("testfile"))
write_into_file("testfile", "testcontent")
self.assertEqual(file_get_contents("testfile"), "testcontent")
self.assertGreater(len(get_abs_path_of_filepath("testfile")), 0)
rename_file("testfile", "testfilenew")
self.assertFalse(file_exists("testfile"))
self.assertTrue(file_exists("testfilenew"))
delete_file_if_exists("testfilenew")
self.assertFalse(file_exists("testfile"))
self.assertFalse(file_exists("testfilenew"))
def test_file(self):
"""
TODO: Doku
"""
assert not file_exists("testfile")
create_file_if_not_exists("testfile")
assert file_exists("testfile")
write_into_file("testfile", "testcontent")
assert file_get_contents("testfile") == "testcontent"
self.assertGreater(len(get_abs_path_of_filepath("testfile")), 0)
rename_file("testfile", "testfilenew")
assert not file_exists("testfile")
assert file_exists("testfilenew")
delete_file_if_exists("testfilenew")
assert not file_exists("testfile")
assert not file_exists("testfilenew")
def prepare_configuration() -> None:
"""
TODO: Doku
"""
if file_exists(CONFIG_PATH):
rename_file(CONFIG_PATH, CONFIG_BACKUP_PATH)
content = """[LOG]
level = info
to_files = no
to_stdout = yes
filepath = log
filename = easywall-web.log
[WEB]
username = demo
password = xxx
bindip = 0.0.0.0
bindport = 12227
login_attempts = 10
login_bantime = 1800
[VERSION]
version = 0.0.0
sha = 12345
date = 2020-01-01T00:00:00Z
timestamp = 1234
[uwsgi]
https-socket = 0.0.0.0:12227,easywall.crt,easywall.key
processes = 5
threads = 2
callable = APP
master = false
wsgi-file = easywall_web/__main__.py
need-plugin = python3
"""
create_file_if_not_exists(CONFIG_PATH)
write_into_file(CONFIG_PATH, content)
config = Config(CONFIG_PATH)
config.set_value("VERSION", "timestamp", str(int(time())))
def save(self) -> None:
"""Save the current iptables state into a file."""
create_folder_if_not_exists(self.backup_path)
create_file_if_not_exists("{}/{}".format(self.backup_path,
self.backup_file_ipv4))
execute_os_command("{} >> {}/{}".format(self.iptables_bin_save,
self.backup_path,
self.backup_file_ipv4))
debug("backup for ipv4 rules created")
if self.ipv6 is True:
create_file_if_not_exists("{}/{}".format(self.backup_path,
self.backup_file_ipv6))
execute_os_command("{} >> {}/{}".format(self.ip6tables_bin_save,
self.backup_path,
self.backup_file_ipv6))
debug("backup of ipv6 rules created")
info("backup of iptables configuration created")
def setUp(self) -> None:
content = """[EXEC]
iptables = /sbin/iptables
ip6tables = /sbin/ip6tables
iptables-save = /sbin/iptables-save
ip6tables-save = /sbin/ip6tables-save
iptables-restore = /sbin/iptables-restore
ip6tables-restore = /sbin/ip6tables-restore
[IPV6]
enabled = yes
[BACKUP]
filepath = ./backup
ipv4filename = iptables_v4_backup
ipv6filename = iptables_v6_backup
"""
create_file_if_not_exists("iptables.ini")
write_into_file("iptables.ini", content)
self.config = Config("iptables.ini")
self.iptables = Iptables(self.config)
def save(self) -> None:
"""
the function saves the current iptables state into a file
"""
backup_path = self.cfg.get_value("BACKUP", "filepath")
create_folder_if_not_exists(backup_path)
backup_file = self.cfg.get_value("BACKUP", "ipv4filename")
create_file_if_not_exists("{}/{}".format(backup_path, backup_file))
execute_os_command("{} >> {}/{}".format(self.iptables_bin_save,
backup_path, backup_file))
debug("backup for ipv4 rules created")
if self.ipv6 is True:
backup_file = self.cfg.get_value("BACKUP", "ipv6filename")
create_file_if_not_exists("{}/{}".format(backup_path, backup_file))
execute_os_command("{} >> {}/{}".format(self.ip6tables_bin_save,
backup_path, backup_file))
debug("backup of ipv6 rules created")
info("backup of iptables configuration created")
def setUp(self) -> None:
self.config_backup_path = "config/easywall.ini.backup"
if file_exists(CONFIG_PATH):
rename_file(CONFIG_PATH, self.config_backup_path)
content = """[LOG]
level = info
to_files = false
to_stdout = true
filepath =
filename =
[IPV6]
enabled = true
[ACCEPTANCE]
enabled = false
duration = 120
timestamp =
[EXEC]
iptables = /sbin/iptables
ip6tables = /sbin/ip6tables
iptables-save = /sbin/iptables-save
ip6tables-save = /sbin/ip6tables-save
iptables-restore = /sbin/iptables-restore
ip6tables-restore = /sbin/ip6tables-restore
[BACKUP]
filepath = ./backup
ipv4filename = iptables_v4_backup
ipv6filename = iptables_v6_backup
"""
create_file_if_not_exists(CONFIG_PATH)
write_into_file(CONFIG_PATH, content)
delete_folder_if_exists("rules")
def reset(self):
"""the function is called then the user did not accept the changes"""
if self.enabled:
create_file_if_not_exists(self.filename)
write_into_file(self.filename, "false")
debug("Acceptance has been reset.")
def create_running_file(self):
"""the function creates a file in the main directory called .running"""
create_file_if_not_exists(".running")
def apply_step_one() -> None:
"""
the function triggeres the easywall core to apply the new firewall rules
"""
create_file_if_not_exists(".apply")
def prepare_configuration() -> None:
"""TODO: Doku."""
if file_exists(EASYWALL_CONFIG_PATH):
rename_file(EASYWALL_CONFIG_PATH, EASYWALL_CONFIG_BACKUP_PATH)
if file_exists(WEB_CONFIG_PATH):
rename_file(WEB_CONFIG_PATH, WEB_CONFIG_BACKUP_PATH)
if file_exists(LOG_CONFIG_PATH):
rename_file(LOG_CONFIG_PATH, LOG_CONFIG_BACKUP_PATH)
content = """[IPTABLES]
log_blocked_connections = yes
log_blocked_connections_log_limit = 60
log_blacklist_connections = yes
log_blacklist_connections_log_limit = 60
drop_broadcast_packets = yes
drop_multicast_packets = yes
drop_anycast_packets = yes
ssh_brute_force_prevention = yes
ssh_brute_force_prevention_log = yes
ssh_brute_force_prevention_connection_limit = 5
ssh_brute_force_prevention_log_limit = 60
icmp_flood_prevention = yes
icmp_flood_prevention_log = yes
icmp_flood_prevention_connection_limit = 5
icmp_flood_prevention_log_limit = 60
drop_invalid_packets = yes
drop_invalid_packets_log = yes
drop_invalid_packets_log_limit = 60
port_scan_prevention = yes
port_scan_prevention_log = yes
port_scan_prevention_log_limit = 60
[IPV6]
enabled = yes
icmp_allow_router_advertisement = yes
icmp_allow_neighbor_advertisement = yes
[ACCEPTANCE]
enabled = yes
duration = 1
timestamp =
[EXEC]
iptables = /sbin/iptables
ip6tables = /sbin/ip6tables
iptables-save = /sbin/iptables-save
ip6tables-save = /sbin/ip6tables-save
iptables-restore = /sbin/iptables-restore
ip6tables-restore = /sbin/ip6tables-restore
"""
create_file_if_not_exists(EASYWALL_CONFIG_PATH)
write_into_file(EASYWALL_CONFIG_PATH, content)
content = """[WEB]
username = demo
password = xxx
bindip = 0.0.0.0
bindport = 12227
login_attempts = 100
login_bantime = 1800
[VERSION]
version = 0.0.0
sha = 12345
date = 2020-01-01T00:00:00Z
timestamp = 1234
[uwsgi]
ssl-option = 268435456
https-socket = 0.0.0.0:12227,ssl/easywall.crt,ssl/easywall.key,HIGH
processes = 5
threads = 2
callable = APP
master = yes
die-on-term = yes
wsgi-file = easywall/web/__main__.py
need-plugin = python3
buffer-size = 16384
"""
create_file_if_not_exists(WEB_CONFIG_PATH)
write_into_file(WEB_CONFIG_PATH, content)
config = Config(WEB_CONFIG_PATH)
config.set_value("VERSION", "timestamp", str(int(time())))
content = """[LOG]
level = info
to_files = no
to_stdout = yes
filepath = /var/log
filename = easywall.log
"""
create_file_if_not_exists(LOG_CONFIG_PATH)
write_into_file(LOG_CONFIG_PATH, content)