Ejemplo n.º 1
 def _close_and_stop(self):
     """Execute the 'ids_ips' LocalFW with no rule queued on it.

     Nothing is ``call``-ed on the LocalFW before ``execute``, so this
     presumably only clears the rules the ids-ips installed earlier (the
     stop counterpart of ``_open_firewall``, which uses the same
     'ids_ips' name) -- confirm against LocalFW.execute.  Any failure is
     reported through ``writeError`` and then re-raised to the caller.
     """
     firewall = LocalFW('ids_ips')
     ctx = Context.fromComponent(self)
     try:
         yield firewall.execute(self.core, ctx)
     except Exception as err:
         self.writeError(
             err, 'Error while handling firewall rules for the ids-ips')
         raise
Ejemplo n.º 2
        def _stopvpn(self):
            """Disable the VPN support firewalling.

            Runs ``vpnrules(self, False)`` in a worker thread first, then
            executes an empty 'vpn_support' LocalFW so that the rules it
            previously installed are cleared without adding new ones.  A
            LocalFW failure is reported via ``writeError`` and re-raised.
            """
            yield deferToThread(vpnrules, self, False)

            # Empty LocalFW: no rule is created, existing ones are just
            # cleared.
            ctx = Context.fromComponent(self)
            firewall = LocalFW('vpn_support')
            try:
                yield firewall.execute(self.core, ctx)
            except Exception as err:
                self.writeError(
                    err,
                    'Error while disabling firewall rules for the VPN support')
                raise
Ejemplo n.º 3
        def _startvpn(self):
            """Enable the firewall rules of the VPN support interface.

            Returns False (via ``returnValue``) without touching anything
            when the VPN support is already running or pending.  Otherwise
            runs ``vpnrules(self, True)`` in a worker thread, then queues on
            the 'vpn_support' LocalFW, in this order: a FORWARD DROP for the
            ``support`` interface, and INPUT ACCEPTs on that interface for
            UDP 8080 and TCP 8443 and 22.  A LocalFW failure is reported via
            ``writeError`` and re-raised.
            """
            if isVpnSupportRunningOrPending(self):
                returnValue(False)
            yield deferToThread(vpnrules, self, True)

            # Every rule is inserted (-I) at the head of its chain; they are
            # handed to the LocalFW in the sequence of this list.
            support_rules = [
                '-I FORWARD -i support -j DROP',
                '-I INPUT -i support -p udp --dport 8080 -j ACCEPT',
            ]
            support_rules.extend(
                '-I INPUT -i support -p tcp --dport %s -j ACCEPT' % port
                for port in ("8443", "22"))

            firewall = LocalFW('vpn_support')
            for rule in support_rules:
                firewall.call('addFilterIptable', False, rule)

            ctx = Context.fromComponent(self)
            try:
                yield firewall.execute(self.core, ctx)
            except Exception as err:
                self.writeError(
                    err,
                    'Error while enabling firewall rules for the VPN support')
                raise
Ejemplo n.º 4
    def _open_firewall(self):
        """Divert forwarded traffic of the configured networks to the IPS.

        Queues on the 'ids_ips' LocalFW, in order:
          * a mangle POSTROUTING rule that clears mark bit 0x20000
            (``--and-mark 0xfffdffff``);
          * a new filter chain IPS_NETS holding, for each network of
            ``self.ids_ips_cfg.networks``, one NFQUEUE rule matching the
            destination and one matching the source, both on queue
            IDS_IPS_QUEUE_NUM (Snort_inline inspects both directions);
          * a FORWARD rule sending packets *without* mark bit 0x20000 to
            IPS_NETS.  Packets carrying that bit therefore skip inspection;
            where the bit gets set is not visible here -- presumably another
            component marks already-handled traffic (confirm).
        A LocalFW failure is reported via ``writeError`` and re-raised.
        """
        firewall = LocalFW('ids_ips')

        def add_filter(rule):
            firewall.call('addFilterIptable', False, rule)

        firewall.call(
            'addMangleIptable', False,
            '-A POSTROUTING -m mark --mark 0x20000/0x20000 -j MARK --and-mark 0xfffdffff')
        add_filter('-N IPS_NETS')

        queue_rule = '-A IPS_NETS %s %s -j NFQUEUE --queue-num %d'
        for network in self.ids_ips_cfg.networks:
            target = network.strNormal(1)
            # Both directions go to the queue: by destination, then by source.
            for direction in ('-d', '-s'):
                add_filter(queue_rule % (direction, target, IDS_IPS_QUEUE_NUM))

        add_filter('-I FORWARD -m mark ! --mark 0x20000/0x20000 -j IPS_NETS')

        ctx = Context.fromComponent(self)
        try:
            yield firewall.execute(self.core, ctx)
        except Exception as err:
            self.writeError(
                err, 'Error while handling firewall rules for the ids-ips')
            raise
Ejemplo n.º 5
    def setup_portal(self, responsible):
        try:
            yield deferToThread(
                self.runCommandAsRootAndCheck,
                os.path.join(
                    self.script_dir,
                    "portal_ipset"
                    )
                )
        except RunCommandError:
            self.error("Could not create captive portal IP set.")

        localfw = LocalFW('portal')
        if self.auth_cert_cfg.portal_enabled:
            try:
                os.chmod(IPSET_EXE, 04755)
            except Exception, err:
                self.critical('Could not add setuid on %s (%s).' %
                              (IPSET_EXE, err))

            localfw.call('addNatIptable', False, '-N PORTAL')
            for network in self.auth_cert_cfg.portal_nets:
                localfw.call('addNatIptable', False,
                        '-A PREROUTING -p tcp --dport 80 -s %s -j PORTAL' %
                        network)
                localfw.call('addFilterIptable', False,
                        '-A INPUT -p tcp --dport 80 -s %s -j ACCEPT' %
                        network)
            localfw.call('addNatIptable', False,
                    '-A PORTAL -m set --set nuauth src,src -j RETURN')
            localfw.call('addNatIptable', False,
                    '-A PORTAL -j REDIRECT')