def getZones(self):
zones = self.sysconf.Shorewall.get('zones', {})
baseZones = [("all", "Any"), ('fw', "Firewall")]
if self.sysconf.ProxyConfig.get('captive'):
for zo in Utils.getLanZones(self.sysconf):
baseZones.append(("c%s" % zo, "Authenticted %s" % zo))
return baseZones + [(zo, zo) for zo in zones.keys()
] # Build something we can se for drop downs
def writeConfig(self, *a):
rules = ""
ruleList = [
[1, 'Ping/ACCEPT all all'],
[1, 'AllowICMPs all all'],
[1, 'ACCEPT all all udp 33434:33463'],
]
ruleList.extend(config.Shorewall.get('redirect', []))
ruleList.extend(config.Shorewall.get('rules', []))
ruleList.extend(config.Shorewall.get('dnat', []))
for enable, rule in ruleList:
if not enable:
rules += "#"
rules += "%s\n" % rule
if config.Shorewall.get('blockp2p', False):
rules += "REJECT all all ipp2p:tcp\n"
rules += "REJECT all all ipp2p:udp\n"
rules += "\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
l = open('/etc/shorewall/rules', 'wt')
l.write(rules)
l.close()
tos = "###############################################################################\n"
tos += "#SOURCE DEST PROTOCOL SOURCE DEST TOS\n"
tos += "# PORTS PORTS\n"
for p, proto, t in config.Shorewall.get('qos', []):
tos += "all all %s - %s %s\n" % (
proto, p, t)
tos += "all all %s %s - %s\n" % (
proto, p, t)
tos += "\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
l = open('/etc/shorewall/tos', 'wt')
l.write(tos)
l.close()
policies = """fw all ACCEPT
loc fw ACCEPT
loc loc ACCEPT\n"""
interfaces = ""
zones = "fw firewall\n"
for zone in config.Shorewall.get('zones', {}):
zoneifaces = config.Shorewall['zones'][zone]['interfaces']
policy = config.Shorewall['zones'][zone]['policy']
log = config.Shorewall['zones'][zone]['log']
zones += "%s ipv4\n" % (zone, )
policies += "%s all %s %s\n" % (zone, policy, log)
for interface in zoneifaces:
interfaces += "%s %s\n" % (zone, interface)
for zone in Utils.getLanZones(config):
if config.ProxyConfig.get('captive'):
zones += "c%s:%s\n" % (zone, zone)
if config.ProxyConfig.get('captiveblock'):
policies += "c%s all DROP $LOG\n" % (zone, )
else:
policies += "c%s all ACCEPT\n" % (zone, )
policies += "\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
interfaces += "\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
zones += "\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
params = "LOG=ULOG\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
# SNAT configuration
nat = """###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES\n"""
for ru in config.Shorewall.get('snat', []):
nat += ru + '\n'
nat += "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
l = open('/etc/shorewall/nat', 'wt')
l.write(nat)
l.close()
# Masqeurading
masq = ""
for dest, sources in config.Shorewall.get('masq', {}).items():
for source in sources:
if type(source) == list:
# New style rule...
dstnet = source[0].replace('-', '')
if dstnet:
dstnet = ':' + dstnet
srcnet = source[1].replace('-', '')
srcif = source[2].replace('-', '')
if srcif:
# Ignore the srcnet rule...
srcnet = srcif
using = source[3].replace('-', '')
proto = source[4].replace('-', '')
port = source[5].replace('-', '')
if proto and not using:
using = '-'
masq += "%s%s %s %s %s %s\n" % (
dest, dstnet, srcnet, using, proto, port)
else:
masq += "%s %s \n" % (dest, source)
masq += "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
wl = {
'policy': policies,
'interfaces': interfaces,
'zones': zones,
'params': params,
'masq': masq
}
for i in wl:
l = open('/etc/shorewall/%s' % i, 'wt')
l.write(wl[i])
l.close()
providers = "#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY\n"
i = 0
lans = ','.join(Utils.getLans(config))
for inter in config.ShorewallBalance:
i += 1
interzone = config.Shorewall['zones'][
inter[0]]['interfaces'][0].split()[0]
providers += "%s %s %s main %s %s %s,optional %s \n" % (
inter[0], i, i, interzone, inter[1], inter[2], lans)
providers += "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
l = open('/etc/shorewall/providers', 'wt')
l.write(providers)
l.close()
routes = "#SOURCE DEST PROVIDER PRIORITY\n"
for ru in config.ShorewallSourceRoutes:
if len(ru) > 2:
prio = ru[2]
else:
prio = 1000
routes += "%s - %s %s\n" % (
ru[0], ru[1], prio)
routes += "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
l = open('/etc/shorewall/route_rules', 'wt')
l.write(routes)
l.close()
parp = """
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
"""
for arps in config.Shorewall.get('proxyarp', {}):
parp += "%s %s %s no yes\n" % tuple(arps)
parp += "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
l = open('/etc/shorewall/proxyarp', 'wt')
l.write(parp)
l.close()
routes = ""
# Check if there are any routes to be added
for interface, defin in config.EthernetDevices.items():
for dest, gw in defin.get('routes', []):
if dest != 'default':
for inter in config.ShorewallBalance:
# Add a route to all shorewall balancing table
routes += "ip ro add %s via %s table %s\n" % (dest, gw,
inter[0])
init = """use Shorewall::Chains;
insert_rule $filter_table->{FORWARD}, 1, "-j ULOG --ulog-nlgroup 2";
insert_rule $filter_table->{INPUT}, 1, "-j ULOG --ulog-nlgroup 2";
insert_rule $filter_table->{OUTPUT}, 1, "-j ULOG --ulog-nlgroup 2";
1;\n"""
l = open('/etc/shorewall/initdone', 'wt')
l.write(init)
l.close()
tcdevices = ""
tcclasses = ""
for dev, det in config.Shaping.items():
tcdevices += "%s %s %s\n" % (dev, det['ratein'],
det['rateout'])
for cls in det['classes']:
tcclasses += "%s %s %s %s %s %s\n" % (
dev, cls[0], cls[1], cls[2], cls[3], cls[4])
tcclasses += "\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
tcrules = ""
for i in config.ShaperRules:
tcrules += "%s\n" % i
tcrules += "\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
l = open('/etc/shorewall/tcdevices', 'wt')
l.write(tcdevices)
l.write(
'\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n'
)
l.close()
l = open('/etc/shorewall/tcclasses', 'wt')
l.write(tcclasses)
l.close()
l = open('/etc/shorewall/tcrules', 'wt')
l.write(tcrules)
l.close()
ipup = """#!/bin/sh -e
killall shorewall
/sbin/shorewall restart
/etc/init.d/quagga restart
/usr/local/tcs/tums/networkManager up $1 || true
exit 0\n"""
l = open('/etc/ppp/ip-up.d/shorewall', 'wt')
l.write(ipup)
l.close()
ipdown = """#!/bin/sh -e
killall shorewall
/sbin/shorewall restart
/etc/init.d/quagga restart
/usr/local/tcs/tums/networkManager down $1 || true
exit 0\n"""
l = open('/etc/ppp/ip-down.d/shorewall', 'wt')
l.write(ipdown)
l.close()
os.system('chmod a+x /etc/ppp/ip-up.d/shorewall')
os.system('chmod a+x /etc/ppp/ip-down.d/shorewall')
# Update shorewall.conf
os.system(
'cp /usr/local/tcs/tums/configs/shorewall.conf /etc/shorewall/')
