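def __init__(self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose):
    """Read the global firewall config, apply the IPv4 sysctl toggles and load the "head" default rules.

    Args:
        dryrun: passed through to ``abyle_execute.run`` for every command (presumably suppresses execution).
        iptablesbin: iptables binary; each default rule is appended to it and run through the executioner.
        fwconfigpath: configuration directory handed to ``abyle_config_parse`` / ``abyleparse``.
        rulesfile: rules file handed to ``abyleparse``.
        ipt_xmlconfig: iptables XML config handed to ``abyleparse``.
        xmlconfig: global XML config handed to ``abyle_config_parse``.
        echocmd: command used to write sysctl values (``<echocmd> 1 > <procfile>`` is run through a shell-style command string).
        logfile: log destination passed to ``abyle_output``.
        verbose: verbosity flag passed to ``abyle_output``.

    Raises:
        IndexError: if ``excluded_interfaces`` is missing from the global config; every other key has a default.
    """
    self.naptime = 10  # milliseconds
    self.dryrun = dryrun
    self.iptablesbin = iptablesbin
    self.fwconfigpath = fwconfigpath
    self.rulesfile = rulesfile
    self.ipt_xmlconfig = ipt_xmlconfig
    self.xmlconfig = xmlconfig
    self.logfile = logfile
    self.verbose = verbose
    self.executioner = abyle_execute()
    self.echocmd = echocmd

    global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig)
    # No fallback on purpose: a missing interface list is a configuration error, not something to guess.
    self.excludedInterfaces = global_config.getConfig("excluded_interfaces")

    def cfg(key, default):
        """Return the config value for *key*, or *default* when getConfig reports it missing (IndexError)."""
        try:
            return global_config.getConfig(key)
        except IndexError:
            return default

    def flag(key, default):
        """Return the YES/NO value for *key* upper-cased; anything other than "NO" counts as enabled."""
        return str(cfg(key, default)).upper()

    # Absolute sysctl files written below.
    # The kernel knob is tcp_abort_on_overflow; the earlier default named a file that does not exist
    # under /proc/sys/net/ipv4, so the write failed silently unless tcpabortfile was set explicitly.
    self.tcpabort_file = cfg("tcpabortfile", "/proc/sys/net/ipv4/tcp_abort_on_overflow")
    self.icmpbcastreply_file = cfg("icmpbcastfile", "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")
    self.dynaddresshack_file = cfg("dynaddresshackfile", "/proc/sys/net/ipv4/ip_dynaddr")
    self.syncookiefile = cfg("syncookiefile", "/proc/sys/net/ipv4/tcp_syncookies")
    self.ipv4forwardfile = cfg("ipv4forwardfile", "/proc/sys/net/ipv4/ip_forward")

    # Per-interface knobs: bare file names plus the conf directory. Not used in this method;
    # presumably resolved as ipv4conf_path/<iface>/<file> elsewhere in the class - confirm before relying on it.
    self.ipv4conf_path = cfg("ipv4confpath", "/proc/sys/net/ipv4/conf/")
    self.antispoofing_file = cfg("antispoofingfile", "rp_filter")
    self.proxyarp_file = cfg("proxyarpfile", "proxy_arp")
    self.srouting_file = cfg("sroutingfile", "accept_source_route")
    self.icmpredirects_file = cfg("icmprdrsfile", "accept_redirects")
    self.secureicmpredirects_file = cfg("icmpsecurerdrsfile", "secure_redirects")
    self.martians_file = cfg("martiansfile", "log_martians")
    self.bootprelay_file = cfg("bootprelayfile", "bootp_relay")

    # YES/NO toggles. SYN cookies default on; everything else defaults off.
    self.syncookie = flag("syncookie", "YES")
    # Fix: the fallback branch used to assign self.syncookie = "NO" here, which silently switched
    # SYN cookies off and left self.ipv4forward unset (AttributeError further down) whenever
    # the ipv4forward key was absent.
    self.ipv4forward = flag("ipv4forward", "NO")
    self.tcpabort = flag("aborttcp", "NO")
    self.icmpbcastreply = flag("answericmpbroadcast", "NO")
    self.dynaddresshack = flag("dynaddresshack", "NO")

    now = datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    abyle_output("", "", "", "", "blue", self.logfile, self.verbose)
    abyle_output("", "", "", "######################################### STARTUP #########################################", "green", self.logfile, self.verbose)
    abyle_output("", "", "", "", "blue", self.logfile, self.verbose)
    abyle_output("", "", "", "startup time: " + now, "default", self.logfile, self.verbose)
    abyle_output("", "", "", "", "blue", self.logfile, self.verbose)

    def apply_sysctl(title, enabled, path, on_msg, off_msg):
        """Write 1 (enabled != "NO") or 0 to *path* via echocmd and log the outcome under *title*.

        The proc path is spliced into a command string, so it is only as trustworthy as the
        config file it came from; that file is expected to be root-owned like the rest of the setup.
        """
        abyle_output("", "", "", title, "blue", self.logfile, self.verbose)
        if enabled == "NO":
            value, msg = "0", off_msg
        else:
            value, msg = "1", on_msg
        stdOut, stdErr = self.executioner.run(self.echocmd + " " + value + " > " + path, self.dryrun)
        abyle_output("abyle_firewall", stdErr, stdOut, msg, "default", self.logfile, self.verbose)

    apply_sysctl("IPv4 send RST on full tcp buffer:", self.tcpabort, self.tcpabort_file,
                 "ipv4 send TCP-RST on full buffer is activated",
                 "ipv4 send TCP-RST on full buffer is deactivated")
    # NOTE(review): icmp_echo_ignore_broadcasts=1 means *ignore* broadcasts, so answericmpbroadcast=YES
    # actually disables replies and the default "NO" writes 0, i.e. the host answers broadcast pings
    # (smurf amplification). The log lines below describe the kernel effect, not the key name.
    # Behaviour kept as-is so existing configs are not flipped; the key/semantics mismatch should be
    # resolved deliberately, with a config migration.
    apply_sysctl("IPv4 Reply to ICMP Broadcast:", self.icmpbcastreply, self.icmpbcastreply_file,
                 "ipv4 reply to ICMP Broadcasts is deactivated",
                 "ipv4 reply to ICMP Broadcasts is activated")
    apply_sysctl("IPv4 Dynamic-Address-Hack:", self.dynaddresshack, self.dynaddresshack_file,
                 "ipv4 dynamic address hack activated",
                 "ipv4 dynamic address hack deactivated")
    apply_sysctl("IPv4 FORWARDING:", self.ipv4forward, self.ipv4forwardfile,
                 "ipv4 forwarding activated",
                 "ipv4 forwarding deactivated")
    apply_sysctl("SYNCOOKIE:", self.syncookie, self.syncookiefile,
                 "syncookie activated",
                 "syncookie deactivated")

    # Install the "head" default rules. iptables stderr used to be discarded; a rule that fails to
    # load leaves the host in an unknown state, so surface it in the log.
    self.default_config = abyleparse(self.fwconfigpath, "default", self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces)
    self.defaultrules = self.default_config.getDefaultRules("head")
    for drule in self.defaultrules:
        abyle_output("abyle_firewall_buildUpFinish_head", "", "", "default-rule: " + drule, "default", self.logfile, self.verbose)
        stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + drule, self.dryrun)
        if stdErr:
            abyle_output("abyle_firewall_buildUpFinish_head", stdErr, stdOut, "stderr from default-rule: " + drule, "default", self.logfile, self.verbose)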
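def __init__(self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose):
    """Read the global firewall config, apply the IPv4 sysctl toggles and load the "head" default rules.

    Args:
        dryrun: passed through to ``abyle_execute.run`` for every command (presumably suppresses execution).
        iptablesbin: iptables binary; each default rule is appended to it and run through the executioner.
        fwconfigpath: configuration directory handed to ``abyle_config_parse`` / ``abyleparse``.
        rulesfile: rules file handed to ``abyleparse``.
        ipt_xmlconfig: iptables XML config handed to ``abyleparse``.
        xmlconfig: global XML config handed to ``abyle_config_parse``.
        echocmd: command used to write sysctl values (``<echocmd> 1 > <procfile>`` is run as a command string).
        logfile: kept on the instance; this method itself logs through ``logger("firewall")``.
        verbose: verbosity flag passed to the config parsers.

    Raises:
        IndexError: if ``excluded_interfaces`` is missing from the global config; every other key has a default.
    """
    self.naptime = 10  # milliseconds
    self.dryrun = dryrun
    self.iptablesbin = iptablesbin
    self.fwconfigpath = fwconfigpath
    self.rulesfile = rulesfile
    self.ipt_xmlconfig = ipt_xmlconfig
    self.xmlconfig = xmlconfig
    self.logfile = logfile
    self.verbose = verbose
    self.executioner = abyle_execute()
    self.echocmd = echocmd

    global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig, self.verbose)
    # No fallback on purpose: a missing interface list is a configuration error, not something to guess.
    self.excludedInterfaces = global_config.getConfig("excluded_interfaces")

    def cfg(key, default):
        """Return the config value for *key*, or *default* when getConfig reports it missing (IndexError)."""
        try:
            return global_config.getConfig(key)
        except IndexError:
            return default

    def flag(key, default):
        """Return the YES/NO value for *key* upper-cased; anything other than "NO" counts as enabled."""
        return str(cfg(key, default)).upper()

    # Absolute sysctl files written below.
    # The kernel knob is tcp_abort_on_overflow; the earlier default named a file that does not exist
    # under /proc/sys/net/ipv4, so the write failed silently unless tcpabortfile was set explicitly.
    self.tcpabort_file = cfg("tcpabortfile", "/proc/sys/net/ipv4/tcp_abort_on_overflow")
    self.icmpbcastreply_file = cfg("icmpbcastfile", "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")
    self.dynaddresshack_file = cfg("dynaddresshackfile", "/proc/sys/net/ipv4/ip_dynaddr")
    self.syncookiefile = cfg("syncookiefile", "/proc/sys/net/ipv4/tcp_syncookies")
    self.ipv4forwardfile = cfg("ipv4forwardfile", "/proc/sys/net/ipv4/ip_forward")

    # Per-interface knobs: bare file names plus the conf directory. Not used in this method;
    # presumably resolved as ipv4conf_path/<iface>/<file> elsewhere in the class - confirm before relying on it.
    self.ipv4conf_path = cfg("ipv4confpath", "/proc/sys/net/ipv4/conf/")
    self.antispoofing_file = cfg("antispoofingfile", "rp_filter")
    self.proxyarp_file = cfg("proxyarpfile", "proxy_arp")
    self.srouting_file = cfg("sroutingfile", "accept_source_route")
    self.icmpredirects_file = cfg("icmprdrsfile", "accept_redirects")
    self.secureicmpredirects_file = cfg("icmpsecurerdrsfile", "secure_redirects")
    self.martians_file = cfg("martiansfile", "log_martians")
    self.bootprelay_file = cfg("bootprelayfile", "bootp_relay")

    # YES/NO toggles. SYN cookies default on; everything else defaults off.
    self.syncookie = flag("syncookie", "YES")
    # Fix: the fallback branch used to assign self.syncookie = "NO" here, which silently switched
    # SYN cookies off and left self.ipv4forward unset (AttributeError further down) whenever
    # the ipv4forward key was absent.
    self.ipv4forward = flag("ipv4forward", "NO")
    self.tcpabort = flag("aborttcp", "NO")
    self.icmpbcastreply = flag("answericmpbroadcast", "NO")
    self.dynaddresshack = flag("dynaddresshack", "NO")

    log = logger("firewall")

    def apply_sysctl(enabled, path, on_msg, off_msg):
        """Write 1 (enabled != "NO") or 0 to *path* via echocmd and log which state was applied.

        The proc path is spliced into a command string, so it is only as trustworthy as the
        config file it came from; that file is expected to be root-owned like the rest of the setup.
        """
        if enabled == "NO":
            value, msg = "0", off_msg
        else:
            value, msg = "1", on_msg
        stdOut, stdErr = self.executioner.run(self.echocmd + " " + value + " > " + path, self.dryrun)
        log.info(msg)
        if stdErr:
            # A failed sysctl write is a silent hardening gap; make it visible.
            log.info("stderr while writing " + path + ": " + str(stdErr))

    apply_sysctl(self.tcpabort, self.tcpabort_file,
                 "ipv4 send TCP-RST on full buffer is activated",
                 "ipv4 send TCP-RST on full buffer is deactivated")
    # NOTE(review): icmp_echo_ignore_broadcasts=1 means *ignore* broadcasts, so answericmpbroadcast=YES
    # actually disables replies and the default "NO" writes 0, i.e. the host answers broadcast pings
    # (smurf amplification). The log lines below describe the kernel effect, not the key name.
    # Behaviour kept as-is so existing configs are not flipped; the key/semantics mismatch should be
    # resolved deliberately, with a config migration.
    apply_sysctl(self.icmpbcastreply, self.icmpbcastreply_file,
                 "ipv4 reply to ICMP Broadcasts is deactivated",
                 "ipv4 reply to ICMP Broadcasts is activated")
    apply_sysctl(self.dynaddresshack, self.dynaddresshack_file,
                 "ipv4 dynamic address hack activated",
                 "ipv4 dynamic address hack deactivated")
    apply_sysctl(self.ipv4forward, self.ipv4forwardfile,
                 "ipv4 forwarding activated",
                 "ipv4 forwarding deactivated")
    apply_sysctl(self.syncookie, self.syncookiefile,
                 "syncookie activated",
                 "syncookie deactivated")

    # Install the "head" default rules. iptables stderr used to be discarded; a rule that fails to
    # load leaves the host in an unknown state, so surface it in the log.
    self.default_config = abyleparse(self.fwconfigpath, "default", self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces, self.verbose)
    self.defaultrules = self.default_config.getDefaultRules("head")
    for drule in self.defaultrules:
        log.info("default-rule: " + drule)
        stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + drule, self.dryrun)
        if stdErr:
            log.info("stderr from default-rule '" + drule + "': " + str(stdErr))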
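def __init__(
    self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose
):
    """Read the global firewall config, apply the IPv4 sysctl toggles and load the "head" default rules.

    Args:
        dryrun: passed through to ``abyle_execute.run`` for every command (presumably suppresses execution).
        iptablesbin: iptables binary; each default rule is appended to it and run through the executioner.
        fwconfigpath: configuration directory handed to ``abyle_config_parse`` / ``abyleparse``.
        rulesfile: rules file handed to ``abyleparse``.
        ipt_xmlconfig: iptables XML config handed to ``abyleparse``.
        xmlconfig: global XML config handed to ``abyle_config_parse``.
        echocmd: command used to write sysctl values (``<echocmd> 1 > <procfile>`` is run as a command string).
        logfile: kept on the instance; this method itself logs through ``logger("firewall")``.
        verbose: verbosity flag passed to the config parsers.

    Raises:
        IndexError: if ``excluded_interfaces`` is missing from the global config; every other key has a default.
    """
    self.naptime = 10  # milliseconds
    self.dryrun = dryrun
    self.iptablesbin = iptablesbin
    self.fwconfigpath = fwconfigpath
    self.rulesfile = rulesfile
    self.ipt_xmlconfig = ipt_xmlconfig
    self.xmlconfig = xmlconfig
    self.logfile = logfile
    self.verbose = verbose
    self.executioner = abyle_execute()
    self.echocmd = echocmd

    global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig, self.verbose)
    # No fallback on purpose: a missing interface list is a configuration error, not something to guess.
    self.excludedInterfaces = global_config.getConfig("excluded_interfaces")

    def cfg(key, default):
        """Return the config value for *key*, or *default* when getConfig reports it missing (IndexError)."""
        try:
            return global_config.getConfig(key)
        except IndexError:
            return default

    def flag(key, default):
        """Return the YES/NO value for *key* upper-cased; anything other than "NO" counts as enabled."""
        return str(cfg(key, default)).upper()

    # Absolute sysctl files written below.
    # The kernel knob is tcp_abort_on_overflow; the earlier default named a file that does not exist
    # under /proc/sys/net/ipv4, so the write failed silently unless tcpabortfile was set explicitly.
    self.tcpabort_file = cfg("tcpabortfile", "/proc/sys/net/ipv4/tcp_abort_on_overflow")
    self.icmpbcastreply_file = cfg("icmpbcastfile", "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")
    self.dynaddresshack_file = cfg("dynaddresshackfile", "/proc/sys/net/ipv4/ip_dynaddr")
    self.syncookiefile = cfg("syncookiefile", "/proc/sys/net/ipv4/tcp_syncookies")
    self.ipv4forwardfile = cfg("ipv4forwardfile", "/proc/sys/net/ipv4/ip_forward")

    # Per-interface knobs: bare file names plus the conf directory. Not used in this method;
    # presumably resolved as ipv4conf_path/<iface>/<file> elsewhere in the class - confirm before relying on it.
    self.ipv4conf_path = cfg("ipv4confpath", "/proc/sys/net/ipv4/conf/")
    self.antispoofing_file = cfg("antispoofingfile", "rp_filter")
    self.proxyarp_file = cfg("proxyarpfile", "proxy_arp")
    self.srouting_file = cfg("sroutingfile", "accept_source_route")
    self.icmpredirects_file = cfg("icmprdrsfile", "accept_redirects")
    self.secureicmpredirects_file = cfg("icmpsecurerdrsfile", "secure_redirects")
    self.martians_file = cfg("martiansfile", "log_martians")
    self.bootprelay_file = cfg("bootprelayfile", "bootp_relay")

    # YES/NO toggles. SYN cookies default on; everything else defaults off.
    self.syncookie = flag("syncookie", "YES")
    # Fix: the fallback branch used to assign self.syncookie = "NO" here, which silently switched
    # SYN cookies off and left self.ipv4forward unset (AttributeError further down) whenever
    # the ipv4forward key was absent.
    self.ipv4forward = flag("ipv4forward", "NO")
    self.tcpabort = flag("aborttcp", "NO")
    self.icmpbcastreply = flag("answericmpbroadcast", "NO")
    self.dynaddresshack = flag("dynaddresshack", "NO")

    log = logger("firewall")

    def apply_sysctl(enabled, path, on_msg, off_msg):
        """Write 1 (enabled != "NO") or 0 to *path* via echocmd and log which state was applied.

        The proc path is spliced into a command string, so it is only as trustworthy as the
        config file it came from; that file is expected to be root-owned like the rest of the setup.
        """
        if enabled == "NO":
            value, msg = "0", off_msg
        else:
            value, msg = "1", on_msg
        stdOut, stdErr = self.executioner.run(self.echocmd + " " + value + " > " + path, self.dryrun)
        log.info(msg)
        if stdErr:
            # A failed sysctl write is a silent hardening gap; make it visible.
            log.info("stderr while writing " + path + ": " + str(stdErr))

    apply_sysctl(
        self.tcpabort,
        self.tcpabort_file,
        "ipv4 send TCP-RST on full buffer is activated",
        "ipv4 send TCP-RST on full buffer is deactivated",
    )
    # NOTE(review): icmp_echo_ignore_broadcasts=1 means *ignore* broadcasts, so answericmpbroadcast=YES
    # actually disables replies and the default "NO" writes 0, i.e. the host answers broadcast pings
    # (smurf amplification). The log lines below describe the kernel effect, not the key name.
    # Behaviour kept as-is so existing configs are not flipped; the key/semantics mismatch should be
    # resolved deliberately, with a config migration.
    apply_sysctl(
        self.icmpbcastreply,
        self.icmpbcastreply_file,
        "ipv4 reply to ICMP Broadcasts is deactivated",
        "ipv4 reply to ICMP Broadcasts is activated",
    )
    apply_sysctl(
        self.dynaddresshack,
        self.dynaddresshack_file,
        "ipv4 dynamic address hack activated",
        "ipv4 dynamic address hack deactivated",
    )
    apply_sysctl(
        self.ipv4forward,
        self.ipv4forwardfile,
        "ipv4 forwarding activated",
        "ipv4 forwarding deactivated",
    )
    apply_sysctl(
        self.syncookie,
        self.syncookiefile,
        "syncookie activated",
        "syncookie deactivated",
    )

    # Install the "head" default rules. iptables stderr used to be discarded; a rule that fails to
    # load leaves the host in an unknown state, so surface it in the log.
    self.default_config = abyleparse(
        self.fwconfigpath, "default", self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces, self.verbose
    )
    self.defaultrules = self.default_config.getDefaultRules("head")
    for drule in self.defaultrules:
        log.info("default-rule: " + drule)
        stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + drule, self.dryrun)
        if stdErr:
            log.info("stderr from default-rule '" + drule + "': " + str(stdErr))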