def initialize_ufw():
"""Initialize the UFW firewall
Ensure critical ports have explicit allows
:return: None
"""
if not config('enable-firewall'):
log("Firewall has been administratively disabled", "DEBUG")
return
# this charm will monitor exclusively the ports used, using 'allow' as
# default policy enables sharing the machine with other services
ufw.default_policy('allow', 'incoming')
ufw.default_policy('allow', 'outgoing')
ufw.default_policy('allow', 'routed')
# Rsync manages its own ACLs
ufw.service('rsync', 'open')
# Guarantee SSH access
ufw.service('ssh', 'open')
# Enable
ufw.enable(soft_fail=config('allow-ufw-ip6-softfail'))
# Allow GRE traffic
add_ufw_gre_rule(os.path.join(UFW_DIR, 'before.rules'))
ufw.reload()
def test_reload_fail(self, modprobe, check_output, log):
msg = 'This did not work\n'
check_output.return_value = msg
self.assertFalse(ufw.reload())
check_output.assert_any_call(['ufw', 'reload'],
universal_newlines=True,
env={'LANG': 'en_US',
'PATH': os.environ['PATH']})
log.assert_any_call(msg, level='DEBUG')
log.assert_any_call("ufw couldn't be reloaded", level='WARN')
def test_reload_ok(self, modprobe, check_output, log):
msg = 'Firewall reloaded\n'
check_output.return_value = msg
self.assertTrue(ufw.reload())
check_output.assert_any_call(['ufw', 'reload'],
universal_newlines=True,
env={'LANG': 'en_US',
'PATH': os.environ['PATH']})
log.assert_any_call(msg, level='DEBUG')
log.assert_any_call('ufw reloaded', level='INFO')