def initialize_ufw():
"""Initialize the UFW firewall
Ensure critical ports have explicit allows
:return: None
"""
# this charm will monitor exclusively the ports used, using 'allow' as
# default policy enables sharing the machine with other services
ufw.default_policy('allow', 'incoming')
# Rsync manages its own ACLs
ufw.service('rsync', 'open')
# Guarantee SSH access
ufw.service('ssh', 'open')
# Enable
ufw.enable(soft_fail=config('allow-ufw-ip6-softfail'))
def initialize_ufw():
"""Initialize the UFW firewall
Ensure critical ports have explicit allows
:return: None
"""
if not config('enable-firewall'):
log("Firewall has been administratively disabled", "DEBUG")
return
# this charm will monitor exclusively the ports used, using 'allow' as
# default policy enables sharing the machine with other services
ufw.default_policy('allow', 'incoming')
ufw.default_policy('allow', 'outgoing')
ufw.default_policy('allow', 'routed')
# Rsync manages its own ACLs
ufw.service('rsync', 'open')
# Guarantee SSH access
ufw.service('ssh', 'open')
# Enable
ufw.enable(soft_fail=config('allow-ufw-ip6-softfail'))
# Allow GRE traffic
add_ufw_gre_rule(os.path.join(UFW_DIR, 'before.rules'))
ufw.reload()
def test_change_default_policy_unexpected_output(self, check_output, log):
check_output.return_value = "asdf"
self.assertFalse(ufw.default_policy())
def test_change_default_policy_allow_outgoing(self, check_output, log):
check_output.return_value = DEFAULT_POLICY_OUTPUT_OUTGOING
self.assertTrue(ufw.default_policy('allow', 'outgoing'))
check_output.asser_any_call(['ufw', 'default', 'allow', 'outgoing'])
def test_change_default_policy(self, check_output, log):
check_output.return_value = DEFAULT_POLICY_OUTPUT
self.assertTrue(ufw.default_policy())
check_output.asser_any_call(['ufw', 'default', 'deny', 'incoming'])
