def _close_and_stop(self):
    """Remove the ids-ips firewall rules.

    A LocalFW for the 'ids_ips' owner is executed with no rule added at all;
    as the sibling _stopvpn does for the VPN, this presumably makes LocalFW
    clear the rules that owner previously installed -- TODO confirm against
    LocalFW.execute. Any failure is reported through writeError and then
    re-raised so the caller still observes it. The body is a generator and
    is presumably driven by @inlineCallbacks (the decorator is not visible in
    this extract).
    """
    ctx = Context.fromComponent(self)
    fw = LocalFW('ids_ips')
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        # Report first, then propagate: the caller decides how to recover.
        self.writeError(err, 'Error while handling firewall rules for the ids-ips')
        raise
def _stopvpn(self):
    """Disable the VPN support firewall rules.

    First runs vpnrules(self, False) off the reactor thread (deferToThread is
    presumably Twisted's), then executes a LocalFW for the 'vpn_support'
    owner that carries no rule: the original comment states this clears the
    existing rules instead of creating any. Errors are logged via writeError
    and re-raised. Generator body, presumably driven by @inlineCallbacks (the
    decorator is outside this extract).
    """
    yield deferToThread(vpnrules, self, False)
    # An empty rule set: nothing is added, existing 'vpn_support' rules go away.
    fw = LocalFW('vpn_support')
    ctx = Context.fromComponent(self)
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        self.writeError(err, 'Error while disabling firewall rules for the VPN support')
        raise
def _startvpn(self):
    """Install the VPN support firewall rules.

    Does nothing (returnValue(False)) when isVpnSupportRunningOrPending(self)
    is already true. Otherwise vpnrules(self, True) runs off-thread and a
    LocalFW for the 'vpn_support' owner receives, in this order:
      * a FORWARD rule dropping everything arriving on the `support` interface;
      * INPUT rules accepting udp/8080 and tcp/8443, tcp/22 from `support`.
    The DROP lives in FORWARD and the ACCEPTs in INPUT, so the -I insertions
    do not shadow each other. Failures are reported via writeError and
    re-raised. Generator body, presumably under @inlineCallbacks (decorator
    not visible here).
    """
    if isVpnSupportRunningOrPending(self):
        returnValue(False)
    yield deferToThread(vpnrules, self, True)
    fw = LocalFW('vpn_support')
    # Build the rule list first, then hand it over in the same order as before.
    rules = [
        '-I FORWARD -i support -j DROP',
        '-I INPUT -i support -p udp --dport 8080 -j ACCEPT',
    ]
    for port in ("8443", "22"):
        rules.append('-I INPUT -i support -p tcp --dport %s -j ACCEPT' % port)
    for rule in rules:
        fw.call('addFilterIptable', False, rule)
    ctx = Context.fromComponent(self)
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        self.writeError(err, 'Error while enabling firewall rules for the VPN support')
        raise
def _open_firewall(self):
    """Install the ids-ips firewall rules that divert traffic to NFQUEUE.

    Rules handed to the 'ids_ips' LocalFW, in order:
      * mangle POSTROUTING: packets marked 0x20000 get that bit cleared
        (--and-mark 0xfffdffff is the complement of 0x20000);
      * filter: a new IPS_NETS chain; for every configured network one rule
        matching it as destination and one as source, both sending the
        packet to NFQUEUE IDS_IPS_QUEUE_NUM -- the original comment notes
        Snort_inline inspects traffic both ways;
      * filter FORWARD: packets NOT marked 0x20000 jump to IPS_NETS.
    Network addresses come from self.ids_ips_cfg.networks via strNormal(1)
    and are interpolated into the rule text as-is; no validation happens
    here, so presumably the config layer guarantees well-formed values --
    TODO confirm. Failures are reported via writeError and re-raised.
    Generator body, presumably under @inlineCallbacks (decorator not visible
    in this extract).
    """
    fw = LocalFW('ids_ips')

    def add_filter(rule):
        # All filter-table rules share the same call shape.
        fw.call('addFilterIptable', False, rule)

    fw.call('addMangleIptable', False,
            '-A POSTROUTING -m mark --mark 0x20000/0x20000 -j MARK --and-mark 0xfffdffff')
    add_filter('-N IPS_NETS')
    for network in self.ids_ips_cfg.networks:
        addr = network.strNormal(1)
        # Destination match first, then source match, per network.
        for match_flag in ('-d', '-s'):
            add_filter('-A IPS_NETS %s %s -j NFQUEUE --queue-num %d'
                       % (match_flag, addr, IDS_IPS_QUEUE_NUM))
    add_filter('-I FORWARD -m mark ! --mark 0x20000/0x20000 -j IPS_NETS')
    ctx = Context.fromComponent(self)
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        self.writeError(err, 'Error while handling firewall rules for the ids-ips')
        raise