Esempio n. 1
0
    def call(self, macl):
        in_acl = []
        out_acl = []

        for ip in [self.dns_servers, self.dns_servers + self.dns_servers_old
                   ][self.args == ['old']]:
            in_acl.append(
                metacl.Rule('permit',
                            metacl.Filter(['tcp', 'udp'],
                                          macl.context.get_alias('local'),
                                          IPv4Descriptor(ip),
                                          dports=metacl.Ports('53'),
                                          parent=self),
                            parent=self))

            out_acl.append(
                metacl.Rule('permit',
                            metacl.Filter(['tcp', 'udp'],
                                          IPv4Descriptor(ip),
                                          macl.context.get_alias('local'),
                                          sports=metacl.Ports('53'),
                                          parent=self),
                            parent=self))

        macl.acl_in = in_acl + macl.acl_in
        macl.acl_out = out_acl + macl.acl_out

        return macl
Esempio n. 2
0
    def call(self, macl):
        if self.args == ['old']:
            for ip in self.dns_servers_old:
                macl.acl_in.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(['tcp', 'udp'],
                                              macl.context.get_alias('local'),
                                              IPv4Descriptor(ip),
                                              dports=metacl.Ports('53'),
                                              parent=self),
                                parent=self))

                macl.acl_out.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(['tcp', 'udp'],
                                              IPv4Descriptor(ip),
                                              macl.context.get_alias('local'),
                                              sports=metacl.Ports('53'),
                                              parent=self),
                                parent=self))

        macl.acl_in.insert(
            0,
            metacl.Rule('permit',
                        metacl.Filter(['tcp', 'udp'],
                                      macl.context.get_alias('local'),
                                      macl.context.get_alias('dns_server'),
                                      dports=metacl.Ports('53'),
                                      parent=self),
                        parent=self))

        macl.acl_out.insert(
            0,
            metacl.Rule('permit',
                        metacl.Filter(['tcp', 'udp'],
                                      macl.context.get_alias('dns_server'),
                                      macl.context.get_alias('local'),
                                      sports=metacl.Ports('53'),
                                      parent=self),
                        parent=self))
Esempio n. 3
0
    def call(self, macl):
        local6 = macl.context.get_alias('local', ip_versions='ipv6')[0]
        first = [ipaddr.IPNetwork(local6[1]), ipaddr.IPNetwork(local6[2])]

        macl.acl_in.insert(
            0,
            metacl.Rule('permit',
                        metacl.Filter(['udp'],
                                      macl.context.get_alias('local'),
                                      first,
                                      dports=metacl.Ports('546,547'),
                                      parent=self),
                        parent=self))
Esempio n. 4
0
    def call(self, macl):
        #        if len(self.args) == 0:
        for h in self.args:
            # Open only given hosts to nagios
            h = metacl.string_to_ips(h, context=macl.context)

            macl.acl_in.insert(
                0,
                metacl.Rule('permit',
                            metacl.Filter(['ip'],
                                          h,
                                          macl.context.get_alias('faucam'),
                                          parent=self),
                            parent=self))
            macl.acl_in.insert(
                1,
                metacl.Rule('deny',
                            metacl.Filter(['ip'],
                                          h,
                                          macl.context.get_alias('any'),
                                          parent=self),
                            parent=self))
            macl.acl_out.insert(
                0,
                metacl.Rule('permit',
                            metacl.Filter(['ip'],
                                          macl.context.get_alias('faucam'),
                                          h,
                                          parent=self),
                            parent=self))
            macl.acl_out.insert(
                1,
                metacl.Rule('deny',
                            metacl.Filter(['ip'],
                                          macl.context.get_alias('any'),
                                          h,
                                          parent=self),
                            parent=self))
Esempio n. 5
0
    def call(self, macl):
        local = macl.context.get_alias('local')
        x = map(lambda x: metacl.string_to_ips(x, context=macl.context),
                self.args)
        ips = list(itertools.chain(*x))

        macl.acl_out.insert(
            0,
            metacl.Rule('deny',
                        metacl.Filter(['ip'],
                                      macl.context.get_alias('any'),
                                      ips,
                                      parent=self),
                        parent=self))

        macl.acl_in.insert(
            0,
            metacl.Rule('deny',
                        metacl.Filter(['ip'],
                                      ips,
                                      macl.context.get_alias('any'),
                                      parent=self),
                        parent=self))
Esempio n. 6
0
    def call(self, macl):
        if len(self.args) == 0:
            # Open whole net to nagios
            macl.acl_in.insert(
                0,
                metacl.Rule.from_string('permit icmp,tcp,udp local $nagios',
                                        context=macl.context,
                                        parent=self))

            macl.acl_out.insert(
                0,
                metacl.Rule.from_string('permit icmp,tcp,udp $nagios local',
                                        context=macl.context,
                                        parent=self))
        else:
            for h in self.args:
                # Open only given hosts to nagios
                h = metacl.string_to_ips(h, context=macl.context)

                macl.acl_in.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(['icmp', 'tcp', 'udp'],
                                              h,
                                              macl.context.get_alias('nagios'),
                                              parent=self),
                                parent=self))

                macl.acl_out.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(['icmp', 'tcp', 'udp'],
                                              macl.context.get_alias('nagios'),
                                              h,
                                              parent=self),
                                parent=self))
Esempio n. 7
0
    def call(self, macl):
        bc = IPv4Descriptor('255.255.255.255') + \
            map(lambda x: ipaddr.IPNetwork(x.broadcast),
                macl.context.get_alias('local', ip_versions='ipv4'))

        macl.acl_in.insert(
            0,
            metacl.Rule('deny',
                        metacl.Filter(['ip'],
                                      macl.context.get_alias(
                                          'any', ip_versions='ipv4'),
                                      bc,
                                      parent=self),
                        parent=self))

        macl.acl_out.insert(
            0,
            metacl.Rule('deny',
                        metacl.Filter(['ip'],
                                      macl.context.get_alias(
                                          'any', ip_versions='ipv4'),
                                      bc,
                                      parent=self),
                        parent=self))
Esempio n. 8
0
    def call(self, macl):
        if len(self.args) == 0:
            # Open whole net to netbackup
            macl.acl_in.insert(
                0,
                metacl.Rule.from_string(
                    'permit tcp local 13782 $netbackup established',
                    context=macl.context,
                    parent=self))

            macl.acl_in.insert(
                0,
                metacl.Rule.from_string('permit tcp local $netbackup 13782',
                                        context=macl.context,
                                        parent=self))

            macl.acl_in.insert(
                0,
                metacl.Rule.from_string('permit tcp local $netbackup 13724',
                                        context=macl.context,
                                        parent=self))

            macl.acl_in.insert(
                0,
                metacl.Rule.from_string('permit tcp local $netbackup 13720',
                                        context=macl.context,
                                        parent=self))

            macl.acl_out.insert(
                0,
                metacl.Rule.from_string(
                    'permit tcp $netbackup 13782 local established',
                    context=macl.context,
                    parent=self))

            macl.acl_out.insert(
                0,
                metacl.Rule.from_string(
                    'permit tcp $netbackup 13724 local established',
                    context=macl.context,
                    parent=self))

            macl.acl_out.insert(
                0,
                metacl.Rule.from_string(
                    'permit tcp $netbackup 13720 local established',
                    context=macl.context,
                    parent=self))

            macl.acl_out.insert(
                0,
                metacl.Rule.from_string('permit tcp $netbackup local 13782',
                                        context=macl.context,
                                        parent=self))

        else:
            for h in self.args:
                # Open only given hosts to netbackup
                h = metacl.string_to_ips(h, context=macl.context)

                macl.acl_in.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(
                                    ['tcp'],
                                    h,
                                    macl.context.get_alias('netbackup'),
                                    sports=metacl.Ports('13782'),
                                    parent=self),
                                extensions=['established'],
                                parent=self))

                macl.acl_in.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(
                                    ['tcp'],
                                    h,
                                    macl.context.get_alias('netbackup'),
                                    dports=metacl.Ports('13720,13724,13782'),
                                    parent=self),
                                parent=self))

                macl.acl_out.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(
                                    ['tcp'],
                                    macl.context.get_alias('netbackup'),
                                    h,
                                    sports=metacl.Ports('13720,13724,13782'),
                                    parent=self),
                                extensions=['established'],
                                parent=self))

                macl.acl_out.insert(
                    0,
                    metacl.Rule('permit',
                                metacl.Filter(
                                    ['tcp'],
                                    macl.context.get_alias('netbackup'),
                                    h,
                                    dports=metacl.Ports('13782'),
                                    parent=self),
                                parent=self))
Esempio n. 9
0
    def call(self, macl):
        if 'ipv6' in macl.context.ip_versions:
            local6 = macl.context.get_alias('local', ip_versions='ipv6')[0]
            first = [ipaddr.IPNetwork(local6[1]), ipaddr.IPNetwork(local6[2])]

            macl.acl_out.insert(
                0,
                metacl.Rule.from_string('permit ip any fe80::/10',
                                        context=macl.context,
                                        parent=self))
            macl.acl_out.insert(
                1,
                metacl.Rule('permit',
                            metacl.Filter(['icmp'],
                                          macl.context.get_alias('local'),
                                          first,
                                          parent=self),
                            parent=self))
            macl.acl_in.insert(
                0,
                metacl.Rule.from_string('permit ip fe80::/10 any',
                                        context=macl.context,
                                        parent=self))
            macl.acl_in.insert(
                1,
                metacl.Rule.from_string('permit ip local fe80::/10',
                                        context=macl.context,
                                        parent=self))
            macl.acl_in.insert(
                2,
                metacl.Rule('permit',
                            metacl.Filter(['icmp'],
                                          macl.context.get_alias('local'),
                                          first,
                                          parent=self),
                            parent=self))

        if 'ipv4' in macl.context.ip_versions:
            local = macl.context.get_alias('local', ip_versions='ipv4')[0]
            first = [ipaddr.IPNetwork(local[1])]
            last = [ipaddr.IPNetwork(local[-3]), ipaddr.IPNetwork(local[-2])]
            temp_aliases = {
                'first': first,
                'last': last,
                'firstlast': first + last
            }

            # Rules to be inserted at top of IN list:
            rules_in = [
                'permit ip $firstlast 224.0.0.1',
                'permit udp $firstlast 1985 224.0.0.2 1985',
                'permit udp $firstlast 1985 224.0.0.102 1985',
                'permit ip $firstlast 224.0.0.13',
                'permit tcp local $firstlast established',
                'permit icmp local $firstlast',
                'permit udp local $ntp_server 123',
                'permit udp local $first 123',
                'deny ip any $firstlast',
            ]

            # We have to reverse the order, since insertion will be done at beginning of list
            rules_in.reverse()
            # Injecting rules into acl_in
            for r in rules_in:
                macl.acl_in.insert(
                    0,
                    metacl.Rule.from_string(r,
                                            context=macl.context,
                                            temp_aliases=temp_aliases,
                                            parent=self))

            # Rules to be inserted at top of OUT list:
            rules_out = [
                'permit ip $firstlast local',
                'permit icmp local $firstlast',
                'permit udp $ntp_server 123 local',
                'permit ip any 224.0.0.0/4',
            ]

            # We have to reverse the order, since insertion will be done at beginning of list
            rules_out.reverse()
            # Injecting rules into acl_out
            for r in rules_out:
                macl.acl_out.insert(
                    0,
                    metacl.Rule.from_string(r,
                                            context=macl.context,
                                            temp_aliases=temp_aliases,
                                            parent=self))