コード例 #1
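	def __init__(self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose):
		"""Read the global firewall config, apply the global IPv4 /proc
		switches and install the "head" default iptables rules.

		The arguments are stored on the instance unchanged:
		  dryrun        - passed to abyle_execute.run() with every command
		  iptablesbin   - iptables binary used for the default rules
		  fwconfigpath  - directory holding the firewall configuration
		  rulesfile     - rules file handed to abyleparse()
		  ipt_xmlconfig - iptables XML config handed to abyleparse()
		  xmlconfig     - global XML config handed to abyle_config_parse()
		  echocmd       - echo binary used to write the /proc switches
		  logfile       - log target for abyle_output()
		  verbose       - verbosity flag for abyle_output()

		Every config key except "excluded_interfaces" has a built-in default;
		getConfig() signals a missing key with IndexError, which is the only
		error handled here.
		"""
		self.naptime = 10 # milliseconds
		self.dryrun = dryrun
		self.iptablesbin = iptablesbin
		self.fwconfigpath = fwconfigpath
		self.rulesfile = rulesfile
		self.ipt_xmlconfig = ipt_xmlconfig
		self.xmlconfig = xmlconfig
		self.logfile = logfile
		self.verbose = verbose
		self.echocmd = echocmd

		self.executioner = abyle_execute()

		global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig)

		def cfg(key, default):
			# getConfig() raises IndexError for a key that is not in the config
			try:
				return global_config.getConfig(key)
			except IndexError:
				return default

		def flag(key, default):
			# yes/no switches are normalised to upper case for the comparisons below
			return cfg(key, default).upper()

		def out(msg, color):
			# headline/banner line that carries no command output
			abyle_output("", "", "", msg, color, self.logfile, self.verbose)

		def set_switch(path, value, msg):
			# Written through the shell (echo + redirect) so that dryrun is honoured
			# by executioner.run(). `path` comes from the admin config and is spliced
			# into the command line unquoted. stdErr is handed to abyle_output so a
			# failed write (e.g. a missing /proc file) is visible in the log.
			stdOut, stdErr = self.executioner.run(self.echocmd+' '+value+' > '+path, self.dryrun)
			abyle_output("abyle_firewall", stdErr, stdOut, msg, "default", self.logfile, self.verbose)

		# no fallback: a config without excluded_interfaces is an error
		self.excludedInterfaces = global_config.getConfig("excluded_interfaces")

		# absolute /proc files of the global IPv4 switches
		# (the former fallback ".../tcpicmpbcastfile_abort_on_overflow" named a
		# file that does not exist; the kernel knob is tcp_abort_on_overflow)
		self.tcpabort_file = cfg("tcpabortfile", "/proc/sys/net/ipv4/tcp_abort_on_overflow")
		self.icmpbcastreply_file = cfg("icmpbcastfile", "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")
		self.dynaddresshack_file = cfg("dynaddresshackfile", "/proc/sys/net/ipv4/ip_dynaddr")
		self.syncookiefile = cfg("syncookiefile", "/proc/sys/net/ipv4/tcp_syncookies")
		self.ipv4forwardfile = cfg("ipv4forwardfile", "/proc/sys/net/ipv4/ip_forward")

		# per-interface knobs (file names below ipv4conf_path); only stored here,
		# nothing in __init__ writes them
		self.ipv4conf_path = cfg("ipv4confpath", "/proc/sys/net/ipv4/conf/")
		self.antispoofing_file = cfg("antispoofingfile", "rp_filter")
		self.proxyarp_file = cfg("proxyarpfile", "proxy_arp")
		self.srouting_file = cfg("sroutingfile", "accept_source_route")
		self.icmpredirects_file = cfg("icmprdrsfile", "accept_redirects")
		self.secureicmpredirects_file = cfg("icmpsecurerdrsfile", "secure_redirects")
		self.martians_file = cfg("martiansfile", "log_martians")
		self.bootprelay_file = cfg("bootprelayfile", "bootp_relay")

		# yes/no switches. Anything but the literal "NO" counts as enabled, so a
		# typo in the config turns the feature ON; only syncookies default to on.
		self.syncookie = flag("syncookie", "YES")
		self.ipv4forward = flag("ipv4forward", "NO") # the fallback used to clobber self.syncookie instead
		self.tcpabort = flag("aborttcp", "NO")
		self.icmpbcastreply = flag("answericmpbroadcast", "NO")
		self.dynaddresshack = flag("dynaddresshack", "NO")

		now = datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S")
		out("", "blue")
		out("######################################### STARTUP #########################################", "green")
		out("", "blue")
		out("startup time: "+now, "default")
		out("", "blue")

		out("IPv4 send RST on full tcp buffer:", "blue")
		if self.tcpabort != "NO":
			set_switch(self.tcpabort_file, '1', "ipv4 send TCP-RST on full buffer is activated")
		else:
			set_switch(self.tcpabort_file, '0', "ipv4 send TCP-RST on full buffer is deactivated")

		out("IPv4 Reply to ICMP Broadcast:", "blue")
		# icmp_echo_ignore_broadcasts is inverted relative to the config key:
		# 1 = ignore broadcast pings. The old code wrote 1 for "YES", so
		# answericmpbroadcast=YES silenced replies and the default "NO" left the
		# host answering broadcast pings (smurf amplification).
		if self.icmpbcastreply != "NO":
			set_switch(self.icmpbcastreply_file, '0', "ipv4 reply to ICMP Broadcasts is activated")
		else:
			set_switch(self.icmpbcastreply_file, '1', "ipv4 reply to ICMP Broadcasts is deactivated")

		out("IPv4 Dynamic-Address-Hack:", "blue")
		if self.dynaddresshack != "NO":
			set_switch(self.dynaddresshack_file, '1', "ipv4 dynamic address hack activated")
		else:
			set_switch(self.dynaddresshack_file, '0', "ipv4 dynamic address hack deactivated")

		out("IPv4 FORWARDING:", "blue")
		if self.ipv4forward != "NO":
			set_switch(self.ipv4forwardfile, '1', "ipv4 forwarding activated")
		else:
			set_switch(self.ipv4forwardfile, '0', "ipv4 forwarding deactivated")

		out("SYNCOOKIE:", "blue")
		if self.syncookie != "NO":
			set_switch(self.syncookiefile, '1', "syncookie activated")
		else:
			set_switch(self.syncookiefile, '0', "syncookie deactivated")

		# default iptables rules of the "head" section
		self.default_config = abyleparse(self.fwconfigpath, "default", self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces)
		self.defaultrules = self.default_config.getDefaultRules("head")

		for drule in self.defaultrules:
			abyle_output("abyle_firewall_buildUpFinish_head", "", "", "default-rule: "+drule, "default", self.logfile, self.verbose)
			stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+drule, self.dryrun)
			if stdErr:
				# a rule iptables rejected would otherwise vanish silently
				abyle_output("abyle_firewall_buildUpFinish_head", stdErr, stdOut, "default-rule failed: "+drule, "default", self.logfile, self.verbose)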
コード例 #2
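    def __init__(self, dryrun, iptablesbin, fwconfigpath, rulesfile,
                 ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose):
        """Read the global firewall config, apply the global IPv4 /proc
        switches and install the "head" default iptables rules.

        Args:
            dryrun: passed to abyle_execute.run() with every command.
            iptablesbin: iptables binary used for the default rules.
            fwconfigpath: directory holding the firewall configuration.
            rulesfile: rules file handed to abyleparse().
            ipt_xmlconfig: iptables XML config handed to abyleparse().
            xmlconfig: global XML config handed to abyle_config_parse().
            echocmd: echo binary used to write the /proc switches.
            logfile: stored on the instance; not used by this method.
            verbose: passed on to abyle_config_parse() and abyleparse().

        Every config key except "excluded_interfaces" has a built-in
        default; getConfig() signals a missing key with IndexError, which
        is the only error handled here.
        """
        self.naptime = 10  # milliseconds
        self.dryrun = dryrun
        self.iptablesbin = iptablesbin
        self.fwconfigpath = fwconfigpath
        self.rulesfile = rulesfile
        self.ipt_xmlconfig = ipt_xmlconfig
        self.xmlconfig = xmlconfig
        self.logfile = logfile
        self.verbose = verbose
        self.echocmd = echocmd

        self.executioner = abyle_execute()

        global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig,
                                           self.verbose)

        def cfg(key, default):
            # getConfig() raises IndexError for a key that is not in the config
            try:
                return global_config.getConfig(key)
            except IndexError:
                return default

        def flag(key, default):
            # yes/no switches are normalised to upper case for the
            # comparisons below
            return str(cfg(key, default)).upper()

        # no fallback: a config without excluded_interfaces is an error
        self.excludedInterfaces = global_config.getConfig(
            "excluded_interfaces")

        # absolute /proc files of the global IPv4 switches (the former
        # fallback ".../tcpicmpbcastfile_abort_on_overflow" named a file that
        # does not exist; the kernel knob is tcp_abort_on_overflow)
        self.tcpabort_file = cfg(
            "tcpabortfile", "/proc/sys/net/ipv4/tcp_abort_on_overflow")
        self.icmpbcastreply_file = cfg(
            "icmpbcastfile", "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")
        self.dynaddresshack_file = cfg(
            "dynaddresshackfile", "/proc/sys/net/ipv4/ip_dynaddr")
        self.syncookiefile = cfg(
            "syncookiefile", "/proc/sys/net/ipv4/tcp_syncookies")
        self.ipv4forwardfile = cfg(
            "ipv4forwardfile", "/proc/sys/net/ipv4/ip_forward")

        # per-interface knobs (file names below ipv4conf_path); only stored
        # here, nothing in __init__ writes them
        self.ipv4conf_path = cfg("ipv4confpath", "/proc/sys/net/ipv4/conf/")
        self.antispoofing_file = cfg("antispoofingfile", "rp_filter")
        self.proxyarp_file = cfg("proxyarpfile", "proxy_arp")
        self.srouting_file = cfg("sroutingfile", "accept_source_route")
        self.icmpredirects_file = cfg("icmprdrsfile", "accept_redirects")
        self.secureicmpredirects_file = cfg(
            "icmpsecurerdrsfile", "secure_redirects")
        self.martians_file = cfg("martiansfile", "log_martians")
        self.bootprelay_file = cfg("bootprelayfile", "bootp_relay")

        # yes/no switches. Anything but the literal "NO" counts as enabled,
        # so a typo in the config turns the feature ON; only syncookies
        # default to on.
        self.syncookie = flag("syncookie", "YES")
        # the fallback used to clobber self.syncookie instead of this field
        self.ipv4forward = flag("ipv4forward", "NO")
        self.tcpabort = flag("aborttcp", "NO")
        self.icmpbcastreply = flag("answericmpbroadcast", "NO")
        self.dynaddresshack = flag("dynaddresshack", "NO")

        log = logger("firewall")

        def set_switch(path, value, msg):
            # Written through the shell (echo + redirect) so that dryrun is
            # honoured by executioner.run(). `path` comes from the admin
            # config and is spliced into the command line unquoted. stdErr
            # is logged because a failed write (e.g. a missing /proc file)
            # must not pass silently; logger() only shows .info() here, use
            # a warning level if it has one -- TODO confirm.
            stdOut, stdErr = self.executioner.run(
                self.echocmd + ' ' + value + ' > ' + path, self.dryrun)
            log.info(msg)
            if stdErr:
                log.info("writing " + path + " failed: " + str(stdErr))

        if self.tcpabort != "NO":
            set_switch(self.tcpabort_file, '1',
                       "ipv4 send TCP-RST on full buffer is activated")
        else:
            set_switch(self.tcpabort_file, '0',
                       "ipv4 send TCP-RST on full buffer is deactivated")

        # icmp_echo_ignore_broadcasts is inverted relative to the config key:
        # 1 = ignore broadcast pings. The old code wrote 1 for "YES", so
        # answericmpbroadcast=YES silenced replies and the default "NO" left
        # the host answering broadcast pings (smurf amplification).
        if self.icmpbcastreply != "NO":
            set_switch(self.icmpbcastreply_file, '0',
                       "ipv4 reply to ICMP Broadcasts is activated")
        else:
            set_switch(self.icmpbcastreply_file, '1',
                       "ipv4 reply to ICMP Broadcasts is deactivated")

        if self.dynaddresshack != "NO":
            set_switch(self.dynaddresshack_file, '1',
                       "ipv4 dynamic address hack activated")
        else:
            set_switch(self.dynaddresshack_file, '0',
                       "ipv4 dynamic address hack deactivated")

        if self.ipv4forward != "NO":
            set_switch(self.ipv4forwardfile, '1', "ipv4 forwarding activated")
        else:
            set_switch(self.ipv4forwardfile, '0',
                       "ipv4 forwarding deactivated")

        if self.syncookie != "NO":
            set_switch(self.syncookiefile, '1', "syncookie activated")
        else:
            set_switch(self.syncookiefile, '0', "syncookie deactivated")

        # default iptables rules of the "head" section
        self.default_config = abyleparse(self.fwconfigpath, "default",
                                         self.rulesfile, self.ipt_xmlconfig,
                                         self.excludedInterfaces, self.verbose)
        self.defaultrules = self.default_config.getDefaultRules("head")

        for drule in self.defaultrules:
            log.info("default-rule: " + drule)
            stdOut, stdErr = self.executioner.run(
                self.iptablesbin + ' ' + drule, self.dryrun)
            if stdErr:
                # a rule iptables rejected would otherwise vanish silently
                log.info("default-rule failed: " + drule + ": " + str(stdErr))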
コード例 #3
ファイル: abyle_firewall.py プロジェクト: scuq/abyle-firewall
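    def __init__(
        self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose
    ):
        """Read the global firewall config, apply the global IPv4 /proc switches and install the
        "head" default iptables rules.

        Args:
            dryrun: passed to abyle_execute.run() with every command.
            iptablesbin: iptables binary used for the default rules.
            fwconfigpath: directory holding the firewall configuration.
            rulesfile: rules file handed to abyleparse().
            ipt_xmlconfig: iptables XML config handed to abyleparse().
            xmlconfig: global XML config handed to abyle_config_parse().
            echocmd: echo binary used to write the /proc switches.
            logfile: stored on the instance; not used by this method.
            verbose: passed on to abyle_config_parse() and abyleparse().

        Every config key except "excluded_interfaces" has a built-in default; getConfig() signals
        a missing key with IndexError, which is the only error handled here.
        """
        self.naptime = 10  # milliseconds
        self.dryrun = dryrun
        self.iptablesbin = iptablesbin
        self.fwconfigpath = fwconfigpath
        self.rulesfile = rulesfile
        self.ipt_xmlconfig = ipt_xmlconfig
        self.xmlconfig = xmlconfig
        self.logfile = logfile
        self.verbose = verbose
        self.echocmd = echocmd

        self.executioner = abyle_execute()

        global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig, self.verbose)

        def cfg(key, default):
            # getConfig() raises IndexError for a key that is not in the config
            try:
                return global_config.getConfig(key)
            except IndexError:
                return default

        def flag(key, default):
            # yes/no switches are normalised to upper case for the comparisons below
            return str(cfg(key, default)).upper()

        # no fallback: a config without excluded_interfaces is an error
        self.excludedInterfaces = global_config.getConfig("excluded_interfaces")

        # absolute /proc files of the global IPv4 switches (the former fallback
        # ".../tcpicmpbcastfile_abort_on_overflow" named a file that does not exist; the kernel
        # knob is tcp_abort_on_overflow)
        self.tcpabort_file = cfg("tcpabortfile", "/proc/sys/net/ipv4/tcp_abort_on_overflow")
        self.icmpbcastreply_file = cfg("icmpbcastfile", "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")
        self.dynaddresshack_file = cfg("dynaddresshackfile", "/proc/sys/net/ipv4/ip_dynaddr")
        self.syncookiefile = cfg("syncookiefile", "/proc/sys/net/ipv4/tcp_syncookies")
        self.ipv4forwardfile = cfg("ipv4forwardfile", "/proc/sys/net/ipv4/ip_forward")

        # per-interface knobs (file names below ipv4conf_path); only stored here, nothing in
        # __init__ writes them
        self.ipv4conf_path = cfg("ipv4confpath", "/proc/sys/net/ipv4/conf/")
        self.antispoofing_file = cfg("antispoofingfile", "rp_filter")
        self.proxyarp_file = cfg("proxyarpfile", "proxy_arp")
        self.srouting_file = cfg("sroutingfile", "accept_source_route")
        self.icmpredirects_file = cfg("icmprdrsfile", "accept_redirects")
        self.secureicmpredirects_file = cfg("icmpsecurerdrsfile", "secure_redirects")
        self.martians_file = cfg("martiansfile", "log_martians")
        self.bootprelay_file = cfg("bootprelayfile", "bootp_relay")

        # yes/no switches. Anything but the literal "NO" counts as enabled, so a typo in the
        # config turns the feature ON; only syncookies default to on.
        self.syncookie = flag("syncookie", "YES")
        self.ipv4forward = flag("ipv4forward", "NO")  # the fallback used to clobber self.syncookie
        self.tcpabort = flag("aborttcp", "NO")
        self.icmpbcastreply = flag("answericmpbroadcast", "NO")
        self.dynaddresshack = flag("dynaddresshack", "NO")

        log = logger("firewall")

        def set_switch(path, value, msg):
            # Written through the shell (echo + redirect) so that dryrun is honoured by
            # executioner.run(). `path` comes from the admin config and is spliced into the
            # command line unquoted. stdErr is logged because a failed write (e.g. a missing
            # /proc file) must not pass silently; logger() only shows .info() here, use a
            # warning level if it has one -- TODO confirm.
            stdOut, stdErr = self.executioner.run(self.echocmd + " " + value + " > " + path, self.dryrun)
            log.info(msg)
            if stdErr:
                log.info("writing " + path + " failed: " + str(stdErr))

        if self.tcpabort != "NO":
            set_switch(self.tcpabort_file, "1", "ipv4 send TCP-RST on full buffer is activated")
        else:
            set_switch(self.tcpabort_file, "0", "ipv4 send TCP-RST on full buffer is deactivated")

        # icmp_echo_ignore_broadcasts is inverted relative to the config key: 1 = ignore broadcast
        # pings. The old code wrote 1 for "YES", so answericmpbroadcast=YES silenced replies and
        # the default "NO" left the host answering broadcast pings (smurf amplification).
        if self.icmpbcastreply != "NO":
            set_switch(self.icmpbcastreply_file, "0", "ipv4 reply to ICMP Broadcasts is activated")
        else:
            set_switch(self.icmpbcastreply_file, "1", "ipv4 reply to ICMP Broadcasts is deactivated")

        if self.dynaddresshack != "NO":
            set_switch(self.dynaddresshack_file, "1", "ipv4 dynamic address hack activated")
        else:
            set_switch(self.dynaddresshack_file, "0", "ipv4 dynamic address hack deactivated")

        if self.ipv4forward != "NO":
            set_switch(self.ipv4forwardfile, "1", "ipv4 forwarding activated")
        else:
            set_switch(self.ipv4forwardfile, "0", "ipv4 forwarding deactivated")

        if self.syncookie != "NO":
            set_switch(self.syncookiefile, "1", "syncookie activated")
        else:
            set_switch(self.syncookiefile, "0", "syncookie deactivated")

        # default iptables rules of the "head" section
        self.default_config = abyleparse(
            self.fwconfigpath, "default", self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces, self.verbose
        )
        self.defaultrules = self.default_config.getDefaultRules("head")

        for drule in self.defaultrules:
            log.info("default-rule: " + drule)
            stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + drule, self.dryrun)
            if stdErr:
                # a rule iptables rejected would otherwise vanish silently
                log.info("default-rule failed: " + drule + ": " + str(stdErr))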