def _discover_iptables(self):
    """
    Look for running docker service.  If found, check for containers that require firewall rules.

    NOTE(review): the body below runs ``ntpq -p -n`` and splits each output line on
    ``'|'``, which does not match the docker purpose stated here; it reads like the
    NTP discovery method was copied as a starting point.  The loop body ends right
    after the split in this listing, so the remainder of the method (and any final
    ``return``) is not visible here -- treat docker discovery as unimplemented until
    the rest of the method is confirmed.

    :return: the (empty) rules list on the early-exit paths shown here.
    """
    rules = list()
    docker = which('docker')
    if not docker:
        _logger.debug("{0}: Failed to find 'docker' executable.".format(
            self._module))
        return rules
    if not is_service_running('docker'):
        _logger.debug("{0}: Docker service not running.".format(
            self._module))
        return rules
    # stderr is not captured, so stderrdata below is always None and the
    # condition on it never fails; the exit status in ``result`` is unused.
    p = subprocess.Popen([u'ntpq', u'-p', u'-n'], stdout=subprocess.PIPE)
    stdoutdata, stderrdata = p.communicate()
    result = p.wait()
    if stderrdata is None:
        data = stdoutdata.decode('utf-8')
        for line in data.split('\n'):
            # Visible part of the loop ends here; ``items`` is never used.
            items = line.split('|')
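def _discover_iptables(self):
    """
    Build firewall rules for the NTP peers that ntpd is currently using.

    Runs ``ntpq -p -n`` (numeric output, no reverse DNS) and, for every peer
    line, strips the one-character ntpq tally code from the first column to
    obtain the peer address, then creates a UDP/123 egress+ingress rule for it
    in this module's slot.

    :return: list of iptables rules; empty when ntpq is not installed, ntpd is
             not running, or ntpq exits with a non-zero status.
    """
    rules = list()
    ntpq = which(u'ntpq')
    if not ntpq:
        _logger.debug('Failed to find program path for "{0}"'.format('ntpq'))
        return rules
    # Check to see if ntpd is running
    if not is_service_running('ntpd'):
        _logger.debug('ntpd is not running.')
        return rules
    # Argument list, no shell.  stderr is left uncaptured, so communicate()
    # only yields stdout; the exit status is the failure signal.
    p = subprocess.Popen([u'ntpq', u'-p', u'-n'], stdout=subprocess.PIPE)
    stdoutdata, _ = p.communicate()
    # The earlier test (``stderrdata is None``) was always true because stderr
    # was never captured, so a failed ntpq run was parsed as if it succeeded.
    if p.returncode != 0:
        _logger.debug('{0}: ntpq exited with status {1}; no NTP peers discovered.'.format(
            self.get_name(), p.returncode))
        return rules
    # Peer lines begin with a tally code; header, separator and blank lines do
    # not.  Membership in a set (not a substring test on '+-*x.#o') so that an
    # empty first field can never match.
    tally_codes = frozenset('+-*x.#o')
    data = stdoutdata.decode('utf-8', 'replace')
    for line in data.split('\n'):
        first_field = line.split(' ', 1)[0]
        if first_field[:1] not in tally_codes:
            continue
        ipaddr = first_field[1:]
        if not ipaddr:
            # A bare tally code with nothing after it cannot form a rule.
            continue
        # NOTE(review): ntpq's "remote" column has a fixed width, so a long
        # (IPv6) address may arrive truncated here and the resulting rule would
        # not match the real peer; a syntactic address check before the rule is
        # built is worth confirming against the rule helper's expectations.
        _logger.debug('{0}: adding NTP Client Rules for {1}'.format(self.get_name(), ipaddr))
        rules.append(create_iptables_udp_egress_ingress_rule(
            ipaddr, 123, self._slot, transport=ipt.TRANSPORT_AUTO))
    return rules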
def disable_previous_firewall(self):
    """
    Stop and disable the firewall service that was active before sdc-firewall.

    Nothing is done when no previous service was recorded, when the previous
    service is sdc-firewall itself, or when it is not currently running.

    :return: True if successful, otherwise False.
    """
    previous = self.node_info.previous_firewall_service
    if not previous or previous == 'sdc-firewall':
        return True
    # Check to see if the previous firewall service is running.
    if not is_service_running(previous):
        _logger.info('The current firewall service does not seem to be running.')
        return True
    # Stop and Disable the previous firewall service.
    self.cwrite('Stopping the current firewall service...')
    stopped = self.node_info.stop_service(previous)
    if not stopped:
        self.cwriteline('[Error]', 'Unable to stop the current firewall service.')
        return False
    self.cwriteline('[OK]', 'Successfully stopped the current firewall service.')
    self.cwrite('Disabling the current firewall service...')
    disabled = self.node_info.disable_service(previous)
    if not disabled:
        self.cwriteline('[Error]', 'Unable to disable the current firewall service.')
        return False
    self.cwriteline('[OK]', 'Successfully disabled the current firewall service.')
    return True
def _discover_iptables(self):
    """
    Look for running docker service.  If found, check for containers that require firewall rules.

    NOTE(review): the body below runs ``ntpq -p -n`` and splits each output line on
    ``'|'``, which does not match the docker purpose stated here; it reads like the
    NTP discovery method was copied as a starting point.  The loop body ends right
    after the split in this listing, so the remainder of the method (and any final
    ``return``) is not visible here -- treat docker discovery as unimplemented until
    the rest of the method is confirmed.

    :return: the (empty) rules list on the early-exit paths shown here.
    """
    rules = list()
    docker = which('docker')
    if not docker:
        _logger.debug("{0}: Failed to find 'docker' executable.".format(self._module))
        return rules
    if not is_service_running('docker'):
        _logger.debug("{0}: Docker service not running.".format(self._module))
        return rules
    # stderr is not captured, so stderrdata below is always None and the
    # condition on it never fails; the exit status in ``result`` is unused.
    p = subprocess.Popen([u'ntpq', u'-p', u'-n'], stdout=subprocess.PIPE)
    stdoutdata, stderrdata = p.communicate()
    result = p.wait()
    if stderrdata is None:
        data = stdoutdata.decode('utf-8')
        for line in data.split('\n'):
            # Visible part of the loop ends here; ``items`` is never used.
            items = line.split('|')
def process_loop(self):
    """
    Run one pass of the firewall module's processing loop.

    The first pass installs the baseline rule set -- loopback rules, sshd rules
    when sshd is running, reject rules, and network isolation rules when
    allowed networks are configured -- and pushes it to iptables.  Every pass
    then reconciles the sshd rules with whether sshd is running right now,
    pushing to iptables only when that state changed.
    """
    if self._startup:
        self.add_firewall_rule(self.get_loopback_rules())
        # sshd rules go in only when the daemon is up at startup.
        if is_service_running('sshd'):
            self._sshd_rules = self.create_ssh_rules()
            self.add_firewall_rule(self._sshd_rules)
            self._sshd_running = True
        self.add_firewall_rule(self.create_reject_rules())
        if self._allowed_networks:
            self.add_firewall_rule(self.create_network_isolation_rules())
        self.write_rules_to_iptables_file()
        self.restore_iptables()
        self._startup = False

    sshd_up = is_service_running('sshd')
    if sshd_up and not self._sshd_running:
        # sshd came up since the last pass: install its rules.
        self._sshd_rules = self.create_ssh_rules()
        self.add_firewall_rule(self._sshd_rules)
        self._sshd_running = True
        self.write_rules_to_iptables_file()
        self.restore_iptables()
    elif not sshd_up and self._sshd_running and self._sshd_rules:
        # sshd went away: drop the rules that were installed for it.
        _logger.debug('{0}: removing sshd service rules.'.format(self.get_name()))
        self.del_firewall_rule(self._sshd_rules)
        self._sshd_running = False
        self.write_rules_to_iptables_file()
        self.restore_iptables()
def _firewall_check(self):
    """
    Get the currently running firewall service.

    Records the active firewall service name on ``self.previous_firewall_service``
    and returns True when there is nothing to hand over from: no active firewall
    service, or one that is not running.

    NOTE(review): this listing ends after the not-running branch; what happens
    when the previous service *is* running is not visible here.

    :return: True when no firewall service is active or running.
    """
    self.previous_firewall_service = get_active_firewall()
    if not self.previous_firewall_service:
        return True
    if not is_service_running(self.previous_firewall_service):
        # Console mode prints to the terminal; otherwise the message only goes to the log.
        if self.console_debug:
            print('Info: no firewall service is currently running.')
        else:
            _logger.debug('Info: no firewall service is currently running.')
        return True
def remove_service(self):
    """
    Remove the sdc-firewall service from the init system.

    For systemd: stop the service if it is running, disable it, and delete the
    generated unit file.  SysV removal is not implemented yet.  Failures to
    stop or disable are logged at debug level and do not abort the removal.
    """
    node = self.node_info
    if node.sysd_installed:
        # Remove the systemd service file.
        if is_service_running('sdc-firewall') and not node.stop_service('sdc-firewall'):
            _logger.debug('Firewall service failed to stop.')
        if not node.disable_service('sdc-firewall'):
            _logger.debug('Unable to disable firewall service.')
        if os.path.exists(self.service_out_file):
            os.remove(self.service_out_file)
    if node.sysv_installed:
        # TODO: Write the sysv service removal code.
        pass
    self.cwriteline('[OK]', 'Firewall service removed.')
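def check_service(self, name):
    """
    Check the service for rules and add them to the firewall.

    Loads the discovery class named by ``name``, skips it when the matching
    config property marks it disabled, runs its discovery, and hands the
    result to the firewall module as two tasks: delete the slot's old rules,
    then insert the new ones.

    :param name: Service discovery module name, a dotted ``module.ClassName`` path.
    :return: number of rules sent to the firewall module; 0 when the service is
             disabled by config or discovery returned nothing.
    """
    class_name = name.rsplit('.', 1)[-1]
    _logger.debug('{0}: Loading auto discover object {1}'.format(self.get_name(), class_name))
    # import_by_str resolves the dotted path to the discovery class; an
    # instance of it is what actually runs discovery below.
    discovery_cls = import_by_str(name)
    discovery = discovery_cls(config=self.config)
    disabled = getattr(self, discovery.get_config_property_name())
    if isinstance(disabled, str):
        # Python 2.7 returns string type from getattr(), Python 3.4 returns bool.
        # literal_eval only parses Python literals ('True'/'False'), so the
        # config value cannot run code here.
        disabled = ast.literal_eval(disabled)
    # See if this discovery service has been disabled. Name value must match one of our property names.
    if disabled:
        _logger.debug('{0}: {1} discovery service disabled by config.'.format(self.get_name(), class_name))
        return 0
    rules, slot = discovery.discover(self)
    rules = self.flatten_rules(rules)
    if rules:
        firewall_module_name = SilentDuneClientFirewallModule().get_name()
        # Notify the firewall module to delete the old rules in this slot
        # before the new set is inserted, so stale entries do not accumulate.
        self.send_parent_task(QueueTask(TASK_FIREWALL_DELETE_SLOT,
                                        src_module=self.get_name(),
                                        dest_module=firewall_module_name,
                                        data=slot))
        # Notify the firewall module to load the new rules.
        self.send_parent_task(QueueTask(TASK_FIREWALL_INSERT_RULES,
                                        src_module=self.get_name(),
                                        dest_module=firewall_module_name,
                                        data=rules))
        time.sleep(1)  # Let the firewall apply the rule changes
        return len(rules)
    _logger.info('{0}: {1}: discovery service did not return any rules.'.format(
        self.get_name(), class_name))
    _logger.debug('SLOTS: {0}: {1}'.format(Slots.ntp, slot))
    # If there were no rules discovered for NTP, open up access to all NTP servers.
    # In self._t_ntp_check_interval seconds we will check to see if any NTP servers are active.
    if slot == Slots.ntp and is_service_running('ntpd'):
        # This widens egress to any NTP server instead of the discovered peers;
        # the periodic re-check is what is expected to narrow it again.
        self._all_ntp_access_enabled = True
        _logger.debug('{0}: Asking Firewall Module to enable generic NTP access.'.format(self.get_name()))
        self.send_parent_task(QueueTask(TASK_FIREWALL_ALLOW_ALL_NTP_ACCESS,
                                        src_module=self.get_name(),
                                        dest_module=SilentDuneClientFirewallModule().get_name()))
    # No rules were discovered, so nothing was sent to the firewall module.
    return 0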
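def check_service(self, name):
    """
    Check the service for rules and add them to the firewall.

    Loads the discovery class named by ``name``, skips it when the matching
    config property marks it disabled, runs its discovery, and hands the
    result to the firewall module as two tasks: delete the slot's old rules,
    then insert the new ones.

    :param name: Service discovery module name, a dotted ``module.ClassName`` path.
    :return: number of rules sent to the firewall module; 0 when the service is
             disabled by config or discovery returned nothing.
    """
    class_name = name.rsplit('.', 1)[-1]
    _logger.debug('{0}: Loading auto discover object {1}'.format(
        self.get_name(), class_name))
    # import_by_str resolves the dotted path to the discovery class; an
    # instance of it is what actually runs discovery below.
    discovery_cls = import_by_str(name)
    discovery = discovery_cls(config=self.config)
    disabled = getattr(self, discovery.get_config_property_name())
    if isinstance(disabled, str):
        # Python 2.7 returns string type from getattr(), Python 3.4 returns bool.
        # literal_eval only parses Python literals ('True'/'False'), so the
        # config value cannot run code here.
        disabled = ast.literal_eval(disabled)
    # See if this discovery service has been disabled. Name value must match one of our property names.
    if disabled:
        _logger.debug(
            '{0}: {1} discovery service disabled by config.'.format(
                self.get_name(), class_name))
        return 0
    rules, slot = discovery.discover(self)
    rules = self.flatten_rules(rules)
    if rules:
        firewall_module_name = SilentDuneClientFirewallModule().get_name()
        # Notify the firewall module to delete the old rules in this slot
        # before the new set is inserted, so stale entries do not accumulate.
        self.send_parent_task(QueueTask(
            TASK_FIREWALL_DELETE_SLOT,
            src_module=self.get_name(),
            dest_module=firewall_module_name,
            data=slot))
        # Notify the firewall module to load the new rules.
        self.send_parent_task(QueueTask(
            TASK_FIREWALL_INSERT_RULES,
            src_module=self.get_name(),
            dest_module=firewall_module_name,
            data=rules))
        time.sleep(1)  # Let the firewall apply the rule changes
        return len(rules)
    _logger.info(
        '{0}: {1}: discovery service did not return any rules.'.format(
            self.get_name(), class_name))
    _logger.debug('SLOTS: {0}: {1}'.format(Slots.ntp, slot))
    # If there were no rules discovered for NTP, open up access to all NTP servers.
    # In self._t_ntp_check_interval seconds we will check to see if any NTP servers are active.
    if slot == Slots.ntp and is_service_running('ntpd'):
        # This widens egress to any NTP server instead of the discovered peers;
        # the periodic re-check is what is expected to narrow it again.
        self._all_ntp_access_enabled = True
        _logger.debug(
            '{0}: Asking Firewall Module to enable generic NTP access.'
            .format(self.get_name()))
        self.send_parent_task(QueueTask(
            TASK_FIREWALL_ALLOW_ALL_NTP_ACCESS,
            src_module=self.get_name(),
            dest_module=SilentDuneClientFirewallModule().get_name()))
    # No rules were discovered, so nothing was sent to the firewall module.
    return 0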