    def _discover_iptables(self):
        """
        Look for running docker service. If found, check for containers that require firewall rules.
        :return: ``rules`` (an empty list) when docker is not installed or not running;
                 the rest of the method is cut off in this listing, so what it returns
                 after the discovery loop cannot be seen here.
        """

        rules = list()

        # `which` is expected to return the executable path (None/empty when absent);
        # the resolved path is not used again below.
        docker = which('docker')
        if not docker:
            _logger.debug("{0}: Failed to find 'docker' executable.".format(
                self._module))
            return rules

        if not is_service_running('docker'):
            _logger.debug("{0}: Docker service not running.".format(
                self._module))
            return rules

        # NOTE(review): the guards above check for docker, but the command run here
        # is `ntpq -p -n` (the NTP peer listing).  This looks like a copy of the NTP
        # discovery code that was never adapted to query docker -- confirm intent.
        p = subprocess.Popen([u'ntpq', u'-p', u'-n'], stdout=subprocess.PIPE)
        stdoutdata, stderrdata = p.communicate()
        result = p.wait()

        # stderr is not piped above, so communicate() always returns None for it and
        # this branch is always taken; the exit status in `result` is never checked.
        if stderrdata is None:
            data = stdoutdata.decode('utf-8')
            for line in data.split('\n'):
                items = line.split('|')
                # `items` is not used before the listing ends here (source truncated).
ファイル: ntp.py プロジェクト: EntPack/SilentDune-Client
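    def _discover_iptables(self):
        """
        Build firewall rules for the NTP peers ntpd is currently using.

        Runs ``ntpq -p -n`` and, for each peer line (first column starting with one
        of the ntpq tally codes ``+ - * x . # o``), creates a rule for UDP port 123
        to that peer via create_iptables_udp_egress_ingress_rule().

        :return: list of rule objects; empty when ntpq cannot be found, ntpd is not
                 running, or ntpq exits with a non-zero status.
        """

        rules = list()

        # `which` is expected to return the executable path (None/empty when absent).
        ntpq = which(u'ntpq')
        if not ntpq:
            _logger.debug('Failed to find program path for "{0}"'.format('ntpq'))
            return rules

        # Check to see if ntpd is running
        if not is_service_running('ntpd'):
            _logger.debug('ntpd is not running.')
            return rules

        # Run the path which() resolved instead of letting Popen do a second PATH
        # lookup, and capture stderr so a failing run can be logged.  `-n` keeps the
        # peer column numeric, so no name resolution happens here.
        p = subprocess.Popen([ntpq, u'-p', u'-n'],
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        stdoutdata, stderrdata = p.communicate()
        result = p.wait()

        # The exit status is the reliable failure signal.  (The earlier
        # `stderrdata is None` test was always true because stderr was not piped,
        # and `result` was never examined.)
        if result != 0:
            _logger.debug('ntpq exited with status {0}: {1}'.format(
                result, stderrdata.decode('utf-8', 'replace').strip()))
            return rules

        # Header, separator and blank lines do not start with a tally code and are
        # skipped.  A frozenset (not a string) so an empty first column never matches.
        tally_codes = frozenset(u'+-*x.#o')

        data = stdoutdata.decode('utf-8')
        for line in data.split('\n'):
            peer_field = line.split(' ', 1)[0]
            if peer_field[:1] not in tally_codes:
                continue

            ipaddr = peer_field[1:]
            _logger.debug('{0}: adding NTP Client Rules for {1}'.format(self.get_name(), ipaddr))
            rules.append(create_iptables_udp_egress_ingress_rule(
                ipaddr, 123, self._slot, transport=ipt.TRANSPORT_AUTO))

        return rules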
    def disable_previous_firewall(self):
        """
        Stop and disable the firewall service that was active before this client.

        Nothing is done when no previous service was recorded, when it is our own
        ``sdc-firewall``, or when it is not currently running.
        :return: True if successful (or nothing needed doing), otherwise False.
        """
        previous = self.node_info.previous_firewall_service

        # Nothing to replace, or we would be stopping ourselves.
        if not previous or previous == 'sdc-firewall':
            return True

        # Check to see if the previous firewall service is running.
        if not is_service_running(previous):
            _logger.info('The current firewall service does not seem to be running.')
            return True

        # Stop first, then disable; each step reports on the console and the
        # method aborts on the first failure.
        steps = (
            ('Stopping the current firewall service...',
             self.node_info.stop_service,
             'Successfully stopped the current firewall service.',
             'Unable to stop the current firewall service.'),
            ('Disabling the current firewall service...',
             self.node_info.disable_service,
             'Successfully disabled the current firewall service.',
             'Unable to disable the current firewall service.'),
        )
        for start_msg, action, ok_msg, err_msg in steps:
            self.cwrite(start_msg)
            if not action(previous):
                self.cwriteline('[Error]', err_msg)
                return False
            self.cwriteline('[OK]', ok_msg)

        return True
ファイル: docker.py プロジェクト: EntPack/SilentDune-Client
    def _discover_iptables(self):
        """
        Look for running docker service. If found, check for containers that require firewall rules.
        :return: ``rules`` (an empty list) when docker is not installed or not running;
                 the rest of the method is cut off in this listing, so what it returns
                 after the discovery loop cannot be seen here.
        """

        rules = list()

        # `which` is expected to return the executable path (None/empty when absent);
        # the resolved path is not used again below.
        docker = which('docker')
        if not docker:
            _logger.debug("{0}: Failed to find 'docker' executable.".format(self._module))
            return rules

        if not is_service_running('docker'):
            _logger.debug("{0}: Docker service not running.".format(self._module))
            return rules

        # NOTE(review): the guards above check for docker, but the command run here
        # is `ntpq -p -n` (the NTP peer listing).  This looks like a copy of the NTP
        # discovery code that was never adapted to query docker -- confirm intent.
        p = subprocess.Popen([u'ntpq', u'-p', u'-n'], stdout=subprocess.PIPE)
        stdoutdata, stderrdata = p.communicate()
        result = p.wait()

        # stderr is not piped above, so communicate() always returns None for it and
        # this branch is always taken; the exit status in `result` is never checked.
        if stderrdata is None:
            data = stdoutdata.decode('utf-8')
            for line in data.split('\n'):
                items = line.split('|')
                # `items` is not used before the listing ends here (source truncated).
    def disable_previous_firewall(self):
        """
        Stop and disable the firewall service that was active before this client.

        Nothing is done when no previous service was recorded, when it is our own
        ``sdc-firewall``, or when it is not currently running.
        :return: True if successful (or nothing needed doing), otherwise False.
        """
        previous = self.node_info.previous_firewall_service

        # Nothing to replace, or we would be stopping ourselves.
        if not previous or previous == 'sdc-firewall':
            return True

        # Check to see if the previous firewall service is running.
        if not is_service_running(previous):
            _logger.info('The current firewall service does not seem to be running.')
            return True

        # Stop first, then disable; each step reports on the console and the
        # method aborts on the first failure.
        steps = (
            ('Stopping the current firewall service...',
             self.node_info.stop_service,
             'Successfully stopped the current firewall service.',
             'Unable to stop the current firewall service.'),
            ('Disabling the current firewall service...',
             self.node_info.disable_service,
             'Successfully disabled the current firewall service.',
             'Unable to disable the current firewall service.'),
        )
        for start_msg, action, ok_msg, err_msg in steps:
            self.cwrite(start_msg)
            if not action(previous):
                self.cwriteline('[Error]', err_msg)
                return False
            self.cwriteline('[OK]', ok_msg)

        return True
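    def _discover_iptables(self):
        """
        Build firewall rules for the NTP peers ntpd is currently using.

        Runs ``ntpq -p -n`` and, for each peer line (first column starting with one
        of the ntpq tally codes ``+ - * x . # o``), creates a rule for UDP port 123
        to that peer via create_iptables_udp_egress_ingress_rule().

        :return: list of rule objects; empty when ntpq cannot be found, ntpd is not
                 running, or ntpq exits with a non-zero status.
        """

        rules = list()

        # `which` is expected to return the executable path (None/empty when absent).
        ntpq = which(u'ntpq')
        if not ntpq:
            _logger.debug('Failed to find program path for "{0}"'.format('ntpq'))
            return rules

        # Check to see if ntpd is running
        if not is_service_running('ntpd'):
            _logger.debug('ntpd is not running.')
            return rules

        # Run the path which() resolved instead of letting Popen do a second PATH
        # lookup, and capture stderr so a failing run can be logged.  `-n` keeps the
        # peer column numeric, so no name resolution happens here.
        p = subprocess.Popen([ntpq, u'-p', u'-n'],
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        stdoutdata, stderrdata = p.communicate()
        result = p.wait()

        # The exit status is the reliable failure signal.  (The earlier
        # `stderrdata is None` test was always true because stderr was not piped,
        # and `result` was never examined.)
        if result != 0:
            _logger.debug('ntpq exited with status {0}: {1}'.format(
                result, stderrdata.decode('utf-8', 'replace').strip()))
            return rules

        # Header, separator and blank lines do not start with a tally code and are
        # skipped.  A frozenset (not a string) so an empty first column never matches.
        tally_codes = frozenset(u'+-*x.#o')

        data = stdoutdata.decode('utf-8')
        for line in data.split('\n'):
            peer_field = line.split(' ', 1)[0]
            if peer_field[:1] not in tally_codes:
                continue

            ipaddr = peer_field[1:]
            _logger.debug('{0}: adding NTP Client Rules for {1}'.format(self.get_name(), ipaddr))
            rules.append(create_iptables_udp_egress_ingress_rule(
                ipaddr, 123, self._slot, transport=ipt.TRANSPORT_AUTO))

        return rules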
    def process_loop(self):
        """
        Periodic processing step.

        On the first call the base rule set (loopback, sshd if running, reject
        rules, optional network isolation) is installed and loaded into iptables.
        Every call afterwards keeps the sshd rules in step with whether the sshd
        service is running.
        """
        # _logger.debug('{0} processing loop called'.format(self.get_name()))

        def flush():
            # Persist the current rule set and load it into iptables.
            self.write_rules_to_iptables_file()
            self.restore_iptables()

        def install_sshd_rules():
            # Create the sshd rules, keep them for later removal, add them.
            self._sshd_rules = self.create_ssh_rules()
            self.add_firewall_rule(self._sshd_rules)
            self._sshd_running = True

        if self._startup:
            self.add_firewall_rule(self.get_loopback_rules())

            if is_service_running('sshd'):
                install_sshd_rules()

            self.add_firewall_rule(self.create_reject_rules())

            if self._allowed_networks:
                self.add_firewall_rule(self.create_network_isolation_rules())

            flush()
            self._startup = False

        # Follow sshd as it starts and stops between loop iterations.
        sshd_up = is_service_running('sshd')
        if sshd_up and not self._sshd_running:
            install_sshd_rules()
            flush()
        elif not sshd_up and self._sshd_running and self._sshd_rules:
            _logger.debug('{0}: removing sshd service rules.'.format(self.get_name()))
            self.del_firewall_rule(self._sshd_rules)
            self._sshd_running = False
            flush()
ファイル: __init__.py プロジェクト: EntPack/SilentDune-Client
    def process_loop(self):
        """
        Periodic processing step.

        On the first call the base rule set (loopback, sshd if running, reject
        rules, optional network isolation) is installed and loaded into iptables.
        Every call afterwards keeps the sshd rules in step with whether the sshd
        service is running.
        """
        # _logger.debug('{0} processing loop called'.format(self.get_name()))

        def flush():
            # Persist the current rule set and load it into iptables.
            self.write_rules_to_iptables_file()
            self.restore_iptables()

        def install_sshd_rules():
            # Create the sshd rules, keep them for later removal, add them.
            self._sshd_rules = self.create_ssh_rules()
            self.add_firewall_rule(self._sshd_rules)
            self._sshd_running = True

        if self._startup:
            self.add_firewall_rule(self.get_loopback_rules())

            if is_service_running('sshd'):
                install_sshd_rules()

            self.add_firewall_rule(self.create_reject_rules())

            if self._allowed_networks:
                self.add_firewall_rule(self.create_network_isolation_rules())

            flush()
            self._startup = False

        # Follow sshd as it starts and stops between loop iterations.
        sshd_up = is_service_running('sshd')
        if sshd_up and not self._sshd_running:
            install_sshd_rules()
            flush()
        elif not sshd_up and self._sshd_running and self._sshd_rules:
            _logger.debug('{0}: removing sshd service rules.'.format(self.get_name()))
            self.del_firewall_rule(self._sshd_rules)
            self._sshd_running = False
            flush()
    def _firewall_check(self):
        """
        Record the currently active firewall service in ``previous_firewall_service``.

        When a service is reported but is not running, a note is printed to the
        console (``console_debug`` set) or written to the module logger.
        :return: always True.
        """
        active = get_active_firewall()
        self.previous_firewall_service = active

        if active and not is_service_running(active):
            message = 'Info: no firewall service is currently running.'
            if self.console_debug:
                print(message)
            else:
                _logger.debug(message)

        return True
    def _firewall_check(self):
        """
        Record the currently active firewall service in ``previous_firewall_service``.

        When a service is reported but is not running, a note is printed to the
        console (``console_debug`` set) or written to the module logger.
        :return: always True.
        """
        active = get_active_firewall()
        self.previous_firewall_service = active

        if active and not is_service_running(active):
            message = 'Info: no firewall service is currently running.'
            if self.console_debug:
                print(message)
            else:
                _logger.debug(message)

        return True
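    def remove_service(self):
        """
        Remove the installed sdc-firewall service.

        For a systemd install the service is stopped if it is running, disabled,
        and its unit file deleted.  SysV removal is not implemented yet.
        """
        service = 'sdc-firewall'

        if self.node_info.sysd_installed:

            if is_service_running(service):
                if not self.node_info.stop_service(service):
                    _logger.debug('Firewall service failed to stop.')

            # Disable whether or not the service was running: previously this only
            # happened inside the "running" branch, so an enabled-but-stopped unit
            # kept its enablement links after the unit file below was deleted.
            if not self.node_info.disable_service(service):
                _logger.debug('Unable to disable firewall service.')

            # Remove the systemd service file.
            if os.path.exists(self.service_out_file):
                os.remove(self.service_out_file)

        if self.node_info.sysv_installed:
            # TODO: Write the sysv service removal code.
            pass

        self.cwriteline('[OK]', 'Firewall service removed.')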
0
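    def remove_service(self):
        """
        Remove the installed sdc-firewall service.

        For a systemd install the service is stopped if it is running, disabled,
        and its unit file deleted.  SysV removal is not implemented yet.
        """
        service = 'sdc-firewall'

        if self.node_info.sysd_installed:

            if is_service_running(service):
                if not self.node_info.stop_service(service):
                    _logger.debug('Firewall service failed to stop.')

            # Disable whether or not the service was running: previously this only
            # happened inside the "running" branch, so an enabled-but-stopped unit
            # kept its enablement links after the unit file below was deleted.
            if not self.node_info.disable_service(service):
                _logger.debug('Unable to disable firewall service.')

            # Remove the systemd service file.
            if os.path.exists(self.service_out_file):
                os.remove(self.service_out_file)

        if self.node_info.sysv_installed:
            # TODO: Write the sysv service removal code.
            pass

        self.cwriteline('[OK]', 'Firewall service removed.')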
ファイル: __init__.py プロジェクト: EntPack/SilentDune-Client
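    def check_service(self, name):
        """
        Check the service for rules and add them to the firewall.

        Loads the discovery class named by ``name``, honours its "disabled" config
        property, runs discovery and forwards the rules to the firewall module
        (the slot's old rules are deleted first).
        :param name: Service discovery module name, as ``"package.module.ClassName"``.
        :return: number of rules handed to the firewall; 0 when the service is
                 disabled by config or discovered nothing.
        """
        # Only the class name is needed (for log messages).
        class_name = name.rsplit('.', 1)[-1]

        _logger.debug('{0}: Loading auto discover object {1}'.format(self.get_name(), class_name))

        # NOTE(review): `name` selects which code is imported and run; it should
        # only ever come from this client's own configuration -- confirm callers.
        discovery_cls = import_by_str(name)
        discovery = discovery_cls(config=self.config)

        # The discovery service's config property holds its "disabled" flag.
        # Python 2.7 returns a string from getattr(), Python 3.4 a bool;
        # literal_eval turns "True"/"False" into a bool without running code.
        disabled = getattr(self, discovery.get_config_property_name())
        if isinstance(disabled, str):
            disabled = ast.literal_eval(disabled)

        if disabled:
            _logger.debug('{0}: {1} discovery service disabled by config.'.format(self.get_name(), class_name))
            return 0

        rules, slot = discovery.discover(self)
        rules = self.flatten_rules(rules)

        if not rules:
            _logger.info('{0}: {1}: discovery service did not return any rules.'.format(
                self.get_name(), class_name))

            _logger.debug('SLOTS: {0}: {1}'.format(Slots.ntp, slot))

            # If there were no rules discovered for NTP, open up access to all NTP servers.
            # In self._t_ntp_check_interval seconds we will check to see if any NTP servers are active.
            if slot == Slots.ntp and is_service_running('ntpd'):
                self._all_ntp_access_enabled = True
                _logger.debug('{0}: Asking Firewall Module to enable generic NTP access.'.format(self.get_name()))
                task = QueueTask(TASK_FIREWALL_ALLOW_ALL_NTP_ACCESS,
                                 src_module=self.get_name(),
                                 dest_module=SilentDuneClientFirewallModule().get_name())
                self.send_parent_task(task)

            return 0

        # Notify the firewall module to delete the old rules.
        task = QueueTask(TASK_FIREWALL_DELETE_SLOT,
                         src_module=self.get_name(),
                         dest_module=SilentDuneClientFirewallModule().get_name(),
                         data=slot)
        self.send_parent_task(task)

        # Notify the firewall module to load the new rules.
        task = QueueTask(TASK_FIREWALL_INSERT_RULES,
                         src_module=self.get_name(),
                         dest_module=SilentDuneClientFirewallModule().get_name(),
                         data=rules)
        self.send_parent_task(task)

        time.sleep(1)  # Let the firewall apply the rule changes

        return len(rules)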
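    def check_service(self, name):
        """
        Check the service for rules and add them to the firewall.

        Loads the discovery class named by ``name``, honours its "disabled" config
        property, runs discovery and forwards the rules to the firewall module
        (the slot's old rules are deleted first).
        :param name: Service discovery module name, as ``"package.module.ClassName"``.
        :return: number of rules handed to the firewall; 0 when the service is
                 disabled by config or discovered nothing.
        """
        # Only the class name is needed (for log messages).
        class_name = name.rsplit('.', 1)[-1]

        _logger.debug('{0}: Loading auto discover object {1}'.format(
            self.get_name(), class_name))

        # NOTE(review): `name` selects which code is imported and run; it should
        # only ever come from this client's own configuration -- confirm callers.
        discovery_cls = import_by_str(name)
        discovery = discovery_cls(config=self.config)

        # The discovery service's config property holds its "disabled" flag.
        # Python 2.7 returns a string from getattr(), Python 3.4 a bool;
        # literal_eval turns "True"/"False" into a bool without running code.
        disabled = getattr(self, discovery.get_config_property_name())
        if isinstance(disabled, str):
            disabled = ast.literal_eval(disabled)

        if disabled:
            _logger.debug(
                '{0}: {1} discovery service disabled by config.'.format(
                    self.get_name(), class_name))
            return 0

        rules, slot = discovery.discover(self)
        rules = self.flatten_rules(rules)

        if not rules:
            _logger.info(
                '{0}: {1}: discovery service did not return any rules.'.format(
                    self.get_name(), class_name))

            _logger.debug('SLOTS: {0}: {1}'.format(Slots.ntp, slot))

            # If there were no rules discovered for NTP, open up access to all NTP servers.
            # In self._t_ntp_check_interval seconds we will check to see if any NTP servers are active.
            if slot == Slots.ntp and is_service_running('ntpd'):
                self._all_ntp_access_enabled = True
                _logger.debug(
                    '{0}: Asking Firewall Module to enable generic NTP access.'
                    .format(self.get_name()))
                task = QueueTask(
                    TASK_FIREWALL_ALLOW_ALL_NTP_ACCESS,
                    src_module=self.get_name(),
                    dest_module=SilentDuneClientFirewallModule().get_name())
                self.send_parent_task(task)

            return 0

        # Notify the firewall module to delete the old rules.
        task = QueueTask(
            TASK_FIREWALL_DELETE_SLOT,
            src_module=self.get_name(),
            dest_module=SilentDuneClientFirewallModule().get_name(),
            data=slot)
        self.send_parent_task(task)

        # Notify the firewall module to load the new rules.
        task = QueueTask(
            TASK_FIREWALL_INSERT_RULES,
            src_module=self.get_name(),
            dest_module=SilentDuneClientFirewallModule().get_name(),
            data=rules)
        self.send_parent_task(task)

        time.sleep(1)  # Let the firewall apply the rule changes

        return len(rules)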