def _close_and_stop(self):
    """Clear the ids-ips firewall rules.

    Executes an 'ids_ips' LocalFW on which no rule has been registered;
    as with the other empty LocalFW executions in this class, that only
    removes the rules previously installed under that name. Any error is
    reported through writeError and then re-raised to the caller.
    """
    ctx = Context.fromComponent(self)
    fw = LocalFW('ids_ips')
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        self.writeError(err, 'Error while handling firewall rules for the ids-ips')
        raise
def _stopvpn(self):
    """Disable the firewall rules of the VPN support.

    Runs vpnrules(self, False) in a thread first, then executes an empty
    'vpn_support' LocalFW so that the rules installed by _startvpn are
    cleared. Any error is reported through writeError and re-raised.
    """
    yield deferToThread(vpnrules, self, False)
    # No rule is registered on this LocalFW on purpose: executing it
    # only clears the existing 'vpn_support' rules.
    fw = LocalFW('vpn_support')
    ctx = Context.fromComponent(self)
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        self.writeError(err, 'Error while disabling firewall rules for the VPN support')
        raise
def _startvpn(self):
    """Enable the firewall rules of the VPN support on the 'support' interface.

    Returns False (via returnValue) without touching anything when the
    VPN support is already running or pending; the normal path ends
    without an explicit return value. Otherwise runs vpnrules(self, True)
    in a thread and installs the 'vpn_support' rule set:

    - FORWARD: nothing arriving on 'support' is forwarded.
    - INPUT: UDP 8080 and TCP 8443/22 arriving on 'support' are accepted.
      Whether other inbound traffic on that interface is blocked depends
      on the rest of the INPUT chain, which is not managed here.

    Any error is reported through writeError and re-raised.
    """
    if isVpnSupportRunningOrPending(self):
        returnValue(False)
    yield deferToThread(vpnrules, self, True)
    fw = LocalFW('vpn_support')
    fw.call('addFilterIptable', False, '-I FORWARD -i support -j DROP')
    # Same call order as before: the UDP rule first, then the TCP ports.
    accepted = [('udp', '8080'), ('tcp', '8443'), ('tcp', '22')]
    for proto, port in accepted:
        fw.call('addFilterIptable', False,
                '-I INPUT -i support -p %s --dport %s -j ACCEPT' % (proto, port))
    ctx = Context.fromComponent(self)
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        self.writeError(err, 'Error while enabling firewall rules for the VPN support')
        raise
def _open_firewall(self):
    """Install the ids-ips firewall rules.

    Forwarded traffic to or from each network of self.ids_ips_cfg.networks
    is handed to NFQUEUE number IDS_IPS_QUEUE_NUM through the IPS_NETS
    chain, unless the packet carries mark bit 0x20000; that bit is cleared
    again in mangle POSTROUTING. Any error is reported through writeError
    and re-raised.
    """
    fw = LocalFW('ids_ips')
    queue = IDS_IPS_QUEUE_NUM
    # Clear bit 0x20000 on the way out; --and-mark 0xfffdffff keeps every
    # other mark bit. What sets the bit is not visible here -- presumably
    # the inspection path, so that already-inspected packets skip IPS_NETS.
    fw.call('addMangleIptable', False,
            '-A POSTROUTING -m mark --mark 0x20000/0x20000 -j MARK --and-mark 0xfffdffff')
    fw.call('addFilterIptable', False, '-N IPS_NETS')
    for net in self.ids_ips_cfg.networks:
        addr = net.strNormal(1)
        # Snort_inline inspects the traffic both ways, so the network is
        # matched as destination (-d) and then as source (-s).
        for direction in ('-d', '-s'):
            fw.call('addFilterIptable', False,
                    '-A IPS_NETS %s %s -j NFQUEUE --queue-num %d' % (direction, addr, queue))
    # -I puts the jump at the head of FORWARD; marked packets are not queued.
    fw.call('addFilterIptable', False,
            '-I FORWARD -m mark ! --mark 0x20000/0x20000 -j IPS_NETS')
    ctx = Context.fromComponent(self)
    try:
        yield fw.execute(self.core, ctx)
    except Exception as err:
        self.writeError(err, 'Error while handling firewall rules for the ids-ips')
        raise
def setup_portal(self, responsible): try: yield deferToThread( self.runCommandAsRootAndCheck, os.path.join( self.script_dir, "portal_ipset" ) ) except RunCommandError: self.error("Could not create captive portal IP set.") localfw = LocalFW('portal') if self.auth_cert_cfg.portal_enabled: try: os.chmod(IPSET_EXE, 04755) except Exception, err: self.critical('Could not add setuid on %s (%s).' % (IPSET_EXE, err)) localfw.call('addNatIptable', False, '-N PORTAL') for network in self.auth_cert_cfg.portal_nets: localfw.call('addNatIptable', False, '-A PREROUTING -p tcp --dport 80 -s %s -j PORTAL' % network) localfw.call('addFilterIptable', False, '-A INPUT -p tcp --dport 80 -s %s -j ACCEPT' % network) localfw.call('addNatIptable', False, '-A PORTAL -m set --set nuauth src,src -j RETURN') localfw.call('addNatIptable', False, '-A PORTAL -j REDIRECT')