def buildOutgoing(self, layout, row, col):
outgoing = QGroupBox(self)
outgoing.setTitle(tr('Outgoing emails'))
outgoing_layout = QGridLayout(outgoing)
relayed_net = NetworkListEdit(self)
relayed_net.setMaximumHeight(relayed_net.fontMetrics().height() * 5)
self.connect(relayed_net, SIGNAL("textChanged()"), self.setMailModified)
outgoing_layout.addWidget(QLabel(tr('Networks for which EdenWall relays emails')), 0, 0)
outgoing_layout.addWidget(relayed_net, 1, 0, 1, 2)
outgoing_layout.addWidget(QLabel(tr(
"""If outgoing mail should be relayed through a 'smarthost', configure this host in the "Contact" page of the "Services" tab."""
)))
layout.addWidget(outgoing, row, col)
return relayed_net
def _mkPushedRoutes(self, lines):
pushed_routes = NetworkListEdit()
pushed_routes.setMaximumHeight(
pushed_routes.fontMetrics().height() * lines
)
return pushed_routes
def buildInterface(self):
frame = QFrame()
grid = QGridLayout(frame)
self.setWidget(frame)
self.setWidgetResizable(True)
title = u'<h1>%s</h1>' % self.tr('Intrusion detection/prevention system')
grid.addWidget(QLabel(title), 0, 0, 1, 2) #fromrow, fromcol, rowspan, colspan
self.activation_box = self.mkCheckBox(tr('Enable IDS-IPS'))
self.connect(self.activation_box, SIGNAL('stateChanged(int)'), self.config.setEnabled)
grid.addWidget(self.activation_box, 1, 0)
alerts, sub_form = mkGroupBox(tr('Alerts (IDS)'))
self.alert_threshold = QDoubleSpinBox()
sub_form.addRow(tr('Threshold for rule selection'), self.alert_threshold)
self.connect(self.alert_threshold, SIGNAL('valueChanged(double)'),
self.setAlertThreshold)
self.connect(self.alert_threshold, SIGNAL('valueChanged(double)'), self.setModified)
self.threshold_message = QLabel()
self.threshold_message.setWordWrap(True)
sub_form.addRow(self.threshold_message)
self.alert_count_message = QLabel()
self.alert_count_message.setWordWrap(True)
sub_form.addRow(self.alert_count_message)
self.threshold_range = MessageArea()
sub_form.addRow(self.threshold_range)
grid.addWidget(alerts, 2, 0)
blocking, sub_form = mkGroupBox(tr('Blocking (IPS)'))
self.block = self.mkCheckBox(tr('Block'))
self.connect(self.block, SIGNAL('stateChanged(int)'), self.config.setBlockingEnabled)
sub_form.addRow(self.block)
self.drop_threshold = QDoubleSpinBox()
sub_form.addRow(tr('Rule selection threshold for blocking'), self.drop_threshold)
self.drop_count_message = QLabel()
self.drop_count_message.setWordWrap(True)
sub_form.addRow(self.drop_count_message)
self.connect(self.drop_threshold, SIGNAL('valueChanged(double)'), self.setDropThreshold)
self.connect(self.drop_threshold, SIGNAL('valueChanged(double)'), self.setModified)
self.connect(
self.block,
SIGNAL('stateChanged(int)'),
self.drop_threshold.setEnabled
)
grid.addWidget(blocking, 2, 1)
antivirus, sub_form = mkGroupBox(tr('Antivirus'))
self.antivirus_toggle = self.mkCheckBox(tr('Enable antivirus '))
self.connect(self.antivirus_toggle, SIGNAL('stateChanged(int)'), self.config.setAntivirusEnabled)
self.antivirus_message = QLabel()
self.antivirus_message.setWordWrap(True)
sub_form.addRow(self.antivirus_toggle)
sub_form.addRow(self.antivirus_message)
network, sub_form = mkGroupBox(tr('Protected networks'))
self.networks = NetworkListEdit()
self.connect(self.networks, SIGNAL('textChanged()'), self.setProtectedNetworks)
self.networks_message = QLabel()
self.networks_message.setWordWrap(True)
sub_form.addRow(self.networks)
sub_form.addRow(self.networks_message)
grid.addWidget(antivirus, 3, 0)
grid.addWidget(network, 3, 1)
if HAVE_NULOG:
fragment = Fragment('IDSIPSTable')
fragment.load({'type': 'IDSIPSTable',
'title': tr('IDS-IPS Logs'),
'view': 'table',
'args': {}
})
fragwidget = FragmentFrame(fragment, {}, self.client, parent=self)
grid.addWidget(fragwidget, 4, 0, 1, 2) #fromrow, fromcol, rowspan, colspan
fragwidget.updateData()
self.frag = fragwidget
self.mainwindow.writeAccessNeeded(
self.activation_box,
self.alert_threshold,
self.block,
self.drop_threshold,
self.antivirus_toggle,
self.networks,
)
class IdsIpsFrontend(ScrollArea):
COMPONENT = 'ids_ips'
LABEL = tr('IDS/IPS')
REQUIREMENTS = ('ids_ips',)
ICON = ':/icons/monitoring.png'
def __init__(self, client, parent):
ScrollArea.__init__(self)
if not EDENWALL:
raise NuConfModuleDisabled("idsips")
self.client = client
self.mainwindow = parent
self._modified = False
self.error_message = ''
self._not_modifying = True
self.config = None
self.resetConf(no_interface=True)
self.buildInterface()
self.updateView()
@staticmethod
def get_calls():
"""
services called by initial multicall
"""
return (("ids_ips", 'getIdsIpsConfig'),)
def setModified(self):
if self._modified or self._not_modifying:
return
self._modified = True
self.emit(SIGNAL('modified'))
self.mainwindow.setModified(self)
def mkCheckBox(self, title):
checkbox = QCheckBox(title)
self.connect(checkbox, SIGNAL('stateChanged(int)'), self.setModified)
return checkbox
def buildInterface(self):
frame = QFrame()
grid = QGridLayout(frame)
self.setWidget(frame)
self.setWidgetResizable(True)
title = u'<h1>%s</h1>' % self.tr('Intrusion detection/prevention system')
grid.addWidget(QLabel(title), 0, 0, 1, 2) #fromrow, fromcol, rowspan, colspan
self.activation_box = self.mkCheckBox(tr('Enable IDS-IPS'))
self.connect(self.activation_box, SIGNAL('stateChanged(int)'), self.config.setEnabled)
grid.addWidget(self.activation_box, 1, 0)
alerts, sub_form = mkGroupBox(tr('Alerts (IDS)'))
self.alert_threshold = QDoubleSpinBox()
sub_form.addRow(tr('Threshold for rule selection'), self.alert_threshold)
self.connect(self.alert_threshold, SIGNAL('valueChanged(double)'),
self.setAlertThreshold)
self.connect(self.alert_threshold, SIGNAL('valueChanged(double)'), self.setModified)
self.threshold_message = QLabel()
self.threshold_message.setWordWrap(True)
sub_form.addRow(self.threshold_message)
self.alert_count_message = QLabel()
self.alert_count_message.setWordWrap(True)
sub_form.addRow(self.alert_count_message)
self.threshold_range = MessageArea()
sub_form.addRow(self.threshold_range)
grid.addWidget(alerts, 2, 0)
blocking, sub_form = mkGroupBox(tr('Blocking (IPS)'))
self.block = self.mkCheckBox(tr('Block'))
self.connect(self.block, SIGNAL('stateChanged(int)'), self.config.setBlockingEnabled)
sub_form.addRow(self.block)
self.drop_threshold = QDoubleSpinBox()
sub_form.addRow(tr('Rule selection threshold for blocking'), self.drop_threshold)
self.drop_count_message = QLabel()
self.drop_count_message.setWordWrap(True)
sub_form.addRow(self.drop_count_message)
self.connect(self.drop_threshold, SIGNAL('valueChanged(double)'), self.setDropThreshold)
self.connect(self.drop_threshold, SIGNAL('valueChanged(double)'), self.setModified)
self.connect(
self.block,
SIGNAL('stateChanged(int)'),
self.drop_threshold.setEnabled
)
grid.addWidget(blocking, 2, 1)
antivirus, sub_form = mkGroupBox(tr('Antivirus'))
self.antivirus_toggle = self.mkCheckBox(tr('Enable antivirus '))
self.connect(self.antivirus_toggle, SIGNAL('stateChanged(int)'), self.config.setAntivirusEnabled)
self.antivirus_message = QLabel()
self.antivirus_message.setWordWrap(True)
sub_form.addRow(self.antivirus_toggle)
sub_form.addRow(self.antivirus_message)
network, sub_form = mkGroupBox(tr('Protected networks'))
self.networks = NetworkListEdit()
self.connect(self.networks, SIGNAL('textChanged()'), self.setProtectedNetworks)
self.networks_message = QLabel()
self.networks_message.setWordWrap(True)
sub_form.addRow(self.networks)
sub_form.addRow(self.networks_message)
grid.addWidget(antivirus, 3, 0)
grid.addWidget(network, 3, 1)
if HAVE_NULOG:
fragment = Fragment('IDSIPSTable')
fragment.load({'type': 'IDSIPSTable',
'title': tr('IDS-IPS Logs'),
'view': 'table',
'args': {}
})
fragwidget = FragmentFrame(fragment, {}, self.client, parent=self)
grid.addWidget(fragwidget, 4, 0, 1, 2) #fromrow, fromcol, rowspan, colspan
fragwidget.updateData()
self.frag = fragwidget
self.mainwindow.writeAccessNeeded(
self.activation_box,
self.alert_threshold,
self.block,
self.drop_threshold,
self.antivirus_toggle,
self.networks,
)
def closeEvent(self, event):
if hasattr(self, 'frag'):
self.frag.destructor()
def setAlertThreshold(self):
self.config.alert_threshold = self.alert_threshold.value()
def setProtectedNetworks(self):
if self.networks.isValid():
self.config.networks = self.networks.value()
self.setModified()
def setDropThreshold(self):
self.config.drop_threshold = self.drop_threshold.value()
def resetConf(self, no_interface=False):
serialized = self.mainwindow.init_call("ids_ips", u'getIdsIpsConfig')
self.config = IdsIpsCfg.deserialize(serialized)
self._modified = False
if no_interface:
return
self.updateView()
def isValid(self):
self.error_message = ""
if self.config.block and \
self.config.drop_threshold < self.config.alert_threshold:
self.error_message = \
tr('Inconsistent configuration (IDS-IPS thresholds): ') + \
tr("the threshold for blocking rules must be greater than the threshold for alerting.")
return False
if self.config.enabled and not self.networks.value():
self.error_message = tr('You must add some networks in the "Protected networks" area before you can enable the IDS-IPS service.')
return False
ok, msg = self.config.isValidWithMsg()
if not ok:
self.error_message = msg
return False
return True
def saveConf(self, message):
serialized = self.config.serialize()
self.client.call("ids_ips", 'setIdsIpsConfig', serialized, message)
self.mainwindow.addNeutralMessage(tr("IDS - IPS configuration saved"))
self._modified = False
self.update_counts()
def updateView(self):
self._not_modifying = True
italic_start = u'<span style="font-style:italic;">'
close_span = u'</span>'
self.activation_box.setChecked(
Qt.Checked if self.config.enabled else Qt.Unchecked
)
self.block.setChecked(
Qt.Checked if self.config.block else Qt.Unchecked
)
try:
(score_min, score_max) = self.client.call("ids_ips",
'minmaxScores')
except RpcdError:
(score_min, score_max) = (-1, -1)
self.mainwindow.addToInfoArea(tr('IDS-IPS: Could not compute the min/max scores.'))
self.alert_threshold.setRange(score_min, score_max)
self.drop_threshold.setRange(score_min, score_max)
self.threshold_range.setMessage(tr('Current range'), "%s %s %s %s" %(
tr("The scores for the current rules range from"),
score_min, tr("to"), score_max)
)
self.alert_threshold.setValue(self.config.alert_threshold)
self.drop_threshold.setValue(self.config.drop_threshold)
self.drop_threshold.setEnabled(self.block.checkState())
help = u'%s %s %s' % (
italic_start,
tr("The rules are selected according to a level of confidence with regard to "
"false positives (the greater the threshold, the fewer rules selected)."),
close_span
)
self.threshold_message.setText(help)
warning = italic_start + tr('Warning: This may degrade the performances of the firewall') + u'</span>'
self.antivirus_message.setText(warning)
self.antivirus_toggle.setChecked(
Qt.Checked if self.config.antivirus_enabled else Qt.Unchecked
)
self.networks_message.setText(u'%s%s%s' % (
italic_start,
tr('You may add a network definition per line'),
close_span
)
)
self.networks.setIpAddrs(self.config.networks)
self.update_counts()
self._not_modifying = False
def isModified(self):
return self._modified
def update_counts(self):
try:
(alert_count, drop_count, available_count) = \
self.client.call("ids_ips", 'getSelectedRulesCounts',
[self.alert_threshold.value(),
self.drop_threshold.value()])
except RpcdError:
(alert_count, drop_count, available_count) = (-1, -1, -1)
self.mainwindow.addToInfoArea(tr('IDS-IPS: Could not count the selected rules.'))
self.alert_count_message.setText(
tr('A threshold of ') + unicode(self.config.alert_threshold) +
tr(' selects ') + unicode(alert_count) +
tr(' rules out of ') + unicode(available_count)
+ tr('.'))
if self.config.block:
self.drop_count_message.setText(
tr('A threshold of ') + unicode(self.config.drop_threshold) +
tr(' selects ') + unicode(drop_count) +
tr(' blocking rules out of ') + unicode(available_count)
+ tr('.'))
else:
self.drop_count_message.setText('')
def __init__(self, client, parent):
self.__loading = True
ScrollArea.__init__(self)
self.mainwindow = parent
self.client = client
self.modified = False
self.qauthcertobject = QAuthCertObject.getInstance()
frame = QFrame(self)
layout = QVBoxLayout(frame)
layout.addWidget(QLabel('<H1>%s</H1>' % tr('Authentication server') ))
head_box = QGroupBox(tr("How the authentication server handles certificates"))
head = QFormLayout(head_box)
self.strictCheckBox = QCheckBox()
head.addRow(QLabel(tr("Strict mode (check the client's certificate against the installed CA)")), self.strictCheckBox)
self.connect(self.strictCheckBox, SIGNAL('toggled(bool)'),
self.setStrict)
self.cl_auth_box = QGroupBox(tr("Client authentication with a certificate is"))
cl_auth = QVBoxLayout(self.cl_auth_box)
self.auth_by_cert = QButtonGroup()
self.auth_by_cert.setExclusive(True)
self.mainwindow.writeAccessNeeded(self.strictCheckBox)
labels = [tr('forbidden'), tr('allowed'), tr('mandatory')]
for index, label_button in enumerate(labels):
button = QRadioButton(label_button)
self.auth_by_cert.addButton(button, index)
cl_auth.addWidget(button)
self.mainwindow.writeAccessNeeded(button)
self.auth_by_cert.button(0).setChecked(Qt.Checked)
self.connect(self.auth_by_cert, SIGNAL('buttonClicked(int)'),
self.auth_by_cert_modified)
# Captive portal
# --------------
self.portal_groupbox = QGroupBox(tr("Captive portal"))
self.portal_groupbox.setLayout(QVBoxLayout())
# Enabled checkbox:
self.portal_checkbox = QCheckBox(tr("Enable captive portal"))
self.connect(self.portal_checkbox, SIGNAL('toggled(bool)'),
self.setPortalEnabled)
# List of networks redirected to the captive portal:
self.portal_nets_groupbox = QGroupBox(
tr("Networks handled by the captive portal"))
self.portal_nets_groupbox.setLayout(QVBoxLayout())
self.portal_nets_edit = NetworkListEdit()
self.connect(self.portal_nets_edit, SIGNAL('textChanged()'), self.setPortalNets)
self.portal_nets_groupbox.layout().addWidget(self.portal_nets_edit)
# Pack the widgets:
for widget in (self.portal_checkbox, self.portal_nets_groupbox):
self.portal_groupbox.layout().addWidget(widget)
self.mainwindow.writeAccessNeeded(self.portal_checkbox)
self.mainwindow.writeAccessNeeded(self.portal_nets_edit)
if not EDENWALL:
self.portal_groupbox.setVisible(False)
# authentication server
self.pki_widget = PkiEmbedWidget(self.client, self, 'auth_cert', PkiEmbedWidget.SHOW_ALL|PkiEmbedWidget.CRL_OPTIONAL, self.setModified)
self.mainwindow.writeAccessNeeded(self.pki_widget)
layout.addWidget(head_box)
layout.addWidget(self.cl_auth_box)
layout.addWidget(self.portal_groupbox)
layout.addWidget(self.pki_widget)
layout.addStretch()
self.setWidget(frame)
self.setWidgetResizable(True)
self.resetConf()
self.__loading = False
class AuthenticationFrontend(ScrollArea):
COMPONENT = 'auth_cert'
LABEL = tr('Authentication server')
REQUIREMENTS = ('auth_cert',)
ICON = ':/icons/auth_protocol.png'
def __init__(self, client, parent):
self.__loading = True
ScrollArea.__init__(self)
self.mainwindow = parent
self.client = client
self.modified = False
self.qauthcertobject = QAuthCertObject.getInstance()
frame = QFrame(self)
layout = QVBoxLayout(frame)
layout.addWidget(QLabel('<H1>%s</H1>' % tr('Authentication server') ))
head_box = QGroupBox(tr("How the authentication server handles certificates"))
head = QFormLayout(head_box)
self.strictCheckBox = QCheckBox()
head.addRow(QLabel(tr("Strict mode (check the client's certificate against the installed CA)")), self.strictCheckBox)
self.connect(self.strictCheckBox, SIGNAL('toggled(bool)'),
self.setStrict)
self.cl_auth_box = QGroupBox(tr("Client authentication with a certificate is"))
cl_auth = QVBoxLayout(self.cl_auth_box)
self.auth_by_cert = QButtonGroup()
self.auth_by_cert.setExclusive(True)
self.mainwindow.writeAccessNeeded(self.strictCheckBox)
labels = [tr('forbidden'), tr('allowed'), tr('mandatory')]
for index, label_button in enumerate(labels):
button = QRadioButton(label_button)
self.auth_by_cert.addButton(button, index)
cl_auth.addWidget(button)
self.mainwindow.writeAccessNeeded(button)
self.auth_by_cert.button(0).setChecked(Qt.Checked)
self.connect(self.auth_by_cert, SIGNAL('buttonClicked(int)'),
self.auth_by_cert_modified)
# Captive portal
# --------------
self.portal_groupbox = QGroupBox(tr("Captive portal"))
self.portal_groupbox.setLayout(QVBoxLayout())
# Enabled checkbox:
self.portal_checkbox = QCheckBox(tr("Enable captive portal"))
self.connect(self.portal_checkbox, SIGNAL('toggled(bool)'),
self.setPortalEnabled)
# List of networks redirected to the captive portal:
self.portal_nets_groupbox = QGroupBox(
tr("Networks handled by the captive portal"))
self.portal_nets_groupbox.setLayout(QVBoxLayout())
self.portal_nets_edit = NetworkListEdit()
self.connect(self.portal_nets_edit, SIGNAL('textChanged()'), self.setPortalNets)
self.portal_nets_groupbox.layout().addWidget(self.portal_nets_edit)
# Pack the widgets:
for widget in (self.portal_checkbox, self.portal_nets_groupbox):
self.portal_groupbox.layout().addWidget(widget)
self.mainwindow.writeAccessNeeded(self.portal_checkbox)
self.mainwindow.writeAccessNeeded(self.portal_nets_edit)
if not EDENWALL:
self.portal_groupbox.setVisible(False)
# authentication server
self.pki_widget = PkiEmbedWidget(self.client, self, 'auth_cert', PkiEmbedWidget.SHOW_ALL|PkiEmbedWidget.CRL_OPTIONAL, self.setModified)
self.mainwindow.writeAccessNeeded(self.pki_widget)
layout.addWidget(head_box)
layout.addWidget(self.cl_auth_box)
layout.addWidget(self.portal_groupbox)
layout.addWidget(self.pki_widget)
layout.addStretch()
self.setWidget(frame)
self.setWidgetResizable(True)
self.resetConf()
self.__loading = False
def setModified(self, isModified=True, message=""):
if self.__loading:
return
if isModified:
self.modified = True
self.mainwindow.setModified(self, True)
if message:
self.mainwindow.addToInfoArea(message)
else:
self.modified = False
def setModifiedCallback(self, *unused):
self.setModified()
def isModified(self):
return self.modified
def saveConf(self, message):
self.qauthcertobject.auth_cert.auth_by_cert = self.auth_by_cert.checkedId()
conf = self.pki_widget.getConfig()
self.qauthcertobject.auth_cert.setSSLDict(conf)
serialized = self.qauthcertobject.auth_cert.serialize(downgrade=True)
self.client.call('auth_cert', 'setAuthCertConfig', serialized, message)
def resetConf(self):
auth_cert_loaded = self._reset_helper(
'auth_cert',
'getAuthCertConfig',
self.qauthcertobject,
tr("Authentication interface enabled"),
tr("Authentication disabled: backend not loaded")
)
self.setModified(False)
remote = self.qauthcertobject.auth_cert.getReceivedSerialVersion()
if remote < 3:
self.mainwindow.addWarningMessage(tr('Captive portal configuration disabled: this frontend and your appliance software versions are not compatible.'))
enable_portal = (
auth_cert_loaded
and EDENWALL
and remote >= 3
)
self.portal_groupbox.setVisible(enable_portal)
if not auth_cert_loaded:
return
self.strictCheckBox.setChecked(self.qauthcertobject.auth_cert.strict)
if not self.qauthcertobject.auth_cert.auth_by_cert:
self.qauthcertobject.auth_cert.auth_by_cert = 0
self.auth_by_cert.button(
self.qauthcertobject.auth_cert.auth_by_cert).setChecked(True)
# Captive portal:
self.portal_checkbox.setChecked(
self.qauthcertobject.auth_cert.portal_enabled)
self.portal_nets_edit.setIpAddrs(
self.qauthcertobject.auth_cert.portal_nets)
# Certificate (PKI):
pki_conf = self.qauthcertobject.auth_cert.getSSLDict()
self.pki_widget.setConfig(pki_conf)
def error(self, message):
self.mainwindow.addToInfoArea(message, category=COLOR_ERROR)
def auth_by_cert_modified(self, idbox):
button_name = self.auth_by_cert.button(idbox).text()
info = tr("Certificates - Authentication with client certificate : '%s'") % button_name
self.setModified(message=info)
def setPortalEnabled(self, value):
if value != self.qauthcertobject.auth_cert.portal_enabled:
self.qauthcertobject.auth_cert.setPortalEnabled(value)
self.setModified()
def setPortalNets(self):
if self.portal_nets_edit.isValid():
self.qauthcertobject.auth_cert.setPortalNets(
self.portal_nets_edit.value())
self.setModified()
def setStrict(self, value):
if value != self.qauthcertobject.auth_cert.strict:
self.qauthcertobject.auth_cert.setStrict(value)
self.setModified()
self.cl_auth_box.setEnabled(value)
def isValid(self):
cert_validity = self.pki_widget.validate()
if cert_validity is not None:
self.error_message = '<br/>' + cert_validity + '<br/>'
self.mainwindow.addToInfoArea(cert_validity, category=COLOR_ERROR)
return False
return True
def onApplyFinished(self):
self.pki_widget.feed()
