firewall: Add diagnostic check for passthroughs

Check that there are at least 12 direct passthroughs.

Tests:
- The diagnostic passes.
- Manually remove a direct passthrough. The diagnostic fails.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
James Valleroy 2023-06-22 17:23:14 -04:00 committed by Sunil Mohan Adapa
parent be91d8e4e4
commit 64d6356c2f
2 changed files with 20 additions and 0 deletions


@ -101,6 +101,7 @@ class FirewallApp(app_module.App):
config = privileged.get_config()
results.append(_diagnose_default_zone(config))
results.append(_diagnose_firewall_backend(config))
results.append(_diagnose_direct_passthroughs(config))
return results
@ -275,3 +276,14 @@ def _diagnose_firewall_backend(config):
testname = gettext('Firewall backend is nftables')
result = 'passed' if config['backend'] == 'nftables' else 'failed'
return [testname, result]
def _diagnose_direct_passthroughs(config):
"""Diagnose direct passthroughs for local service protection.
Currently, we just check that the number of passthroughs is at least 12,
which are the number that are added by firewall's setup.
"""
testname = gettext('Direct passthrough rules exist')
result = 'passed' if len(config['passthroughs']) >= 12 else 'failed'
return [testname, result]
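Review bot: The literal `12` in `_diagnose_direct_passthroughs` is a bare count rather than an identity check, so the diagnostic passes on any twelve passthrough rules, even ones unrelated to local service protection, and it will silently go stale the next time the setup code changes how many rules it adds. The setup code that adds those rules is not in this hunk, so the coupling is inferred from the docstring; at minimum hoist the number into a module-level constant defined next to that setup code (e.g. `_SETUP_PASSTHROUGH_COUNT = 12`) and compare against it here, and if the expected rule list is available in this module, compare `config['passthroughs']` against it instead of counting. A failed result currently carries no detail; consider including the observed count in the test name, e.g. `gettext('Direct passthrough rules exist ({count} found)').format(count=len(config['passthroughs']))`, so a user can see how far off the host is.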


@ -136,9 +136,11 @@ def get_config():
"""Return firewalld configuration for diagnostics."""
config = {}
# Get the default zone.
output = subprocess.check_output(['firewall-cmd', '--get-default-zone'])
config['default_zone'] = output.decode().strip()
# Load Augeas lens.
conf_file = '/etc/firewalld/firewalld.conf'
aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
augeas.Augeas.NO_MODL_AUTOLOAD)
@ -146,6 +148,12 @@ def get_config():
aug.set('/augeas/context', '/files' + conf_file)
aug.load()
# Get the firewall backend.
config['backend'] = aug.get('FirewallBackend')
# Get the list of direct passthroughs.
output = subprocess.check_output(
['firewall-cmd', '--direct', '--get-all-passthroughs'])
config['passthroughs'] = output.decode().strip().split('\n')
return config
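Review bot: `output.decode().strip().split('\n')` in `get_config` yields `['']` when `firewall-cmd` prints nothing, so a host with no direct passthroughs is reported as having one rule rather than zero. Replace it with `config['passthroughs'] = [line for line in output.decode().splitlines() if line]` so the list is empty in that case and no blank-line artefacts are counted. This does not change the outcome of the current "at least 12" check, but it keeps the data honest for any other consumer of the list. Note that `--direct --get-all-passthroughs` without `--permanent` reads only the runtime rule set; if the diagnostic is meant to confirm the protection survives a firewalld restart, a `--permanent` query would be needed as well — confirm which is intended.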