mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-21 07:55:00 +00:00
7f608cd570
- Now that we have a mechanism for properly collecting, transmitting, and display the stdout and stderr. There is no reason not to collect all of the stdin and stderr. - Also, the stdin/stderr=subprocess.PIPE is redundant and prevents the output from getting collected for debugging. So, remove it. Tests: - Ran functional tests on backups, calibre, ejabberd, email, gitweb, ikiwiki, infinoted, kiwix, mediawiki, mumble, nextcloud,, openvpn, samba, wireguard, zoph. 2-3 issues were found but did not seem like new errors. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Veiko Aasa <veiko17@disroot.org>
199 lines
7.3 KiB
Python
199 lines
7.3 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""Configuration helper for FreedomBox firewall interface."""
|
|
|
|
import subprocess
|
|
from typing import TypeAlias
|
|
|
|
import augeas
|
|
|
|
from plinth import action_utils
|
|
from plinth.actions import privileged
|
|
|
|
FirewallConfig: TypeAlias = dict[str, str | list[str]]
|
|
|
|
|
|
def _flush_iptables_rules():
|
|
"""Flush firewalld iptables rules before restarting it.
|
|
|
|
This is workaround for
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
|
|
|
|
This workaround can be removed if the bug is fixed or if firewalld starts
|
|
defaulting to nftables again.
|
|
|
|
The bug leads to firewalld failing to flush rules when there are custom
|
|
chains in the rules. This only happens on firewalld iptables backend when
|
|
nftables is running with iptables compatibility.
|
|
|
|
Flushing the tables before a restart will make the restart succeed and
|
|
after the restart nftables backend is used avoiding the problem.
|
|
|
|
"""
|
|
rule_template = '*{table}\n-F\n-X\n-Z\nCOMMIT\n'
|
|
iptables_rules = ''
|
|
ip6tables_rules = ''
|
|
for table in ['security', 'raw', 'mangle', 'nat', 'filter']:
|
|
iptables_rules += rule_template.format(table=table)
|
|
ip6tables_rules += rule_template.format(table=table)
|
|
|
|
action_utils.run(['iptables-restore'], input=iptables_rules.encode(),
|
|
check=True)
|
|
action_utils.run(['ip6tables-restore'], input=iptables_rules.encode(),
|
|
check=True)
|
|
|
|
|
|
def set_firewall_backend(backend):
|
|
"""Set FirewallBackend attribute to the specified string."""
|
|
conf_file = '/etc/firewalld/firewalld.conf'
|
|
aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
|
|
augeas.Augeas.NO_MODL_AUTOLOAD)
|
|
|
|
# lens for shell-script config file
|
|
aug.set('/augeas/load/Shellvars/lens', 'Shellvars.lns')
|
|
aug.set('/augeas/load/Shellvars/incl[last() + 1]', conf_file)
|
|
aug.load()
|
|
|
|
old_backend = aug.get('/files/{}/FirewallBackend'.format(conf_file))
|
|
aug.set('/files/{}/FirewallBackend'.format(conf_file),
|
|
'{}'.format(backend))
|
|
aug.save()
|
|
|
|
if old_backend == 'iptables':
|
|
_flush_iptables_rules()
|
|
|
|
if backend != old_backend:
|
|
action_utils.service_restart('firewalld')
|
|
|
|
|
|
def _run_firewall_cmd(args):
|
|
"""Run firewall-cmd command, discard output and check return value."""
|
|
action_utils.run(['firewall-cmd'] + args, check=True)
|
|
|
|
|
|
def _setup_local_service_protection():
|
|
"""Create the basic set of direct rules for protecting local services.
|
|
|
|
Local service protection means that only administrators and Apache web
|
|
server should be able to access certain services and not other users who
|
|
have logged into the system. This is needed because some of the services
|
|
are protected with authentication and authorization provided by Apache web
|
|
server. If services are contacted directly then auth can be bypassed by all
|
|
local users.
|
|
|
|
Firewalld does not have a mechanism to do this directly but it allows
|
|
inserting 'direct' rules into firewall. nftables is our default backend by
|
|
'direct' rules always invoke 'ip(6)tables' commands. Luckily, ip(6)tables
|
|
are compatibility wrappers provided by nftables. Hence we must use iptables
|
|
syntax even though we deal with nftables.
|
|
|
|
In nftables, there is no direct way to write the blocking rules. To deal
|
|
with traffic for incoming services, we have to write the rules an 'input'
|
|
chain. However, this chain does not have the information about the user who
|
|
originated this traffic. Only the 'output' chain has this information. This
|
|
may be fixed in the future. See:
|
|
https://github.com/firewalld/firewalld/issues/725
|
|
|
|
Our workaround for the situation is to mark the packets in the 'output'
|
|
chain and then use that wmark in the 'input'. Since we have a fixed set of
|
|
users want to allow, a single bit in the 32bit 'mark' property of the
|
|
packet is sufficient.
|
|
"""
|
|
|
|
def _add_rule(permanent, *rule):
|
|
try:
|
|
_run_firewall_cmd(permanent + ['--direct', '--query-passthrough'] +
|
|
list(rule))
|
|
except subprocess.CalledProcessError:
|
|
_run_firewall_cmd(permanent + ['--direct', '--add-passthrough'] +
|
|
list(rule))
|
|
|
|
for permanent in [[], ['--permanent']]:
|
|
for ip_type in ['ipv4', 'ipv6']:
|
|
for owner_type in ['--uid-owner', '--gid-owner']:
|
|
for user_group in ['root', 'www-data', 'mail']:
|
|
_add_rule(permanent, ip_type, '-A', 'OUTPUT', '-m',
|
|
'owner', owner_type, user_group, '-j', 'MARK',
|
|
'--or-mark', '0x800000')
|
|
|
|
for permanent in [[], ['--permanent']]:
|
|
for ip_type in ['ipv4', 'ipv6']:
|
|
_add_rule(permanent, ip_type, '-A', 'INPUT', '-m', 'conntrack',
|
|
'--ctstate', 'ESTABLISHED,RELATED', '-j', 'ACCEPT')
|
|
_add_rule(permanent, ip_type, '-A', 'INPUT', '-m', 'mark',
|
|
'--mark', '0x800000/0x800000', '-j', 'ACCEPT')
|
|
|
|
|
|
def _setup_inter_zone_forwarding():
|
|
"""Create a new policy that allows forwarding between zones.
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8
|
|
"""
|
|
|
|
def _run(args):
|
|
"""Run a firewall command with --permanent argument."""
|
|
return _run_firewall_cmd(['--permanent'] + args)
|
|
|
|
policy_name = 'fbx_int_to_ext_fwd'
|
|
try:
|
|
_run(['--new-policy', policy_name])
|
|
except subprocess.CalledProcessError as exception:
|
|
if exception.returncode != 26: # NAME_CONFLICT
|
|
raise
|
|
|
|
_run(['--policy', policy_name, '--add-ingress-zone', 'internal'])
|
|
_run(['--policy', policy_name, '--add-egress-zone', 'external'])
|
|
_run(['--policy', policy_name, '--set-priority', '100'])
|
|
_run(['--policy', policy_name, '--set-target', 'ACCEPT'])
|
|
|
|
# Enable masquerade on external zone
|
|
_run(['--zone=external', '--add-masquerade'])
|
|
|
|
# Enable intra-zone forwarding on internal zone
|
|
_run(['--zone=internal', '--add-forward'])
|
|
|
|
# Restart firewalld
|
|
action_utils.service_reload('firewalld')
|
|
|
|
|
|
@privileged
|
|
def setup():
|
|
"""Perform basic firewalld setup."""
|
|
action_utils.service_enable('firewalld')
|
|
action_utils.run(['firewall-cmd', '--set-default-zone=external'],
|
|
check=True)
|
|
set_firewall_backend('nftables')
|
|
|
|
_setup_local_service_protection()
|
|
|
|
_setup_inter_zone_forwarding()
|
|
|
|
|
|
@privileged
|
|
def get_config() -> FirewallConfig:
|
|
"""Return firewalld configuration for diagnostics."""
|
|
config: FirewallConfig = {}
|
|
|
|
# Get the default zone.
|
|
output = action_utils.run(['firewall-cmd', '--get-default-zone'],
|
|
check=True).stdout
|
|
config['default_zone'] = output.decode().strip()
|
|
|
|
# Load Augeas lens.
|
|
conf_file = '/etc/firewalld/firewalld.conf'
|
|
aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
|
|
augeas.Augeas.NO_MODL_AUTOLOAD)
|
|
aug.transform('Shellvars', conf_file)
|
|
aug.set('/augeas/context', '/files' + conf_file)
|
|
aug.load()
|
|
|
|
# Get the firewall backend.
|
|
config['backend'] = aug.get('FirewallBackend')
|
|
|
|
# Get the list of direct passthroughs.
|
|
output = action_utils.run(
|
|
['firewall-cmd', '--direct', '--get-all-passthroughs'],
|
|
check=True).stdout
|
|
config['passthroughs'] = output.decode().strip().split('\n')
|
|
|
|
return config
|