root/5100R/branches/dev/ui/base-firewall.mod/constructor/50_initialize_ruleset.pl
| Revision 201, 5.4 kB (checked in by will, 7 years ago) | |
|---|---|
| |
| Line | |
|---|---|
| 1 | #!/usr/bin/perl -I /usr/sausalito/perl |
| 2 | # $Id$ |
| 3 | # Copyright 2002, Sun Microsystems, Inc., All rights reserved. |
| 4 | # |
| 5 | # Builds a set of good-practice firewall rules. |
| 6 | # Opens listed ports to restricted_nics. Denies all connections to |
| 7 | # closed_nics, and allows all access to nics. |
| 8 | # |
| 9 | # Ports are hash integer ranges; base => upper |
| 10 | # |
| 11 | # This is run once, on first activation of CCE. Error detection for |
| 12 | # failed cce transactions are ignored--They have no context in a |
| 13 | # factory constructor. Oh well. |
| 14 | |
| 15 | my $DEBUG = 0; |
| 16 | my $chain = 'input'; |
| 17 | |
| 18 | # default description, not used in UI as of 8/02 |
| 19 | my $description = 'Default Ruleset'; |
| 20 | |
| 21 | # The owner is essential to identifying this default firewall config |
| 22 | my $owner = 'default'; |
| 23 | |
| 24 | # wide-open, restricted, and closed network interfaces |
| 25 | my @nics = ('lo', 'eth0', 'ipsec0', 'ipsec1', 'ipsec2'); |
| 26 | my @restricted_nics = ('eth1', 'ppp0'); # WAN, selective |
| 27 | my @closed_nics = (); # Denies all |
| 28 | |
| 29 | # each protocol must have a hash port map of the same name |
| 30 | my @protocols = ('tcp', 'udp', 'icmp', 'all'); |
| 31 | |
| 32 | my %pr; # port range |
| 33 | $pr{'udp'} = { |
| 34 | 7 => 7, # echo |
| 35 | 20 => 23, # ftp, telnet, ssh |
| 36 | 25 => 25, # smtp |
| 37 | 42 => 42, # nameserver |
| 38 | 53 => 53, # dns |
| 39 | 110 => 110, # pop |
| 40 | 123 => 123, # ntp |
| 41 | 143 => 143, # imap |
| 42 | 220 => 220, # imap3 |
| 43 | 389 => 389, # ldap |
| 44 | 161 => 162, # snmp and snmp-trap |
| 45 | 520 => 520, # RIP; not used ??? |
| 46 | 1024 => 65535, # active mode ftp |
| 47 | }; |
| 48 | $pr{'tcp'} = { |
| 49 | 7 => 7, # echo |
| 50 | 20 => 23, # ftp, telnet, ssh |
| 51 | 25 => 25, # smtp |
| 52 | 42 => 42, # nameserver |
| 53 | 53 => 53, # dns |
| 54 | 110 => 110, # pop |
| 55 | 123 => 123, # ntp |
| 56 | 143 => 143, # imap |
| 57 | 220 => 220, # imap3 |
| 58 | 389 => 389, # ldap |
| 59 | 443 => 444, # Cobalt admserv |
| 60 | 1024 => 65535, # user apps |
| 61 | }; |
| 62 | $pr{'icmp'} = { |
| 63 | }; |
| 64 | $pr{'all'} = { |
| 65 | }; |
| 66 | |
| 67 | use CCE; |
| 68 | my $cce = new CCE; |
| 69 | $cce->connectuds(); |
| 70 | |
| 71 | my $sysoid = ($cce->find('System'))[0]; |
| 72 | my ($ok, $fw) = $cce->get($sysoid, 'Firewall'); |
| 73 | |
| 74 | if(!$ok || $fw->{initialized}) { |
| 75 | $cce->bye('SUCCESS'); |
| 76 | exit 0; |
| 77 | } |
| 78 | |
| 79 | # delete an existing default ruleset (Will's paranoia) |
| 80 | foreach my $rip ($cce->find('FirewallRule', {'owner' => $owner})) { |
| 81 | $cce->destroy($rip); |
| 82 | } |
| 83 | |
| 84 | # cycle through each nic, adding rules as necessary |
| 85 | foreach my $nic (@nics) { |
| 86 | $DEBUG && warn "opening access to $nic"; |
| 87 | # add all-accept rule |
| 88 | $cce->create('FirewallRule', { |
| 89 | 'policy' => 'ACCEPT', |
| 90 | 'interface' => $nic, |
| 91 | 'protocol' => 'all', |
| 92 | 'owner' => $owner, |
| 93 | 'description' => $description, |
| 94 | }, undef); |
| 95 | } |
| 96 | foreach my $nic (@restricted_nics) { |
| 97 | $DEBUG && warn "selectively access to $nic"; |
| 98 | foreach my $proto (@protocols) { |
| 99 | while (my($port,$up) = each %{$pr{$proto}}) { |
| 100 | $DEBUG && warn "protocol: $proto, base port: $port, upper: $up\n"; |
| 101 | $cce->create('FirewallRule', { |
| 102 | 'policy' => 'ACCEPT', |
| 103 | 'interface' => $nic, |
| 104 | 'dest_ports' => $port.':'.$up, |
| 105 | 'protocol' => $proto, |
| 106 | 'owner' => $owner, |
| 107 | 'description' => $description, |
| 108 | }, undef); |
| 109 | } |
| 110 | } |
| 111 | } |
| 112 | |
| 113 | |
| 114 | # Create/edit the $chain & set default policy and associate the default ruleset |
| 115 | my @chains = $cce->find('FirewallChain', {'name' => $chain}); |
| 116 | my @new = $cce->find('FirewallRule', {'owner' => $owner}); |
| 117 | if ($chains[0]) { |
| 118 | $DEBUG && warn "Found chain policy $oid, setting DENY"; |
| 119 | |
| 120 | my ($ok, $chain) = $cce->get($oid); |
| 121 | my @old = $cce->scalar_to_array( $chain->{rules} ); |
| 122 | push (@old, @new); |
| 123 | my $rules = $cce->array_to_scalar( @old ); |
| 124 | |
| 125 | $cce->set($chains[0], undef, { |
| 126 | 'default' => 'DENY', |
| 127 | 'rules' => $rules, |
| 128 | }); |
| 129 | } else { |
| 130 | $DEBUG && warn "Creating $chain chain policy"; |
| 131 | |
| 132 | my $rules = $cce->array_to_scalar( @new ); |
| 133 | $cce->create('FirewallChain', { |
| 134 | 'name' => $chain, |
| 135 | 'default' => 'DENY', |
| 136 | 'rules' => $rules, |
| 137 | }, undef); |
| 138 | } |
| 139 | |
| 140 | # Mark initialized, enable, commit |
| 141 | my $time = time(); |
| 142 | $DEBUG && warn "commit changes at $time"; |
| 143 | $cce->set($sysoid, 'Firewall', { |
| 144 | 'initialized' => 1, |
| 145 | 'enabled' => 1, |
| 146 | }); |
| 147 | $cce->set($sysoid, 'Firewall', { |
| 148 | 'commit' => $time, |
| 149 | }); |
| 150 | |
| 151 | $cce->bye('SUCCESS'); |
| 152 | exit 0; |
| 153 | |
| 154 | |
| 155 | # Copyright (c) 2003 Sun Microsystems, Inc. All Rights Reserved. |
| 156 | # |
| 157 | # Redistribution and use in source and binary forms, with or without |
| 158 | # modification, are permitted provided that the following conditions are met: |
| 159 | # |
| 160 | # -Redistribution of source code must retain the above copyright notice, |
| 161 | # this list of conditions and the following disclaimer. |
| 162 | # |
| 163 | # -Redistribution in binary form must reproduce the above copyright notice, |
| 164 | # this list of conditions and the following disclaimer in the documentation |
| 165 | # and/or other materials provided with the distribution. |
| 166 | # |
| 167 | # Neither the name of Sun Microsystems, Inc. or the names of contributors may |
| 168 | # be used to endorse or promote products derived from this software without |
| 169 | # specific prior written permission. |
| 170 | # |
| 171 | # This software is provided "AS IS," without a warranty of any kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN") AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. |
| 172 | # |
| 173 | # You acknowledge that this software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. |
| 174 |
Note: See TracBrowser for help on using the browser.
