Michael Schwarz [Mon, 11 Jun 2018 12:41:21 +0000 (14:41 +0200)]
DHCRelay uses port 67 as source port
Michael Schwarz [Mon, 16 Oct 2017 10:58:36 +0000 (12:58 +0200)]
Update changelog for 0.2.3
Michael Schwarz [Mon, 16 Oct 2017 10:52:28 +0000 (12:52 +0200)]
Checks for port definitions in services
Michael Schwarz [Fri, 13 Oct 2017 11:34:59 +0000 (13:34 +0200)]
Delayed commit of changelog for version 0.2.1
Michael Schwarz [Fri, 13 Oct 2017 11:29:59 +0000 (13:29 +0200)]
Accept port ranges in service definitions
Michael Schwarz [Mon, 15 Aug 2016 09:24:34 +0000 (11:24 +0200)]
Fixed generation of network based rules
Michael Schwarz [Thu, 21 Jan 2016 08:29:30 +0000 (09:29 +0100)]
Update Changelog to version 0.2.1
Michael Schwarz [Thu, 21 Jan 2016 08:28:56 +0000 (09:28 +0100)]
Implement hooks at push also
Michael Schwarz [Wed, 20 Jan 2016 15:27:44 +0000 (16:27 +0100)]
Update example files
Michael Schwarz [Wed, 20 Jan 2016 15:18:47 +0000 (16:18 +0100)]
Implement execution of hooks
With alff 0.1.0, hooks could be called before and after generation
of rules. While alff 0.2.0 can handle sites, the procedure which calls
these hooks must be rewritten.
From now on, hooks can be called before all sites and per site.
Therefore the hooks for e.g. pregenerate must reside in
<alff-config-dir>/hooks.d/pregenerate/[ ALL | <site> ]
Hooks must end with an exit code. Hooks ending with exit code != 0
cause the rule generation to abort. STDOUT is given on success, STDERR
will be displayed on termination with exit code != 0.
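The hook dispatch described in the commit message above, as an added example that is not alff's own code: the directory layout hooks.d/<phase>/{ALL,<site>}/ and the exit-code semantics (non-zero aborts, STDOUT on success, STDERR on failure) are taken from the message; the function names, the "only regular executable files are hooks" rule, the ALFF_PHASE/ALFF_SITE environment variables and the sample hooks are assumptions of this example.

```python
"""Hook runner for the alff 0.2 hook layout: hooks.d/<phase>/ALL/* run first,
then hooks.d/<phase>/<site>/*. Added example, not alff's own implementation."""
import os
import shutil
import stat
import subprocess
import tempfile


class HookError(RuntimeError):
    """Raised when a hook exits non-zero; rule generation must abort."""


def _hook_dirs(config_dir, phase, site):
    # "ALL" hooks run before the per-site hooks (ordering assumed by this example).
    base = os.path.join(config_dir, "hooks.d", phase)
    return [os.path.join(base, "ALL"), os.path.join(base, site)]


def run_hooks(config_dir, phase, site, extra_env=None):
    """Run every regular, executable file in the ALL and <site> hook directories
    in sorted order. Returns [(hook_path, stdout), ...] for successful hooks and
    raises HookError carrying the hook's STDERR on the first non-zero exit."""
    results = []
    for hook_dir in _hook_dirs(config_dir, phase, site):
        if not os.path.isdir(hook_dir):
            continue
        for name in sorted(os.listdir(hook_dir)):
            path = os.path.join(hook_dir, name)
            st = os.stat(path)
            # Assumption of this example: editor backups, READMEs etc. are skipped.
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IXUSR:
                continue
            # Hypothetical contract: hooks learn phase and site from the environment.
            env = dict(os.environ)
            env.update({"ALFF_PHASE": phase, "ALFF_SITE": site})
            env.update(extra_env or {})
            proc = subprocess.run([path], capture_output=True, text=True, env=env)
            if proc.returncode != 0:
                raise HookError("hook %s failed with exit code %d: %s"
                                % (path, proc.returncode, proc.stderr.strip()))
            results.append((path, proc.stdout))
    return results


def _write_hook(directory, name, body):
    """Create a small POSIX shell hook (constructed sample, executable bit set)."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body)
    os.chmod(path, 0o755)
    return path


def demo():
    """Build a throw-away config dir with constructed hooks and exercise both the
    success path (site-a) and the abort path (site-b). Returns (outputs, error)."""
    config_dir = tempfile.mkdtemp(prefix="alff-hooks-")
    try:
        pre = os.path.join(config_dir, "hooks.d", "pregenerate")
        _write_hook(os.path.join(pre, "ALL"), "10-all", 'echo "all: $ALFF_SITE"\n')
        _write_hook(os.path.join(pre, "site-a"), "10-site", 'echo "site-a ok"\n')
        # A non-executable file in a hook dir must be ignored, not executed.
        with open(os.path.join(pre, "ALL", "README"), "w") as fh:
            fh.write("not a hook\n")
        outputs = [out.strip() for _, out in run_hooks(config_dir, "pregenerate", "site-a")]

        # The per-site hook for site-b fails: generation for that site must abort.
        _write_hook(os.path.join(pre, "site-b"), "10-fail", 'echo "disk full" >&2; exit 3\n')
        try:
            run_hooks(config_dir, "pregenerate", "site-b")
            error = None
        except HookError as exc:
            error = str(exc)
        return outputs, error
    finally:
        shutil.rmtree(config_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The executable-bit check is a deliberate choice: a hook directory tends to accumulate backup files and notes, and running anything that happens to sit there is exactly how an unintended script ends up in the firewall build.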
Michael Schwarz [Mon, 18 Jan 2016 13:32:22 +0000 (14:32 +0100)]
Damn typo
Michael Schwarz [Thu, 14 Jan 2016 13:37:16 +0000 (14:37 +0100)]
Making lintian not cry any more
Michael Schwarz [Thu, 14 Jan 2016 12:29:45 +0000 (13:29 +0100)]
Update changelog for release
Michael Schwarz [Thu, 14 Jan 2016 12:28:29 +0000 (13:28 +0100)]
Create rules dir on setup
Michael Schwarz [Tue, 2 Jun 2015 15:00:41 +0000 (17:00 +0200)]
Update alff agent config (missing config statement)
Michael Schwarz [Tue, 2 Jun 2015 14:58:35 +0000 (16:58 +0200)]
Update plugin generateServiceChains.py to new config format
Maximilian Wilhelm [Sat, 30 May 2015 16:12:09 +0000 (18:12 +0200)]
Use std POSIX shell instead of bash and remove old dependencies for alff-rulegen.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 21:55:46 +0000 (23:55 +0200)]
Update handleUdpTraceroute plugin to new boolean option handling.
See
e44e6fac7a524add8331ca5c812fe0e46eee7d8d.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 21:49:26 +0000 (23:49 +0200)]
There now is an iptables rule parser :)
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 21:39:46 +0000 (23:39 +0200)]
Add very basic config check function which leverages the built-in config validator.
This function is intended to be used to basically validate the configuration
for syntactical correctness and such without the need to run the generate
function. This function might be extended to do further plausibility checks.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 21:37:57 +0000 (23:37 +0200)]
Make sure even mixed vlan/network/prefix specifications are handled correctly.
See
fd4b798b4dbddad51869f0d1db9215cebbf3c239 for details.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 21:08:37 +0000 (23:08 +0200)]
Reflect alff.config API changes in classify_inter_vlan_traffic plugin.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 20:58:15 +0000 (22:58 +0200)]
Rename "vlan"/"network" attributes to "network"/"prefix" and deprecate old ones.
As the old 'vlan' name has been from old times and is somewhat misleading it was
about time to restart with new config parameter names which should be more
generic and clear. So the old
<vlan>
<network> 1.2.3.4/5 </network>
</vlan>
is now deprecated in favour of
<network>
<prefix> 1.2.3.4/5 </prefix>
</network>
thereby still accepting the old format but kindly nagging about it, pointing to
the problem. With this commit the internal API in the alff.config module has
been changed as well to reflect the naming change, still providing the former
names, too.
With vim you could easily update your alff.conf with
% s/\<network\>/prefix/
% s/\<vlan\>/network/
Please update your local plugins as well to get rid of the deprecation warnings :)
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 20:52:43 +0000 (22:52 +0200)]
Enrich example alff.conf with unified style and more comments.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 20:34:15 +0000 (22:34 +0200)]
Add AlffDeprecated() call to inform about and shame use of deprecated functions and options.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Thu, 28 May 2015 18:17:11 +0000 (20:17 +0200)]
Parse boolean looking config values as boolean and add default for option 'support_ipv6_nat'.
Parsing config values which look like boolean values ('yes', 'no', 'true', 'false'),
matched case-insensitively, as booleans unifies the parsing problem and simplifies
handling these options.
The option 'support_ipv6_nat' (default False) controls whether a 'nat' table
for IPv6 is created, as IPv6 NAT isn't available in older kernel versions
still active in the wild.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
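A config reader covering both of the commit messages above (the vlan/network to network/prefix rename with deprecation nagging, and case-insensitive boolean options with a default for 'support_ipv6_nat'), as an added example that is not alff's alff.config module. The element names <vlan>, <network>, <prefix>, the boolean literals and the default come from the messages; the surrounding document layout (<alff><options/><networks/></alff>), the name attribute, the function names and the sample config are assumptions of this example.

```python
"""Config reader accepting the current <network><prefix> spelling and the
deprecated <vlan><network> spelling, with boolean option parsing.
Added example; the XML layout around those elements is assumed."""
import ipaddress
import warnings
import xml.etree.ElementTree as ET

_BOOL_LITERALS = {"yes": True, "true": True, "no": False, "false": False}
_OPTION_DEFAULTS = {"support_ipv6_nat": False}   # default named in the commit message


class AlffDeprecated(UserWarning):
    """Warning category for deprecated spellings (name borrowed from the commit log)."""


def parse_value(raw):
    """yes/no/true/false in any case (whitespace ignored) become bool;
    everything else is returned as the stripped string."""
    text = raw.strip()
    return _BOOL_LITERALS.get(text.lower(), text)


class Config:
    def __init__(self, xml_text):
        self._root = ET.fromstring(xml_text)

    def get_option(self, name, default=None):
        """<options><name>value</name></options>, else the caller's default,
        else the built-in defaults table, else None."""
        node = self._root.find("./options/%s" % name)
        if node is not None and node.text is not None:
            return parse_value(node.text)
        if default is not None:
            return default
        return _OPTION_DEFAULTS.get(name)

    def get_networks(self):
        """{name: [ip_network, ...]} from both spellings; one AlffDeprecated
        warning per <vlan> element so the operator knows what to migrate."""
        networks = {}
        for net in self._root.findall("./networks/network"):
            networks[net.get("name")] = [ipaddress.ip_network(p.text.strip(), strict=False)
                                         for p in net.findall("prefix")]
        for vlan in self._root.findall("./networks/vlan"):
            name = vlan.get("name")
            warnings.warn("<vlan name=%r> is deprecated, use <network> with <prefix>" % name,
                          AlffDeprecated, stacklevel=2)
            networks[name] = [ipaddress.ip_network(p.text.strip(), strict=False)
                              for p in vlan.findall("network")]
        return networks

    def get_vlans(self):
        """Former API name, kept for old plugins but nagging about it."""
        warnings.warn("get_vlans() is deprecated, use get_networks()", AlffDeprecated, stacklevel=2)
        return self.get_networks()


# Constructed sample config mixing the new and the deprecated spelling.
# 'support_ipv6_nat' is deliberately absent so the built-in default applies.
SAMPLE_CONF = """
<alff>
  <options>
    <suppress_empty_chains>Yes</suppress_empty_chains>
    <default_chain_policy>DROP</default_chain_policy>
  </options>
  <networks>
    <network name="servers">
      <prefix> 10.1.0.0/24 </prefix>
      <prefix> 2001:db8:1::/64 </prefix>
    </network>
    <vlan name="legacy">
      <network> 192.0.2.0/24 </network>
    </vlan>
  </networks>
</alff>
"""


def demo():
    """Parse SAMPLE_CONF; return (options, network names, deprecation messages)."""
    cfg = Config(SAMPLE_CONF)
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        nets = cfg.get_networks()
    opts = {
        "suppress_empty_chains": cfg.get_option("suppress_empty_chains"),
        "support_ipv6_nat": cfg.get_option("support_ipv6_nat"),
        "default_chain_policy": cfg.get_option("default_chain_policy"),
        "suppress_unreferenced_chains": cfg.get_option("suppress_unreferenced_chains", default=False),
    }
    nags = [str(w.message) for w in caught if issubclass(w.category, AlffDeprecated)]
    return opts, sorted(nets), nags


if __name__ == "__main__":
    print(demo())
```

Note that a string such as "Yes " or "FALSE" is normalised before the lookup, so a plugin testing `if cfg.get_option("support_ipv6_nat"):` gets a real bool rather than a non-empty (and therefore truthy) string "no".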
Maximilian Wilhelm [Tue, 26 May 2015 13:14:39 +0000 (15:14 +0200)]
Clean-up alff-cat.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Tue, 26 May 2015 13:07:59 +0000 (15:07 +0200)]
Fix typos.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Tue, 26 May 2015 13:02:52 +0000 (15:02 +0200)]
Style pimp-up for ruleset module.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Tue, 26 May 2015 13:02:21 +0000 (15:02 +0200)]
Allow option defaulting.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Tue, 26 May 2015 11:58:39 +0000 (13:58 +0200)]
Style pimp-up for service module.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Michael Schwarz [Tue, 24 Feb 2015 15:55:31 +0000 (16:55 +0100)]
Fixes suppression of some vlans which are not at the same site
Michael Schwarz [Mon, 26 Jan 2015 13:31:01 +0000 (14:31 +0100)]
Think before you commit ...
Michael Schwarz [Mon, 26 Jan 2015 12:55:29 +0000 (13:55 +0100)]
* Fixed loading of iptables-rules at systemboot
* Fixed creation of hookins for security classes
* Fixed suppress x_to_x chains
Michael Schwarz [Wed, 17 Dec 2014 09:09:35 +0000 (10:09 +0100)]
Update changelog for 0.2.0-rc1 release
Michael Schwarz [Tue, 9 Dec 2014 13:23:50 +0000 (14:23 +0100)]
Create md5sums to prove rulesets
Michael Schwarz [Tue, 2 Dec 2014 12:10:37 +0000 (13:10 +0100)]
Changed path of alff-cat
Michael Schwarz [Tue, 2 Dec 2014 11:53:35 +0000 (12:53 +0100)]
Some changes in loading Rulesets
Michael Schwarz [Tue, 2 Dec 2014 11:52:27 +0000 (12:52 +0100)]
Delete token on firewalls
Michael Schwarz [Wed, 17 Sep 2014 13:33:48 +0000 (15:33 +0200)]
Changed debian files for first version of NEW alff ;)
Michael Schwarz [Wed, 17 Sep 2014 13:33:07 +0000 (15:33 +0200)]
Fixed path in function module, installed wrapper to call alff.py
Michael Schwarz [Wed, 17 Sep 2014 12:32:54 +0000 (14:32 +0200)]
Changed the cat a little bit to load the new iptables-save rules
Michael Schwarz [Wed, 17 Sep 2014 12:32:17 +0000 (14:32 +0200)]
Updated alff.conf sample config to new format
Michael Schwarz [Wed, 10 Sep 2014 14:26:06 +0000 (16:26 +0200)]
First version of push function
Michael Schwarz [Wed, 10 Sep 2014 14:25:30 +0000 (16:25 +0200)]
Do not create table nat for ipv6 unless the user wants this
Michael Schwarz [Wed, 27 Aug 2014 13:41:07 +0000 (15:41 +0200)]
Test if allow_from_world is set, otherwise plugins may break
Michael Schwarz [Wed, 27 Aug 2014 13:40:52 +0000 (15:40 +0200)]
Fix wrong indent
Michael Schwarz [Wed, 27 Aug 2014 13:14:18 +0000 (15:14 +0200)]
Be a little more verbose when suppressing chains
Michael Schwarz [Wed, 27 Aug 2014 12:55:42 +0000 (14:55 +0200)]
Fixed some typos
Michael Schwarz [Wed, 27 Aug 2014 12:30:53 +0000 (14:30 +0200)]
Simple script to convert old service definitions to new json format
Michael Schwarz [Wed, 20 Aug 2014 11:54:22 +0000 (13:54 +0200)]
Wiped out old perl-stuff
Michael Schwarz [Wed, 20 Aug 2014 11:53:41 +0000 (13:53 +0200)]
Some more plugins
Michael Schwarz [Wed, 20 Aug 2014 11:52:49 +0000 (13:52 +0200)]
Plugin for generation of servicechains
Michael Schwarz [Wed, 20 Aug 2014 11:50:46 +0000 (13:50 +0200)]
Rewritten class Service as Configwrapper for Servicedefinitions
Michael Schwarz [Wed, 20 Aug 2014 09:11:08 +0000 (11:11 +0200)]
Fix errormessage
Michael Schwarz [Thu, 14 Aug 2014 08:17:46 +0000 (10:17 +0200)]
Moved plugin out of python tree, to store all the plugins in one
directory
Michael Schwarz [Thu, 14 Aug 2014 08:14:30 +0000 (10:14 +0200)]
Wiped out old perl-stuff, will be completely rewritten in python
Michael Schwarz [Fri, 1 Aug 2014 09:25:31 +0000 (11:25 +0200)]
Really wait for termination of the subprocess, not just check
Maximilian Wilhelm [Tue, 12 Aug 2014 10:38:25 +0000 (12:38 +0200)]
Add base work for push function.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Tue, 12 Aug 2014 10:36:13 +0000 (12:36 +0200)]
Add first draft to services module.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 18 Apr 2014 21:24:50 +0000 (23:24 +0200)]
Add Copyright notice and GPLv2 license header for every new file.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 18 Apr 2014 21:02:50 +0000 (23:02 +0200)]
Add support to remove empty chains and refs from ruleset.
The global option 'suppress_empty_chains' controls whether chains
which don't contain any rules as well as rules containing a jump
to such a chain will be suppressed when generating the ruleset.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 18 Apr 2014 20:26:59 +0000 (22:26 +0200)]
Add support to remove unreferenced chains from ruleset.
The global option 'suppress_unreferenced_chains' controls whether chains
which aren't referenced by any rule will be suppressed when generating
the ruleset.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 18 Apr 2014 20:13:38 +0000 (22:13 +0200)]
Never ever at all remove empty table from the ruleset.
Alff must not remove any empty table from the ruleset as there might have
been rules in this table in the last ruleset and we would not flush these
outdated rules with a new ruleset.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 18 Apr 2014 20:09:09 +0000 (22:09 +0200)]
Add logging support to ruleset module.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 23:45:50 +0000 (01:45 +0200)]
Add alff.py main program providing full site awareness.
With all these shiny new modules Alff is now fully site aware and thereby
providing a powerful tool for managing the rulesets of a lot of distributed
firewall(s| clusters) all around the world controlled by one central set of
configuration files.
Donations welcome :)
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 23:41:24 +0000 (01:41 +0200)]
Add classify_inter_vlan_traffic plugin.
This is one of Alff's main plugins generating the vlan traversal matrix
chains and loading the corresponding rules or default targets into these
chains. The plugin now is fully site aware and uses the vlan interfaces
configured for any given site. Using the site database and the internal
ruleset it is possible to further minimize the generated ruleset so no
useless or empty chains will be produced if configured accordingly.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 23:34:49 +0000 (01:34 +0200)]
Add 'generate' function and base plugin.
The 'generate' function - one of Alff's two main functions - is responsible
for generating the ruleset. It now is fully site aware and will generate and
save one ruleset per site.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 22:32:28 +0000 (00:32 +0200)]
Add basic function loading framework and base class.
Alff will load all function modules on startup and build up the command
line argument parser according to all function configurations.
The resulting function will then be executed with all its arguments.
The function framework allows the user to create own functions for whatever
purposes might come to mind and thereby extend Alff's scope of operation
beyond the imaginable.
The current implementation lacks support of the hook concept available
in previous versions, which will be added again later as (mainly) the
"pregenerate" has been widely used.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 22:31:07 +0000 (00:31 +0200)]
Add misc utils for module/class loading and other nifty stuff.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 22:29:20 +0000 (00:29 +0200)]
Extend ruleset API to query and remove chains.
Added
* chain_exists (protocol, table, chain)
* chain_has_rules (protocol, table, chain)
* remove_chain (protocol, table, chain)
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 22:28:30 +0000 (00:28 +0200)]
(Allow to and) print problematic rule in RulesetErrors.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 22:26:39 +0000 (00:26 +0200)]
Allow plugins to provide default value for get_plugin_option().
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 22:25:58 +0000 (00:25 +0200)]
Rename config.get_vlan_list() to get_vlans().
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 19:24:07 +0000 (21:24 +0200)]
Use integer as internal protocol identifiers.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Mon, 14 Apr 2014 00:25:20 +0000 (02:25 +0200)]
Fix exception messages for missing chains in ruleset.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Sun, 13 Apr 2014 23:23:41 +0000 (01:23 +0200)]
Add support to read rules from file.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Sun, 13 Apr 2014 21:40:03 +0000 (23:40 +0200)]
Add handling of ruleset cache dirs and print rules into files.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Sun, 13 Apr 2014 01:01:01 +0000 (03:01 +0200)]
Improve option handling in new config module + small fixes.
* Add missing get_option() function.
* Use real boolean values for options if possible.
* Add get_config_dir() function.
* Fix some syntax errors.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Sun, 13 Apr 2014 00:53:25 +0000 (02:53 +0200)]
Add basic ruleset management.
This includes an ip(6)tables command line parser as far as needed for Alff
and an ip(6)tables-save like ruleset generation function which now already
generates identical rulesets when fed manually :-)
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
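One model of the ruleset handling described across the commit messages above (the iptables-save parser that regenerates identical output, the chain_exists/chain_has_rules/remove_chain API, the 'suppress_empty_chains' and 'suppress_unreferenced_chains' options, and the rule that an empty table is never dropped from the ruleset), as an added example that is not alff's ruleset module. Only the three API names, the option names and the integer protocol identifiers are taken from the log; the class layout, helper names and the sample ruleset are assumptions of this example.

```python
"""Minimal iptables-save style ruleset model. Added example, not alff's code."""

IPV4, IPV6 = 4, 6   # integer protocol identifiers, as in the commit log


class RulesetError(Exception):
    pass


def _target(rule):
    """Jump/goto target of an '-A ...' rule line, or None."""
    parts = rule.split()
    for flag in ("-j", "-g"):
        if flag in parts:
            return parts[parts.index(flag) + 1]
    return None


class Ruleset:
    def __init__(self):
        # tables[proto][table] = {"chains": {name: policy}, "rules": [line, ...]}
        # A policy of "-" marks a user-defined chain (iptables-save convention).
        self.tables = {IPV4: {}, IPV6: {}}

    def load_save_format(self, proto, text):
        """Parse iptables-save output: *table, :chain policy [p:b], -A ..., COMMIT."""
        table = None
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("*"):
                table = self.tables[proto].setdefault(line[1:], {"chains": {}, "rules": []})
            elif table is None:
                raise RulesetError("line %d: outside of any table: %s" % (lineno, line))
            elif line.startswith(":"):
                name, policy = line[1:].split()[:2]
                table["chains"][name] = policy
            elif line.startswith("-A "):
                if line.split()[1] not in table["chains"]:
                    raise RulesetError("line %d: rule for unknown chain: %s" % (lineno, line))
                table["rules"].append(line)
            elif line != "COMMIT":
                raise RulesetError("line %d: cannot parse: %s" % (lineno, line))

    def chain_exists(self, proto, table, chain):
        return chain in self.tables[proto].get(table, {"chains": {}})["chains"]

    def chain_has_rules(self, proto, table, chain):
        if not self.chain_exists(proto, table, chain):
            raise RulesetError("no chain %s in table %s" % (chain, table))
        return any(r.split()[1] == chain for r in self.tables[proto][table]["rules"])

    def remove_chain(self, proto, table, chain):
        """Delete a user-defined chain and every rule that jumps to it."""
        t = self.tables[proto][table]
        if chain not in t["chains"]:
            raise RulesetError("no chain %s in table %s" % (chain, table))
        if t["chains"][chain] != "-":
            raise RulesetError("refusing to remove built-in chain %s" % chain)
        del t["chains"][chain]
        t["rules"] = [r for r in t["rules"] if r.split()[1] != chain and _target(r) != chain]

    def minimise(self, suppress_empty_chains=False, suppress_unreferenced_chains=False):
        """Apply the two suppression options. Tables are never removed, even when
        empty: a '*table ... COMMIT' block is what flushes last run's rules."""
        for proto in self.tables:
            for table, t in self.tables[proto].items():
                changed = True
                while changed:   # removing one chain can empty or orphan another
                    changed = False
                    for chain, policy in list(t["chains"].items()):
                        if policy != "-":
                            continue   # built-in chains are never removed
                        empty = not self.chain_has_rules(proto, table, chain)
                        referenced = any(_target(r) == chain for r in t["rules"])
                        if (suppress_empty_chains and empty) or (suppress_unreferenced_chains and not referenced):
                            self.remove_chain(proto, table, chain)
                            changed = True

    def save_format(self, proto):
        """Regenerate iptables-save text (counters are always written as [0:0])."""
        out = []
        for table, t in self.tables[proto].items():
            out.append("*%s" % table)
            out.extend(":%s %s [0:0]" % (c, p) for c, p in t["chains"].items())
            out.extend(t["rules"])
            out.append("COMMIT")
        return "\n".join(out) + "\n"


# Constructed sample: a service chain, a referenced but empty chain, an
# unreferenced chain, and a nat table holding nothing but a built-in chain.
SAMPLE = """*filter
:INPUT DROP [0:0]
:Srv_ssh - [0:0]
:empty - [0:0]
:orphan - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j Srv_ssh
-A INPUT -j empty
-A Srv_ssh -s 10.1.0.0/24 -j ACCEPT
-A orphan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""


def demo():
    """Return (round-trip identical?, minimised ruleset text)."""
    rs = Ruleset()
    rs.load_save_format(IPV4, SAMPLE)
    roundtrip = rs.save_format(IPV4) == SAMPLE
    rs.minimise(suppress_empty_chains=True, suppress_unreferenced_chains=True)
    return roundtrip, rs.save_format(IPV4)


if __name__ == "__main__":
    print(demo()[1])
```

The fixed-point loop in minimise() matters in practice: once an empty chain and the rules jumping to it are gone, a chain whose only rules were those jumps becomes empty in turn, so a single pass would leave dead chains behind.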
Maximilian Wilhelm [Sat, 4 Jan 2014 05:42:23 +0000 (06:42 +0100)]
Groundwork for Alff rewrite in Python.
Starting with config parser for XML config file with added site awareness
and error definitions.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 27 Dec 2013 16:25:32 +0000 (17:25 +0100)]
Remove configureFirewallNetworkOptions routine
The sysctl settings should be set on the firewall machine itself and
should not be part of every ruleset.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 27 Dec 2013 15:12:21 +0000 (16:12 +0100)]
Remove pre-push filter.d stuff.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Michael Schwarz [Wed, 22 May 2013 08:01:56 +0000 (10:01 +0200)]
update debian files for version 0.1.1
Michael Schwarz [Wed, 24 Apr 2013 13:53:16 +0000 (15:53 +0200)]
Adjusted some more plugins for ipv6
* create_chain_tcp_header_check
* create_chain_tcp_scan_handling
* handleICMP (Bugfix)
* handleTracerouteUdp
Michael Schwarz [Wed, 24 Apr 2013 13:52:26 +0000 (15:52 +0200)]
Enable DHCP on ipv6
Michael Schwarz [Wed, 24 Apr 2013 11:20:16 +0000 (13:20 +0200)]
Do some spoof checks even in ipv6. This is probably not complete
Michael Schwarz [Wed, 24 Apr 2013 09:26:12 +0000 (11:26 +0200)]
Modified alff-cat to manage ipv6 rules
Michael Schwarz [Wed, 24 Apr 2013 08:42:06 +0000 (10:42 +0200)]
protocol should be ipv6-icmp
Michael Schwarz [Wed, 24 Apr 2013 08:40:59 +0000 (10:40 +0200)]
Added check for nasty routing header 0
Michael Schwarz [Wed, 24 Apr 2013 07:57:24 +0000 (09:57 +0200)]
First bucket of adjusted plugins
* acceptInterFirewallTraffic
* accept_established_connections_
* classifyInterVlanTraffic
* clear_filter_tables
* clear_table_
* create_chain_log_and_reject
* finish_FORWARD
* finish_INPUT
* handleICMP
* hookInBlackAndWhitelist
Michael Schwarz [Tue, 23 Apr 2013 14:19:26 +0000 (16:19 +0200)]
getIpVersion() didn't match on negated networks
Michael Schwarz [Mon, 22 Apr 2013 14:49:25 +0000 (16:49 +0200)]
Implemented basic ipv6 functionality
Michael Schwarz [Thu, 18 Apr 2013 13:45:59 +0000 (15:45 +0200)]
reduced length of service chains
With iptables 1.4.10, chain names are limited to a length of 28 chars.
Substituting Services with Srv, the length of the service chain names
is reduced by five chars. This should work for most cases. In fact,
that should be done more intelligently by a method in the future,
limiting the names to 28 chars while generating the ruleset.
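One way to do the more intelligent shortening the commit message above asks for, as an added example that is not alff's code: the 28-character limit and the Services to Srv substitution come from the message; the scheme of truncating and appending a digest of the full name so that distinct long names stay distinct, the collision check, and the class and method names are this example's own design.

```python
"""Deterministic chain-name shortening for the iptables 28-char limit.
Added example, not alff's code."""
import hashlib
import re

MAX_CHAIN_NAME = 28   # iptables rejects longer names ("must be under 29 chars")


class ChainNamer:
    """Map long, readable chain names onto unique names of at most 28 chars.

    Short names pass through (after the Services -> Srv substitution); long ones
    are truncated and tagged with a prefix of the SHA-256 digest of the full
    name, so the mapping is stable across ruleset generations without any
    stored counter state, and two different long names cannot silently merge."""

    def __init__(self, limit=MAX_CHAIN_NAME, tag_len=6):
        self.limit = limit
        self.tag_len = tag_len
        self._forward = {}   # full name -> short name
        self._reverse = {}   # short name -> full name

    def shorten(self, name):
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError("unsupported characters in chain name %r" % name)
        if name in self._forward:
            return self._forward[name]
        short = name.replace("Services", "Srv")   # the substitution the commit made
        if len(short) > self.limit:
            tag = hashlib.sha256(name.encode()).hexdigest()[: self.tag_len]
            prefix = short[: self.limit - self.tag_len - 1].rstrip("_")
            short = prefix + "_" + tag
        if short in self._reverse and self._reverse[short] != name:
            # Two distinct names ended up on the same short name (digest prefix
            # collision, or a literal name equal to a generated one): fail loudly
            # rather than load two chains' rules into one chain.
            raise ValueError("chain name collision: %r and %r -> %r"
                             % (name, self._reverse[short], short))
        self._forward[name] = short
        self._reverse[short] = name
        return short

    def expand(self, short):
        """Recover the full name for log output or error messages."""
        return self._reverse[short]


if __name__ == "__main__":
    namer = ChainNamer()
    for n in ("Srv_ssh", "Services_InterVlan_dmz_to_servers_https"):
        print("%-45s -> %s" % (n, namer.shorten(n)))
```

Because the tag is derived from the full name rather than from a counter, regenerating the ruleset on another day yields the same chain names, which keeps diffs between generated rulesets readable and keeps references from other plugins valid.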
Michael Schwarz [Fri, 12 Apr 2013 11:44:04 +0000 (13:44 +0200)]
Also changed /usr/bin/env sh to bash
Michael Schwarz [Fri, 12 Apr 2013 11:35:55 +0000 (13:35 +0200)]
On wheezy, we want to use bash instead of sh
Michael Schwarz [Wed, 13 Mar 2013 14:52:38 +0000 (15:52 +0100)]
fixed error while generating inter vlan rules
Michael Schwarz [Tue, 15 Jan 2013 15:30:47 +0000 (16:30 +0100)]
Fixed debian warnings, added multiple interface support
Maximilian Wilhelm [Tue, 15 Jan 2013 15:18:50 +0000 (16:18 +0100)]
Make sure alff-cat is executed by a real bash.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm [Fri, 7 Dec 2007 17:24:20 +0000 (18:24 +0100)]
Beautified debian/rules files.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>