Enhancement #3043

Firewall: avoid user lock out

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Start date:
Due date:
Resolution:
NEEDINFO: No

Description

Sometimes Shorewall can't apply a new configuration due to bad configuration files.
For example, given a blue interface and a rule for this zone, if the blue interface is deleted Shorewall raises an error.
Rules are not applied, but in case of reboot the system becomes unreachable.

The system should avoid this behavior and always allow access at least to SSH and the web interface.
Moreover the Dashboard should report a warning and suggest checking all firewall rules.

Associated revisions

Revision ca568a15
Added by Giacomo Sanchietti over 6 years ago

Templates: add template for stoppedrules. Refs #3043

Revision 2cf996a5
Added by Giacomo Sanchietti over 6 years ago

Web UI: add shorewall check rules. Refs #3043

Added:
  • new todo script: display a message if Shorewall is not running
  • new CheckRules page: display output from 'shorewall check' command

Revision 98ddcc2e
Added by Giacomo Sanchietti over 6 years ago

todo.d: add it and en catalogs. Refs #3043

History

#1 Updated by Giacomo Sanchietti over 6 years ago

When Shorewall is stopped, it can apply all rules listed in /etc/shorewall/stoppedrules.

Simple template which opens ssh, httpd-admin and ping services:

# Always keep httpd-admin, SSH and ping available
# Shorewall stoppedrules columns: ACTION SOURCE DEST PROTO DPORT
# The {...} blocks are e-smith template expansions read from the configuration database

ACCEPT  -  $FW  icmp
ACCEPT  -  $FW  tcp  {$sshd{'TCPPort'}}
ACCEPT  -  $FW  tcp  {${'httpd-admin'}{'TCPPort'}}

#2 Updated by Giacomo Sanchietti over 6 years ago

Quick and dirty implementation of Shorewall check rules from web interface.

Controller:

<?php
namespace NethServer\Module\FirewallRules;

class CheckRules extends \Nethgui\Controller\AbstractController
{
    private $output = "";

    public function process()
    {
        $this->output = $this->getPlatform()->exec('/usr/bin/sudo /usr/libexec/nethserver/shorewall-check')->getOutput();
        parent::process();
    }

    public function prepareView(\Nethgui\View\ViewInterface $view)
    {
        $view['check-rules'] = $this->output;
    }
}

Template:

<?php

echo $view->header()->setAttribute('template', $T('check-rules_Header'));

echo "<pre>";
echo $view->textLabel('check-rules');
echo "</pre>";

Helper script (/usr/libexec/nethserver/shorewall-check):

#!/bin/bash

/usr/sbin/shorewall check 2>&1

To access the page: http://_server_/en/FirewallRules/CheckRules

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Category set to nethserver-firewall-base
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-2.2.3-1.7.g98ddcc2.ns6.noarch.rpm
Test case 1
  • Try to stop shorewall with command line shorewall stop
  • Check httpd-admin and ssh service are still reachable, also check the server is pingable
Test case 2
  • Try to stop shorewall with command line shorewall stop
  • Open the web interface, check the dashboard displays a TODO
  • Click on the TODO and verify the output from "shorewall check" command
Test case 3
  • Create a broken rule:
    mkdir -p /etc/e-smith/templates-custom/etc/shorewall/rules
    echo "A" >  /etc/e-smith/templates-custom/etc/shorewall/rules/99break
    signal-event firewall-adjust
    
  • Reboot the server
  • Open the web interface, check the todo is displayed as in previous test case
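The stopped-state rules in note #1 and the broken-rule reboot in test case 3 come down to one question: does an administrator still reach SSH and httpd-admin once Shorewall cannot load its configuration? The script below is an added example, not code from NethServer or from this issue. It lints a rendered stoppedrules file for the three ACCEPT lines the template is meant to produce, then gates a restart on `shorewall check`, leaving a flag file that a dashboard todo could poll. The SHOREWALL, STATE_DIR, RULES_FILE, SSH_PORT and ADMIN_PORT variables, the /var/run/nethserver-firewall directory and the check-failed flag name are this example's own assumptions; the port defaults 22 and 980 are sample values standing in for what the template reads from the configuration database.

```shell
#!/bin/bash
# Added example (not NethServer code): guard a Shorewall configuration change
# against the lock-out described in this issue.
#
# stoppedrules_allows FILE PROTO [PORT]
#   Parses a rendered /etc/shorewall/stoppedrules and returns 0 only if an
#   ACCEPT line lets PROTO (and PORT, when given) reach the firewall itself.
#   Shorewall column layout: ACTION SOURCE DEST PROTO DPORT [SPORT ...]
stoppedrules_allows() {
    local file="$1" proto="$2" port="${3:-}"
    local action src dst pr dport rest
    while read -r action src dst pr dport rest; do
        # skip blank lines and comments
        case "$action" in ''|'#'*) continue ;; esac
        # only ACCEPT rules whose destination is the firewall ($FW) count
        [ "$action" = "ACCEPT" ] && [ "$dst" = '$FW' ] || continue
        [ "$pr" = "$proto" ] || continue
        # port-less protocols (icmp) match on the protocol alone
        [ -n "$port" ] || return 0
        # DPORT may be a comma-separated list; ranges (22:23) and service
        # names are not resolved here
        case ",$dport," in *",$port,"*) return 0 ;; esac
    done < "$file"
    return 1
}

# Directory for the check log and the failure flag a dashboard todo could
# poll. Hypothetical path, chosen for this example.
state_dir() { echo "${STATE_DIR:-/var/run/nethserver-firewall}"; }

# firewall_check: run `shorewall check`, keep its output, set or clear the
# flag, return the check's status. SHOREWALL overrides the binary so the
# function can be exercised without Shorewall installed.
firewall_check() {
    local shorewall="${SHOREWALL:-/usr/sbin/shorewall}" dir
    dir=$(state_dir)
    mkdir -p "$dir"
    if "$shorewall" check > "$dir/check.log" 2>&1; then
        rm -f "$dir/check-failed"
        return 0
    fi
    : > "$dir/check-failed"
    return 1
}

# firewall_apply: refuse to restart unless (a) the stopped-state rules keep
# SSH, httpd-admin and ping reachable and (b) `shorewall check` passes.
# Prints one line describing the outcome. Port defaults are sample values;
# the template on this page takes them from the configuration database.
firewall_apply() {
    local shorewall="${SHOREWALL:-/usr/sbin/shorewall}"
    local rules="${RULES_FILE:-/etc/shorewall/stoppedrules}"
    local ssh_port="${SSH_PORT:-22}" admin_port="${ADMIN_PORT:-980}"
    if ! stoppedrules_allows "$rules" tcp "$ssh_port" ||
       ! stoppedrules_allows "$rules" tcp "$admin_port" ||
       ! stoppedrules_allows "$rules" icmp; then
        echo "refused: stoppedrules do not keep SSH, httpd-admin and ping open"
        return 1
    fi
    if ! firewall_check; then
        echo "refused: shorewall check failed, see $(state_dir)/check.log"
        return 1
    fi
    if "$shorewall" restart > /dev/null 2>&1; then
        echo "applied"
        return 0
    fi
    echo "failed: shorewall restart returned an error"
    return 2
}

# Stand-alone use: ./firewall-guard apply
if [ "${1:-}" = "apply" ]; then
    firewall_apply
fi
```

The check gate only protects a running system: a failed `shorewall restart` leaves the previous rule set in place. After a reboot there is no previous rule set, and the stopped-state rules are all that remains, which is why the lint on stoppedrules runs first and refuses a configuration whose rendered file would not accept SSH and httpd-admin to $FW.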

#7 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

After stopping shorewall I can still log in via ssh or server-manager: verified case 1.
If shorewall is stopped, the dashboard DOES NOT show a todo.
If I break the rules and reboot, the dashboard shows the todo.

#8 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-base:
  • nethserver-firewall-base-2.3.0-1.ns6.noarch.rpm
