Enhancement #3043
Firewall: avoid user lock out
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
Sometimes Shorewall can't apply a new configuration due to bad configuration files.
For example, given a blue interface and a rule for this zone, if the blue interface is deleted Shorewall raises an error.
Rules are not applied, but in case of reboot the system becomes unreachable.
The system should avoid this behavior and always allow access at least to SSH and the web interface.
Moreover, the Dashboard should report a warning and suggest checking all firewall rules.
Associated revisions
- Templates: add template for stoppedrules. Refs #3043
- Web UI: add shorewall check rules. Refs #3043
  Added:
  - new todo script: display a message if Shorewall is not running
  - new CheckRules page: display output from 'shorewall check' command
- todo.d: add it and en catalogs. Refs #3043
History
#1 Updated by Giacomo Sanchietti over 6 years ago
When Shorewall is stopped, it can apply all rules listed in /etc/shorewall/stoppedrules.
Simple template which opens ssh, httpd-admin and ping services:

```
# Always keep httpd-admin, SSH and ping available
ACCEPT - $FW icmp
ACCEPT - $FW tcp {$sshd{'TCPPort'}}
ACCEPT - $FW tcp {${'httpd-admin'}{'TCPPort'}}
```
#2 Updated by Giacomo Sanchietti over 6 years ago
Quick and dirty implementation of Shorewall check rules from web interface.
Controller:

```php
<?php
namespace NethServer\Module\FirewallRules;

class CheckRules extends \Nethgui\Controller\AbstractController
{
    private $output = "";

    public function process()
    {
        // Run the helper through sudo and keep its combined output for the view
        $this->output = $this->getPlatform()
            ->exec('/usr/bin/sudo /usr/libexec/nethserver/shorewall-check')
            ->getOutput();
        parent::process();
    }

    public function prepareView(\Nethgui\View\ViewInterface $view)
    {
        $view['check-rules'] = $this->output;
    }
}
```

Template:

```php
<?php
echo $view->header()->setAttribute('template', $T('check-rules_Header'));
echo "<pre>";
echo $view->textLabel('check-rules');
echo "</pre>";
```

Helper script (/usr/libexec/nethserver/shorewall-check):

```bash
#!/bin/bash
/usr/sbin/shorewall check 2>&1
```

To access the page: http://_server_/en/FirewallRules/CheckRules
#3 Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-firewall-base
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.2.3-1.7.g98ddcc2.ns6.noarch.rpm

Test case 1:
- Try to stop shorewall from the command line:
  ```
  shorewall stop
  ```
- Check that httpd-admin and ssh services are still reachable; also check that the server is pingable

Test case 2:
- Try to stop shorewall from the command line:
  ```
  shorewall stop
  ```
- Open the web interface, check that the dashboard displays a TODO
- Click on the TODO and verify the output of the "shorewall check" command

Test case 3:
- Create a broken rule:
  ```
  mkdir -p /etc/e-smith/templates-custom/etc/shorewall/rules
  echo "A" > /etc/e-smith/templates-custom/etc/shorewall/rules/99break
  signal-event firewall-adjust
  ```
- Reboot the server
- Open the web interface, check that the todo is displayed as in the previous test case
#7 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
After stopping shorewall I can still log in via ssh or server-manager: verified case 1.
If shorewall is stopped, the dashboard DOES NOT show a todo.
If I break the rules and reboot, the dashboard shows the todo.
#8 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-firewall-base-2.3.0-1.ns6.noarch.rpm