mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-20 02:07:23 +01:00
fixes #939 Add backup ssh access rule to the "stop" section of generated iptables script. Now with dialog control to make this optional
This commit is contained in:
Vadim Kurland
parent
73b4e92d4f
commit
37db19faf9
@ -146,6 +146,8 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
|
||||
|
||||
data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
|
||||
data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
|
||||
data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped,
|
||||
fwoptions, "add_mgmt_ssh_rule_when_stoped");
|
||||
data.registerOption(m_dialog->addVirtualsforNAT,
|
||||
fwoptions, "manage_virtual_addr");
|
||||
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
<x>0</x>
|
||||
<y>0</y>
|
||||
<width>671</width>
|
||||
<height>772</height>
|
||||
<height>812</height>
|
||||
</rect>
|
||||
</property>
|
||||
<property name="sizePolicy" >
|
||||
@ -24,7 +24,7 @@
|
||||
<property name="sizeGripEnabled" >
|
||||
<bool>false</bool>
|
||||
</property>
|
||||
<layout class="QGridLayout" >
|
||||
<layout class="QGridLayout" name="gridLayout_6" >
|
||||
<item row="0" column="0" >
|
||||
<widget class="QTabWidget" name="tabWidget" >
|
||||
<property name="sizePolicy" >
|
||||
@ -34,16 +34,13 @@
|
||||
</sizepolicy>
|
||||
</property>
|
||||
<property name="currentIndex" >
|
||||
<number>4</number>
|
||||
<number>0</number>
|
||||
</property>
|
||||
<widget class="QWidget" name="tab0" >
|
||||
<attribute name="title" >
|
||||
<string>Compiler</string>
|
||||
</attribute>
|
||||
<layout class="QGridLayout" name="gridLayout_5" >
|
||||
<property name="verticalSpacing" >
|
||||
<number>-1</number>
|
||||
</property>
|
||||
<item row="0" column="0" colspan="3" >
|
||||
<widget class="QLabel" name="compilerLabel" >
|
||||
<property name="text" >
|
||||
@ -57,7 +54,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="0" column="4" colspan="2" >
|
||||
<item row="0" column="3" colspan="2" >
|
||||
<widget class="QLineEdit" name="compiler" >
|
||||
<property name="maximumSize" >
|
||||
<size>
|
||||
@ -86,7 +83,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="1" column="4" colspan="2" >
|
||||
<item row="1" column="3" colspan="2" >
|
||||
<widget class="QLineEdit" name="compilerArgs" >
|
||||
<property name="maximumSize" >
|
||||
<size>
|
||||
@ -96,7 +93,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="2" column="0" colspan="6" >
|
||||
<item row="2" column="0" colspan="5" >
|
||||
<widget class="QLabel" name="textLabel1_5" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
|
||||
@ -115,7 +112,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="3" column="4" colspan="2" >
|
||||
<item row="3" column="3" colspan="2" >
|
||||
<widget class="QLineEdit" name="outputFileName" >
|
||||
<property name="maximumSize" >
|
||||
<size>
|
||||
@ -125,7 +122,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="4" column="0" colspan="6" >
|
||||
<item row="4" column="0" colspan="5" >
|
||||
<widget class="QLabel" name="label_4" >
|
||||
<property name="text" >
|
||||
<string>Generated script can be copied to the firewall machine under different name. If this field is left blank, the file name does not change.</string>
|
||||
@ -145,7 +142,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="5" column="4" colspan="2" >
|
||||
<item row="5" column="3" colspan="2" >
|
||||
<widget class="QLineEdit" name="fileNameOnFw" >
|
||||
<property name="maximumSize" >
|
||||
<size>
|
||||
@ -155,7 +152,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item rowspan="2" row="6" column="0" colspan="6" >
|
||||
<item row="6" column="0" colspan="5" >
|
||||
<widget class="Line" name="line4_2" >
|
||||
<property name="frameShape" >
|
||||
<enum>QFrame::HLine</enum>
|
||||
@ -168,7 +165,36 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item rowspan="6" row="10" column="0" >
|
||||
<item rowspan="2" row="7" column="0" >
|
||||
<spacer name="verticalSpacer" >
|
||||
<property name="orientation" >
|
||||
<enum>Qt::Vertical</enum>
|
||||
</property>
|
||||
<property name="sizeType" >
|
||||
<enum>QSizePolicy::Maximum</enum>
|
||||
</property>
|
||||
<property name="sizeHint" stdset="0" >
|
||||
<size>
|
||||
<width>0</width>
|
||||
<height>0</height>
|
||||
</size>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="8" column="1" colspan="2" >
|
||||
<widget class="QCheckBox" name="assumeFwIsPartOfAny" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
<horstretch>0</horstretch>
|
||||
<verstretch>0</verstretch>
|
||||
</sizepolicy>
|
||||
</property>
|
||||
<property name="text" >
|
||||
<string>Assume firewall is part of 'any'</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item rowspan="6" row="9" column="0" >
|
||||
<spacer>
|
||||
<property name="orientation" >
|
||||
<enum>Qt::Horizontal</enum>
|
||||
@ -184,7 +210,7 @@
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="10" column="1" colspan="5" >
|
||||
<item row="9" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="acceptSessions" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
@ -197,7 +223,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="11" column="1" colspan="5" >
|
||||
<item row="10" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="acceptESTBeforeFirst" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
@ -210,7 +236,7 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="12" column="1" colspan="2" >
|
||||
<item row="11" column="1" colspan="2" >
|
||||
<widget class="QCheckBox" name="dropInvalid" >
|
||||
<property name="text" >
|
||||
<string>Drop packets that are associated with
|
||||
@ -218,14 +244,14 @@ no known connection</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="12" column="3" colspan="2" >
|
||||
<item row="11" column="3" >
|
||||
<widget class="QCheckBox" name="logInvalid" >
|
||||
<property name="text" >
|
||||
<string>and log them</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="12" column="5" >
|
||||
<item row="11" column="4" >
|
||||
<spacer>
|
||||
<property name="orientation" >
|
||||
<enum>Qt::Horizontal</enum>
|
||||
@ -241,7 +267,7 @@ no known connection</string>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="13" column="1" colspan="5" >
|
||||
<item row="12" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="bridge" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
@ -254,7 +280,7 @@ no known connection</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="14" column="1" colspan="5" >
|
||||
<item row="13" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="shadowing" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
@ -267,7 +293,7 @@ no known connection</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="15" column="1" colspan="5" >
|
||||
<item row="14" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="emptyGroups" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
@ -280,7 +306,7 @@ no known connection</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="16" column="1" colspan="5" >
|
||||
<item row="15" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="localNAT" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
@ -293,7 +319,7 @@ no known connection</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="17" column="1" colspan="5" >
|
||||
<item row="16" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="clampMSStoMTU" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
@ -313,14 +339,14 @@ in host settings dialog.
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="18" column="1" colspan="5" >
|
||||
<item row="17" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="makeTagClassifyTerminating" >
|
||||
<property name="text" >
|
||||
<string>Make Tag and Classify actions terminating</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="19" column="1" colspan="5" >
|
||||
<item row="18" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="ipv6NeighborDiscovery" >
|
||||
<property name="toolTip" >
|
||||
<string>Compiler will automatically generate rules to permit ICMP6 packets used in IPv6
|
||||
@ -332,7 +358,7 @@ the rule that drops packets in state INVALID.</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="20" column="1" >
|
||||
<item row="19" column="1" >
|
||||
<widget class="QLabel" name="textLabel9" >
|
||||
<property name="text" >
|
||||
<string>Default action on 'Reject':</string>
|
||||
@ -342,10 +368,10 @@ the rule that drops packets in state INVALID.</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="20" column="2" colspan="3" >
|
||||
<item row="19" column="2" colspan="2" >
|
||||
<widget class="QComboBox" name="actionOnReject" />
|
||||
</item>
|
||||
<item row="20" column="5" >
|
||||
<item row="19" column="4" >
|
||||
<spacer>
|
||||
<property name="orientation" >
|
||||
<enum>Qt::Horizontal</enum>
|
||||
@ -361,7 +387,7 @@ the rule that drops packets in state INVALID.</string>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item rowspan="2" row="21" column="0" colspan="6" >
|
||||
<item row="20" column="0" colspan="5" >
|
||||
<widget class="Line" name="line4" >
|
||||
<property name="frameShape" >
|
||||
<enum>QFrame::HLine</enum>
|
||||
@ -374,7 +400,7 @@ the rule that drops packets in state INVALID.</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="23" column="0" >
|
||||
<item rowspan="2" row="21" column="0" >
|
||||
<spacer>
|
||||
<property name="orientation" >
|
||||
<enum>Qt::Horizontal</enum>
|
||||
@ -390,16 +416,14 @@ the rule that drops packets in state INVALID.</string>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item rowspan="2" row="22" column="1" colspan="2" >
|
||||
<item row="21" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="mgmt_ssh" >
|
||||
<property name="text" >
|
||||
<string>Always permit ssh access from
|
||||
the management workstation
|
||||
with this address:</string>
|
||||
<string>Always permit ssh access from the management workstation with this address:</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="23" column="4" colspan="2" >
|
||||
<item row="22" column="1" colspan="4" >
|
||||
<widget class="QLineEdit" name="mgmt_addr" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
|
||||
@ -415,6 +439,14 @@ with this address:</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="23" column="1" colspan="4" >
|
||||
<widget class="QCheckBox" name="add_mgmt_ssh_rule_when_stoped" >
|
||||
<property name="text" >
|
||||
<string>Install the rule for ssh access from the management workstation when the firewall
|
||||
is stopped</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="24" column="1" >
|
||||
<spacer>
|
||||
<property name="orientation" >
|
||||
@ -431,35 +463,6 @@ with this address:</string>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="8" column="0" >
|
||||
<spacer name="verticalSpacer" >
|
||||
<property name="orientation" >
|
||||
<enum>Qt::Vertical</enum>
|
||||
</property>
|
||||
<property name="sizeType" >
|
||||
<enum>QSizePolicy::Maximum</enum>
|
||||
</property>
|
||||
<property name="sizeHint" stdset="0" >
|
||||
<size>
|
||||
<width>0</width>
|
||||
<height>0</height>
|
||||
</size>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="9" column="1" >
|
||||
<widget class="QCheckBox" name="assumeFwIsPartOfAny" >
|
||||
<property name="sizePolicy" >
|
||||
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
|
||||
<horstretch>0</horstretch>
|
||||
<verstretch>0</verstretch>
|
||||
</sizepolicy>
|
||||
</property>
|
||||
<property name="text" >
|
||||
<string>Assume firewall is part of 'any'</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
</layout>
|
||||
</widget>
|
||||
<widget class="QWidget" name="tab1" >
|
||||
@ -1609,7 +1612,6 @@ with this address:</string>
|
||||
<tabstop>ipv4before</tabstop>
|
||||
<tabstop>buttonHelp</tabstop>
|
||||
</tabstops>
|
||||
<includes/>
|
||||
<resources/>
|
||||
<connections>
|
||||
<connection>
|
||||
|
||||
@ -605,13 +605,16 @@ string CompilerDriver_ipt::run(const std::string &cluster_id,
|
||||
Configlet stop_action(fw, "linux24", "stop_action");
|
||||
stop_action.collapseEmptyStrings(true);
|
||||
|
||||
std::auto_ptr<PolicyCompiler_ipt> policy_compiler = createPolicyCompiler(
|
||||
fw, false, NULL, NULL);
|
||||
PolicyCompiler_ipt::PrintRule* print_rule =
|
||||
policy_compiler->createPrintRuleProcessor();
|
||||
|
||||
print_rule->setContext(policy_compiler.get());
|
||||
print_rule->_printBackupSSHAccessRules(&stop_action);
|
||||
if (fw->getOptionsObject()->getBool("add_mgmt_ssh_rule_when_stoped"))
|
||||
{
|
||||
std::auto_ptr<PolicyCompiler_ipt> policy_compiler = createPolicyCompiler(
|
||||
fw, false, NULL, NULL);
|
||||
PolicyCompiler_ipt::PrintRule* print_rule =
|
||||
policy_compiler->createPrintRuleProcessor();
|
||||
print_rule->setContext(policy_compiler.get());
|
||||
print_rule->_printBackupSSHAccessRules(&stop_action);
|
||||
} else
|
||||
stop_action->setVariable("mgmt_access", 0);
|
||||
|
||||
script_skeleton.setVariable("stop_action", stop_action.expand());
|
||||
|
||||
|
||||
@ -2942,7 +2942,7 @@
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
|
||||
<Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1251648535" lastInstalled="1142003872" lastModified="1257712157" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
|
||||
<Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1261179871" lastInstalled="1142003872" lastModified="1261179770" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
|
||||
<NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
|
||||
<OSrc neg="False">
|
||||
@ -4799,14 +4799,21 @@
|
||||
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
||||
<Option name="action_on_reject">ICMP net unreachable</Option>
|
||||
<Option name="activationCmd"></Option>
|
||||
<Option name="add_mgmt_ssh_rule_when_stoped">True</Option>
|
||||
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="bridging_fw">False</Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="clamp_mss_to_mtu">False</Option>
|
||||
<Option name="classify_mark_terminating">False</Option>
|
||||
<Option name="clear_unknown_interfaces">False</Option>
|
||||
<Option name="cmdline">-v</Option>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="configure_bonding_interfaces">False</Option>
|
||||
<Option name="configure_bridge_interfaces">False</Option>
|
||||
<Option name="configure_interfaces">True</Option>
|
||||
<Option name="configure_vlan_interfaces">False</Option>
|
||||
<Option name="debug">False</Option>
|
||||
<Option name="drop_invalid">True</Option>
|
||||
<Option name="dyn_addr">False</Option>
|
||||
@ -4818,6 +4825,7 @@
|
||||
<Option name="inst_cmdline"></Option>
|
||||
<Option name="inst_script"></Option>
|
||||
<Option name="install_script"></Option>
|
||||
<Option name="ipv4_6_order">ipv4_first</Option>
|
||||
<Option name="limit_suffix">/second</Option>
|
||||
<Option name="limit_value">5</Option>
|
||||
<Option name="linux24_accept_redirects"></Option>
|
||||
@ -4863,7 +4871,9 @@
|
||||
<Option name="platform">iptables</Option>
|
||||
<Option name="prolog_place">top</Option>
|
||||
<Option name="prolog_script"></Option>
|
||||
<Option name="scpArgs"></Option>
|
||||
<Option name="script_env_path"></Option>
|
||||
<Option name="script_name_on_firewall"></Option>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
@ -45401,7 +45411,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall id="id304832X79913" host_OS="linux24" inactive="False" lastCompiled="1260914872" lastInstalled="0" lastModified="1260914853" platform="iptables" version="1.4.0" name="firewall-ipv6-7" comment="one interface has dynamic address, testing functions that get the address at run time" ro="False">
|
||||
<Firewall id="id304832X79913" host_OS="linux24" inactive="False" lastCompiled="1261179782" lastInstalled="0" lastModified="1260914853" platform="iptables" version="1.4.0" name="firewall-ipv6-7" comment="one interface has dynamic address, testing functions that get the address at run time" ro="False">
|
||||
<NAT id="id304996X79913" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user