From c07290571790ed0865d43b280073f23000e4d920 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 10 Jun 2020 01:18:39 -0400 Subject: [PATCH] Initial firewall management script
--- salt/common/tools/sbin/so-firewall | 129 +++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100755 salt/common/tools/sbin/so-firewall
diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall new file mode 100755
index 000000000..56b07e2f2
--- /dev/null
+++ b/salt/common/tools/sbin/so-firewall
@@ -0,0 +1,129 @@
+#!/usr/bin/env python3
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import sys
+import yaml
+
+hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
+
+def showUsage(args):
+ print('Usage: {} [ARGS...]'.format(sys.argv[0]))
+ print(' Available commands:');
+ print(' help - Prints this usage information.');
+ print(' included - Lists the IPs included in the given hostgroup. Args: ');
+ print(' excluded - Lists the IPs excluded from the given hostgroup. Args: ');
+ print(' include - Adds the given IP (or CIDR) to the given hostgroup. Args: ');
+ print(' exclude - Removes the given IP (or CIDR) from the given hostgroup. Args: ');
+ print(' addgroup - Adds a new hostgroup. 
Args: ');
+ sys.exit(1)
+
+def loadYaml(filename):
+ file = open(filename, "r")
+ return yaml.load(file.read())
+
+def writeYaml(filename, content):
+ file = open(filename, "w")
+ return yaml.dump(content, file)
+
+def listIps(name, mode):
+ content = loadYaml(hostgroupsFilename)
+ if name not in content['firewall']['hostgroups']:
+ print('Hostgroup does not exist', file=sys.stderr)
+ return 4
+ hostgroup = content['firewall']['hostgroups'][name]
+ ips = hostgroup['ips'][mode]
+ if ips is not None:
+ for ip in ips:
+ print(ip)
+ return 0
+
+def addIp(name, ip, mode):
+ content = loadYaml(hostgroupsFilename)
+ if name not in content['firewall']['hostgroups']:
+ print('Hostgroup does not exist', file=sys.stderr)
+ return 4
+ hostgroup = content['firewall']['hostgroups'][name]
+ ips = hostgroup['ips'][mode]
+ if ips is None:
+ ips = []
+ hostgroup['ips'][mode] = ips
+ if ip not in ips:
+ ips.append(ip)
+ else:
+ print('Already exists', file=sys.stderr)
+ return 3
+ writeYaml(hostgroupsFilename, content)
+ return 0
+
+def addgroup(args):
+ if len(args) != 1:
+ print('Missing hostgroup name argument', file=sys.stderr)
+ showUsage(args)
+
+ name = args[0]
+ content = loadYaml(hostgroupsFilename)
+ if name in content['firewall']['hostgroups']:
+ print('Already exists', file=sys.stderr)
+ return 3
+ content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }}
+ writeYaml(hostgroupsFilename, content)
+ return 0
+
+def included(args):
+ if len(args) != 1:
+ print('Missing hostgroup name argument', file=sys.stderr)
+ showUsage(args)
+ return listIps(args[0], 'insert')
+
+def excluded(args):
+ if len(args) != 1:
+ print('Missing hostgroup name argument', file=sys.stderr)
+ showUsage(args)
+ return listIps(args[0], 'delete')
+
+def include(args):
+ if len(args) != 2:
+ print('Missing hostgroup name or ip argument', file=sys.stderr)
+ showUsage(args)
+ return addIp(args[0], args[1], 'insert')
+
+def exclude(args):
+ if len(args) != 2:
+ print('Missing 
hostgroup name or ip argument', file=sys.stderr)
+ showUsage(args)
+ return addIp(args[0], args[1], 'delete')
+
+def main():
+ args = sys.argv[1:]
+ if len(args) == 0:
+ showUsage(None)
+
+ commands = {
+ "help": showUsage,
+ "included": included,
+ "excluded": excluded,
+ "include": include,
+ "exclude": exclude,
+ "addgroup": addgroup
+ }
+
+ cmd = commands.get(args[0], showUsage)
+ code = cmd(args[1:])
+ sys.exit(code)
+
+if __name__ == "__main__":
+ main()
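Review bot: `loadYaml` calls `yaml.load(file.read())` with no Loader argument; on PyYAML releases before 5.1 that selects the full constructor, which will build arbitrary Python objects from tags found in hostgroups.local.yaml, and on PyYAML 6 it raises TypeError — the file only holds plain mappings and lists, so `return yaml.safe_load(file.read())` is the right call. `addIp` also appends whatever string it is handed to the `insert`/`delete` list without checking that it parses as an address or CIDR, so a typo is persisted into the firewall data and presumably only surfaces when the hostgroups are consumed later (that consumer is not in this patch); validating with `ipaddress.ip_network(ip, strict=False)` from the standard library, with `import ipaddress` added beside the other imports, rejects it at the CLI instead. Separately, neither helper closes its file handle, and `writeYaml` truncates the file before `yaml.dump` runs, so an exception mid-dump leaves an empty hostgroups file; a `with` block plus dumping to a temporary path and `os.replace`-ing it into place would make the update atomic.
```python
def addIp(name, ip, mode):
    # Reject anything that is not a valid IPv4/IPv6 address or network before it is persisted;
    # strict=False accepts host addresses written with a prefix length as well.
    try:
        ipaddress.ip_network(ip, strict=False)
    except ValueError:
        print('Invalid IP or CIDR', file=sys.stderr)
        return 5
    content = loadYaml(hostgroupsFilename)
    # … unchanged: hostgroup existence check, duplicate check, append, writeYaml …
```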