Using a single chain integrates with Puppet better, allowing it to
manage chains by default and fwtool rules being added to a pair of
explicitly unmanaged chains. If ferm is managing the entire firewall,
there's not much clarity lost over jumping to external user chains.
Adds a comment with the username to input/output rules as
well (missing from input before).
let
val users_tcp_out_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_out.conf")
val users_tcp_in_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_in.conf")
let
val users_tcp_out_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_out.conf")
val users_tcp_in_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_in.conf")
- val user_chains_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/user_chains.conf")
val users_tcp6_out_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp6_out.conf")
val users_tcp6_in_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp6_in.conf")
val users_tcp6_out_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp6_out.conf")
val users_tcp6_in_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp6_in.conf")
- val user_chains6_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/user_chains6.conf")
val nodeFermRules = generateNodeFermRules rules
val nodeFermRules = generateNodeFermRules rules
let
val _ = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
in
let
val _ = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
in
- TextIO.output (tcp_inf, "proto tcp {\n");
+ TextIO.output (tcp_inf, "proto tcp mod comment comment \"user:" ^ uname ^ "\" {\n");
TextIO.output (tcp_inf, concat lines);
TextIO.output (tcp_inf, "\n}\n\n")
end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n" (* no sense in opening ports for bad users *)
TextIO.output (tcp_inf, concat lines);
TextIO.output (tcp_inf, "\n}\n\n")
end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n" (* no sense in opening ports for bad users *)
- fun writeUserOutRules tcp_outf chains_outf (uname, lines) =
+ fun writeUserOutRules tcp_outf (uname, lines) =
let
val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
in
let
val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
in
- TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid)
- ^ " { jump user_" ^ uname ^ "_tcp_out"
- ^ "; DROP; }\n");
-
- TextIO.output (chains_outf, "chain user_" ^ uname ^ "_tcp_out"
- ^ " proto tcp {\n");
- TextIO.output (chains_outf, concat lines);
- TextIO.output (chains_outf, "\n}\n\n")
+ TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto tcp {\n");
+ TextIO.output (tcp_outf, concat lines);
+ TextIO.output (tcp_outf, "\nDROP;\n}\n\n")
end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n"
in
write_tcp_in_conf_preamble (users_tcp_in_conf);
end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n"
in
write_tcp_in_conf_preamble (users_tcp_in_conf);
- StringMap.appi (writeUserOutRules users_tcp_out_conf user_chains_conf) (#output_rules nodeFermRules);
+ StringMap.appi (writeUserOutRules users_tcp_out_conf) (#output_rules nodeFermRules);
StringMap.appi (writeUserInRules users_tcp_in_conf) (#input_rules nodeFermRules);
write_tcp_in_conf_preamble (users_tcp6_in_conf);
StringMap.appi (writeUserInRules users_tcp_in_conf) (#input_rules nodeFermRules);
write_tcp_in_conf_preamble (users_tcp6_in_conf);
- StringMap.appi (writeUserOutRules users_tcp6_out_conf user_chains6_conf) (#output6_rules nodeFermRules);
+ StringMap.appi (writeUserOutRules users_tcp6_out_conf) (#output6_rules nodeFermRules);
StringMap.appi (writeUserInRules users_tcp6_in_conf) (#input6_rules nodeFermRules);
StringMap.appi (writeUserInRules users_tcp6_in_conf) (#input6_rules nodeFermRules);
- TextIO.closeOut user_chains_conf;
TextIO.closeOut users_tcp_out_conf;
TextIO.closeOut users_tcp_in_conf;
TextIO.closeOut users_tcp_out_conf;
TextIO.closeOut users_tcp_in_conf;
- TextIO.closeOut user_chains6_conf;
TextIO.closeOut users_tcp6_out_conf;
TextIO.closeOut users_tcp6_in_conf;
true
end
TextIO.closeOut users_tcp6_out_conf;
TextIO.closeOut users_tcp6_in_conf;
true
end
fun publishConfig _ =
Slave.shell [Config.Firewall.reload]
end
fun publishConfig _ =
Slave.shell [Config.Firewall.reload]
end