author | kali kaneko (leap communications) <kali@leap.se> | 2021-05-13 13:04:15 +0200 |
---|---|---|
committer | kali kaneko (leap communications) <kali@leap.se> | 2021-05-17 17:52:36 +0200 |
commit | de23c5e6b840b18450096f4b3f23b3142eaa5a89 (patch) | |
tree | a579fea0c1f031e3d26b078b46fddf59e7a2a0d1 | |
parent | 53683e99236898174dba0fec774169e28173c222 (diff) |
[feat] remove email firewall
this has been officially deprecated for some time
-rw-r--r-- | helpers/bitmask-root | 144 |
1 files changed, 1 insertions, 143 deletions
diff --git a/helpers/bitmask-root b/helpers/bitmask-root index 13ba407..054613a 100644 --- a/helpers/bitmask-root +++ b/helpers/bitmask-root @@ -36,8 +36,6 @@ USAGE: bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ... bitmask-root openvpn stop bitmask-root openvpn start CONFIG1 CONFIG1 ... - bitmask-root fw-email stop - bitmask-root fw-email start uid All actions return exit code 0 for success, non-zero otherwise. @@ -85,7 +83,7 @@ def get_no_group_name(): def tostr(s): return s.decode('utf-8') -VERSION = "11" +VERSION = "12" SCRIPT = "bitmask-root" NAMESERVER_TCP = "10.41.0.1" NAMESERVER_UDP = "10.42.0.1" @@ -94,11 +92,7 @@ NAMESERVER = NAMESERVER_TCP BITMASK_CHAIN = "bitmask" BITMASK_CHAIN_NAT_OUT = "bitmask" BITMASK_CHAIN_NAT_POST = "bitmask_postrouting" -BITMASK_CHAIN_EMAIL = "bitmask_email" -BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output" LOCAL_INTERFACE = "lo" -IMAP_PORT = "1984" -SMTP_PORT = "2013" def swhich(binary): """ 
@@ -880,119 +874,6 @@ def firewall_stop(): "Please try `firewall stop` again.") -def fw_email_start(args): - """ - Bring up the email firewall. - - :param args: the user uid of the bitmask process - :type args: list - """ - # add custom chain "bitmask_email" to front of INPUT chain - if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL): - ip4tables("--new-chain", BITMASK_CHAIN_EMAIL) - if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL): - ip6tables("--new-chain", BITMASK_CHAIN_EMAIL) - iptables("--insert", "INPUT", "--jump", BITMASK_CHAIN_EMAIL) - - # add custom chain "bitmask_email_output" to front of OUTPUT chain - if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL_OUT): - ip4tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT) - if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL_OUT): - ip6tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT) - iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT) - - # Disable the access to imap and smtp from outside - iptables("--append", BITMASK_CHAIN_EMAIL, - "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp", - "--dport", IMAP_PORT, "--jump", "ACCEPT") - iptables("--append", BITMASK_CHAIN_EMAIL, - "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp", - "--dport", SMTP_PORT, "--jump", "ACCEPT") - iptables("--append", BITMASK_CHAIN_EMAIL, - "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT") - iptables("--append", BITMASK_CHAIN_EMAIL, - "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT") - - if not args or not PARAM_FORMATS["UID"](args[0]): - raise Exception("No uid given") - uid = args[0] - - # Only the unix 'uid' have access to the email imap and smtp ports - iptables("--append", BITMASK_CHAIN_EMAIL_OUT, - "--out-interface", LOCAL_INTERFACE, - "--match", "owner", "--uid-owner", uid, "--protocol", "tcp", - "--dport", IMAP_PORT, "--jump", "ACCEPT") - iptables("--append", BITMASK_CHAIN_EMAIL_OUT, - "--out-interface", LOCAL_INTERFACE, - "--match", "owner", "--uid-owner", uid, "--protocol", "tcp", - "--dport", SMTP_PORT, 
"--jump", "ACCEPT") - iptables("--append", BITMASK_CHAIN_EMAIL_OUT, - "--out-interface", LOCAL_INTERFACE, - "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT") - iptables("--append", BITMASK_CHAIN_EMAIL_OUT, - "--out-interface", LOCAL_INTERFACE, - "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT") - - -def fw_email_stop(): - """ - Stop the email firewall. - """ - ok = True - - try: - iptables("--delete", "INPUT", "--jump", BITMASK_CHAIN_EMAIL, - throw=True) - except subprocess.CalledProcessError as exc: - debug("INFO: not able to remove bitmask email firewall from INPUT " - "chain (maybe it is already removed?)", exc) - ok = False - - try: - iptables("--delete", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT, - throw=True) - except subprocess.CalledProcessError as exc: - debug("INFO: not able to remove bitmask email firewall from OUTPUT " - "chain (maybe it is already removed?)", exc) - ok = False - - try: - ip4tables("--flush", BITMASK_CHAIN_EMAIL, throw=True) - ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True) - except subprocess.CalledProcessError as exc: - debug("INFO: not able to flush and delete bitmask ipv4 email firewall " - "chain (maybe it is already destroyed?)", exc) - ok = False - - try: - ip6tables("--flush", BITMASK_CHAIN_EMAIL, throw=True) - ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True) - except subprocess.CalledProcessError as exc: - debug("INFO: not able to flush and delete bitmask ipv6 email firewall " - "chain (maybe it is already destroyed?)", exc) - ok = False - - try: - ip4tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True) - ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True) - except subprocess.CalledProcessError as exc: - debug("INFO: not able to flush and delete bitmask ipv4 email firewall " - "chain (maybe it is already destroyed?)", exc) - ok = False - - try: - ip6tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True) - ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, 
throw=True) - except subprocess.CalledProcessError as exc: - debug("INFO: not able to flush and delete bitmask ipv6 email firewall " - "chain (maybe it is already destroyed?)", exc) - ok = False - - if not (ok or ipv4_chain_exists or ipv6_chain_exists): - raise Exception("email firewall might still be left up. " - "Please try `fw-email stop` again.") - - # # MAIN # @@ -1012,9 +893,6 @@ Commands: {SCRIPT} firewall start <args> {SCRIPT} firewall stop {SCRIPT} firewall isup -{SCRIPT} fw-email start -{SCRIPT} fw-email stop -{SCRIPT} fw-email isup """.format(SCRIPT=SCRIPT, VERSION=VERSION) @@ -1072,26 +950,6 @@ def main(): else: bail("INFO: bitmask firewall is down") - elif command == "fw-email_start": - try: - fw_email_start(args) - except Exception as ex: - if not is_restart: - fw_email_stop() - bail("ERROR: could not start email firewall", ex) - - elif command == "fw-email_stop": - try: - fw_email_stop() - except Exception as ex: - bail("ERROR: could not stop email firewall", ex) - - elif command == "fw-email_isup": - if ipv4_chain_exists(BITMASK_CHAIN_EMAIL): - log("%s: INFO: bitmask email firewall is up" % (SCRIPT,)) - else: - bail("INFO: bitmask email firewall is down") - else: bail("ERROR: No such command. Try bitmask-root help") else: |
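Review bot: Nothing in the new code tears down chains that an earlier bitmask-root (VERSION 11 or older) may have left behind: the removed `fw-email_stop` branch was the only path that ran `iptables --delete INPUT --jump bitmask_email` / `--delete OUTPUT --jump bitmask_email_output` and flushed those chains, so a host where `fw-email start` was applied before upgrading presumably keeps the REJECT rules for the IMAP/SMTP ports at the head of INPUT and OUTPUT, while `fw-email stop` now answers `ERROR: No such command`. The same gap applies to the -880 hunk, which deletes fw_email_stop itself. Because the chain names are fixed strings, a best-effort legacy cleanup in `firewall_stop` — the two `--delete` jumps followed by `--flush` and `--delete-chain` for `bitmask_email` and `bitmask_email_output` on both ip4tables and ip6tables, failures logged through `debug` as the removed code did — would let the deprecation also clean up existing installs; whether firewall_stop already touches these chains cannot be confirmed from the hunk. main() starts before and ends after this hunk.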