authorkali kaneko (leap communications) <kali@leap.se>2021-05-13 13:04:15 +0200
committerkali kaneko (leap communications) <kali@leap.se>2021-05-17 17:52:36 +0200
commitde23c5e6b840b18450096f4b3f23b3142eaa5a89 (patch)
treea579fea0c1f031e3d26b078b46fddf59e7a2a0d1
parent53683e99236898174dba0fec774169e28173c222 (diff)
[feat] remove email firewall
this has been officially deprecated for some time
-rw-r--r--helpers/bitmask-root144
1 files changed, 1 insertions, 143 deletions
diff --git a/helpers/bitmask-root b/helpers/bitmask-root
index 13ba407..054613a 100644
--- a/helpers/bitmask-root
+++ b/helpers/bitmask-root
@@ -36,8 +36,6 @@ USAGE:
bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ...
bitmask-root openvpn stop
bitmask-root openvpn start CONFIG1 CONFIG1 ...
- bitmask-root fw-email stop
- bitmask-root fw-email start uid
All actions return exit code 0 for success, non-zero otherwise.
@@ -85,7 +83,7 @@ def get_no_group_name():
def tostr(s):
return s.decode('utf-8')
-VERSION = "11"
+VERSION = "12"
SCRIPT = "bitmask-root"
NAMESERVER_TCP = "10.41.0.1"
NAMESERVER_UDP = "10.42.0.1"
@@ -94,11 +92,7 @@ NAMESERVER = NAMESERVER_TCP
BITMASK_CHAIN = "bitmask"
BITMASK_CHAIN_NAT_OUT = "bitmask"
BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
-BITMASK_CHAIN_EMAIL = "bitmask_email"
-BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
LOCAL_INTERFACE = "lo"
-IMAP_PORT = "1984"
-SMTP_PORT = "2013"
def swhich(binary):
"""
@@ -880,119 +874,6 @@ def firewall_stop():
"Please try `firewall stop` again.")
-def fw_email_start(args):
- """
- Bring up the email firewall.
-
- :param args: the user uid of the bitmask process
- :type args: list
- """
- # add custom chain "bitmask_email" to front of INPUT chain
- if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
- ip4tables("--new-chain", BITMASK_CHAIN_EMAIL)
- if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL):
- ip6tables("--new-chain", BITMASK_CHAIN_EMAIL)
- iptables("--insert", "INPUT", "--jump", BITMASK_CHAIN_EMAIL)
-
- # add custom chain "bitmask_email_output" to front of OUTPUT chain
- if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
- ip4tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
- if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
- ip6tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
- iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT)
-
- # Disable the access to imap and smtp from outside
- iptables("--append", BITMASK_CHAIN_EMAIL,
- "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
- "--dport", IMAP_PORT, "--jump", "ACCEPT")
- iptables("--append", BITMASK_CHAIN_EMAIL,
- "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
- "--dport", SMTP_PORT, "--jump", "ACCEPT")
- iptables("--append", BITMASK_CHAIN_EMAIL,
- "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
- iptables("--append", BITMASK_CHAIN_EMAIL,
- "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
-
- if not args or not PARAM_FORMATS["UID"](args[0]):
- raise Exception("No uid given")
- uid = args[0]
-
- # Only the unix 'uid' have access to the email imap and smtp ports
- iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
- "--out-interface", LOCAL_INTERFACE,
- "--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
- "--dport", IMAP_PORT, "--jump", "ACCEPT")
- iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
- "--out-interface", LOCAL_INTERFACE,
- "--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
- "--dport", SMTP_PORT, "--jump", "ACCEPT")
- iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
- "--out-interface", LOCAL_INTERFACE,
- "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
- iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
- "--out-interface", LOCAL_INTERFACE,
- "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
-
-
-def fw_email_stop():
- """
- Stop the email firewall.
- """
- ok = True
-
- try:
- iptables("--delete", "INPUT", "--jump", BITMASK_CHAIN_EMAIL,
- throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to remove bitmask email firewall from INPUT "
- "chain (maybe it is already removed?)", exc)
- ok = False
-
- try:
- iptables("--delete", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT,
- throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to remove bitmask email firewall from OUTPUT "
- "chain (maybe it is already removed?)", exc)
- ok = False
-
- try:
- ip4tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
- ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv4 email firewall "
- "chain (maybe it is already destroyed?)", exc)
- ok = False
-
- try:
- ip6tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
- ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv6 email firewall "
- "chain (maybe it is already destroyed?)", exc)
- ok = False
-
- try:
- ip4tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
- ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv4 email firewall "
- "chain (maybe it is already destroyed?)", exc)
- ok = False
-
- try:
- ip6tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
- ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv6 email firewall "
- "chain (maybe it is already destroyed?)", exc)
- ok = False
-
- if not (ok or ipv4_chain_exists or ipv6_chain_exists):
- raise Exception("email firewall might still be left up. "
- "Please try `fw-email stop` again.")
-
-
#
# MAIN
#
@@ -1012,9 +893,6 @@ Commands:
{SCRIPT} firewall start <args>
{SCRIPT} firewall stop
{SCRIPT} firewall isup
-{SCRIPT} fw-email start
-{SCRIPT} fw-email stop
-{SCRIPT} fw-email isup
""".format(SCRIPT=SCRIPT, VERSION=VERSION)
@@ -1072,26 +950,6 @@ def main():
else:
bail("INFO: bitmask firewall is down")
- elif command == "fw-email_start":
- try:
- fw_email_start(args)
- except Exception as ex:
- if not is_restart:
- fw_email_stop()
- bail("ERROR: could not start email firewall", ex)
-
- elif command == "fw-email_stop":
- try:
- fw_email_stop()
- except Exception as ex:
- bail("ERROR: could not stop email firewall", ex)
-
- elif command == "fw-email_isup":
- if ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
- log("%s: INFO: bitmask email firewall is up" % (SCRIPT,))
- else:
- bail("INFO: bitmask email firewall is down")
-
else:
bail("ERROR: No such command. Try bitmask-root help")
else:
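Review bot: With the `fw-email_stop` branch gone from the dispatch in main() (and fw_email_stop() itself removed in the earlier hunk), the new side leaves no path for this root helper to tear down `bitmask_email` / `bitmask_email_output` chains that a host running VERSION "11" may still have hooked into INPUT and OUTPUT; on such a host the old REJECT rules for the IMAP/SMTP ports stay in place after the upgrade, and the script now answers `ERROR: No such command` for the only command that used to clean them up. Since the helper runs with elevated privileges, it seems worth either keeping a one-release legacy `fw-email_stop` that only flushes and deletes those two chains (creation stays removed), or having `firewall stop`, which is outside this hunk, also remove them when `ipv4_chain_exists("bitmask_email")` or `ipv6_chain_exists("bitmask_email")` reports true. At minimum the commit message or a comment near the dispatch could state that the chains are not cleaned up automatically, e.g. `# fw-email was removed in VERSION 12; chains left by older versions must be removed by hand`. The enclosing main() begins outside the hunk.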