authorJeremy Katz <katzj@redhat.com>2004-06-18 04:52:58 +0000
committerJeremy Katz <katzj@redhat.com>2004-06-18 04:52:58 +0000
commit87d9b3563d67e50a3a40234c59d9a2580de319e5 (patch)
treed1c64576c65b10ad28a01f5ef19fb2158d6e3d7e
parent9197b56503dd9fb1fa33c162215cd47b0825d518 (diff)
major simplification of the firewall code. lose the trusted devices and
other ports selection. make the list of services easy to change and shared between gui and text. lose dead code, update copyrights
-rw-r--r--firewall.py80
-rw-r--r--installclass.py31
-rw-r--r--iw/firewall_gui.py130
-rw-r--r--kickstart.py32
-rw-r--r--textw/firewall_text.py126
5 files changed, 113 insertions, 286 deletions
diff --git a/firewall.py b/firewall.py
index ae2fbcad5..fec28247e 100644
--- a/firewall.py
+++ b/firewall.py
@@ -2,8 +2,9 @@
# firewall.py - firewall install data and installation
#
# Bill Nottingham <notting@redhat.com>
+# Jeremy Katz <katzj@redhat.com>
#
-# Copyright 2003 Red Hat, Inc.
+# Copyright 2004 Red Hat, Inc.
#
# This software may be freely redistributed under the terms of the GNU
# library public license.
@@ -19,19 +20,42 @@ import string
from flags import flags
from rhpl.log import log
+from rhpl.translate import _, N_
+
+class Service:
+ def __init__ (self, key, name, ports):
+ self.key = key
+ self.name = name
+ self.allowed = 0
+
+ if type(ports) == type(""):
+ self.ports = [ ports ]
+ else:
+ self.ports = ports
+
+
+ def set_enabled(self, val):
+ self.allowed = val
+
+ def get_enabled(self):
+ return self.allowed
+
+ def get_name(self):
+ return self.name
+
+ def get_ports(self):
+ return self.ports
class Firewall:
def __init__ (self):
self.enabled = 1
- self.ssh = 0
- self.telnet = 0
- self.smtp = 0
- self.http = 0
- self.ftp = 0
- self.portlist = ""
- self.ports = []
- self.trustdevs = []
- self.selinux = ""
+ self.trusteddevs = []
+ self.portlist = []
+ self.services = [ Service("ssh", N_("Remote Login (SSH)"), "22:tcp"),
+ Service("http", N_("Web Server (HTTP, HTTPS)"), "80:tcp"),
+ Service("ftp", N_("File Transfer (FTP)"), "21:tcp"),
+
+ Service("smtp", N_("Mail Server (SMTP)"), "25:tcp") ]
def writeKS(self, f):
f.write("firewall")
@@ -53,33 +77,17 @@ class Firewall:
args.append("--disabled")
return args
- if self.portlist:
- ports = string.split(self.portlist,',')
- for port in ports:
- port = string.strip(port)
- try:
- if not string.index(port,':'):
- port = '%s:tcp' % port
- except:
- pass
- self.ports.append(port)
- for port in self.ports:
- args = args + [ "--port=%s" %(port,) ]
- if self.smtp:
- args = args + [ "--port=smtp:tcp" ]
- if self.http:
- args = args + [ "--port=http:tcp" ]
- if self.ftp:
- args = args + [ "--port=ftp:tcp" ]
- if self.ssh:
- args = args + [ "--port=ssh:tcp" ]
- if self.telnet:
- args = args + [ "--port=telnet:tcp" ]
- if self.selinux:
- args = args + [ "--selinux=%s" % self.selinux ]
- for dev in self.trustdevs:
- args = args + [ "--trust=%s" %(dev,) ]
+ for service in self.services:
+ if service.get_enabled():
+ for p in service.get_ports():
+ args = args + [ "--port=%s" %(p,) ]
+
+ for dev in self.trustdevs:
+ args = args + [ "--trust=%s" %(dev,) ]
+ for port in self.portlist:
+ args = args + [ "--port=%s" %(port,) ]
+
return args
def write (self, instPath):
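Review bot: `Firewall.__init__` in the second hunk now sets `self.trusteddevs = []`, but the `--trust` loop in the third hunk iterates `self.trustdevs`, and installclass.py's `setFirewall` assigns `id.firewall.trustdevs`; an interactive install where `setFirewall` is never called would therefore hit an AttributeError when arguments are built, so the line should read `self.trustdevs = []`. The method containing the `--trust` loop starts outside the third hunk. In `Service.__init__`, `if type(ports) == type(""):` is better written as `if isinstance(ports, str):`. The `http` service is labelled "Web Server (HTTP, HTTPS)" yet carries only `"22:tcp"`-style single entry `"80:tcp"`, so a kickstart `--http` (which adds both 80 and 443) enables the service for 80 and pushes 443 into the free-form `portlist`; if the label is meant literally, `ports` should be `["80:tcp", "443:tcp"]`. Also worth a comment on `Service.__init__`: `# ports are "number:proto" strings as passed to --port; a single string is wrapped in a list`.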
diff --git a/installclass.py b/installclass.py
index a0010d295..3286ee56a 100644
--- a/installclass.py
+++ b/installclass.py
@@ -4,7 +4,7 @@
# The interface to BaseInstallClass is *public* -- ISVs/OEMs can customize the
# install by creating a new derived type of this class.
#
-# Copyright 1999-2002 Red Hat, Inc.
+# Copyright 1999-2004 Red Hat, Inc.
#
# This software may be freely redistributed under the terms of the GNU
# library public license.
@@ -347,17 +347,28 @@ class BaseInstallClass:
def setSELinux(self, id, sel):
id.security.setSELinux(sel)
- def setFirewall(self, id, enable = 1, trusts = [], ports = "",
- ssh = 0, telnet = 0, smtp = 0, http = 0, ftp = 0):
+ def setFirewall(self, id, enable = 1, trusts = [], ports = []):
id.firewall.enabled = enable
id.firewall.trustdevs = trusts
- id.firewall.portlist = ports
- id.firewall.ssh = ssh
- id.firewall.telnet = telnet
- id.firewall.smtp = smtp
- id.firewall.http = http
- id.firewall.ftp = ftp
-
+ # this is a little ugly, but we want to let setting a service
+ # like --ssh enable the service in case they're doing an interactive
+ # kickstart install
+ for port in ports:
+ found = 0
+ for s in id.firewall.services:
+ p = s.get_ports()
+ # don't worry about the ones that are more than one,
+ # this is really for legacy use only
+ if len(p) > 1:
+ continue
+ if p[0] == port:
+ s.set_enabled(1)
+ found = 1
+ break
+
+ if not found:
+ id.firewall.portlist.append(port)
+
def setMiscXSettings(self, id, depth = None, resolution = None,
desktop = None, runlevel = None):
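Review bot: `setFirewall` keeps the mutable default `trusts = []` and adds `ports = []`; `trusts` is stored by reference as `id.firewall.trustdevs`, so any later append on the firewall object mutates the shared default and leaks into subsequent calls. Use `None` sentinels: `def setFirewall(self, id, enable = 1, trusts = None, ports = None):` followed by `trusts = [] if trusts is None else trusts` and the same for `ports`. The new loop only ever appends to `id.firewall.portlist` and only ever enables services, so a second call cannot undo what an earlier one opened — whether anything calls it twice is not visible here, but resetting `id.firewall.portlist = []` at the top would restore the old replace semantics. The `found` flag can be dropped by using the inner loop's `else:` clause to append unmatched ports.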
diff --git a/iw/firewall_gui.py b/iw/firewall_gui.py
index eac18007f..ada47240f 100644
--- a/iw/firewall_gui.py
+++ b/iw/firewall_gui.py
@@ -1,7 +1,7 @@
#
# firewall_gui.py: firewall setup screen
#
-# Copyright 2001-2003 Red Hat, Inc.
+# Copyright 2001-2004 Red Hat, Inc.
#
# This software may be freely redistributed under the terms of the GNU
# library public license.
@@ -49,86 +49,11 @@ class FirewallWindow (InstallWindow):
self.firewall.enabled = 1
count = 0
- for service in self.knownPorts.keys():
+ for service in self.firewall.services:
val = self.incoming.get_active(count)
- if service == "SSH":
- self.firewall.ssh = val
- elif service == "Telnet":
- self.firewall.telnet = val
- elif service == "WWW (HTTP)":
- self.firewall.http = val
- elif service == "Mail (SMTP)":
- self.firewall.smtp = val
- elif service == "FTP":
- self.firewall.ftp = val
+ service.set_enabled(val)
count = count + 1
- portstring = string.strip(self.ports.get_text())
- portlist = ""
- bad_token_found = 0
- bad_token = ""
- if portstring != "":
- tokens = string.split(portstring, ',')
- for token in tokens:
- try:
- #- if there's a colon in the token, it's valid
- if string.index(token,':'):
- parts = string.split(token, ':')
- try:
- portnum = string.atoi(parts[0])
- except:
- portnum = None
-
- if len(parts) > 2: # more than one colon
- bad_token_found = 1
- bad_token = token
- elif portnum is not None and (portnum < 1 or portnum > 65535):
- bad_token_found = 1
- bad_token = token
- else:
- # udp and tcp are the only valid protos
- if parts[1] == 'tcp' or parts[1] == 'udp':
- if portlist == "":
- portlist = token
- else:
- portlist = portlist + ',' + token
- else: # found protocol !tcp && !udp
- bad_token_found = 1
- bad_token = token
- pass
- except:
- if token != "":
- try:
- try:
- portnum = string.atoi(token)
- except:
- portnum = None
-
- if portnum is not None and (portnum < 1 or portnum > 65535):
- bad_token_found = 1
- bad_token = token
- else:
- if portlist == "":
- portlist = token + ":tcp"
- else:
- portlist = portlist + ',' + token + ':tcp'
- except:
- bad_token_found = 1
- bad_token = token
- else:
- pass
-
- if bad_token_found == 1: # raise a warning
- text = _("Invalid port given: %s. The proper format is "
- "'port:protocol', where port is between 1 and 65535, and protocol is either 'tcp' or 'udp'.\n\nFor example, "
- "'1234:udp'") % (bad_token,)
-
- self.intf.messageWindow(_("Warning: Bad Token"),
- text, type="warning")
- raise gui.StayOnScreen
- else: # all the port data looks good
- self.firewall.portlist = portlist
-
def activate_firewall (self, widget):
if self.disabled_radio.get_active ():
self.table.set_sensitive(gtk.FALSE)
@@ -149,7 +74,10 @@ class FirewallWindow (InstallWindow):
box = gtk.VBox (gtk.FALSE, 5)
box.set_border_width (5)
- label = gui.WrappingLabel (_("A firewall can help prevent unauthorized access to your computer from the outside world. Would you like to enable a firewall?"))
+ label = gui.WrappingLabel (_("A firewall can help prevent "
+ "unauthorized access to your computer "
+ "from the outside world. Would you like "
+ "to enable a firewall?"))
label.set_alignment (0.0, 0)
label.set_size_request(450, -1)
@@ -176,19 +104,18 @@ class FirewallWindow (InstallWindow):
box.pack_start (self.table, gtk.FALSE, 5)
y = 0
- label = gtk.Label (_("Allow others on the internet to access "
- "these services."))
- label.set_size_request(450, -1)
+ label = gui.WrappingLabel (_("With a firewall, you may wish to "
+ "allow access to specific services on "
+ "your computer from others. "
+ "Allow access to which services?"))
+ label.set_size_request(400, -1)
label.set_alignment(0.0, 0.0)
self.table.attach(label, 0, 2, y, y + 1, gtk.EXPAND | gtk.FILL, gtk.FILL, 5, 5)
y = y + 1
hbox = gtk.HBox(gtk.FALSE, 10)
- self.label2 = gui.MnemonicLabel (_("_Allow incoming:"))
- self.label2.set_alignment (0.2, 0.0)
self.incoming = checklist.CheckList(1)
self.incoming.set_size_request(-1, 125)
- self.label2.set_mnemonic_widget(self.incoming)
incomingSW = gtk.ScrolledWindow()
incomingSW.set_border_width(5)
@@ -196,43 +123,19 @@ class FirewallWindow (InstallWindow):
incomingSW.set_shadow_type(gtk.SHADOW_IN)
incomingSW.add(self.incoming)
-# self.table.attach (self.label2, 0, 1, y, y + 1, gtk.FILL, gtk.FILL, 5, 5)
- self.table.attach (incomingSW, 0, 2, y, y + 1, gtk.EXPAND|gtk.FILL, gtk.FILL, 5, 5)
-
- self.knownPorts = {"SSH": (self.firewall.ssh,
- N_("Remote Login (SSH)")),
- "WWW (HTTP)": (self.firewall.http,
- N_("Web Server")),
- "Mail (SMTP)": (self.firewall.smtp,
- N_("Mail Server (SMTP)")),
- "FTP": (self.firewall.ftp,
- N_("File Transfer (FTP)"))}
-
- for (key, (val, disp)) in self.knownPorts.items():
- self.incoming.append_row ((disp, key), val)
+ for serv in self.firewall.services:
+ self.incoming.append_row ( (_(serv.get_name()), serv),
+ serv.get_enabled() )
- y = y + 1
- self.label3 = gui.MnemonicLabel (_("Other _ports:"))
- self.ports = gtk.Entry ()
- self.label3.set_mnemonic_widget(self.ports)
-
- self.table.attach (self.label3, 0, 1, y, y + 1, gtk.FILL, gtk.FILL, 5, 5)
- self.table.attach (self.ports, 1, 2, y, y + 1, gtk.EXPAND|gtk.FILL, gtk.FILL, 10, 5)
-
- y = y + 1
+ self.table.attach (incomingSW, 0, 2, y, y + 1, gtk.EXPAND|gtk.FILL, gtk.FILL, 5, 5)
if self.firewall.enabled == 0:
self.disabled_radio.set_active (gtk.TRUE)
else:
self.enabled_radio.set_active(gtk.TRUE)
- if self.firewall.portlist != "":
- self.ports.set_text (self.firewall.portlist)
-
self.activate_firewall(None)
- box.pack_start (gtk.HSeparator(), gtk.FALSE)
-
label = gtk.Label(_("_Security Enhanced Linux (SELinux) Extensions:"))
label.set_use_underline(gtk.TRUE)
self.se_option_menu = gtk.OptionMenu()
@@ -255,6 +158,7 @@ class FirewallWindow (InstallWindow):
hbox.set_sensitive(gtk.FALSE)
if (SELINUX_DEFAULT == 1) or flags.selinux:
+ box.pack_start (gtk.HSeparator(), gtk.FALSE)
box.pack_start(hbox, gtk.FALSE)
return box
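Review bot: In `getNext` (the second hunk) the hand-maintained `count` passed to `self.incoming.get_active(count)` must stay in lock-step with the order rows are appended in the fourth hunk; `for count, service in enumerate(self.firewall.services):` makes that dependency explicit and removes the manual increment. The fourth hunk stores the `Service` object as the row's second column, so if `CheckList` exposes row data the row's own object could be used instead of a positional index — that API is not visible here. With the "Other ports" entry gone, anything already in `firewall.portlist` (for example from a kickstart `--port`) is still emitted by `getArgList` but is no longer shown on this screen; a comment such as `# portlist entries set from kickstart are kept but are not editable here` would make that intentional. `getNext` begins outside the second hunk.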
diff --git a/kickstart.py b/kickstart.py
index 5dd2d387b..08c9bc13b 100644
--- a/kickstart.py
+++ b/kickstart.py
@@ -1,7 +1,7 @@
#
# kickstart.py: kickstart install support
#
-# Copyright 1999-2003 Red Hat, Inc.
+# Copyright 1999-2004 Red Hat, Inc.
#
# This software may be freely redistributed under the terms of the GNU
# library public license.
@@ -122,27 +122,22 @@ class KickstartBase(BaseInstallClass):
'enable', 'port=', 'high', 'medium', 'disabled', 'disable',
'trust=' ])
- ssh = 0
- telnet = 0
- smtp = 0
- http = 0
- ftp = 0
enable = -1
trusts = []
- ports = ""
+ ports = []
for n in args:
(str, arg) = n
if str == '--ssh':
- ssh = 1
+ ports.append("22:tcp")
elif str == '--telnet':
- telnet = 1
+ ports.append("23:tcp")
elif str == '--smtp':
- smtp = 1
+ ports.append("25:tcp")
elif str == '--http':
- http = 1
+ ports.extend(["80:tcp", "443:tcp"]
elif str == '--ftp':
- ftp = 1
+ ports.append("21:tcp")
elif str == '--high' or str == '--medium':
log("used deprecated firewall option: %s" %(str[2:],))
enable = 1
@@ -153,13 +148,14 @@ class KickstartBase(BaseInstallClass):
elif str == '--trust':
trusts.append(arg)
elif str == '--port':
- if ports:
- ports = '%s,%s' % (ports, arg)
- else:
- ports = arg
+ theports = arg.split(",")
+ for p in theports:
+ p = p.strip()
+ if p.find(":") == -1:
+ p = "%s:tcp" %(p,)
+ ports.append(p)
- self.setFirewall(id, enable, trusts, ports, ssh, telnet,
- smtp, http, ftp)
+ self.setFirewall(id, enable, trusts, ports)
def doSELinux(self, id, args):
(args, extra) = isys.getopt(args, '',
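Review bot: `ports.extend(["80:tcp", "443:tcp"]` in the `--http` branch of the second hunk is missing its closing parenthesis as shown here, which would make the module fail to compile; it should read `ports.extend(["80:tcp", "443:tcp"])`. In the `--port` branch of the third hunk, tokens are split on commas and defaulted to `:tcp` but never checked: an empty token from a trailing comma becomes `":tcp"`, and neither the port number range nor the protocol is validated, whereas the GUI validation this commit removes enforced 1–65535 and tcp/udp. At minimum skip empties with `if not p: continue` before the `find` test, and consider carrying the old range/protocol check over here so kickstart input gets the same treatment the interactive path used to. The method containing both hunks starts outside the second hunk.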
diff --git a/textw/firewall_text.py b/textw/firewall_text.py
index 8da04537b..9aaddb385 100644
--- a/textw/firewall_text.py
+++ b/textw/firewall_text.py
@@ -2,8 +2,9 @@
# firewall_text.py: text mode firewall setup
#
# Bill Nottingham <notting@redhat.com>
+# Jeremy Katz <katzj@redhat.com>
#
-# Copyright 2001-2003 Red Hat, Inc.
+# Copyright 2001-2004 Red Hat, Inc.
#
# This software may be freely redistributed under the terms of the GNU
# library public license.
@@ -40,10 +41,6 @@ class FirewallWindow:
typeGrid = Grid(2,1)
-# label = Label(_("Security Level:"))
-# smallGrid.setField (label, 0, 0, (0, 0, 0, 1), anchorLeft = 1)
-
-
self.enabled = SingleRadioButton(_("Enable firewall"), None, firewall.enabled)
self.enabled.setCallback(self.radiocb, (firewall, self.enabled))
typeGrid.setField (self.enabled, 0, 0, (0, 0, 1, 0), anchorLeft = 1)
@@ -54,55 +51,22 @@ class FirewallWindow:
smallGrid.setField (typeGrid, 0, 0, (1, 0, 0, 1), anchorLeft = 1, growx = 1)
currentRow = 1
- devices = network.available().keys()
-
- if (devices):
- devices.sort()
- cols = len(devices)
- if cols > 4:
- rows = cols % 4
- cols = 4
- else:
- rows = 1
-
- if devices != []:
- bigGrid.setField (Label(_("Trusted Devices:")), 0,
- currentRow, (0, 0, 0, 1), anchorLeft = 1)
-
- devicelist = CheckboxTree(height=3, scroll=1)
- bigGrid.setField (devicelist, 1, currentRow,
- (1, 0, 0, 1), anchorLeft = 1)
- currentRow = currentRow + 1
- for dev in devices:
- devicelist.append(dev, selected = (dev in firewall.trustdevs))
-
bigGrid.setField (Label(_("Allow incoming:")), 0, currentRow, (0, 0, 0, 0),
anchorTop = 1)
- self.portGrid = Grid(3,2)
-
- self.ssh = Checkbox (_("SSH"), firewall.ssh)
- self.portGrid.setField (self.ssh, 1, 0, (0, 0, 1, 0), anchorLeft = 1)
- self.telnet = Checkbox (_("Telnet"), firewall.telnet)
- self.portGrid.setField (self.telnet, 2, 0, (0, 0, 1, 0), anchorLeft = 1)
- self.http = Checkbox (_("WWW (HTTP)"), firewall.http)
- self.portGrid.setField (self.http, 0, 1, (0, 0, 1, 0), anchorLeft = 1)
- self.smtp = Checkbox (_("Mail (SMTP)"), firewall.smtp)
- self.portGrid.setField (self.smtp, 1, 1, (0, 0, 1, 0), anchorLeft = 1)
- self.ftp = Checkbox (_("FTP"), firewall.ftp)
- self.portGrid.setField (self.ftp, 2, 1, (0, 0, 1, 0), anchorLeft = 1)
+ self.portGrid = Grid(1, len(firewall.services))
+ # list of Service, Checkbox tuples
+ self.portboxes = []
+ count = 0
+ for serv in firewall.services:
+ s = Checkbox(_(serv.get_name()), serv.get_enabled())
+ self.portboxes.append((serv, s))
+ self.portGrid.setField (s, 0, count, (0, 0, 1, 0), anchorLeft = 1)
+ count += 1
- oGrid = Grid(2,1)
- oGrid.setField (Label(_("Other ports")), 0, 0, (0, 0, 1, 0), anchorLeft = 1)
- self.other = Entry (25, firewall.portlist)
- oGrid.setField (self.other, 1, 0, (0, 0, 1, 0), anchorLeft = 1, growx = 1)
bigGrid.setField (self.portGrid, 1, currentRow, (1, 0, 0, 0), anchorLeft = 1)
bigGrid.setField (Label(""), 0, currentRow + 1, (0, 0, 0, 1), anchorLeft = 1)
- bigGrid.setField (oGrid, 1, currentRow + 1, (1, 0, 0, 1), anchorLeft = 1)
- self.portboxes = ( self.ssh, self.telnet, self.http, self.smtp, self.ftp,
- self.other )
-
toplevel.add(smallGrid, 0, 1, (0, 0, 0, 0), anchorLeft = 1)
if self.disabled.selected():
self.radiocb((firewall, self.disabled))
@@ -125,14 +89,11 @@ class FirewallWindow:
else:
popbb = ButtonBar (screen, (TEXT_OK_BUTTON,))
- poplevel = GridFormHelp (screen, _("Firewall Configuration - Customize"),
+ poplevel = GridFormHelp (screen, _("Customize Firewall Configuration"),
"securitycustom", 1, 5)
- text = _("You can customize your firewall in two ways. "
- "First, you can select to allow all traffic from "
- "certain network interfaces. Second, you can allow "
- "certain protocols explicitly through the firewall. "
- "In a comma separated list, specify additional ports in the form "
- "'service:protocol' such as 'imap:tcp'. ")
+ text = _("With a firewall, you may wish to allow access "
+ "to specific services on your computer from "
+ "others. Allow access to which services?")
poplevel.add (TextboxReflowed(65, text), 0, 0, (0, 0, 0, 1))
@@ -141,53 +102,9 @@ class FirewallWindow:
result2 = poplevel.run()
-# screen.popWindow()
rc2 = popbb.buttonPressed(result2)
-
-# rc2 = ""
if rc2 == TEXT_OK_CHECK or result2 == TEXT_F12_CHECK:
-
- #- Do some sanity checking on port list
- portstring = string.strip(self.other.value())
- portlist = ""
- bad_token_found = 0
- bad_token = ""
- if portstring != "":
- tokens = string.split(portstring, ',')
- for token in tokens:
- try:
- if string.index(token,':'): #- if there's a colon in the token, it's valid
- parts = string.split(token, ':')
- if len(parts) > 2: #- We've found more than one colon. Break loop and raise an error.
- bad_token_found = 1
- bad_token = token
- else:
- if parts[1] == 'tcp' or parts[1] == 'udp': #-upd and tcp are the only valid protocols
- if portlist == "":
- portlist = token
- else:
- portlist = portlist + ',' + token
- else: #- Found a protocol other than tcp or udp. Break loop
- bad_token_found = 1
- bad_token = token
- pass
- except:
- if token != "":
- if portlist == "":
- portlist = token + ":tcp"
- else:
- portlist = portlist + ',' + token + ':tcp'
- else:
- pass
-
- if bad_token_found == 1:
- self.intf.messageWindow(_("Invalid Choice"),
- _("Warning: %s is not a "
- "valid port.") %(token,))
- screen.popWindow()
- else:
- firewall.portlist = portlist
screen.popWindow()
if rc == TEXT_OK_CHECK or result == TEXT_F12_CHECK:
@@ -211,17 +128,8 @@ class FirewallWindow:
screen.popWindow()
- firewall.trustdevs = []
- if devices != []:
- for dev in devicelist.getSelection():
- firewall.trustdevs.append(dev)
-
-# firewall.portlist = self.other.value()
- firewall.ssh = self.ssh.selected()
- firewall.telnet = self.telnet.selected()
- firewall.http = self.http.selected()
- firewall.smtp = self.smtp.selected()
- firewall.ftp = self.ftp.selected()
+ for (s, cb) in self.portboxes:
+ s.set_enabled(cb.selected())
if self.disabled.selected():
firewall.enabled = 0
else: