Move interface to realm mappings into the firewall options, in preper…

…ation for letting users define them.
fmunozs · Mar 17, 2010 · 9e9b576 · 9e9b576
1 parent c1f29eb
commit 9e9b576
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 52 deletions.
diff --git a/checks/pix/external_to_dmz.ftg b/checks/pix/external_to_dmz.ftg
@@ -29,6 +29,7 @@ class Flint::X2DTest
 end
 
 x2d_check :http_restricted, "HTTP is restricted to a specific set of hosts" do
+  puts "I RAN!"
   assert_protocol_is_restricted("http", {:protocol => :tcp, :destination_port => [80]})
 end
 

diff --git a/checks/pix/x2i_proto/high_risk.check.rb b/checks/pix/x2i_proto/high_risk.check.rb
@@ -10,10 +10,8 @@
         describe "The #{pb.name} protocol presents a high risk to your network, and should not be allowed into your internal networks from the outside."
 
         paths = []
-        pp "Looking for #{pb.name}"
         tcp_ports.each do |port|
           if port
-            pp "Looking at #{port}"
             paths.concat(Flint::ServicePath.find( :sha => firewall.sha,
                                                   :protocol => "tcp",
                                                   :out_interface_name => @out_interface.name,
@@ -24,7 +22,6 @@
 
         udp_ports.each do |port|
           if port
-            pp "Looking at #{port}"
             paths.concat(Flint::ServicePath.find( :sha => firewall.sha,
                                                   :protocol => :udp,
                                                   :out_interface_name => @out_interface.name,
@@ -34,7 +31,6 @@
         end
 
         paths.each do |path|
-          puts "Got bad path: #{path.inspect}"
           path.lines.all.each do |ln|
             affected_netblocks(path.destination_as_cidr)
             if r = firewall.rule_at(ln)

diff --git a/lib/flint/.#cisco_firewall.rb b/lib/flint/.#cisco_firewall.rb
diff --git a/lib/flint/cisco_firewall.rb b/lib/flint/cisco_firewall.rb
@@ -188,11 +188,33 @@ def parse
             i.save
           end
         end
+        build_realms
         ServicePath.build_service_paths(self)
         ProtocolMap.build_protocol_map(self)
       end
     end
 
+    def build_realms
+      opts = self.options
+      extr = []
+      intr = []
+      dmzr = []
+      Interface.find(:sha => sha).all.each do |i|
+        if i.name.match(/inside/i)
+          intr.push(i.name)
+        elsif i.name.match(/outside/i)
+          extr.push(i.name)
+        elsif i.name.match(/dmz/i)
+          dmzr.push(i.name)
+        end
+      end
+      opts[:internal_interfaces] = intr
+      opts[:external_interfaces] = extr
+      opts[:dmz_interfaces] = dmzr
+      self.options = opts
+      self.save
+    end
+
     def ensure_interface(sha, name)
       i = Interface.find(:sha => sha, :name => name).first
       i ||= Interface.create(:name => name,
@@ -345,26 +367,6 @@ def normalize_rule(line)
       line
     end
 
-    def external? iface
-      # XXX
-      iface = iface.name if iface.kind_of? Interface
-      iface =~ /outside/i
-    end
-
-    def dmz? iface
-      iface = iface.name if iface.kind_of? Interface
-      iface =~/dmz/i
-    end
-
-    def internal? iface
-      iface = iface.name if iface.kind_of? Interface
-      iface =~/inside/i
-    end
-
-    def external
-      "outside"
-    end
-
     def table_by_name(n)
       if (t = Table.find(:sha => sha, :name => n))
         t.members

diff --git a/lib/flint/firewall.rb b/lib/flint/firewall.rb
@@ -5,6 +5,7 @@ class Firewall < Ohm::Model
     attribute :options_dump
     attribute :sha
 
+
     index :sha
 
     def self.factory(rule_text, options = { })
@@ -21,6 +22,17 @@ def self.factory(rule_text, options = { })
       f
     end
 
+    def options
+      @options ||=  Marshal.load(self.options_dump)
+      @options
+    end
+
+    def options=(newopts)
+      @options = newopts.clone
+      self.options_dump = Marshal.dump(@options)
+      @options
+    end
+
     def self.from_file(filename)
       data = File.read(filename)
       self.factory(data)
@@ -38,19 +50,21 @@ def parse
     def validate
       assert_unique :sha
     end
-
-
+
     # we model three specific realms of the firewall, external, dmz, and internal
     def external? iface
-      raise "Unimplemented."
+      iface = iface.name if iface.kind_of? Interface
+      options[:external_interfaces].member?(iface)
     end
 
     def internal? iface
-      raise "Unimplemented."
+      iface = iface.name if iface.kind_of? Interface
+      options[:internal_interfaces].member?(iface)
     end
 
     def dmz? iface
-      raise "Unimplemented."
+      iface = iface.name if iface.kind_of? Interface
+      options[:dmz_interfaces].member?(iface)
     end
 
     def interface_realm iface

diff --git a/spec/flint/cisco_firewall_spec.rb b/spec/flint/cisco_firewall_spec.rb
@@ -37,7 +37,9 @@
 
     # a comment
     lines[100].comment?.should be_true
-
+
+    @fw.options[:external_interfaces].should eql(["outside"])
+
   end
 
   it "should recognize name commands" do
@@ -110,13 +112,4 @@
 
   end
 
-  it "should parse a big rule file" do
-    @rules = File.read("#{ FLINT_ROOT }/victim.pix")
-    @fw = Flint::CiscoFirewall.factory(@rules)
-    lines = @fw.rule_lines
-    lines.size.should == 4709
-  end
-
-
-
 end
diff --git a/spec/flint/pix_device_security_spec.rb b/spec/flint/pix_device_security_spec.rb
@@ -12,7 +12,10 @@
  telnet 10.0.0.0 255.0.0.0 outside
  http 10.0.0.0 255.0.0.0 outside
  http 10.0.0.0 255.0.0.0 inside
- snmp-server host outside 10.0.0.0")
+ snmp-server host outside 10.0.0.0
+ nameif ethernet0 outside security0
+ nameif ethernet0 dmz security50"
+)
     @tr = Flint::TestRunner.new(@tg)
     @tr.run(@fw)
     @tr.results(:dmz_ssh).all.select { |r|
@@ -35,7 +38,9 @@
  telnet 10.0.0.0 255.0.0.0 dmz
  http 10.0.0.0 255.0.0.0 dmz
  http 10.0.0.0 255.0.0.0 dmz
- snmp-server host dmz 10.0.0.0")
+ snmp-server host dmz 10.0.0.0
+ nameif ethernet0 outside security0
+ nameif ethernet0 dmz security50")
     @tr = Flint::TestRunner.new(@tg)
     @tr.run(@fw)
 

diff --git a/spec/flint/pix_rule_syntax_check_spec.rb b/spec/flint/pix_rule_syntax_check_spec.rb
@@ -16,15 +16,5 @@
     res.first.effected_rules.first.should == @fw.rule_lines[0].number
   end
 
-  it "should work on big rule set" do
-    return unless File.exists?("/Users/craig/Desktop/victim.pix")
-    @rules = File.read("/Users/craig/Desktop/victim.pix")
-    @fw = Flint::CiscoFirewall.factory(@rules)
-    @tr = Flint::TestRunner.new(@tg)
-    @tr.run(@fw)
-    @tr.errors.size.should == 0
-    # @tr.results.map {|r| puts r.to_s; puts "\n" }
-  end
-
 
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ class Flint::X2DTest @@
     end
     x2d_check :http_restricted, "HTTP is restricted to a specific set of hosts" do
+      puts "I RAN!"
       assert_protocol_is_restricted("http", {:protocol => :tcp, :destination_port => [80]})
     end
@@ Expand Down @@