From a37dba2c8126e5c18d23f0cc1dac20006a703b5f Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Sun, 19 Apr 2020 14:52:01 +0100
Subject: [PATCH] remove configureFirewall function, the call to it, and related tests
Signed-off-by: Adam Warner
---
 automated install/basic-install.sh | 43 --------
 test/test_automated_install.py | 162 ----------------------------
 2 files changed, 205 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index e25f7389..60d2dc3e 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -1783,45 +1783,6 @@ create_pihole_user() {
 fi
 }
-# Allow HTTP and DNS traffic
-configureFirewall() {
- printf "\\n"
- # If a firewall is running,
- if firewall-cmd --state &> /dev/null; then
- # ask if the user wants to install Pi-hole's default firewall rules
- whiptail --title "Firewall in use" --yesno "We have detected a running firewall\\n\\nPi-hole currently requires HTTP and DNS port access.\\n\\n\\n\\nInstall Pi-hole default firewall rules?" "${r}" "${c}" || \
- { printf " %b Not installing firewall rulesets.\\n" "${INFO}"; return 0; }
- printf " %b Configuring FirewallD for httpd and pihole-FTL\\n" "${TICK}"
- # Allow HTTP and DNS traffic
- firewall-cmd --permanent --add-service=http --add-service=dns
- # Reload the firewall to apply these changes
- firewall-cmd --reload
- return 0
- # Check for proper kernel modules to prevent failure
- elif modinfo ip_tables &> /dev/null && is_command iptables ; then
- # If chain Policy is not ACCEPT or last Rule is not ACCEPT
- # then check and insert our Rules above the DROP/REJECT Rule.
- if iptables -S INPUT | head -n1 | grep -qv '^-P.*ACCEPT$' || iptables -S INPUT | tail -n1 | grep -qv '^-\(A\|P\).*ACCEPT$'; then
- whiptail --title "Firewall in use" --yesno "We have detected a running firewall\\n\\nPi-hole currently requires HTTP and DNS port access.\\n\\n\\n\\nInstall Pi-hole default firewall rules?" "${r}" "${c}" || \
- { printf " %b Not installing firewall rulesets.\\n" "${INFO}"; return 0; }
- printf " %b Installing new IPTables firewall rulesets\\n" "${TICK}"
- # Check chain first, otherwise a new rule will duplicate old ones
- iptables -C INPUT -p tcp -m tcp --dport 80 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
- iptables -C INPUT -p tcp -m tcp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
- iptables -C INPUT -p udp -m udp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
- iptables -C INPUT -p tcp -m tcp --dport 4711:4720 -i lo -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 4711:4720 -i lo -j ACCEPT
- return 0
- fi
- # Otherwise,
- else
- # no firewall is running
- printf " %b No active firewall detected.. skipping firewall configuration\\n" "${INFO}"
- # so just exit
- return 0
- fi
- printf " %b Skipping firewall configuration\\n" "${INFO}"
-}
-
 #
 finalExports() {
 # If the Web interface is not set to be installed,
@@ -1972,10 +1933,6 @@ installPihole() {
 # Check if dnsmasq is present. If so, disable it and back up any possible
 # config file
 disable_dnsmasq
- # Configure the firewall
- if [[ "${useUpdateVars}" == false ]]; then
- configureFirewall
- fi
 # install a man page entry for pihole
 install_manpage
diff --git a/test/test_automated_install.py b/test/test_automated_install.py
index 567ea241..2a38d24c 100644
--- a/test/test_automated_install.py
+++ b/test/test_automated_install.py
@@ -92,168 +92,6 @@ def test_setupVars_saved_to_file(Pihole):
 assert "{}={}".format(k, v) in output
-def test_configureFirewall_firewalld_running_no_errors(Pihole):
- '''
- confirms firewalld rules are applied when firewallD is running
- '''
- # firewallD returns 'running' as status
- mock_command('firewall-cmd', {'*': ('running', 0)}, Pihole)
- # Whiptail dialog returns Ok for user prompt
- mock_command('whiptail', {'*': ('', 0)}, Pihole)
- configureFirewall = Pihole.run('''
- source /opt/pihole/basic-install.sh
- configureFirewall
- ''')
- expected_stdout = 'Configuring FirewallD for httpd and pihole-FTL'
- assert expected_stdout in configureFirewall.stdout
- firewall_calls = Pihole.run('cat /var/log/firewall-cmd').stdout
- assert 'firewall-cmd --state' in firewall_calls
- assert ('firewall-cmd '
- '--permanent '
- '--add-service=http '
- '--add-service=dns') in firewall_calls
- assert 'firewall-cmd --reload' in firewall_calls
-
-
-def test_configureFirewall_firewalld_disabled_no_errors(Pihole):
- '''
- confirms firewalld rules are not applied when firewallD is not running
- '''
- # firewallD returns non-running status
- mock_command('firewall-cmd', {'*': ('not running', '1')}, Pihole)
- configureFirewall = Pihole.run('''
- source /opt/pihole/basic-install.sh
- configureFirewall
- ''')
- expected_stdout = ('No active firewall detected.. '
- 'skipping firewall configuration')
- assert expected_stdout in configureFirewall.stdout
-
-
-def test_configureFirewall_firewalld_enabled_declined_no_errors(Pihole):
- '''
- confirms firewalld rules are not applied when firewallD is running, user
- declines ruleset
- '''
- # firewallD returns running status
- mock_command('firewall-cmd', {'*': ('running', 0)}, Pihole)
- # Whiptail dialog returns Cancel for user prompt
- mock_command('whiptail', {'*': ('', 1)}, Pihole)
- configureFirewall = Pihole.run('''
- source /opt/pihole/basic-install.sh
- configureFirewall
- ''')
- expected_stdout = 'Not installing firewall rulesets.'
- assert expected_stdout in configureFirewall.stdout
-
-
-def test_configureFirewall_no_firewall(Pihole):
- ''' confirms firewall skipped no daemon is running '''
- configureFirewall = Pihole.run('''
- source /opt/pihole/basic-install.sh
- configureFirewall
- ''')
- expected_stdout = 'No active firewall detected'
- assert expected_stdout in configureFirewall.stdout
-
-
-def test_configureFirewall_IPTables_enabled_declined_no_errors(Pihole):
- '''
- confirms IPTables rules are not applied when IPTables is running, user
- declines ruleset
- '''
- # iptables command exists
- mock_command('iptables', {'*': ('', '0')}, Pihole)
- # modinfo returns always true (ip_tables module check)
- mock_command('modinfo', {'*': ('', '0')}, Pihole)
- # Whiptail dialog returns Cancel for user prompt
- mock_command('whiptail', {'*': ('', '1')}, Pihole)
- configureFirewall = Pihole.run('''
- source /opt/pihole/basic-install.sh
- configureFirewall
- ''')
- expected_stdout = 'Not installing firewall rulesets.'
- assert expected_stdout in configureFirewall.stdout
-
-
-def test_configureFirewall_IPTables_enabled_rules_exist_no_errors(Pihole):
- '''
- confirms IPTables rules are not applied when IPTables is running and rules
- exist
- '''
- # iptables command exists and returns 0 on calls
- # (should return 0 on iptables -C)
- mock_command('iptables', {'-S': ('-P INPUT DENY', '0')}, Pihole)
- # modinfo returns always true (ip_tables module check)
- mock_command('modinfo', {'*': ('', '0')}, Pihole)
- # Whiptail dialog returns Cancel for user prompt
- mock_command('whiptail', {'*': ('', '0')}, Pihole)
- configureFirewall = Pihole.run('''
- source /opt/pihole/basic-install.sh
- configureFirewall
- ''')
- expected_stdout = 'Installing new IPTables firewall rulesets'
- assert expected_stdout in configureFirewall.stdout
- firewall_calls = Pihole.run('cat /var/log/iptables').stdout
- # General call type occurances
- assert len(re.findall(r'iptables -S', firewall_calls)) == 1
- assert len(re.findall(r'iptables -C', firewall_calls)) == 4
- assert len(re.findall(r'iptables -I', firewall_calls)) == 0
-
- # Specific port call occurances
- assert len(re.findall(r'tcp --dport 80', firewall_calls)) == 1
- assert len(re.findall(r'tcp --dport 53', firewall_calls)) == 1
- assert len(re.findall(r'udp --dport 53', firewall_calls)) == 1
- assert len(re.findall(r'tcp --dport 4711:4720', firewall_calls)) == 1
-
-
-def test_configureFirewall_IPTables_enabled_not_exist_no_errors(Pihole):
- '''
- confirms IPTables rules are applied when IPTables is running and rules do
- not exist
- '''
- # iptables command and returns 0 on calls (should return 1 on iptables -C)
- mock_command(
- 'iptables',
- {
- '-S': (
- '-P INPUT DENY',
- '0'
- ),
- '-C': (
- '',
- 1
- ),
- '-I': (
- '',
- 0
- )
- },
- Pihole
- )
- # modinfo returns always true (ip_tables module check)
- mock_command('modinfo', {'*': ('', '0')}, Pihole)
- # Whiptail dialog returns Cancel for user prompt
- mock_command('whiptail', {'*': ('', '0')}, Pihole)
- configureFirewall = Pihole.run('''
- source /opt/pihole/basic-install.sh
- configureFirewall
- ''')
- expected_stdout = 'Installing new IPTables firewall rulesets'
- assert expected_stdout in configureFirewall.stdout
- firewall_calls = Pihole.run('cat /var/log/iptables').stdout
- # General call type occurances
- assert len(re.findall(r'iptables -S', firewall_calls)) == 1
- assert len(re.findall(r'iptables -C', firewall_calls)) == 4
- assert len(re.findall(r'iptables -I', firewall_calls)) == 4
-
- # Specific port call occurances
- assert len(re.findall(r'tcp --dport 80', firewall_calls)) == 2
- assert len(re.findall(r'tcp --dport 53', firewall_calls)) == 2
- assert len(re.findall(r'udp --dport 53', firewall_calls)) == 2
- assert len(re.findall(r'tcp --dport 4711:4720', firewall_calls)) == 2
-
-
 def test_selinux_not_detected(Pihole):
 '''
 confirms installer continues when SELinux configuration file
 does not exist