Merge pull request #3283 from pi-hole/tweak/remove_firewall_config
Remove configureFirewall function, the call to it, and related tests
commit
df13b9c32a
@ -1780,45 +1780,6 @@ create_pihole_user() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow HTTP and DNS traffic
|
|
||||||
configureFirewall() {
|
|
||||||
printf "\\n"
|
|
||||||
# If a firewall is running,
|
|
||||||
if firewall-cmd --state &> /dev/null; then
|
|
||||||
# ask if the user wants to install Pi-hole's default firewall rules
|
|
||||||
whiptail --title "Firewall in use" --yesno "We have detected a running firewall\\n\\nPi-hole currently requires HTTP and DNS port access.\\n\\n\\n\\nInstall Pi-hole default firewall rules?" "${r}" "${c}" || \
|
|
||||||
{ printf " %b Not installing firewall rulesets.\\n" "${INFO}"; return 0; }
|
|
||||||
printf " %b Configuring FirewallD for httpd and pihole-FTL\\n" "${TICK}"
|
|
||||||
# Allow HTTP and DNS traffic
|
|
||||||
firewall-cmd --permanent --add-service=http --add-service=dns
|
|
||||||
# Reload the firewall to apply these changes
|
|
||||||
firewall-cmd --reload
|
|
||||||
return 0
|
|
||||||
# Check for proper kernel modules to prevent failure
|
|
||||||
elif modinfo ip_tables &> /dev/null && is_command iptables ; then
|
|
||||||
# If chain Policy is not ACCEPT or last Rule is not ACCEPT
|
|
||||||
# then check and insert our Rules above the DROP/REJECT Rule.
|
|
||||||
if iptables -S INPUT | head -n1 | grep -qv '^-P.*ACCEPT$' || iptables -S INPUT | tail -n1 | grep -qv '^-\(A\|P\).*ACCEPT$'; then
|
|
||||||
whiptail --title "Firewall in use" --yesno "We have detected a running firewall\\n\\nPi-hole currently requires HTTP and DNS port access.\\n\\n\\n\\nInstall Pi-hole default firewall rules?" "${r}" "${c}" || \
|
|
||||||
{ printf " %b Not installing firewall rulesets.\\n" "${INFO}"; return 0; }
|
|
||||||
printf " %b Installing new IPTables firewall rulesets\\n" "${TICK}"
|
|
||||||
# Check chain first, otherwise a new rule will duplicate old ones
|
|
||||||
iptables -C INPUT -p tcp -m tcp --dport 80 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
|
|
||||||
iptables -C INPUT -p tcp -m tcp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
|
|
||||||
iptables -C INPUT -p udp -m udp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
|
|
||||||
iptables -C INPUT -p tcp -m tcp --dport 4711:4720 -i lo -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 4711:4720 -i lo -j ACCEPT
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
# Otherwise,
|
|
||||||
else
|
|
||||||
# no firewall is running
|
|
||||||
printf " %b No active firewall detected.. skipping firewall configuration\\n" "${INFO}"
|
|
||||||
# so just exit
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
printf " %b Skipping firewall configuration\\n" "${INFO}"
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
finalExports() {
|
finalExports() {
|
||||||
# If the Web interface is not set to be installed,
|
# If the Web interface is not set to be installed,
|
||||||
@ -1969,10 +1930,6 @@ installPihole() {
|
|||||||
# Check if dnsmasq is present. If so, disable it and back up any possible
|
# Check if dnsmasq is present. If so, disable it and back up any possible
|
||||||
# config file
|
# config file
|
||||||
disable_dnsmasq
|
disable_dnsmasq
|
||||||
# Configure the firewall
|
|
||||||
if [[ "${useUpdateVars}" == false ]]; then
|
|
||||||
configureFirewall
|
|
||||||
fi
|
|
||||||
|
|
||||||
# install a man page entry for pihole
|
# install a man page entry for pihole
|
||||||
install_manpage
|
install_manpage
|
||||||
|
@ -92,168 +92,6 @@ def test_setupVars_saved_to_file(Pihole):
|
|||||||
assert "{}={}".format(k, v) in output
|
assert "{}={}".format(k, v) in output
|
||||||
|
|
||||||
|
|
||||||
def test_configureFirewall_firewalld_running_no_errors(Pihole):
|
|
||||||
'''
|
|
||||||
confirms firewalld rules are applied when firewallD is running
|
|
||||||
'''
|
|
||||||
# firewallD returns 'running' as status
|
|
||||||
mock_command('firewall-cmd', {'*': ('running', 0)}, Pihole)
|
|
||||||
# Whiptail dialog returns Ok for user prompt
|
|
||||||
mock_command('whiptail', {'*': ('', 0)}, Pihole)
|
|
||||||
configureFirewall = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
configureFirewall
|
|
||||||
''')
|
|
||||||
expected_stdout = 'Configuring FirewallD for httpd and pihole-FTL'
|
|
||||||
assert expected_stdout in configureFirewall.stdout
|
|
||||||
firewall_calls = Pihole.run('cat /var/log/firewall-cmd').stdout
|
|
||||||
assert 'firewall-cmd --state' in firewall_calls
|
|
||||||
assert ('firewall-cmd '
|
|
||||||
'--permanent '
|
|
||||||
'--add-service=http '
|
|
||||||
'--add-service=dns') in firewall_calls
|
|
||||||
assert 'firewall-cmd --reload' in firewall_calls
|
|
||||||
|
|
||||||
|
|
||||||
def test_configureFirewall_firewalld_disabled_no_errors(Pihole):
|
|
||||||
'''
|
|
||||||
confirms firewalld rules are not applied when firewallD is not running
|
|
||||||
'''
|
|
||||||
# firewallD returns non-running status
|
|
||||||
mock_command('firewall-cmd', {'*': ('not running', '1')}, Pihole)
|
|
||||||
configureFirewall = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
configureFirewall
|
|
||||||
''')
|
|
||||||
expected_stdout = ('No active firewall detected.. '
|
|
||||||
'skipping firewall configuration')
|
|
||||||
assert expected_stdout in configureFirewall.stdout
|
|
||||||
|
|
||||||
|
|
||||||
def test_configureFirewall_firewalld_enabled_declined_no_errors(Pihole):
|
|
||||||
'''
|
|
||||||
confirms firewalld rules are not applied when firewallD is running, user
|
|
||||||
declines ruleset
|
|
||||||
'''
|
|
||||||
# firewallD returns running status
|
|
||||||
mock_command('firewall-cmd', {'*': ('running', 0)}, Pihole)
|
|
||||||
# Whiptail dialog returns Cancel for user prompt
|
|
||||||
mock_command('whiptail', {'*': ('', 1)}, Pihole)
|
|
||||||
configureFirewall = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
configureFirewall
|
|
||||||
''')
|
|
||||||
expected_stdout = 'Not installing firewall rulesets.'
|
|
||||||
assert expected_stdout in configureFirewall.stdout
|
|
||||||
|
|
||||||
|
|
||||||
def test_configureFirewall_no_firewall(Pihole):
|
|
||||||
''' confirms firewall skipped no daemon is running '''
|
|
||||||
configureFirewall = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
configureFirewall
|
|
||||||
''')
|
|
||||||
expected_stdout = 'No active firewall detected'
|
|
||||||
assert expected_stdout in configureFirewall.stdout
|
|
||||||
|
|
||||||
|
|
||||||
def test_configureFirewall_IPTables_enabled_declined_no_errors(Pihole):
|
|
||||||
'''
|
|
||||||
confirms IPTables rules are not applied when IPTables is running, user
|
|
||||||
declines ruleset
|
|
||||||
'''
|
|
||||||
# iptables command exists
|
|
||||||
mock_command('iptables', {'*': ('', '0')}, Pihole)
|
|
||||||
# modinfo returns always true (ip_tables module check)
|
|
||||||
mock_command('modinfo', {'*': ('', '0')}, Pihole)
|
|
||||||
# Whiptail dialog returns Cancel for user prompt
|
|
||||||
mock_command('whiptail', {'*': ('', '1')}, Pihole)
|
|
||||||
configureFirewall = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
configureFirewall
|
|
||||||
''')
|
|
||||||
expected_stdout = 'Not installing firewall rulesets.'
|
|
||||||
assert expected_stdout in configureFirewall.stdout
|
|
||||||
|
|
||||||
|
|
||||||
def test_configureFirewall_IPTables_enabled_rules_exist_no_errors(Pihole):
|
|
||||||
'''
|
|
||||||
confirms IPTables rules are not applied when IPTables is running and rules
|
|
||||||
exist
|
|
||||||
'''
|
|
||||||
# iptables command exists and returns 0 on calls
|
|
||||||
# (should return 0 on iptables -C)
|
|
||||||
mock_command('iptables', {'-S': ('-P INPUT DENY', '0')}, Pihole)
|
|
||||||
# modinfo returns always true (ip_tables module check)
|
|
||||||
mock_command('modinfo', {'*': ('', '0')}, Pihole)
|
|
||||||
# Whiptail dialog returns Cancel for user prompt
|
|
||||||
mock_command('whiptail', {'*': ('', '0')}, Pihole)
|
|
||||||
configureFirewall = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
configureFirewall
|
|
||||||
''')
|
|
||||||
expected_stdout = 'Installing new IPTables firewall rulesets'
|
|
||||||
assert expected_stdout in configureFirewall.stdout
|
|
||||||
firewall_calls = Pihole.run('cat /var/log/iptables').stdout
|
|
||||||
# General call type occurances
|
|
||||||
assert len(re.findall(r'iptables -S', firewall_calls)) == 1
|
|
||||||
assert len(re.findall(r'iptables -C', firewall_calls)) == 4
|
|
||||||
assert len(re.findall(r'iptables -I', firewall_calls)) == 0
|
|
||||||
|
|
||||||
# Specific port call occurances
|
|
||||||
assert len(re.findall(r'tcp --dport 80', firewall_calls)) == 1
|
|
||||||
assert len(re.findall(r'tcp --dport 53', firewall_calls)) == 1
|
|
||||||
assert len(re.findall(r'udp --dport 53', firewall_calls)) == 1
|
|
||||||
assert len(re.findall(r'tcp --dport 4711:4720', firewall_calls)) == 1
|
|
||||||
|
|
||||||
|
|
||||||
def test_configureFirewall_IPTables_enabled_not_exist_no_errors(Pihole):
|
|
||||||
'''
|
|
||||||
confirms IPTables rules are applied when IPTables is running and rules do
|
|
||||||
not exist
|
|
||||||
'''
|
|
||||||
# iptables command and returns 0 on calls (should return 1 on iptables -C)
|
|
||||||
mock_command(
|
|
||||||
'iptables',
|
|
||||||
{
|
|
||||||
'-S': (
|
|
||||||
'-P INPUT DENY',
|
|
||||||
'0'
|
|
||||||
),
|
|
||||||
'-C': (
|
|
||||||
'',
|
|
||||||
1
|
|
||||||
),
|
|
||||||
'-I': (
|
|
||||||
'',
|
|
||||||
0
|
|
||||||
)
|
|
||||||
},
|
|
||||||
Pihole
|
|
||||||
)
|
|
||||||
# modinfo returns always true (ip_tables module check)
|
|
||||||
mock_command('modinfo', {'*': ('', '0')}, Pihole)
|
|
||||||
# Whiptail dialog returns Cancel for user prompt
|
|
||||||
mock_command('whiptail', {'*': ('', '0')}, Pihole)
|
|
||||||
configureFirewall = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
configureFirewall
|
|
||||||
''')
|
|
||||||
expected_stdout = 'Installing new IPTables firewall rulesets'
|
|
||||||
assert expected_stdout in configureFirewall.stdout
|
|
||||||
firewall_calls = Pihole.run('cat /var/log/iptables').stdout
|
|
||||||
# General call type occurances
|
|
||||||
assert len(re.findall(r'iptables -S', firewall_calls)) == 1
|
|
||||||
assert len(re.findall(r'iptables -C', firewall_calls)) == 4
|
|
||||||
assert len(re.findall(r'iptables -I', firewall_calls)) == 4
|
|
||||||
|
|
||||||
# Specific port call occurances
|
|
||||||
assert len(re.findall(r'tcp --dport 80', firewall_calls)) == 2
|
|
||||||
assert len(re.findall(r'tcp --dport 53', firewall_calls)) == 2
|
|
||||||
assert len(re.findall(r'udp --dport 53', firewall_calls)) == 2
|
|
||||||
assert len(re.findall(r'tcp --dport 4711:4720', firewall_calls)) == 2
|
|
||||||
|
|
||||||
|
|
||||||
def test_selinux_not_detected(Pihole):
|
def test_selinux_not_detected(Pihole):
|
||||||
'''
|
'''
|
||||||
confirms installer continues when SELinux configuration file does not exist
|
confirms installer continues when SELinux configuration file does not exist
|
||||||
|