firewall.md

File metadata and controls

275 lines (219 loc) · 7.44 KB

Firewall Security Resource

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined rules. This firewall resource is built on Ubuntu's UFW (Uncomplicated Firewall), to which a control system based on a REST interface has been added.
The firewall agent is available for Ubuntu only.
The rules that can be defined through this resource are plain packet-filter rules: they match on network addresses, ports and protocols and carry no connection context of their own. Note that UFW sits on top of netfilter, and UFW's default rule set accepts packets belonging to already established connections, so return traffic for a connection you allow needs no rule of its own; that state is simply not exposed through this API.

Services specifically available for the firewall Resource are:

  1. The Experimenter can statically define a list of allowed IP addresses (or CIDR masks)
  2. The Experimenter can statically define a list of denied IP addresses (or CIDR masks)
  3. The Experimenter can statically define the default behaviour of the firewall
  4. The Experimenter can get the status of the firewall
  5. The Experimenter can get the rules installed on the firewall
  6. The Experimenter can dynamically add a rule to the firewall
  7. The Experimenter can dynamically update a rule on the firewall
  8. The Experimenter can dynamically remove a rule from the firewall

Resource properties

  • testbed: Defines where to deploy the selected Security Resource. Ignored if want_agent is True
  • want_agent: Defines whether the Experimenter wants the security resource to be an agent installed directly on the VM to be monitored
  • ssh_key: Defines the SSH public key to be pushed to the VM in order to be able to log into it
  • lan_name: Selects the network on which the VM is deployed (if want_agent is False). If no value is entered, softfire-internal is chosen
  • logging: Defines whether the Experimenter wants the security resource to send its log messages to a collector and to see them on a dashboard
  • allowed_ips: List of IPs (or CIDR masks) allowed by the firewall; each entry becomes an allow from IP rule
  • denied_ips: List of IPs (or CIDR masks) denied by the firewall; each entry becomes a deny from IP rule
  • default_rule: Default policy applied by the firewall to traffic that matches no rule (allow/deny)

API documentation

Control your UFW firewall via REST APIs. Please consider that this is a beta version: the endpoints below currently have no authentication and are served over plain HTTP, so anyone who can reach the control port can read and rewrite the rule set. Authentication is planned; until it is added, restrict access to the control port at the network level, for example with a UFW rule pair that allows the management host on 5000/tcp and denies everyone else (UFW applies the first matching rule, so the allow must be installed first).

Version information

Version : 0.1

URI scheme

Host : your.fw.ip:5000

Schemes : HTTP

Produces

  • text/json

Paths

Insert new rule

POST /ufw/rules

Description

Add a new rule to the firewall.

Rule text is sent in the body of the request.

RULE SYNTAX

Users can specify rules using either a simple syntax or a full syntax. The simple syntax only specifies the port and optionally the protocol to be allowed or denied on the host.

Example rule using the simple syntax:

allow 53

This rule allows TCP and UDP port 53 from any address to the firewall host. To restrict the rule to one protocol, append /protocol to the port, for example allow 53/udp.

Users can also use a fuller syntax, specifying the source and destination addresses and ports. This syntax is loosely based on OpenBSD’s PF syntax. For example:

deny proto tcp to any port 80

This will deny all traffic to tcp port 80.

deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25

This will deny all TCP traffic from the 10.0.0.0/8 RFC 1918 range to port 25 on the address 192.168.0.1.
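The two syntaxes above are easy to get subtly wrong, and the only feedback from the API is a bare 400. What follows is an added example, not part of the firewall resource or of ufw itself, that validates and normalises a rule string before it is sent. It accepts exactly the forms shown on this page (allow/deny, simple PORT[/PROTO], and full proto/from/to/port clauses in any order), limits itself by assumption to tcp/udp and IPv4, and insists on at least one from or to clause in the full syntax, which is this example's own requirement rather than a documented one.

```python
"""Client-side check of the rule text accepted by POST /ufw/rules.

Added example for this page, not code from the firewall resource or ufw.
Scope assumptions: only the allow/deny actions and tcp/udp protocols are
accepted, and addresses are IPv4 hosts, IPv4 CIDR blocks or the word 'any'.
"""
import ipaddress
import re

ACTIONS = {"allow", "deny"}      # ufw also knows reject/limit; not covered here
PROTOCOLS = {"tcp", "udp"}
PORT_RE = re.compile(r"^\d{1,5}$")


def _parse_port(text):
    if not PORT_RE.match(text) or not 1 <= int(text) <= 65535:
        raise ValueError("bad port %r" % text)
    return int(text)


def _parse_addr(text):
    if text == "any":
        return "any"
    try:
        net = ipaddress.ip_network(text, strict=False)  # host bits allowed (10.0.0.1/8)
    except ValueError:
        raise ValueError("bad address %r" % text) from None
    if net.version != 4:
        raise ValueError("IPv4 only in this example: %r" % text)
    # single hosts come back as a plain address, blocks keep their prefix length
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def parse_rule(rule):
    """Normalise a ufw rule string; raise ValueError if it is not well formed."""
    tokens = rule.split()
    if len(tokens) < 2 or tokens[0] not in ACTIONS:
        raise ValueError("rule must start with allow|deny: %r" % rule)
    out = {"action": tokens[0], "proto": None,
           "from": "any", "from_port": None, "to": "any", "to_port": None}
    body = tokens[1:]

    # Simple syntax: a single PORT or PORT/PROTO token. It is the destination
    # port on the firewall host, from any source.
    if len(body) == 1:
        port, _, proto = body[0].partition("/")
        out["to_port"] = _parse_port(port)
        if proto:
            if proto not in PROTOCOLS:
                raise ValueError("bad protocol %r" % proto)
            out["proto"] = proto
        return out

    # Full syntax: [proto P] [from ADDR [port N]] [to ADDR [port N]], clauses in
    # any order; a 'port' clause binds to the from/to clause just before it.
    side, seen_endpoint, i = None, False, 0
    while i < len(body):
        kw, arg = body[i], body[i + 1] if i + 1 < len(body) else None
        if arg is None:
            raise ValueError("dangling keyword %r in %r" % (kw, rule))
        if kw == "proto" and out["proto"] is None and arg in PROTOCOLS:
            out["proto"] = arg
        elif kw in ("from", "to"):
            out[kw] = _parse_addr(arg)
            side, seen_endpoint = kw, True
        elif kw == "port" and side is not None:
            out[side + "_port"] = _parse_port(arg)
            side = None                      # at most one port per endpoint
        else:
            raise ValueError("unexpected %r %r in %r" % (kw, arg, rule))
        i += 2
    if not seen_endpoint:                    # this example's own requirement
        raise ValueError("full syntax needs a from or to clause: %r" % rule)
    return out


if __name__ == "__main__":
    # Constructed sample input: a mix of valid and malformed rules.
    for text in ("allow 53", "allow 53/tcp", "deny proto tcp to any port 80",
                 "deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25",
                 "allow from 10.0.0.1", "allow 70000", "permit 22", "deny proto tcp"):
        try:
            print("ok  ", text, parse_rule(text))
        except ValueError as exc:
            print("bad ", text, "->", exc)
```

Run the check before every POST; a rule that passes here and still draws a 400 from the agent points at a gap between this example's grammar and what the agent's ufw accepts, not at a typo in the rule text.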

Responses

| HTTP Code | Description | Schema |
| --- | --- | --- |
| 200 | A JSON object containing the list of rules installed in the firewall through this API. | No Content |
| 400 | Syntax error. The rule sent in the body of the request is not well formed and has therefore not been installed. | No Content |

List of rules

GET /ufw/rules

Description

List the rules installed in the firewall, coupled with a unique id.

Responses

| HTTP Code | Description | Schema |
| --- | --- | --- |
| 200 | A JSON object containing the list of rules installed in the firewall through this API. | No Content |

Modify an existing rule

POST /ufw/rules/<rule_id>

Description

Replace the rule identified by rule_id with a new one.

The new rule text is sent in the body of the request.

Rule syntax is the same as for new rules.

Responses

| HTTP Code | Description | Schema |
| --- | --- | --- |
| 200 | A JSON object containing the list of rules installed in the firewall through this API. | No Content |
| 400 | Syntax error. The rule sent in the body of the request is not well formed and has therefore not been installed. | No Content |
| 404 | Non-existing rule. The id specified in the URL does not match the id of any rule in the firewall. | No Content |

Delete a rule

DELETE /ufw/rules/<rule_id>

Description

Delete an existing rule from the firewall

Responses

| HTTP Code | Description | Schema |
| --- | --- | --- |
| 200 | A JSON object containing the list of rules installed in the firewall through this API. | No Content |
| 404 | Non-existing rule. The id specified in the URL does not match the id of any rule in the firewall. | No Content |

Firewall status

GET /ufw/status

Description

Show the status of the firewall and the UFW-managed rules. Equivalent to running ufw status from a terminal.

Responses

| HTTP Code | Description | Schema |
| --- | --- | --- |
| 200 | Shows whether the firewall is active or inactive; if active, the managed rules are listed as well. | No Content |

Produces

  • text
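Putting the endpoints together, here is an added example client, not the project's own code, covering every path documented above (POST and GET /ufw/rules, POST and DELETE /ufw/rules/<rule_id>, GET /ufw/status) and turning the documented 400 and 404 answers into exceptions. Assumptions of the example: the rule text is sent as text/plain, since the page only says it goes in the request body; the default host is the page's placeholder your.fw.ip:5000; FakeFirewall is a constructed in-memory stand-in for the agent, used only so the client runs offline, and its JSON shape is invented, the real agent's being unspecified beyond "a JSON object containing the list of rules"; the management address 203.0.113.5 in the demo is likewise made up. The demo's first two rules lock the unauthenticated control port down to that management host, which is the mitigation the beta notice above calls for.

```python
"""Minimal client for the firewall resource's REST control API.

Added example for this page, not the project's own client. Paths, methods
and status codes follow the API documentation; Content-Type, the default
host and FakeFirewall's JSON shape are assumptions of this example.
"""
import json
import urllib.error
import urllib.request


class FirewallError(Exception):
    """One of the documented error responses: 400 (syntax) or 404 (no such rule)."""
    def __init__(self, status, body):
        super().__init__("HTTP %d: %s" % (status, body))
        self.status = status


class FirewallClient:
    def __init__(self, host="your.fw.ip", port=5000, opener=None):
        self.base = "http://%s:%d" % (host, port)   # docs: scheme is HTTP only
        # opener(request) -> (status, body_bytes); injectable for offline use.
        self.opener = opener or self._urllib_opener

    @staticmethod
    def _urllib_opener(req):
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:       # 400 / 404 arrive here
            return err.code, err.read()

    def _call(self, method, path, body=None):
        data = body.encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        if data is not None:
            req.add_header("Content-Type", "text/plain")   # assumption, see above
        status, raw = self.opener(req)
        if status != 200:
            raise FirewallError(status, raw.decode(errors="replace"))
        return raw.decode()

    # One method per documented endpoint; each returns the decoded body.
    def add_rule(self, rule):                # POST /ufw/rules          200 | 400
        return json.loads(self._call("POST", "/ufw/rules", rule))

    def list_rules(self):                    # GET /ufw/rules           200
        return json.loads(self._call("GET", "/ufw/rules"))

    def update_rule(self, rule_id, rule):    # POST /ufw/rules/<id>     200 | 400 | 404
        return json.loads(self._call("POST", "/ufw/rules/%s" % rule_id, rule))

    def delete_rule(self, rule_id):          # DELETE /ufw/rules/<id>   200 | 404
        return json.loads(self._call("DELETE", "/ufw/rules/%s" % rule_id))

    def status(self):                        # GET /ufw/status          200, plain text
        return self._call("GET", "/ufw/status")


class FakeFirewall:
    """Constructed stand-in for the agent: keeps rules in memory and answers
    with the documented status codes. Rule ids are 1, 2, ... in insertion order."""
    def __init__(self):
        self.rules, self.next_id = {}, 1

    @staticmethod
    def _looks_like_rule(text):
        return text.startswith(("allow ", "deny "))

    def __call__(self, req):
        method, path = req.get_method(), req.selector
        body = (req.data or b"").decode()
        if path == "/ufw/status":
            lines = ["Status: active"] + ["%d: %s" % kv for kv in sorted(self.rules.items())]
            return 200, "\n".join(lines).encode()
        if path == "/ufw/rules" and method == "POST":
            if not self._looks_like_rule(body):
                return 400, b"syntax error"
            self.rules[self.next_id] = body
            self.next_id += 1
        elif path.startswith("/ufw/rules/"):
            rule_id = int(path.rsplit("/", 1)[1])
            if rule_id not in self.rules:
                return 404, b"no such rule"
            if method == "DELETE":
                del self.rules[rule_id]
            elif not self._looks_like_rule(body):
                return 400, b"syntax error"
            else:
                self.rules[rule_id] = body
        return 200, json.dumps({"rules": self.rules}).encode()


if __name__ == "__main__":
    fw = FirewallClient(host="192.0.2.10", opener=FakeFirewall())
    # First job on an unauthenticated control port: let only the management
    # host (203.0.113.5, constructed) reach it, then deny everyone else.
    # ufw applies the first matching rule, so the allow goes in first.
    fw.add_rule("allow from 203.0.113.5 to any port 5000 proto tcp")
    fw.add_rule("deny 5000/tcp")
    print(fw.status())
```

Because the agent listens on plain HTTP with no authentication, run this client from the management host only, and keep the allow-before-deny order on port 5000 when you install the protective rules through the API itself.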