ÿØÿà JFIF    ÿÛ C    !"$"$ÿÛ C  ÿ p " ÿÄ     ÿÄ   ÿÚ   ÕÔË® (% aA*‚XYD¡(J„¡E¢RE,P€XYae )(E¤²€B¤R¥ BQ¤¢ X«)X…€¤  @ .............................................................................................................................................................................. ............................................................................. ÿØÿà JFIF    ÿÛ C    !"$"$ÿÛ C  ÿ p " ÿÄ     ÿÄ   ÿÚ   ÕÔË® (% aA*‚XYD¡(J„¡E¢RE,P€XYae )(E¤²€B¤R¥ BQ¤¢ X«)X…€¤  @ .............................................................................................................................................................................. ............................................................................. o Fa@szdZddlZddlZddlZddlmZddlZddlmZm Z m Z ddl m Z ddl ZddZdd ZGd d d ZdS) z'frontend.py: frontend interface for ufwN)UFWError)errorwarnmsg)UFWBackendIptablesc Cstj}dD] }|tj|qdD] }|tj|qdD] }|tj|q#dD] }|tj|q1dD] }|tj|q?dD] }|tj |qMgd}|D]}|tj ||tj |q_t |dkrd }|| d krd}|| d kr|| d kr|| |vr||d t |dksd |vrt |dkrtdz ||d d}W|Sty}ztd|jWYd}~|Sd}~wtytdddw)zEParse command. Returns tuple for action, rule, ip_version and dryrun.)enabledisablehelpz--helpversionz --versionreloadreset)listinfodefaultupdate)onoffZlowZmediumZhighZfull)allowdenyreject)NverboseZnumbered)rawz before-rulesz user-rulesz after-rulesz logging-rulesbuiltins listeningadded)rlimitrrinsertdeleteprepend --dry-runrrouteruleznot enough argsNz%szInvalid syntaxF)Zdo_exit)ufwparserZ UFWParserZregister_commandZUFWCommandBasicZ UFWCommandAppZUFWCommandLoggingZUFWCommandDefaultZUFWCommandStatusZUFWCommandShowUFWCommandRuleUFWCommandRouteRulelenlowerrr parse_commandrvalue Exception)argvpiZ rule_commandsidxprer4./usr/lib/python3/dist-packages/ufw/frontend.pyr+sP     r+cCstdidtjjddddddddd d d d d dddddddddddddddddddid d!d"d#d$d%d&d'd(d(d)d)d*d*d+d,d-d.d/d0d1d2d3d3d4d5d6d7d8d9d:d;dd?i}|S)@zPrint help messagea+ Usage: %(progname)s %(command)s %(commands)s: %(enable)-31s enables the firewall %(disable)-31s disables the firewall %(default)-31s set default policy %(logging)-31s set logging to %(level)s %(allow)-31s add allow %(rule)s %(deny)-31s add deny %(rule)s %(reject)-31s add reject %(rule)s %(limit)-31s add limit %(rule)s %(delete)-31s delete %(urule)s %(insert)-31s insert %(urule)s at %(number)s %(prepend)-31s prepend %(urule)s %(route)-31s add route %(urule)s %(route-delete)-31s delete route %(urule)s %(route-insert)-31s insert route %(urule)s at %(number)s %(reload)-31s reload firewall %(reset)-31s reset firewall %(status)-31s show firewall status %(statusnum)-31s show firewall status as numbered list of %(rules)s %(statusverbose)-31s show verbose firewall status %(show)-31s show firewall report %(version)-31s display version information %(appcommands)s: %(applist)-31s list application profiles %(appinfo)-31s show information on %(profile)s %(appupdate)-31s update %(profile)s %(appdefault)-31s set default application policy ZprognameZcommandZCOMMANDZcommandsZCommandsrrrz default ARGZloggingz logging LEVELlevelZLEVELrz allow ARGSr#rz deny ARGSrz reject ARGSrz limit ARGSrzdelete RULE|NUMZuruleZRULErzinsert NUM RULErz prepend RULEr"z route RULEz route-deletezroute delete RULE|NUMz route-insertzroute insert NUM RULEnumberZNUMr r statusZ statusnumzstatus numberedrulesZRULESZ statusverbosezstatus verboseshowzshow ARGr Z appcommandszApplication profile commandsZapplistzapp listZappinfozapp info PROFILEprofileZPROFILEZ appupdatezapp update PROFILEZ appdefaultzapp default ARG)_r%commonZ programName)Zhelp_msgr4r4r5get_command_help[s       !"Cr>c@seZdZdZ  d,ddZddZdd Zd d Zd-d dZd.ddZ ddZ ddZ ddZ d/ddZ d/ddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd/d*d+ZdS)0 UFWFrontendZUIiptablesNcCs\|dkrz t|||d|_Wntywtd|td|_td|_td|_dS)Nr@)rootdirdatadirzUnsupported backend type '%s'nyyes)rbackendr-rr<norEyes_full)selfdryrunZ backend_typerArBr4r4r5__init__s    zUFWFrontend.__init__c Cs|d}d}|rd}d}|r|jr|s|jrd}|rBz|j|jjdd|WntyA}z t|jWYd}~nd}~wwd}|rz|jWntyd}z |rZ|j}WYd}~nd}~ww|dkrz|j|jjdddWnty}z t|jWYd}~nd}~wwt|td }|Sz|j Wnty}z t|jWYd}~nd}~wwtd }|S) zlToggles ENABLED state in /ufw/ufw.conf and starts or stops running firewall. rGrEFTconfZENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup) rF is_enabledZ set_defaultfilesrrr,start_firewallr< stop_firewall)rIenabledresZ config_strZchangedr3Z error_strr4r4r5 set_enabledsb zUFWFrontend.set_enabledc Csnd}z|j||}|jr|j|jW|SW|Sty6}z t|jWYd}~|Sd}~ww)zSets default policy of firewallrLN)rFset_default_policyrNrQrPrrr,)rIpolicy directionrSr3r4r4r5rUs   zUFWFrontend.set_default_policyc CHd}z |j|}W|Sty#}z t|jWYd}~|Sd}~ww)zSets log level of firewallrLN)rF set_loglevelrrr,)rIr6rSr3r4r4r5rYzUFWFrontend.set_loglevelFc CsFz |j||}W|Sty"}z t|jWYd}~|Sd}~ww)zShows status of firewallN)rF get_statusrrr,)rIrZ show_countoutr3r4r4r5r[szUFWFrontend.get_statusrc CsDz |j|}W|Sty!}z t|jWYd}~|Sd}~ww)zShows raw output of firewallN)rFZget_running_rawrrr,)rIZ rules_typer\r3r4r4r5 get_show_raw szUFWFrontend.get_show_rawc Cs d}z tj|j}Wntytd}t|w|j}t | }| |D]}|js:|dvr:q.|d|7}t || }| |D]}|||D]} | d} | ds| dsd} |d|7}| d ksv| d kr|d 7}d | d} n |d | 7}tj | } |dtj| d7}tjjd|dd|| ddd} | |d| dkr| d| | |j| } t| dkr|d7}| D]}|dkr|dt|kr|d|tjj||df7}q|d7}qVqNq.|jstjd|S)zMShows listening services and incoming rules that might affect themrLzCould not get listening status)Ztcp6Zudp6z%s: Zladdrz127.z::1z %s z0.0.0.0z::z* z%s/0z%s z(%s)exerNr$inF)actionZprotocolZdportdstrWforward6r r z [%2d] %s z)Skipping tcp6 and udp6 (IPv6 is disabled))r%utilZparse_netstat_outputrFuse_ipv6r-r<r get_rulesr keyssort startswithZget_if_from_ipospathbasenamer=ZUFWRuleset_v6endswithZ set_interface normalizeZ get_matchingr)r&r' get_commanddebug)rIrSderr_msgr9Z protocolsprotoportsZportitemZaddrZifnamer#Zmatchingr0r4r4r5get_show_listeningsv              / zUFWFrontend.get_show_listeningcCs|j}td}t|dkr|tdSg}|jD]&}|jr+dtjj|}ntjj |}||vr7q| ||d|7}q|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):rz (None)route %sz ufw %s) rFrgr<r)rbr%r&r(rqr'append)rIr9r\rrrstrr4r4r5get_show_added\s     zUFWFrontend.get_show_addedc Csd}d}d}g}|jdkr|jdkr||ng}z|jr|dkr*|j|d}nF|dkr6|j|d}n:|dkrf|j|d}|j|d}|D]} |D]} | j} d| _| | sc| | _|| qNqJn td|}t |t |dkr|jj std }|dkr|}|WS|dkr|d }|WS|dkr|d |d }|WS|D]}| } |j| _| |j| |j|| qn|j|}|jdkr|Wntywd} d}td }|jd}|jd}t|D]\}} |} | j||kr |t| jd 7}t |z|jr|dkrT| jdkr4| dkr,|dkr,dnd}| |n| j|krG|t| jd 7}t || d|j| }n{|dkr| jdkrs| dkrk|dkrkdnd}| |n(| j|kr| | j|n| jdkr| j|kr|t| jd 7}t || d|j| }n'|dkr| j}| d|dkr| dkr|dkrdnd}| |n$| js||kr|j||| d}|dkr| |n| d|j| }| js|dkr|jd}| |d| d|dkr,| dkr$|dkr$dnd}| |n*| jsV| jdkrV| j|krV|j| jd}|dkrQ| || n| d|dkr_|d 7}| jsv| j|krv|dkrv| | j|||j| 7}nPtd|}t || jdkr| dkr|dkrdnd}| ||dks|dkr| d|j| }n|dkrtd}t |td|}t |Wnt y}z |j}d}WYd}~nd}~ww| jrtd}t |q|s||7}|St |dkrt!||Sd}t"t#| d}||D]9}| dkrV||rV|| }d|_z |||WqtyUd}td| $}t |Yqwq|td7}|rk|td7}t ||td7}t |)zUpdates firewall with rulerLv4Fv6TZbothzInvalid IP version '%s'rz"Could not delete non-existent rulez (v6)rdzInvalid position ''r zIPv6 support not enabledNz Rule changed after normalizationzCould not back out rule '%s'z" Error applying application rules.z# Some rules could not be unapplied.z( Attempted rules successfully unapplied.)%dappsapprzremoverFZget_app_rules_from_systemrmatchr<rr)rJZdup_ruleZ set_actionr`Z set_logtypeZlogtypeZget_app_rules_from_templateZpositionreverser-Zget_rules_count enumeratestrrfZ set_positionrnset_ruleZfind_other_positionr,updatedwarningsrrr rangeZ format_rule)rIr# ip_versionrSrttmpr9ZtmprulesZ tmprules6xrDZprev6r{countZ set_errorZ pos_err_msgZnum_v4Znum_v6r0ZbeginZuser_posr/r3Zwarn_msgZ undo_errorZindexesjZ backout_ruler4r4r5rysn                                                   zUFWFrontend.set_rulec CsPzt|}Wntytd|}t|w|j}|dks'|t|kr1td|}t||j|}|sCtd|}t|d|_d}|j rMd}d}|s|j r^dt j j |} nt j j|} td| |j|jd } t| tjd d tj} | d kr| |jkr| |jkrd }d } |r|||} | Std} | S)z Delete rulezCould not find rule '%s'rzCould not find rule '%d'Tr~rryz=Deleting: %(rule)s Proceed with operation (%(yes)s|%(no)s)? )r#rErGFoutputnewlinerDrLAborted)intr-r<rrFrgr)Zget_rule_by_numberrrrbr%r&r(rqr'rErGrsysstdoutstdinreadliner*striprHr) rIr7forcerCrtr9r#rproceedr|promptansrSr4r4r5 delete_ruleEsV          zUFWFrontend.delete_rulec CsHd}|dr"|d}t|dkr||d}|S|d}|S|dkr-|d}|S|drQtd }|d }t|d krEt|||d|d }|S|d kr\||}|S|dkrf|}|S|dkrq|d}|S|dr|d d}|dkr| }|S|dkr| }|S| |}|S|dkr|dd}|S|dkr| d}|S|dkr| d}|S|dkr|j r| d| dtd}|Std}|S|dr||d d|}|S|dks|dks|dks|dkr|jdkrGz|j |j}||jkr||_||d Wn,tyF}z|js,t|jtj|js < 86 4 2 0 .   )' %            zUFWFrontend.do_actionc CrX)z+Sets default application policy of firewallrLN)rFset_default_application_policyrrr,)rIrVrSr3r4r4r5rrZz*UFWFrontend.set_default_application_policycCs:t|jj}|td}|D]}|d|7}q|S)z*Display list of known application profileszAvailable applications: %s)r rFprofilesrhrir<)rInamesr|rCr4r4r5get_application_lists z UFWFrontend.get_application_listcCsg}|dkrt|jj}|ntj|s!td}t || |d}|D]}||jjvs8|jj|sBtd|}t |tj ||jj|sUtd}t ||td|7}|tdtj |jj|7}|tdtj |jj|7}tj|jj|}t|d ksd |d vr|td 7}n|td 7}|D]}|d|7}q||t|d kr|d7}q*tj|S)zDisplay information on profileallrrLzCould not find profile '%s'zInvalid profilez Profile: %s z Title: %s zDescription: %s r ,rzPorts:zPort:rz -- )r rFrrhrir%rrr<rrzZverify_profileZ get_titleZget_descriptionZ get_portsr)re wrap_text)rIZpnamerrtr|namervr/r4r4r5get_application_infosN           z UFWFrontend.get_application_infoc Cs d}d}d}z |jjrtjrd}Wn tyd}Ynw|dkrMt|jj}| |D]}|j |\}}|rK|dkrE|d7}||7}|}q1n|j |\}}|dkr]|d7}|r|j r|r~z|j Wntyuw|t d7}|S|t d7}|S)Refresh application profilerLTFrrdrzSkipped reloading firewall)rF do_checksr%re under_sshr-r rrhriZupdate_app_rulerNZ_reload_user_rulesr<) rIr;r|Z allow_reloadZtrigger_reloadrr/rfoundr4r4r5application_update sH    zUFWFrontend.application_updatecCs d}d}|dkrtd}t||jjd}|dkr&tjd||f|S|dkr-d}n|d kr4d }n|d kr;d }n td |}t|d g}|jjrQ|d|||g7}zt |}Wnt yewd|j vr{| |j |j d|j d}|S| |j dd}|S)rrLrz%Cannot specify 'all' with '--add-new'Zdefault_application_policyskipz'Policy is '%s', not adding profile '%s'ZacceptrZdroprrzUnknown policy '%s'r%r!r#Ziptype)r<rrFdefaultsr%rerrrJrzr+r-datarr`)rIr;r|rVrtrargsr2r4r4r5application_add8sF       zUFWFrontend.application_addcCsd}|dkr |d}|S|dkr|d}|S|dkr#|d}|S|dkr.|d }|S|d kr8|}|S|d krC||}|S|d ksK|d krm||}d}|d kr[||}|dkrg|dkrg|d7}||}|Std|}t|)zzPerform action on profile. action and profile are usually based on return values from parse_command(). rLz default-allowrz default-denyrzdefault-rejectrz default-skiprr rrzupdate-with-newrdr)rrrrrr<r)rIr`r;rSZstr1Zstr2rtr4r4r5do_application_actionbs<        z!UFWFrontend.do_application_actioncCsrd}|jjr7tjr7td|j|jd}t|t j ddt j }|dkr7||jkr7||jkr7d}|S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? rErGFrrD)rFrr%rerr<rErGrrrrrr*rrH)rIrrrr4r4r5continue_under_sshs zUFWFrontend.continue_under_sshcCsd}td|j|jd}|jjr!tjr!td|j|jd}|jjrP|sPttj |t j ddt j }|dkrP||jkrP||jkrPtd}|S|jr\||d7}|j}|S) zReset the firewallrLzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? rzResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? FrrDr)r<rErGrFrr%rerrrrrrrr*rrHrNrTr )rIrrSrrr4r4r5r s$     zUFWFrontend.reset)r@NN)FF)r)F)__name__ __module__ __qualname____doc__rKrTrUrYr[r]rxr}rrrrrrrrrrr r4r4r4r5r?s0 6  H M 1V  .+* r?)rrkrrZ ufw.commonrZufw.utilr%rrrZufw.backend_iptablesrZ ufw.parserr+r>r?r4r4r4r5s  >H