Firewall - Code Metrics - Inspection of "- redo a lot of the firewalling" - eduVPN/vpn-server-api - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( ca105e...9d9c7b )

by François

created 2016-08-03 07:17 UTC

Firewall A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	184
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	1

Importance

Changes	13
Bugs	2	Features	2

Metric	Value
wmc	32
c	13
b	2
f	2
lcom	1
cbo	1
dl	0
loc	184
rs	9.6

9 Methods

Rating	Name	Size	Complexity
A	getInputChain()	18	4
B	getNat()	26	4
A	getFirewall4()	4	1
A	getFirewall6()	4	1
A	getFirewall()	16	2
A	getFilter()	19	1
C	getForwardChain()	48	10
A	getForwardFirewall()	19	4
B	getIngressPorts()	19	5

<?php
/**
 * Copyright 2016 François Kooman <[email protected]>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace fkooman\VPN\Server;

class Firewall
{
    public static function getFirewall4(Pools $p, $asArray = false)
    {
        return self::getFirewall($p, 4, $asArray);
    }

    public static function getFirewall6(Pools $p, $asArray = false)
    {
        return self::getFirewall($p, 6, $asArray);
    }

    private static function getFirewall(Pools $p, $inetFamily, $asArray)
    {
        $firewall = [];

        // NAT
        $firewall = array_merge($firewall, self::getNat($p, $inetFamily));

        // FILTER
        $firewall = array_merge($firewall, self::getFilter($p, $inetFamily));

        if ($asArray) {
            return $firewall;
        }

        return implode(PHP_EOL, $firewall).PHP_EOL;
    }

    private static function getNat(Pools $p, $inetFamily)
    {
        $nat = [
            '*nat',
            ':PREROUTING ACCEPT [0:0]',
            ':INPUT ACCEPT [0:0]',
            ':OUTPUT ACCEPT [0:0]',
            ':POSTROUTING ACCEPT [0:0]',
        ];

        foreach ($p as $pool) {
            if ($pool->getUseNat()) {
                if (4 === $inetFamily) {
                    // get the IPv4 range
                    $srcNet = $pool->getRange()->getAddressPrefix();
                } else {
                    // get the IPv6 range
                    $srcNet = $pool->getRange6()->getAddressPrefix();
                }
                $nat[] = sprintf('-A POSTROUTING -s %s -o %s -j MASQUERADE', $srcNet, $pool->getExtIf());
            }
        }
        $nat[] = 'COMMIT';

        return $nat;
    }

    private static function getFilter(Pools $p, $inetFamily)
    {
        $filter = [
            '*filter',
            ':INPUT ACCEPT [0:0]',
            ':FORWARD ACCEPT [0:0]',
            ':OUTPUT ACCEPT [0:0]',
        ];

        // INPUT
        $filter = array_merge($filter, self::getInputChain($p, $inetFamily));

        // FORWARD
        $filter = array_merge($filter, self::getForwardChain($p, $inetFamily));

        $filter[] = 'COMMIT';

        return $filter;
    }

    private static function getInputChain(Pools $p, $inetFamily)
    {
        $inputChain = [
            '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT',
            sprintf('-A INPUT -p %s -j ACCEPT', 4 === $inetFamily ? 'icmp' : 'ipv6-icmp'),
            '-A INPUT -i lo -j ACCEPT',
        ];

        $inputPorts = self::getIngressPorts($p);
        foreach ($inputPorts as $inputPort) {
            list($proto, $port) = explode('/', $inputPort);
            $inputChain[] = sprintf('-A INPUT -m state --state NEW -m %s -p %s --dport %d -j ACCEPT', $proto, $proto, $port);
        }

        $inputChain[] = sprintf('-A INPUT -j REJECT --reject-with %s', 4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');

        return $inputChain;
    }

    private static function getForwardChain(Pools $p, $inetFamily)
    {
        $forwardChain = [
            '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT',
        ];

        foreach ($p as $pool) {
            if (6 === $inetFamily && !$pool->getForward6()) {
                // IPv6 forwarding was disabled
                continue;
            }

            if (4 === $inetFamily) {
                // get the IPv4 range
                $srcNet = $pool->getRange()->getAddressPrefix();
            } else {
                // get the IPv6 range
                $srcNet = $pool->getRange6()->getAddressPrefix();
            }
            $forwardChain[] = sprintf('-N vpn-%s', $pool->getId());

            $forwardChain[] = sprintf('-A FORWARD -i tun-%s+ -s %s -j vpn-%s', $pool->getId(), $srcNet, $pool->getId());

            // merge outgoing forwarding firewall rules to prevent certain
            // traffic
            $forwardChain = array_merge($forwardChain, self::getForwardFirewall($pool, $inetFamily));

            if ($pool->getClientToClient()) {
                // allow client-to-client
                $forwardChain[] = sprintf('-A vpn-%s -o tun-%s+ -d %s -j ACCEPT', $pool->getId(), $pool->getId(), $srcNet);
            }
            if ($pool->getDefaultGateway()) {
                // allow traffic to all outgoing destinations
                $forwardChain[] = sprintf('-A vpn-%s -o %s -j ACCEPT', $pool->getId(), $pool->getExtIf(), $srcNet);
            } else {
                // only allow certain traffic to the external interface
                foreach ($pool->getRoutes() as $route) {
                    if ($inetFamily === $route->getFamily()) {
                        $forwardChain[] = sprintf('-A vpn-%s -o %s -d %s -j ACCEPT', $pool->getId(), $pool->getExtIf(), $route->getAddressPrefix());
                    }
                }
            }
        }

        $forwardChain[] = sprintf('-A FORWARD -j REJECT --reject-with %s', 4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');

        return $forwardChain;
    }

    private static function getForwardFirewall(Pool $pool, $inetFamily)
    {
        $forwardFirewall = [];

        if ($pool->getBlockSmb()) {
            // drop SMB outgoing traffic
            // @see https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834
            foreach (['tcp', 'udp'] as $proto) {
                $forwardFirewall[] = sprintf(
                    '-A vpn-%s -o %s -m multiport -p %s --dports 137:139,445 -j REJECT --reject-with %s',
                    $pool->getId(),
                    $pool->getExtIf(),
                    $proto,
                    4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');
            }
        }

        return $forwardFirewall;
    }

    private static function getIngressPorts(Pools $p)
    {
        $ingressPorts = ['tcp/22', 'tcp/80', 'tcp/443'];

        // we only care about additional UDP ports, as we only want UDP and
        // fallback to tcp/443
        foreach ($p as $pool) {
            foreach ($pool->getInstances() as $instance) {
                if ('udp' === $instance->getProto()) {
                    $port = sprintf('udp/%d', $instance->getPort());
                    if (!in_array($port, $ingressPorts)) {
                        $ingressPorts[] = $port;
                    }
                }
            }
        }

        return $ingressPorts;
    }
}


1			<?php
2			/**
3			* Copyright 2016 François Kooman <[email protected]>.
4			*
5			* Licensed under the Apache License, Version 2.0 (the "License");
6			* you may not use this file except in compliance with the License.
7			* You may obtain a copy of the License at
8			*
9			* http://www.apache.org/licenses/LICENSE-2.0
10			*
11			* Unless required by applicable law or agreed to in writing, software
12			* distributed under the License is distributed on an "AS IS" BASIS,
13			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14			* See the License for the specific language governing permissions and
15			* limitations under the License.
16			*/
17
18			namespace fkooman\VPN\Server;
19
20			class Firewall
21			{
22			public static function getFirewall4(Pools $p, $asArray = false)
23			{
24			return self::getFirewall($p, 4, $asArray);
25			}
26
27			public static function getFirewall6(Pools $p, $asArray = false)
28			{
29			return self::getFirewall($p, 6, $asArray);
30			}
31
32			private static function getFirewall(Pools $p, $inetFamily, $asArray)
33			{
34			$firewall = [];
35
36			// NAT
37			$firewall = array_merge($firewall, self::getNat($p, $inetFamily));
38
39			// FILTER
40			$firewall = array_merge($firewall, self::getFilter($p, $inetFamily));
41
42			if ($asArray) {
43			return $firewall;
44			}
45
46			return implode(PHP_EOL, $firewall).PHP_EOL;
47			}
48
49			private static function getNat(Pools $p, $inetFamily)
50			{
51			$nat = [
52			'*nat',
53			':PREROUTING ACCEPT [0:0]',
54			':INPUT ACCEPT [0:0]',
55			':OUTPUT ACCEPT [0:0]',
56			':POSTROUTING ACCEPT [0:0]',
57			];
58
59			foreach ($p as $pool) {
60			if ($pool->getUseNat()) {
61			if (4 === $inetFamily) {
62			// get the IPv4 range
63			$srcNet = $pool->getRange()->getAddressPrefix();
64			} else {
65			// get the IPv6 range
66			$srcNet = $pool->getRange6()->getAddressPrefix();
67			}
68			$nat[] = sprintf('-A POSTROUTING -s %s -o %s -j MASQUERADE', $srcNet, $pool->getExtIf());
69			}
70			}
71			$nat[] = 'COMMIT';
72
73			return $nat;
74			}
75
76			private static function getFilter(Pools $p, $inetFamily)
77			{
78			$filter = [
79			'*filter',
80			':INPUT ACCEPT [0:0]',
81			':FORWARD ACCEPT [0:0]',
82			':OUTPUT ACCEPT [0:0]',
83			];
84
85			// INPUT
86			$filter = array_merge($filter, self::getInputChain($p, $inetFamily));
87
88			// FORWARD
89			$filter = array_merge($filter, self::getForwardChain($p, $inetFamily));
90
91			$filter[] = 'COMMIT';
92
93			return $filter;
94			}
95
96			private static function getInputChain(Pools $p, $inetFamily)
97			{
98			$inputChain = [
99			'-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT',
100			sprintf('-A INPUT -p %s -j ACCEPT', 4 === $inetFamily ? 'icmp' : 'ipv6-icmp'),
101			'-A INPUT -i lo -j ACCEPT',
102			];
103
104			$inputPorts = self::getIngressPorts($p);
105			foreach ($inputPorts as $inputPort) {
106			list($proto, $port) = explode('/', $inputPort);
107			$inputChain[] = sprintf('-A INPUT -m state --state NEW -m %s -p %s --dport %d -j ACCEPT', $proto, $proto, $port);
108			}
109
110			$inputChain[] = sprintf('-A INPUT -j REJECT --reject-with %s', 4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');
111
112			return $inputChain;
113			}
114
115			private static function getForwardChain(Pools $p, $inetFamily)
116			{
117			$forwardChain = [
118			'-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT',
119			];
120
121			foreach ($p as $pool) {
122			if (6 === $inetFamily && !$pool->getForward6()) {
123			// IPv6 forwarding was disabled
124			continue;
125			}
126
127			if (4 === $inetFamily) {
128			// get the IPv4 range
129			$srcNet = $pool->getRange()->getAddressPrefix();
130			} else {
131			// get the IPv6 range
132			$srcNet = $pool->getRange6()->getAddressPrefix();
133			}
134			$forwardChain[] = sprintf('-N vpn-%s', $pool->getId());
135
136			$forwardChain[] = sprintf('-A FORWARD -i tun-%s+ -s %s -j vpn-%s', $pool->getId(), $srcNet, $pool->getId());
137
138			// merge outgoing forwarding firewall rules to prevent certain
139			// traffic
140			$forwardChain = array_merge($forwardChain, self::getForwardFirewall($pool, $inetFamily));
141
142			if ($pool->getClientToClient()) {
143			// allow client-to-client
144			$forwardChain[] = sprintf('-A vpn-%s -o tun-%s+ -d %s -j ACCEPT', $pool->getId(), $pool->getId(), $srcNet);
145			}
146			if ($pool->getDefaultGateway()) {
147			// allow traffic to all outgoing destinations
148			$forwardChain[] = sprintf('-A vpn-%s -o %s -j ACCEPT', $pool->getId(), $pool->getExtIf(), $srcNet);
149			} else {
150			// only allow certain traffic to the external interface
151			foreach ($pool->getRoutes() as $route) {
152			if ($inetFamily === $route->getFamily()) {
153			$forwardChain[] = sprintf('-A vpn-%s -o %s -d %s -j ACCEPT', $pool->getId(), $pool->getExtIf(), $route->getAddressPrefix());
154			}
155			}
156			}
157			}
158
159			$forwardChain[] = sprintf('-A FORWARD -j REJECT --reject-with %s', 4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');
160
161			return $forwardChain;
162			}
163
164			private static function getForwardFirewall(Pool $pool, $inetFamily)
165			{
166			$forwardFirewall = [];
167
168			if ($pool->getBlockSmb()) {
169			// drop SMB outgoing traffic
170			// @see https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834
171			foreach (['tcp', 'udp'] as $proto) {
172			$forwardFirewall[] = sprintf(
173			'-A vpn-%s -o %s -m multiport -p %s --dports 137:139,445 -j REJECT --reject-with %s',
174			$pool->getId(),
175			$pool->getExtIf(),
176			$proto,
177			4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');
178			}
179			}
180
181			return $forwardFirewall;
182			}
183
184			private static function getIngressPorts(Pools $p)
185			{
186			$ingressPorts = ['tcp/22', 'tcp/80', 'tcp/443'];
187
188			// we only care about additional UDP ports, as we only want UDP and
189			// fallback to tcp/443
190			foreach ($p as $pool) {
191			foreach ($pool->getInstances() as $instance) {
192			if ('udp' === $instance->getProto()) {
193			$port = sprintf('udp/%d', $instance->getPort());
194			if (!in_array($port, $ingressPorts)) {
195			$ingressPorts[] = $port;
196			}
197			}
198			}
199			}
200
201			return $ingressPorts;
202			}
203			}
204

eduVPN / vpn-server-api

GitHub Access Token became invalid

Push — master ( ca105e...9d9c7b )

Firewall A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

9 Methods

Duplication Side-by-Side

Filter issues like