- Aug 28, 2020
Vojtech Myslivec authored
(cherry picked from commit 759f7911)
Vojtech Myslivec authored
Also add forgotten shebang (cherry picked from commit 4e9b69a9)
Vojtech Myslivec authored
(cherry picked from commit f2fb4e9c)
Vojtech Myslivec authored
Functions provided in sentinel.sh depend on OpenWrt functions.sh. When this script (sentinel.sh) is sourced and functions are called (e.g. in the nikola crontab), it ends up in an error as `config_load` and others are not found. (cherry picked from commit b2157001)
- Aug 14, 2020
Josef Schlehofer authored
- Aug 07, 2020
Michal Hrusecky authored
- Aug 06, 2020
Michal Hrusecky authored
Fixes: 9fde67a1 ("sentinel-i_agree_with_eula: New package to agree with eula")
Karel Koci authored
Added
* Argument `--renew` that automatically receives the latest version of the server certificate on client startup
* Argument `--cert-url` to specify the URL used to get the server's certificate when `--renew` is used

This also moves startup to be more in line with firewall and network. Dynamic firewall should start as soon as it makes sense, and that is right after we have the firewall configured (S19) and the network set up (S20). That makes starting at S25 a good option. We also stop it way later, before all network components are being stopped.
Martin Prudek authored
Fixed
* Crash caused by wrong default logrotate config file location
- Aug 05, 2020
Karel Koci authored
Fixed
* Crash when syslog-ng was restarted by Nikola and a log was sent to it by Nikola

Changed
* Executable renamed from `nikola` to `sentinel-nikola`
* Python package renamed from `nikola` to `sentinel_nikola`
* Cron now runs a shell script that checks if the EULA was approved as well as if Nikola is enabled before running it.
* Syslog-ng now filters packets with DROP fate as well as REJECT
- Aug 04, 2020
Michal Hrusecky authored
The use case for this package is either someone who doesn't have the WebUI and wants to collect data, or routers in special setups like contracts. It is easy to influence package selection for contracted routers, but much harder to influence uci settings.
- Aug 03, 2020
Karel Koci authored
Fixed
* Telnet getting stuck with a specific control sequence being received
Karel Koci authored
It should have been in the scl directory, as the include directory on its own is not automatically included.
- Jul 28, 2020
Josef Schlehofer authored
Karel Koci authored
- Jul 27, 2020
This introduces new minipots, namely FTP, HTTP and SMTP. It also completely reworks the existing telnet minipot.
- Jul 26, 2020
Karel Koci authored
Without this change iptables messages are included in /var/log/messages as well as in our target. That means without this we are not filtering them from the default log. The reason is that the source for the standard log is defined before the source for nikola's log. This means that the filter is applied late. Syslog-ng's scls are included before the main config while standard configs are appended. Including them so soon makes the filter effective.
- Jul 24, 2020
We use marking to be able to identify traffic for minipots and other probes and let it bypass the firewall. The marking is done by checking destination ports, e.g. 22, 23 etc. When marked in the mangle INPUT chain the destination ports were already REDIRECTed to the corresponding internal ports, e.g. 2525, 2333 etc., and thus no marking was done at all. Marking in the mangle PREROUTING chain is done before REDIRECT and thus the correct destination ports are matched.
Karel Koci authored
We have to check for EULA agreement before we run turris-survey.
- Jul 23, 2020
Josef Schlehofer authored
Revert HaaS proxy to version 2.0. It was reported and reproduced that you can log in to the honeypot, but you cannot do anything there. Basically, sessions are recorded but with empty commands. It looks like a graphical bug in a terminal. Related issue: https://gitlab.nic.cz/turris/turris-os-packages/-/issues/639 This reverts commit df36b76b.
- Jul 22, 2020
Martin Prudek authored
- Jul 13, 2020
The idea is that once the user agrees with the EULA, all components should be able to start. If the user does not want to run some component, then he can selectively disable it. The opposite, that the user would have to enable every single component, is counterproductive for our use case, when we want all users to automatically have all new components enabled; otherwise just a few users would enable them.
This changes the code a little bit. It uses tabs instead of spaces. Most of our shell code uses tabs. It is not a huge issue, but while I was at it, it made sense to flip it. Prints now do not state that "start" failed but rather print a generic error. In other words: "Failed to start" is removed. The reason is that this is not used just in components doing start but rather in any case checking if a component is enabled or not. The last tweak is that some unnecessary returns were removed and the general code was tweaked a little bit to be cleaner (such as replacement of a multi-line string with cat<<EOF).
- Jul 08, 2020
Karel Koci authored
This was just a forgotten end of an if statement.
Štěpán Henek authored
- Jul 02, 2020
Karel Koci authored
- Jul 01, 2020
Jan Pavlinec authored
- Jun 29, 2020
Martin Prudek authored
Install DATA means chmod 0644 instead of 755 (BIN)
Martin Prudek authored
Dependency for EULA was added even though proxy can run without it, but most of the time you will have proxy with minipot and/or nikola. In the proxy package, there is a configuration file for each sentinel part. While at it, add details on where you can find the EULA and how you can agree with it.
Martin Prudek authored
Martin Prudek authored
Karel Koci authored
Other sentinel packages and packages in general name uci-default scripts simply as uci-default (same as the init file is just init). This also enables the execution flag on executable files. They are installed as executable, but it is good practice to have them set as executable in the repository as well.
Karel Koci authored
This was pretty much the same code with the exception of the field to be set. All of those packages depend on sentinel-firewall and it is tied to activation of it. This makes sentinel-firewall an ideal package to place common code in.
Karel Koci authored
This uses the same log output as firewall3 does, but this can be modified later on to not interfere with the user's specified logging. This also opens doors for future usage of NFLOG instead of kernel messages.
Karel Koci authored
HaaS is not technically part of Sentinel but it needs pretty much the same machinery.
This introduces a new approach to configuring the updater. The problem with the previous solution, that was in fact brand new, was its overall chattiness. On one side it allowed users to modify and create their own firewall. On the other side it was easy to break it and required a lot of things to go right. A few notable problems are:
* Updates of user-specified rules if the configuration needed for Sentinel to work changes are pretty much impossible.
* Firewall3 in reality ignores in some cases (as for example mangle) source and target zone specification.
* Not all configurations supported by firewall3 are visible in LuCI, and modifying such a rule in LuCI resulted in a wrong config. This was most probably caused by invalid rule interpretation in LuCI and could be fixed.
* Every project had its own rule to bypass the dynamic firewall and duplicated code to add it to the firewall configuration.

Replacing UCI-configured rules with a script that inserts the appropriate rules gives us more freedom in how we do stuff. It is for example easy to filter traffic more precisely. It is possible to insert rules at the beginning to prepend all other possible rules (that was not as easily done with just UCI configs). At its core this package only adds an import rule to the UCI firewall for a script that later runs all executable files from a specific directory. This script-based design also easily allows sharing of code and functionality. This means for example that the dynamic firewall knows how to bypass its blocking rule and provides a library to other scripts to just specify the port and protocol to bypass.
- Jun 26, 2020