{ "info": { "author": "UNKNOWN", "author_email": "UNKNOWN", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Console", "License :: OSI Approved :: MIT License", "Natural Language :: English", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 2", "Programming Language :: Python :: 3", "Topic :: Security", "Topic :: System :: Networking :: Firewalls" ], "description": "Mignis\n======\n\nMignis is a semantic based tool for firewall configuration. It is designed to help \nwriting **iptables rules** using an more **human-readable syntax**, \nwithout restricting iptables functionalities.\n\nThe traslation from Mignis syntax into the corresponding iptables ruleset has been\n**formally verified** in a paper published in Computer Security Foundations Symposium (CSF), 2014:\n\n- `Mignis: A Semantic Based Tool for Firewall Configuration `_\n\nRequirements\n~~~~~~~~~~~~\n\n- Python 2.7 or higher (Python 3.x supported).\n\nInstallation\n~~~~~~~~~~~~\n\nLatest working version is available on PyPI:\n\n``pip install mignis``\n\nMost up-to-date way is to directly install the master branch from GitHub:\n\n``pip install--upgrade git+https://github.com/secgroup/Mignis.git``\n\nDescription\n~~~~~~~~~~~\n\nThere are many possible ways to write a set of iptables rules for a\nspecific purpose, we decided to use the following approach:\n\n- define each interface and its corresponding subnet.\n- bind the interface to the subnet (on the mangle-prerouting chain).\n This allows us to specify interfaces and/or IP addresses\n interchangeably (this is for example exploited in the translation of\n a masquerade rule).\n- give higher priority to deny rules, so that they are placed before\n any other abstract firewall rule (this has to be kept in mind when\n writing rules).\n- use logging rules to analyze mismatched traffic (which will be\n dropped).\n\nRules' ordering is fundamental when writing iptables rules. Our approach\ninstead allows to write a set of abstract **rules** which are\n**order-independent**.\n\nUsage\n~~~~~\n\n::\n\n usage: mignis.py [--help] [-F] [-c filename] [-w filename | -e | -q query]\n [-d {0,1,2,3}] [-n] [-f]\n\n A semantic based tool for firewall configuration\n\n optional arguments:\n --help, -h show this help message and exit\n -d {0,1,2,3}, --debug {0,1,2,3}\n set debugging output level (0-2)\n -n, --dryrun do not execute/write the rules (dryrun)\n -f, --force force rule execution or writing\n\n possible actions::\n -F, --flush flush iptables ruleset\n -c filename, --config filename\n read mignis rules from file\n\n options for --config/-c:\n -w filename, --write filename\n write the rules to file\n -e, --execute execute the rules without writing to file\n -q query, --query query\n perform a query over the configuration (unstable)\n\nMignis takes a configuration file and generates a series of iptables\nrules.\n\nRules can either be written to a file (in a format parsable by the\n``iptables-restore`` command) or directly executed via the ``iptables``\ncommand.\n\nUsage example:\n\n.. code:: bash\n\n ./mignis.py -c config/ex_simple.config -w ex_simple.iptables\n\nThis will create an *ex\\_simple.iptables* file from the\n*ex\\_simple.config* configuration. To actually use the rules we just\nhave to execute ``iptables-restore ex_simple.iptables``.\n\nConfiguration file example\n^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n::\n\n OPTIONS\n default_rules yes\n logging no\n\n INTERFACES\n lan eth0 10.0.0.0/24\n ext eth1 0.0.0.0/0\n dummy eth2 none ignore\n vpn tun0 10.8.0.0/24\n\n ALIASES\n mypc 10.0.0.2\n router_ext_ip 1.2.3.4\n malicious_host 5.6.7.8\n host_over_vpn 10.8.0.123\n remote_host_1 20.20.20.1\n remote_host_2 30.30.30.2\n remote_host_3 40.40.40.3\n remote_hosts (remote_host_1, remote_host_2, remote_host_3)\n\n FIREWALL\n # no restrictions on outgoing connections\n local > *\n\n # ssh accessible from the outside\n * > local:22 tcp\n\n # machines inside the lan are NAT'ed (using masquerade) when communicating through ext\n lan [.] > ext\n\n # forbid the communication with a malicious host\n lan / malicious_host\n\n # dnat to mypc on port 8888\n ext > [router_ext_ip:8888] mypc:8888 udp\n\n # dnat to host_over_vpn on port 9999 with masquerade\n ext [.] > [router_ext_ip:9999] host_over_vpn:9999 tcp\n\n # allow access to port 80 and 443 on this machine\n ext > local:(80, 443) tcp\n\n # allow only a limited set of hosts to access our vpn\n remote_hosts > local:1194 udp\n\n POLICIES\n * // * icmp\n * // * udp\n * / *\n\n CUSTOM\n # log and accept packets on port 7792\n -A INPUT -p tcp --dport 7792 -j LOG --log-prefix \"PORT 7792 \"\n -A INPUT -p tcp --dport 7792 -j ACCEPT\n\nEach configuration file needs 6 sections:\n\n- **OPTIONS**: at the moment two generic mignis options can be\n specified:\n\n - ``default_rules`` is used to choose whether to insert default\n rules or not. Default rules are usually safe to use and are\n hardcoded into mignis and concern broadcast/multicast packets,\n invalid packets drops and localhost loopback communication.\n - ``logging`` is used to choose whether to log unexplicitly dropped\n packets or not (i.e. packets which don't match any rule and get\n dropped by the default policy).\n\n- **INTERFACES**: defines each interface with their alias (which can be\n used when writing rules). The syntax is\n ``alias interface-name subnet options``. If the interface doesn't\n have an ip address the keyword ``none`` must be used in place of the\n subnet. At the moment the only option allowed is ``ignore``, which is\n used to tell mignis to always allow traffic on that interface (i.e.\n it is not taken into account in firewall rules).\n- **ALIASES**: defines aliases for IP addresses. The syntax is\n ``alias ip-address``.\n- **FIREWALL**: contains abstract rules. The syntax is\n ``abstract-rule | iptables-filters``.\n\n First we define an *address*, which is either an interface, an alias\n or an IP address.\n\n An *abstract rule* is defined as follows:\n ``from [source_nat] opt [dest_nat] to``\n\n - *from* and *to* are addresses,\n - *source\\_nat* is the address *from* will be SNAT'ed to (it's\n possible to use \".\" to indicate a masquerade),\n - *dest\\_nat* is the address *to* will be DNAT'ed to,\n - *opt* is one of: \"/\" (deny with DROP), \"//\" (deny with REJECT),\n \">\" (one-way forward), \"<>\" (two-way forward)\n\n Finally an *iptables filter* is any iptables option used for\n filtering packets. Common options may be \"--icmp-type echo-reply\",\n \"-m module\", etc.\n\n- **POLICIES**: the default mignis behavior for unmatched packets is to\n drop them. This section is useful if one wants to reject packets\n instead, using the mignis syntax for rules matching (only drop or\n reject rules can be specified). In the example we are rejecting icmp\n and udp packets, while we're dropping the rest (this last rule may be\n omitted, we wrote it there only for clarity).\n\n- **CUSTOM**: contains raw iptables rules. Note that you can also\n modify the tool's behavior here, since you can use the *-D* and *-I*\n switches for deleting and inserting rules in specific locations. We\n provide this section to add more flexibility, but we cannot guarantee\n that your custom rules will not conflict with the abstract ones, so\n please use this section with care and only if you know what you're\n doing.\n\nFirewall rules examples\n^^^^^^^^^^^^^^^^^^^^^^^\n\nLet's see some examples from the configuration above, to clearify how\nrules can be written and to see how they're translated into iptables\nrules.\n\n1. ``* > local:22 tcp``\\ Allows *ssh* (tcp port 22) connections\n towards localhost from any interface.\n\n ::\n\n iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n2. ``lan [.] > ext``\\ Allows packets originating from the *lan*\n interface to go to *ext*, using a source NAT (masquerade).\n\n ::\n\n iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT\n iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE\n\n3. ``lan / malicious_host``\\ Forbids the communication from the *lan*\n towards a *malicious host*.\n\n ::\n\n iptables -A FORWARD -i eth0 -d 5.6.7.8 -j DROP\n\n4. ``ext > [router_ext_ip:8888] mypc:8888 udp``\\ UDP packets\n originating from *ext* to *router\\_ext\\_ip* on port 8888, are DNAT'ed\n to *mypc* on port 8888.\n\n ::\n\n iptables -t mangle -A PREROUTING -p udp -i eth1 -d 10.0.0.2 --dport 8888 -m state --state NEW -j DROP\n iptables -A FORWARD -p udp -i eth1 -d 10.0.0.2 --dport 8888 -j ACCEPT\n iptables -t nat -A PREROUTING -p udp -i eth1 -d 1.2.3.4 --dport 8888 -j DNAT --to-destination 10.0.0.2:8888\n\n Note: the first mangle rule is used to block packets which are trying\n to reach *mypc* bypassing the NAT.\n\n5. ``ext [.] > [router_ext_ip:9999] host_over_vpn:9999 tcp``\\ TCP packets\n originating from *ext* to *router\\_ext\\_ip* on port 9999, are DNAT'ed\n to *host\\_over\\_vpn* on port 9999 using a source NAT (masquerade). The masquerade\n ensures that answers from *host\\_over\\_vpn* are routed through the vpn interface.\n\n ::\n\n iptables -t mangle -A PREROUTING -p tcp -i eth1 -d 10.8.0.123 --dport 9999 -m state --state NEW -j DROP\n iptables -A FORWARD -p tcp -i eth1 -d 10.8.0.123 --dport 9999 -j ACCEPT\n iptables -t nat -A POSTROUTING -p tcp -s 0.0.0.0/0 -d 10.8.0.123 --dport 9999 -j MASQUERADE\n iptables -t nat -A PREROUTING -p tcp -i eth1 -d 1.2.3.4 --dport 9999 -j DNAT --to-destination 10.8.0.123:9999\n\n Note: the first mangle rule is used to block packets which are trying\n to reach *host\\_over\\_vpn* bypassing the NAT.\n\n6. ``ext > local:(80, 443) tcp``\\ Allow access from *ext* to port 80 and 443 on the\n local machine.\n\n ::\n\n iptables -A INPUT -p tcp -i eth1 --dport 80 -j ACCEPT\n iptables -A INPUT -p tcp -i eth1 --dport 443 -j ACCEPT\n\n7. ``remote_hosts > local:1194 udp``\\ Only the list of hosts specified in *remote\\_hosts* can connect to our VPN.\n\n ::\n \n iptables -A INPUT -p udp -s 20.20.20.1 --dport 1194 -j ACCEPT\n iptables -A INPUT -p udp -s 30.30.30.2 --dport 1194 -j ACCEPT\n iptables -A INPUT -p udp -s 40.40.40.3 --dport 1194 -j ACCEPT\n\n\nWork in progress features (still unstable)\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n- Lists operations for excluding hosts/lists from a list. For example\n if we define a list alias \"list1 (eth0, eth1)\" and want a rule that\n is valid for *list1* except for the host *1.1.1.1* (which belongs to\n the interface *eth0*), we can write ``list1/1.1.1.1 > eth2``.\n- Improving checks for identifying overlapping rules.\n- Rules queries to list all the connections that match a particular\n host, this is useful to see all the packets a host can send/receive.\n This has to be expanded with lists and rules (exploiting the\n overlapping checks).\n\nFuture work for Mignis v2\n~~~~~~~~~~~~~~~~~~~~~~~~~\n\n- Complete code rewrite with a modular compiler-like design.\n- Support multiple firewall languages (iptables, nftables, Cisco, etc.)\n- Abstract-level rules optimizations.\n- Accept different kinds of configuration files (e.g. JSON, python\n scripts) and/or consider a richer language for writing the rules.\n- Provide a 2nd-level abstract semantic using security roles.", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/segroup/Mignis", "keywords": "iptables,firewall,semantic firewall configuration,netfilter", "license": "MIT", "maintainer": null, "maintainer_email": null, "name": "mignis", "package_url": "https://pypi.org/project/mignis/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/mignis/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://github.com/segroup/Mignis" }, "release_url": "https://pypi.org/project/mignis/0.9.5.post1/", "requires_dist": null, "requires_python": null, "summary": "Mignis is a semantic based tool for firewall configuration", "version": "0.9.5.post1" }, "last_serial": 2702296, "releases": { "0.9.3": [ { "comment_text": "", "digests": { "md5": "7a1a7f22ee22165d7c27ee74e26efb14", "sha256": "b0b1857368a2c308846ea4c1e56ad072ae229a3cfaccd36ca154877f796fd9d2" }, "downloads": -1, "filename": "mignis-0.9.3.tar.gz", "has_sig": false, "md5_digest": "7a1a7f22ee22165d7c27ee74e26efb14", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 27465, "upload_time": "2017-03-09T16:59:03", "url": "https://files.pythonhosted.org/packages/a8/84/eec97aef076480ae1f825562b14a32bbfaa54a9feed59233e9b993e28145/mignis-0.9.3.tar.gz" } ], "0.9.3.post1": [ { "comment_text": "", "digests": { "md5": "8ba76cf26641451175faa19bebffbc96", "sha256": "e5a623a76f4f875a73857f681445f4aca62422030849480994dbef8bc228c23d" }, "downloads": -1, "filename": "mignis-0.9.3.post1.tar.gz", "has_sig": false, "md5_digest": "8ba76cf26641451175faa19bebffbc96", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 26268, "upload_time": "2017-03-10T11:44:34", "url": "https://files.pythonhosted.org/packages/23/2d/77e9fa21d98e0056add4a4f11ab7bd86592eb7ec8a07320a7113a60195f5/mignis-0.9.3.post1.tar.gz" } ], "0.9.4": [ { "comment_text": "", "digests": { "md5": "4b431f35e123d3b46126dbc4f6ff9479", "sha256": "516d2a07dd08a600cda60c91cae4f40eb2c4d901306bd51d74dcb388f83d1589" }, "downloads": -1, "filename": "mignis-0.9.4.tar.gz", "has_sig": false, "md5_digest": "4b431f35e123d3b46126dbc4f6ff9479", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 32904, "upload_time": "2017-03-13T11:24:27", "url": "https://files.pythonhosted.org/packages/e0/99/bb002ba07f42ce5b9a3c7b98c58b94114181cd164e2cce09f1b818c2be23/mignis-0.9.4.tar.gz" } ], "0.9.5": [ { "comment_text": "", "digests": { "md5": "2ed3763cbed990a88f811b453b2b9c98", "sha256": "accffbf9226eeff841ed5f6d77459fb28474699a8d60388eca67aea30ed6c7bf" }, "downloads": -1, "filename": "mignis-0.9.5.tar.gz", "has_sig": false, "md5_digest": "2ed3763cbed990a88f811b453b2b9c98", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 32736, "upload_time": "2017-03-13T11:41:44", "url": "https://files.pythonhosted.org/packages/1a/9e/5f0c2af0d466e7e10fb2c0ce8447e899621c92daab253ecd81ce2b839958/mignis-0.9.5.tar.gz" } ], "0.9.5.post1": [ { "comment_text": "", "digests": { "md5": "435ed065e0ffdafa6b89effcb6e8955a", "sha256": "618a870fffd28742004912c2808fd83b4fdf5f2b76a14e8415c26382ed08c5c2" }, "downloads": -1, "filename": "mignis-0.9.5.post1.tar.gz", "has_sig": false, "md5_digest": "435ed065e0ffdafa6b89effcb6e8955a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 32748, "upload_time": "2017-03-13T12:54:27", "url": "https://files.pythonhosted.org/packages/69/7c/889388014613fe0d7c51ebcb08fa790b0e78a7bbf8f5759ec1be5f6a7fcd/mignis-0.9.5.post1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "435ed065e0ffdafa6b89effcb6e8955a", "sha256": "618a870fffd28742004912c2808fd83b4fdf5f2b76a14e8415c26382ed08c5c2" }, "downloads": -1, "filename": "mignis-0.9.5.post1.tar.gz", "has_sig": false, "md5_digest": "435ed065e0ffdafa6b89effcb6e8955a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 32748, "upload_time": "2017-03-13T12:54:27", "url": "https://files.pythonhosted.org/packages/69/7c/889388014613fe0d7c51ebcb08fa790b0e78a7bbf8f5759ec1be5f6a7fcd/mignis-0.9.5.post1.tar.gz" } ] }