github.com/wtfutil/wtf@v0.43.0/modules/security/firewall.go (about)

     1  package security
     2  
     3  import (
     4  	"bytes"
     5  	"os/exec"
     6  	"os/user"
     7  	"runtime"
     8  	"strings"
     9  
    10  	"github.com/wtfutil/wtf/utils"
    11  )
    12  
// osxFirewallCmd is the absolute path of the macOS Application Firewall
// command-line tool. Because the name contains path separators, exec.Command
// runs this exact file instead of searching the directories in PATH.
const osxFirewallCmd = "/usr/libexec/ApplicationFirewall/socketfilterfw"
    14  
    15  /* -------------------- Exported Functions -------------------- */
    16  
// FirewallState returns a display label for the host firewall's state,
// delegating to the helper that matches runtime.GOOS. Operating systems other
// than darwin, linux and windows produce an empty string.
func FirewallState() string {
	goos := runtime.GOOS

	if goos == "darwin" {
		return firewallStateMacOS()
	}
	if goos == "linux" {
		return firewallStateLinux()
	}
	if goos == "windows" {
		return firewallStateWindows()
	}

	// Unsupported platform: no check was attempted, so nothing is reported.
	return ""
}
    29  
// FirewallStealthState returns a display label for the firewall's stealth
// mode, delegating to the helper that matches runtime.GOOS. Operating systems
// other than linux, darwin and windows produce an empty string.
func FirewallStealthState() string {
	goos := runtime.GOOS

	if goos == "linux" {
		return firewallStealthStateLinux()
	}
	if goos == "darwin" {
		return firewallStealthStateMacOS()
	}
	if goos == "windows" {
		return firewallStealthStateWindows()
	}

	// Unsupported platform: no check was attempted, so nothing is reported.
	return ""
}
    42  
    43  /* -------------------- Unexported Functions -------------------- */
    44  
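// firewallStateLinux reports the ufw firewall state as a colour-tagged label.
//
// ufw is only queried when the process runs as root; every other account gets
// "[red]N/A[white]" without ufw being executed. When ufw is run, the result is
// "[red]NA[white]" if the command fails, "[red]Disabled[white]" if its output
// contains "inactive", and "[green]Enabled[white]" otherwise.
func firewallStateLinux() string { // might be very Ubuntu specific
	// The lookup error used to be discarded, which left a nil *user.User to be
	// dereferenced on failure. Report "not available" instead of panicking.
	u, err := user.Current()
	if err != nil || u == nil {
		return "[red]N/A[white]"
	}

	// Test the numeric UID rather than searching the login name for "root":
	// a substring match also accepts unprivileged names such as "notroot" and
	// misses UID-0 accounts that carry a different name.
	if u.Uid != "0" {
		return "[red]N/A[white]"
	}

	// NOTE(review): "ufw" is resolved through PATH while running as root. An
	// absolute path would rule out a same-named binary in a writable PATH
	// directory; confirm the install location on target distros before pinning.
	cmd := exec.Command("ufw", "status")

	var out bytes.Buffer
	cmd.Stdout = &out
	if err := cmd.Run(); err != nil {
		return "[red]NA[white]"
	}

	// NOTE(review): any output that lacks "inactive" is shown as Enabled, which
	// includes empty output; presumably translated output as well (verify).
	// The label therefore fails open when the text is not the expected one.
	if strings.Contains(out.String(), "inactive") {
		return "[red]Disabled[white]"
	}

	return "[green]Enabled[white]"
}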
    66  
// firewallStateMacOS runs socketfilterfw with --getglobalstate and converts
// its output into "on" or "off" via statusLabel.
//
// NOTE(review): what utils.ExecuteCommand returns when the command fails is
// not visible here; statusLabel maps any text without "enabled" to "off", so a
// failed check is presumably shown the same way as a disabled firewall.
func firewallStateMacOS() string {
	output := utils.ExecuteCommand(exec.Command(osxFirewallCmd, "--getglobalstate"))
	return statusLabel(output)
}
    73  
// firewallStateWindows asks PowerShell how many firewall profiles are enabled
// and maps that count to a colour-tagged label. Three enabled profiles is the
// best rating; output that is not "0" through "3" is reported as N/A.
func firewallStateWindows() string {
	// The raw way to do this in PS, not using netsh, nor registry, is the following:
	//   if (((Get-NetFirewallProfile | select name,enabled)
	//                                | where { $_.Enabled -eq $True } | measure ).Count -eq 3)
	//   { Write-Host "OK" -ForegroundColor Green} else { Write-Host "OFF" -ForegroundColor Red }

	// NOTE(review): "powershell.exe" is a bare name, so exec.Command resolves
	// it through PATH. The script itself is a fixed string with no
	// interpolated input.
	psCmd := exec.Command("powershell.exe", "-NoProfile",
		"-Command", "& { ((Get-NetFirewallProfile | select name,enabled) | where { $_.Enabled -eq $True } | measure ).Count }")

	// Always sanitize PowerShell output:  "3\r\n"
	enabledCount := strings.TrimSpace(utils.ExecuteCommand(psCmd))

	labels := map[string]string{
		"3": "[green]Good[white] (3/3)",
		"2": "[orange]Poor[white] (2/3)",
		"1": "[yellow]Bad[white] (1/3)",
		"0": "[red]Disabled[white]",
	}

	if label, known := labels[enabledCount]; known {
		return label
	}

	// Anything else (error text, empty output) is not a usable count.
	return "[white]N/A[white]"
}
    99  
   100  /* -------------------- Getting Stealth State ------------------- */
   101  // "Stealth": Not responding to pings from unauthorized devices
   102  
// firewallStealthStateLinux always returns the N/A label; no stealth-mode
// check is performed on Linux.
func firewallStealthStateLinux() string {
	const notAvailable = "[white]N/A[white]"
	return notAvailable
}
   106  
// firewallStealthStateMacOS runs socketfilterfw with --getstealthmode and
// converts its output into "on" or "off" via statusLabel.
//
// NOTE(review): what utils.ExecuteCommand returns when the command fails is
// not visible here; statusLabel maps any text without "enabled" to "off".
func firewallStealthStateMacOS() string {
	output := utils.ExecuteCommand(exec.Command(osxFirewallCmd, "--getstealthmode"))
	return statusLabel(output)
}
   113  
// firewallStealthStateWindows always returns the N/A label; no stealth-mode
// check is performed on Windows.
func firewallStealthStateWindows() string {
	const notAvailable = "[white]N/A[white]"
	return notAvailable
}
   117  
// statusLabel returns "on" when str contains the substring "enabled" and
// "off" for every other input, including the empty string. The match is
// case-sensitive.
func statusLabel(str string) string {
	if strings.Contains(str, "enabled") {
		return "on"
	}

	return "off"
}