private void RemoveRulesNotRequried(List <FirewallRule> newRules)
{
#if !DotNetCoreClrIOT
List <string> rulesToBeDeleted = new List <string>();
foreach (var rule in this.rules)
{
NetFwRule fwRule = (NetFwRule)rule;
if (fwRule == null)
{
continue;
}
if (FabricNodeFirewallRules.IsFabricFirewallRule(fwRule))
{
if (newRules.All(newRule => newRule.Name != fwRule.Name)) // Firewall rule is not in the set of new rules
{
rulesToBeDeleted.Add(fwRule.Name);
}
}
}
foreach (string ruleToBeDeleted in rulesToBeDeleted)
{
rules.Remove(ruleToBeDeleted);
}
#endif
}
public void RemoveWindowsFabricRules()
{
#if !DotNetCoreClrIOT
List <string> windowsFabricRuleNames = new List <string>();
foreach (var rule in this.rules)
{
NetFwRule fwRule = (NetFwRule)rule;
if (FabricNodeFirewallRules.IsFabricFirewallRule(fwRule))
{
windowsFabricRuleNames.Add(fwRule.Name);
}
}
foreach (var ruleName in windowsFabricRuleNames)
{
this.rules.Remove(ruleName);
}
#endif
}
public static List <FirewallRule> GetRulesForNode(string nodeName,
string leaseDriverPort,
string applicationPorts,
string httpGatewayPort,
string httpAppGatewayPort,
string fabricPath,
string dcaPath,
string fileStoreServicePath,
string fabricGatewayPath,
string fabricAppGatewayPath,
string faultAnalysisServicePath,
string backupRestoreServicePath,
string fabricUpgradeServicePath,
string fabricRepairServicePath,
string fabricInfrastructureServicePath,
string upgradeOrchestrationServicePath,
string centralSecretServicePath,
string eventStoreServicePath,
string gatewayResourceManagerPath,
string dynamicPorts,
SettingsOverridesTypeSection securitySection)
{
FabricNodeFirewallRules nodeRules = new FabricNodeFirewallRules()
{
ApplicationPorts = applicationPorts,
FabricPath = fabricPath,
LeaseDriverPort = leaseDriverPort,
NodeName = nodeName,
DCAPath = dcaPath,
FileStoreServicePath = fileStoreServicePath,
HttpGatewayPort = httpGatewayPort,
FabricGatewayPath = fabricGatewayPath,
HttpAppGatewayPort = httpAppGatewayPort,
FabricAppGatewayPath = fabricAppGatewayPath,
FaultAnalysisServicePath = faultAnalysisServicePath,
BackupRestoreServicePath = backupRestoreServicePath,
FabricUpgradeServicePath = fabricUpgradeServicePath,
FabricRepairServicePath = fabricRepairServicePath,
FabricInfrastructureServicePath = fabricInfrastructureServicePath,
UpgradeOrchestrationServicePath = upgradeOrchestrationServicePath,
CentralSecretServicePath = centralSecretServicePath,
EventStoreServicePath = eventStoreServicePath,
GatewayResourceManagerPath = gatewayResourceManagerPath,
DynamicPorts = dynamicPorts
};
#if !DotNetCoreClrLinux && !DotNetCoreClrIOT
policy = (INetFwPolicy2)Activator.CreateInstance(policyType);
#endif
fwProfileSet = GetAllRequiredProfiles(securitySection);
List <FirewallRule> rules = new List <FirewallRule>();
#if !DotNetCoreClrLinux && !DotNetCoreClrIOT // Application Path specific rules are not valid for Linux
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricExceptionTemplate, nodeRules.FabricPath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricExceptionTemplate, nodeRules.FabricPath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricDCaExceptionTemplate, nodeRules.DCAPath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FileStoreServiceExceptionTemplate, nodeRules.FileStoreServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FileStoreServiceExceptionTemplate, nodeRules.FileStoreServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricGatewayExceptionTemplate, nodeRules.FabricGatewayPath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricGatewayExceptionTemplate, nodeRules.FabricGatewayPath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FaultAnalysisServiceExceptionTemplate, nodeRules.FaultAnalysisServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FaultAnalysisServiceExceptionTemplate, nodeRules.FaultAnalysisServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.BackupRestoreServiceExceptionTemplate, nodeRules.BackupRestoreServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.BackupRestoreServiceExceptionTemplate, nodeRules.BackupRestoreServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.UpgradeOrchestrationServiceExceptionTemplate, nodeRules.UpgradeOrchestrationServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.UpgradeOrchestrationServiceExceptionTemplate, nodeRules.UpgradeOrchestrationServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.CentralSecretServiceExceptionTemplate, nodeRules.CentralSecretServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.CentralSecretServiceExceptionTemplate, nodeRules.CentralSecretServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricUpgradeServiceExceptionTemplate, nodeRules.FabricUpgradeServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricUpgradeServiceExceptionTemplate, nodeRules.FabricUpgradeServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricRepairServiceExceptionTemplate, nodeRules.FabricRepairServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricRepairServiceExceptionTemplate, nodeRules.FabricRepairServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricInfrastructureServiceExceptionTemplate, nodeRules.FabricInfrastructureServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.FabricInfrastructureServiceExceptionTemplate, nodeRules.FabricInfrastructureServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.EventStoreServiceExceptionTemplate, nodeRules.EventStoreServicePath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.EventStoreServiceExceptionTemplate, nodeRules.EventStoreServicePath, FabricNodeFirewallRules.outDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.GatewayResourceManagerExceptionTemplate, nodeRules.GatewayResourceManagerPath, FabricNodeFirewallRules.inDirection);
AddApplicationPathExceptionProfileRules(rules, nodeRules, FabricNodeFirewallRules.GatewayResourceManagerExceptionTemplate, nodeRules.GatewayResourceManagerPath, FabricNodeFirewallRules.outDirection);
#endif
AddLeaseDriverExceptionProfileRule(rules, nodeRules, FabricNodeFirewallRules.inDirection);
AddLeaseDriverExceptionProfileRule(rules, nodeRules, FabricNodeFirewallRules.outDirection);
if (!string.IsNullOrEmpty(httpGatewayPort))
{
AddHttpGatewayExceptionProfilesRule(rules, nodeRules);
}
if (!string.IsNullOrEmpty(httpAppGatewayPort))
{
AddHttpAppGatewayExceptionProfilesRule(rules, nodeRules);
}
if (!string.IsNullOrEmpty(applicationPorts))
{
AddApplicationPortRangeExceptionProfileRules(rules, nodeRules);
}
if (!string.IsNullOrEmpty(dynamicPorts))
{
AddDynamicPortRangeExceptionProfileRules(rules, nodeRules);
}
return(rules);
}
private static void AddDynamicPortRangeExceptionProfileRules(List <FirewallRule> rules, FabricNodeFirewallRules nodeRules)
{
foreach (NET_FW_PROFILE_TYPE2_ fwProfile in fwProfileSet)
{
rules.Add(nodeRules.GetDynamicPortRangeExceptionRule(FabricNodeFirewallRules.inDirection, FabricNodeFirewallRules.ProtocolTcp, fwProfile));
rules.Add(nodeRules.GetDynamicPortRangeExceptionRule(FabricNodeFirewallRules.outDirection, FabricNodeFirewallRules.ProtocolTcp, fwProfile));
rules.Add(nodeRules.GetDynamicPortRangeExceptionRule(FabricNodeFirewallRules.inDirection, FabricNodeFirewallRules.ProtocolUdp, fwProfile));
rules.Add(nodeRules.GetDynamicPortRangeExceptionRule(FabricNodeFirewallRules.outDirection, FabricNodeFirewallRules.ProtocolUdp, fwProfile));
}
}
private static void AddHttpAppGatewayExceptionProfilesRule(List <FirewallRule> rules, FabricNodeFirewallRules nodeRules)
{
foreach (NET_FW_PROFILE_TYPE2_ fwProfile in fwProfileSet)
{
rules.Add(nodeRules.GetHttpGatewayExceptionRule(
FabricNodeFirewallRules.FabricHttpAppGatewayExceptionTemplate,
nodeRules.HttpAppGatewayPort,
FabricNodeFirewallRules.outDirection,
fwProfile));
rules.Add(nodeRules.GetHttpGatewayExceptionRule(
FabricNodeFirewallRules.FabricHttpAppGatewayExceptionTemplate,
nodeRules.HttpAppGatewayPort,
FabricNodeFirewallRules.inDirection,
fwProfile));
}
}
private static void AddLeaseDriverExceptionProfileRule(List <FirewallRule> rules, FabricNodeFirewallRules nodeRules, string direction)
{
foreach (NET_FW_PROFILE_TYPE2_ fwProfile in fwProfileSet)
{
rules.Add(nodeRules.GetLeaseDriverExceptionRule(direction, fwProfile));
}
}
private static void AddApplicationPathExceptionProfileRules(List <FirewallRule> rules, FabricNodeFirewallRules nodeRules, string template, string path, string direction)
{
foreach (NET_FW_PROFILE_TYPE2_ fwProfile in fwProfileSet)
{
rules.Add(nodeRules.GetApplicationPathException(template, path, direction, fwProfile));
}
}
public static List <FirewallRule> GetRulesForNode2(string nodeName,
string clientConnectionPort,
string serviceConnectionPort,
string clusterConnectionPort,
string clusterManagerReplicatorPort,
string repairManagerReplicatorPort,
string namingReplicatorPort,
string failoverManagerReplicatorPort,
string imageStoreServiceReplicatorPort,
string upgradeServiceReplicatorPort)
{
List <FirewallRule> rules = new List <FirewallRule>();
FabricNodeFirewallRules nodeRules = new FabricNodeFirewallRules()
{
NodeName = nodeName,
};
rules.Add(nodeRules.GetCustomTcpPortException(FabricNodeFirewallRules.ClientConnectionExceptionTemplate, clientConnectionPort, FabricNodeFirewallRules.inDirection));
rules.Add(nodeRules.GetCustomTcpPortException(FabricNodeFirewallRules.ClientConnectionExceptionTemplate, clientConnectionPort, FabricNodeFirewallRules.outDirection));
rules.Add(nodeRules.GetCustomTcpPortException(FabricNodeFirewallRules.ServiceConnectionExceptionTemplate, serviceConnectionPort, FabricNodeFirewallRules.inDirection));
rules.Add(nodeRules.GetCustomTcpPortException(FabricNodeFirewallRules.ServiceConnectionExceptionTemplate, serviceConnectionPort, FabricNodeFirewallRules.outDirection));
rules.Add(nodeRules.GetCustomTcpPortException(FabricNodeFirewallRules.ClusterConnectionExceptionTemplate, clusterConnectionPort, FabricNodeFirewallRules.inDirection));
rules.Add(nodeRules.GetCustomTcpPortException(FabricNodeFirewallRules.ClusterConnectionExceptionTemplate, clusterConnectionPort, FabricNodeFirewallRules.outDirection));
if (!string.IsNullOrEmpty(clusterManagerReplicatorPort))
{
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.ClusterManagerReplicatorEndpointExceptionTemplate,
clusterManagerReplicatorPort, FabricNodeFirewallRules.inDirection));
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.ClusterManagerReplicatorEndpointExceptionTemplate,
clusterManagerReplicatorPort, FabricNodeFirewallRules.outDirection));
}
if (!string.IsNullOrEmpty(repairManagerReplicatorPort))
{
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.RepairManagerReplicatorEndpointExceptionTemplate,
repairManagerReplicatorPort, FabricNodeFirewallRules.inDirection));
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.RepairManagerReplicatorEndpointExceptionTemplate,
repairManagerReplicatorPort, FabricNodeFirewallRules.outDirection));
}
if (!string.IsNullOrEmpty(namingReplicatorPort))
{
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.NamingReplicatorEndpointExceptionTemplate, namingReplicatorPort,
FabricNodeFirewallRules.inDirection));
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.NamingReplicatorEndpointExceptionTemplate, namingReplicatorPort,
FabricNodeFirewallRules.outDirection));
}
if (!string.IsNullOrEmpty(failoverManagerReplicatorPort))
{
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.FailoverManagerReplicatorEndpointExceptionTemplate,
failoverManagerReplicatorPort, FabricNodeFirewallRules.inDirection));
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.FailoverManagerReplicatorEndpointExceptionTemplate,
failoverManagerReplicatorPort, FabricNodeFirewallRules.outDirection));
}
if (!string.IsNullOrEmpty(imageStoreServiceReplicatorPort))
{
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.ImageStoreServiceReplicatorEndpointExceptionTemplate,
imageStoreServiceReplicatorPort, FabricNodeFirewallRules.inDirection));
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.ImageStoreServiceReplicatorEndpointExceptionTemplate,
imageStoreServiceReplicatorPort, FabricNodeFirewallRules.outDirection));
}
if (!string.IsNullOrEmpty(upgradeServiceReplicatorPort))
{
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.UpgradeServiceReplicatorEndpointExceptionTemplate,
upgradeServiceReplicatorPort, FabricNodeFirewallRules.inDirection));
rules.Add(
nodeRules.GetCustomTcpPortException(
FabricNodeFirewallRules.UpgradeServiceReplicatorEndpointExceptionTemplate,
upgradeServiceReplicatorPort, FabricNodeFirewallRules.outDirection));
}
return(rules);
}
private static List <FirewallRule> GetRulesForNodes(List <NodeSettings> nodes, SettingsOverridesTypeSection securitySection)
{
List <FirewallRule> newRules = new List <FirewallRule>();
foreach (NodeSettings setting in nodes)
{
string fabricPath = Path.Combine(
setting.DeploymentFoldersInfo.GetCodeDeploymentDirectory(Constants.FabricService),
Constants.ServiceExes[Constants.FabricService]);
string dcaPath = Path.Combine(
setting.DeploymentFoldersInfo.GetCodeDeploymentDirectory(Constants.DCAService),
Constants.ServiceExes[Constants.DCAService]);
string fileStoreServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.FileStoreService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.FileStoreService]);
string fabricGatewayPath = Path.Combine(
setting.DeploymentFoldersInfo.GetCodeDeploymentDirectory(Constants.FabricService),
Constants.ServiceExes[Constants.FabricGatewayService]);
string fabricAppGatewayPath = Path.Combine(
setting.DeploymentFoldersInfo.GetCodeDeploymentDirectory(Constants.FabricService),
Constants.ServiceExes[Constants.FabricApplicationGatewayService]);
string faultAnalysisServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.FaultAnalysisService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.FaultAnalysisService]);
#if !DotNetCoreClrLinux
string backupRestoreServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.BackupRestoreService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.BackupRestoreService]);
#else
string backupRestoreServicePath = null;
#endif
string fabricUpgradeServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.FabricUpgradeService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.FabricUpgradeService]);
string fabricRepairServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.FabricRepairManagerService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.FabricRepairManagerService]);
string fabricInfrastructureServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.FabricInfrastructureService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.FabricInfrastructureService]);
#if !DotNetCoreClrLinux && !DotNetCoreClrIOT
string centralsecretServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.CentralSecretService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.CentralSecretService]);
#else
string centralsecretServicePath = null;
#endif
#if !DotNetCoreClrLinux
string upgradeOrchestrationServicePath = Path.Combine(
GetFabricSystemApplicationCodeFolder(setting.DeploymentFoldersInfo, Constants.UpgradeOrchestrationService, Constants.SystemServiceCodePackageName, Constants.SystemServiceCodePackageVersion),
Constants.ServiceExes[Constants.UpgradeOrchestrationService]);
#else
string upgradeOrchestrationServicePath = null;
#endif
string leaseDriverPort = null;
string applicationPortRange = null;
string dynamicPortRange = null;
string httpGatewayPort = null;
string httpAppGatewayPort = null;
GetPorts(
setting,
out leaseDriverPort,
out applicationPortRange,
out httpGatewayPort,
out httpAppGatewayPort,
out dynamicPortRange);
var rulesForNode = FabricNodeFirewallRules.GetRulesForNode(
setting.NodeName,
leaseDriverPort,
applicationPortRange,
httpGatewayPort,
httpAppGatewayPort,
fabricPath,
dcaPath,
fileStoreServicePath,
fabricGatewayPath,
fabricAppGatewayPath,
faultAnalysisServicePath,
backupRestoreServicePath,
fabricUpgradeServicePath,
fabricRepairServicePath,
fabricInfrastructureServicePath,
upgradeOrchestrationServicePath,
centralsecretServicePath,
dynamicPortRange,
securitySection);
newRules.AddRange(rulesForNode);
#if DotNetCoreClrLinux
string clientConnectionPort = null;
string clusterConnectionPort = null;
string serviceConnectionPort = null;
string clusterManagerReplicatorPort = null;
string repairManagerReplicatorPort = null;
string namingReplicatorPort = null;
string failoverManagerReplicatorPort = null;
string imageStoreServiceReplicatorPort = null;
string upgradeServiceReplicatorPort = null;
GetPorts2(
setting,
out clientConnectionPort,
out serviceConnectionPort,
out clusterConnectionPort,
out clusterManagerReplicatorPort,
out repairManagerReplicatorPort,
out namingReplicatorPort,
out failoverManagerReplicatorPort,
out imageStoreServiceReplicatorPort,
out upgradeServiceReplicatorPort);
var rulesForNode2 = FabricNodeFirewallRules.GetRulesForNode2(
setting.NodeName,
clientConnectionPort,
serviceConnectionPort,
clusterConnectionPort,
clusterManagerReplicatorPort,
repairManagerReplicatorPort,
namingReplicatorPort,
failoverManagerReplicatorPort,
imageStoreServiceReplicatorPort,
upgradeServiceReplicatorPort);
newRules.AddRange(rulesForNode2);
#endif
}
return(newRules);
}
