cloudwatt
diff --git a/‎LICENSE‎
Lines changed: 674 additions & 0 deletions b/‎LICENSE‎
Lines changed: 674 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 86 additions & 0 deletions b/‎README.md‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎backup/.gitignore‎ b/‎backup/.gitignore‎
diff --git a/‎backup/firewall/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎backup/firewall/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎backup/firewall/configurations/.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎backup/firewall/configurations/.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎configurations/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎configurations/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎configurations/firewall.json‎
Lines changed: 122 additions & 0 deletions b/‎configurations/firewall.json‎
Lines changed: 122 additions & 0 deletions
diff --git a/‎firewall.php.example‎
Lines changed: 35 additions & 0 deletions b/‎firewall.php.example‎
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,86 @@
+# PHP-CLI SHELL for FIREWALL
+
+This repository is the addon for PHP-CLI SHELL about FIREWALL (acl) service.  
+With this addon you can create ACLs (monosite, failover and fullmesh) and generate template for your firewall appliance.  
+For the moment, only JunOS templates are availables. There are 2 templates for JunOS: one formated with {} and one with set commands.    
+
+ACL monosite: basic ACL, source(s), destination(s), no automation. For this ACL category you can not enable fullmesh option! 
+ACL failover: failover ACL(s) will be automaticaly generated for all failover sites in inbound or outbound.  
+ACL failover with fullmesh option: source and destination of ACL will be isolated to process automation.
+
+You have to use base PHP-CLI SHELL project that is here: https://github.com/cloudwatt/php-cli-shell_base
+
+
+# INSTALLATION
+
+#### APT PHP
+__*https://launchpad.net/~ondrej/+archive/ubuntu/php*__
+* add-apt-repository ppa:ondrej/php
+* apt-get update
+* apt install php7.1-cli php7.1-mbstring php7.1-readline
+
+#### REPOSITORIES
+* git clone https://github.com/cloudwatt/php-cli-shell_base
+* git checkout tags/v1.1
+* git clone https://github.com/cloudwatt/php-cli-shell_firewall
+* git checkout tags/v1.0
+* Merge these two repositories
+
+#### PHPIPAM (Optionnal)
+If you have PHPIPAM and you want object name autocompletion, you have to perform these steps:
+* git clone https://github.com/cloudwatt/php-cli-shell_phpipam
+* git checkout tags/v1.1
+* Merge this repository with two previous repositories (base and firewall)
+* Install PHP-CLI SHELL for PHPIPAM with README helper  
+  https://github.com/cloudwatt/php-cli-shell_phpipam/blob/master/README.md
+	
+#### CONFIGURATION FILE
+* mv configurations/firewall.json.example configurations/firewall.json
+* vim configurations/firewall.json
+    * Adapt configuration to your network topology
+	* Of course you can add more than two sites
+	* Do not change topology attribute names: internet, onPremise, interSite, private
+	* /!\ Zone name between site (MPLS-ADM, MPLS-USR) must be the same on all sites  
+	  *This is will change in next release to add more flexibility*
+* Optionnal
+    * You can create user configuration files for base and firewall services to overwrite some configurations  
+	  These files will be ignored for commits, so your user config files can not be overwrited by a futur release
+	* vim configurations/firewall.user.json
+	  Change configuration like path or file
+	* All *.user.json files are ignored by .gitignore
+	
+
+#### PHP LAUNCHER FILE
+* mv firewall.php.example firewall.php
+* vim firewall.php
+    * Change [IPAM_SERVER_KEY] with the key of your PHPIPAM server in configuration file  
+	  You can add many PHPIPAM server, it is compatible multiple PHPIPAM  
+	  If you have not PHPIPAM service, remove argument or keep it empty
+
+#### CREDENTIALS FILE (Only if you install PHPIPAM service)
+/!\ For security reason, use a read only account!  
+__*Change informations which are between []*__
+* vim credentialsFile
+    * read -sr USER_PASSWORD_INPUT
+    * export IPAM_[IPAM_SERVER_KEY]_LOGIN=[YourLoginHere]
+    * export IPAM_[IPAM_SERVER_KEY]_PASSWORD=$USER_PASSWORD_INPUT  
+	__Change [IPAM_SERVER_KEY] with the key of your PHPIPAM server in configuration file__
+
+
+# EXECUTION
+
+#### SHELL
+Launch PHP-CLI Shell for FIREWALL service
+* source credentialsFile
+* php firewall.php
+
+#### CLI
+Call commands directly from your OS shell.  
+__*Informations between [] are optionnal*__
+* source credentialsFile
+* php firewall.php --site name|all --create_host "name;IPv4[;IPv6]" --create_subnet "name;IPv4/mask[;IPv6/mask]" --create_network "name;IPv4-IPv4[;IPv6-IPv6]"  
+  --create_rule monosite|failover [--fullmesh] --action permit|deny  
+  --source_host name --source_subnet name --source_network name  
+  --destination_host name --destination_subnet name --destination_network name  
+  --protocol protocol;number[-number] --description maDescription  
+  --save [name;[force]] --export_configuration "junos[;force]"
@@ -0,0 +1 @@
+objects.json
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
@@ -0,0 +1 @@
+*.user.json
@@ -0,0 +1,122 @@
+{
+	"FIREWALL": {
+		"sites": {
+			"site_A": {
+				"location": "Paris, FRANCE",
+				"hostname": "firewall_A",
+				"os": "juniper-junos",
+				"ip": "1.2.3.4",
+				"gui": "https",
+				"zones": {
+					"WAN": {
+						"ipv4": [ "0.0.0.0/0" ],
+						"ipv6": [ "::/0" ]
+					},
+					"VPN-C": {
+						"ipv4": [ "10.0.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:0::/64" ]
+					},
+					"VPN-D":	{
+						"ipv4": [ "10.1.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:1::/64" ]
+					},
+					"LOCAL-ADM":	{
+						"ipv4": [ "10.2.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:2::/64" ]
+					},
+					"LOCAL-USR": {
+						"ipv4": [ "10.3.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:3::/64" ]
+					},
+					"MPLS-ADM": {
+						"ipv4": [ "10.4.0.0/16", "10.6.0.0/16", "10.8.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:4::/64", "2a04:2507:0:6::/64", "2a04:2507:0:8::/64" ]
+					},
+					"MPLS-USR": {
+						"ipv4": [ "10.5.0.0/16", "10.7.0.0/16", "10.9.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:5::/64", "2a04:2507:0:7::/64", "2a04:2507:0:9::/64" ]
+					},
+					"__PRIVATE__": {
+						"ipv4": [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ],
+						"ipv6": [ ]
+					}
+				},
+				"topology": {
+					"internet": [ "WAN" ],
+					"onPremise": [ "LOCAL-ADM", "LOCAL-USR" ],
+					"interSite": {
+						"site_C": [ "VPN-C" ],
+						"site_D": [ "VPN-D" ],
+						"site_B": [ "MPLS-ADM", "MPLS-USR" ]
+					},
+					"private": [ "__PRIVATE__" ]
+				}
+			},
+			"site_B": {
+				"location": "Bordeaux, FRANCE",
+				"hostname": "firewall_B",
+				"os": "juniper-junos",
+				"ip": "1.2.3.5",
+				"gui": "https",
+				"zones": {
+					"WAN": {
+						"ipv4": [ "0.0.0.0/0" ],
+						"ipv6": [ "::/0" ]
+					},
+					"VPN-C": {
+						"ipv4": [ "10.0.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:0::/64" ]
+					},
+					"VPN-D":	{
+						"ipv4": [ "10.1.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:1::/64" ]
+					},
+					"LOCAL-ADM":	{
+						"ipv4": [ "10.4.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:4::/64" ]
+					},
+					"LOCAL-USR": {
+						"ipv4": [ "10.5.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:5::/64" ]
+					},
+					"MPLS-ADM": {
+						"ipv4": [ "10.2.0.0/16", "10.6.0.0/16", "10.8.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:2::/64", "2a04:2507:0:6::/64", "2a04:2507:0:8::/64" ]
+					},
+					"MPLS-USR": {
+						"ipv4": [ "10.3.0.0/16", "10.7.0.0/16", "10.9.0.0/16" ],
+						"ipv6": [ "2a04:2507:0:3::/64", "2a04:2507:0:7::/64", "2a04:2507:0:9::/64" ]
+					},
+					"__PRIVATE__": {
+						"ipv4": [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ],
+						"ipv6": [ ]
+					}
+				},
+				"topology": {
+					"internet": [ "WAN" ],
+					"onPremise": [ "LOCAL-ADM", "LOCAL-USR" ],
+					"interSite": {
+						"site_C": [ "VPN-C" ],
+						"site_D": [ "VPN-D" ],
+						"site_A": [ "MPLS-ADM", "MPLS-USR" ]
+					},
+					"private": [ "__PRIVATE__" ]
+				}
+			}
+		},
+		"configuration": {
+			"templates": {
+				"path": "templates/firewall"
+			},
+			"exports": {
+				"path": "tmp"
+			},
+			"objects" : {
+				"file": "backup/firewall/objects.json"
+			},
+			"configs": {
+				"path": "backup/firewall/configurations"
+			}
+		}
+	}
+}
@@ -0,0 +1,35 @@
+<?php
+	define("ROOT_DIR", __DIR__);
+	require_once('services/firewall.php');
+
+	if(!isset($configurations))
+	{
+		$configurations = array(
+			__DIR__ . '/configurations/config.json',
+			__DIR__ . '/configurations/config.user.json',
+			__DIR__ . '/configurations/firewall.json',
+			__DIR__ . '/configurations/firewall.user.json',
+		);
+	}
+
+	/**
+	  * Déplace le curseur d'une ligne vers le haut
+	  * Fix le saut de ligne lors de la touche entrée pour lancer le script CLI
+	  *
+	  * Permet d'harmoniser le traitement des sauts de lignes:
+	  * --> Saut de ligne avant un texte et non après!
+	  */
+	echo "\033[1A";
+
+	/**
+	  * Change [IPAM_SERVER_KEY] with the key of your PHPIPAM server in configuration file
+	  * You can add many PHPIPAM server, it is compatible multiple PHPIPAM  
+	  * If you have not PHPIPAM service, remove argument or keep it empty
+	  *
+	  * Example with PHPIPAM disabled: $MAIN = new Service_Firewall($configurations, array());
+	  * Example with PHPIPAM enabled: $MAIN = new Service_Firewall($configurations, array('myIpamKey_1', 'myIpamKey_2'));
+	  */
+	$MAIN = new Service_Firewall($configurations, array('[IPAM_SERVER_KEY]'));
+
+	echo PHP_EOL;
+	exit();