Merge branch 'master' of github.com:trailofbits/algo

This commit is contained in:
elrey 2019-06-03 19:03:30 -04:00
commit 6167e3af9c
5 changed files with 19 additions and 15 deletions


@ -20,7 +20,7 @@ RUN apk --no-cache add ${BUILD_PACKAGES} && \
python -m pip --no-cache-dir install virtualenv && \
python -m virtualenv env && \
source env/bin/activate && \
python -m pip --no-cache-dir install -r requirements.txt --no-use-pep51 && \
python -m pip --no-cache-dir install -r requirements.txt && \
apk del ${BUILD_PACKAGES}
COPY . .
RUN chmod 0755 /algo/algo-docker.sh


@ -83,9 +83,11 @@ Note: The `strongswan` role generates Apple profiles with On-Demand Wifi and Cel
- role: local, provider: local
Required variables:
This role is intended to be run for local install onto an Ubuntu server, or onto an unsupported cloud provider's Ubuntu instance. Required variables:
- server - IP address of your server
- server - IP address of your server (or "localhost" if deploying to the local machine)
- endpoint - public IP address of the server you're installing on
- ssh_user - name of the SSH user you will use to install on the machine (passwordless login required). If `server=localhost`, this isn't required.
- ca_password - Password for the private CA key
Note that by default, the iptables rules on your existing server will be overwritten. If you don't want to overwrite the iptables rules, you can use the `--skip-tags iptables` flag.
@ -249,16 +251,6 @@ Required variables:
You need to source the rc file prior to run Algo. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)
### Local
Required variables:
- server - IP or hostname to access the server via SSH
- endpoint - Public IP address or domain name of your server
- ssh_user
### Update users
Playbook:


@ -77,6 +77,13 @@ COMMIT
# Drop traffic between VPN clients
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
# Drop traffic to VPN clients from SSH tunnels
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
# Drop traffic to the link-local network
-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
# Drop traffic to the link-local network from SSH tunnels
-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
# Forward any packet that's part of an established connection
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
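Review bot: The group id in `-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j ...` is a bare literal that has to stay equal to the `gid: 15000` the ssh_tunneling task assigns to the `algo` group, and the same literal recurs in the rules.v6 hunk of this commit; nothing ties the three occurrences together, so a later edit to any one of them silently disables the tunnel restriction. I would render all of them from one variable, e.g. `--gid-owner {{ ssh_tunnel_gid }}`, defined once in the role defaults. As I understand the xt_owner match, `--gid-owner` compares against the primary group of the process that owns the socket rather than its supplementary groups, which is why the accompanying `groups: algo` → `group: algo` change in the user task is load-bearing; a comment above the rule such as `# tunnel users must have gid 15000 as their primary group (see ssh_tunneling role)` would record that dependency. The rest of the v4 template lies outside this hunk.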


@ -87,6 +87,8 @@ COMMIT
# Drop traffic between VPN clients
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
# Drop traffic to VPN clients from SSH tunnels
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
-A FORWARD -j ICMPV6-CHECK
-A FORWARD -p tcp --dport 445 -j DROP
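Review bot: The new SSH-tunnel rule `-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j ...` covers the client subnets, but unlike the v4 template, which also carries `-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP`, this hunk adds no equivalent restriction for the IPv6 link-local range (fe80::/10) from tunnel processes. If link-local traffic is already handled elsewhere in this template that is fine; otherwise the two templates diverge and the v6 side leaves a path the v4 side closes. Either way, a one-line comment stating which case applies would stop the next reader from re-asking the question. The template continues outside the hunk, so I may be missing an existing rule.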


@ -14,7 +14,10 @@
- restart ssh
- name: Ensure that the algo group exist
group: name=algo state=present
group:
name: algo
state: present
gid: 15000
- name: Ensure that the jail directory exist
file:
@ -28,7 +31,7 @@
- name: Ensure that the SSH users exist
user:
name: "{{ item }}"
groups: algo
group: algo
home: '/var/jail/{{ item }}'
createhome: yes
generate_ssh_key: false
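Review bot: `gid: 15000` on the `algo` group is asserted without any check that the gid is free on the target host; on an existing deployment where `algo` was created earlier without a fixed gid, the group module will try to renumber it, and if 15000 already belongs to another group the task fails rather than degrading gracefully. At minimum the coupling should be written down next to the value, e.g. `# gid is fixed because the iptables templates match tunnel traffic with --gid-owner 15000`, and ideally both places read the same variable. The second hunk's `group: algo` is what makes the owner match work, since it sets the primary group; as far as I know `--gid-owner` does not consider supplementary groups, so `groups: algo` would not have been matched, and a short comment on that line would keep someone from reverting it as a typo. Both task lists extend beyond the hunks shown.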