From 79b50d5e83025a831b8ea4aabc4e18f1d3c281ef Mon Sep 17 00:00:00 2001 From: Tomas Jacik Date: Fri, 27 Jan 2012 22:27:57 +0100 Subject: [PATCH 1/2] - set proper chmod - added ipv6 regex while searching for RESERVED adresses - fixed msn port - added OpenVPN port - added Nagios NRPE daemon port - added wait for interface feature - added default firehol setting probing for debian based systems - added wizzard support wlan - added debian packaging --- debian/NEWS | 9 ++ debian/README.Debian | 19 +++ debian/README.Services | 33 ++++++ debian/README.source | 2 + debian/RESERVED_IPV4 | 21 ++++ debian/RESERVED_IPV6 | 16 +++ debian/bittorrent.conf | 3 + debian/changelog | 252 ++++++++++++++++++++++++++++++++++++++++ debian/conffiles | 5 + debian/control | 17 +++ debian/copyright | 27 +++++ debian/files | 1 + debian/firehol.examples | 1 + debian/get-iana.1 | 30 +++++ debian/get-iana.1.txt | 30 +++++ debian/init.d/firehol | 68 +++++++++++ debian/postinst | 22 ++++ debian/postrm | 13 +++ debian/rules | 85 ++++++++++++++ debian/source/format | 1 + 20 files changed, 655 insertions(+) create mode 100644 debian/NEWS create mode 100644 debian/README.Debian create mode 100644 debian/README.Services create mode 100644 debian/README.source create mode 100644 debian/RESERVED_IPV4 create mode 100644 debian/RESERVED_IPV6 create mode 100644 debian/bittorrent.conf create mode 100644 debian/changelog create mode 100644 debian/conffiles create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/files create mode 100644 debian/firehol.examples create mode 100644 debian/get-iana.1 create mode 100644 debian/get-iana.1.txt create mode 100644 debian/init.d/firehol create mode 100644 debian/postinst create mode 100644 debian/postrm create mode 100755 debian/rules create mode 100644 debian/source/format diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..7b99efc --- /dev/null +++ b/debian/NEWS 
@@ -0,0 +1,9 @@ +firehol (1.256-1) unstable; urgency=low + + This release reverts the split from firehol into firehol-wizard,firehol and + the lib. That will make updates much easier in the future. + get-iana (a script for updating the list of reserved ips) is now available + you can run it regulary to update your ip list. Its recommended to install + the aggregate package to aggregate the ip ranges from the iana. + + -- Alexander Wirt Thu, 30 Aug 2007 17:18:22 +0200 diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..3349b1d --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,19 @@ +firehol for Debian GNU/Linux +---------------------------- + +You have to enable firehol in /etc/default/firehol to +get firehol starting. To enable it set START_FIREHOL to anything +else than NO/no. + +You should also give firehol-wizard a try for generating +a starting configuration. To launch firehol-wizard just start /sbin/firehol +with the wizard parameter (/sbin/firehol wizard). + +If you want to have firehol waiting until a device is up before +it proceeds the firewall rules you can add it in WAIT_FOR_IFACE +in the defaults file. Firehol then waits until the device is up +or 60 secs are over. + +Thanks to Sam Couter for this contribution. + +-- Alexander Wirt Fri, 21 Jul 2006 17:52:29 +0200 diff --git a/debian/README.Services b/debian/README.Services new file mode 100644 index 0000000..ed224c3 --- /dev/null +++ b/debian/README.Services 
@@ -0,0 +1,33 @@ +Adding additional services to firehol +===================================== + +Since version 1.214 it is possible to define new +services with extra config files dropped into +/etc/firehol/services. Every file with the ending +.conf gets parsed. + +Any config file should start with a specical header: + +#FHVER: 1:213 + +1 is the API version and 213 the minimum version of FireHOL +the service is expected to work with. +Inside the configfile you could use any service defintion +as described at: http://firehol.sourceforge.net/adding.html? +Here a small example for bittorrent: + +----------------------- +#FHVER: 1:213 +server_torrent_ports="tcp/6881:6999" +client_torrent_ports="default" +----------------------- + +Thats all :). If dropped into /etc/firehol/services +you could use the torrent service as any builtin service in +you config. + +You could find this file under the +examples dir in /usr/share/doc/firehol. + + -- Alexander Wirt Thu, 23 Dec 2004 15:33:52 +0100 + diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 0000000..00a5ad6 --- /dev/null +++ b/debian/README.source @@ -0,0 +1,2 @@ +I use dpatch for patch handling inside the firehol package. Please see +/usr/share/doc/dpatch/README.source.gz (if you have installed dpatch) for documentation about dpatch. diff --git a/debian/RESERVED_IPV4 b/debian/RESERVED_IPV4 new file mode 100644 index 0000000..fad315f --- /dev/null +++ b/debian/RESERVED_IPV4 @@ -0,0 +1,21 @@ +0.0.0.0/7 +5.0.0.0/8 +10.0.0.0/8 +14.0.0.0/8 +23.0.0.0/8 +27.0.0.0/8 +31.0.0.0/8 +36.0.0.0/7 +39.0.0.0/8 +42.0.0.0/8 +49.0.0.0/8 +50.0.0.0/8 +100.0.0.0/6 +104.0.0.0/6 +127.0.0.0/8 +176.0.0.0/7 +179.0.0.0/8 +181.0.0.0/8 +185.0.0.0/8 +223.0.0.0/8 +240.0.0.0/4 diff --git a/debian/RESERVED_IPV6 b/debian/RESERVED_IPV6 new file mode 100644 index 0000000..688c4a2 --- /dev/null +++ b/debian/RESERVED_IPV6 
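Review bot: The RESERVED_IPV4 list installed as /etc/firehol/RESERVED_IPV4 (5.0.0.0/8, 23.0.0.0/8, 50.0.0.0/8, 100.0.0.0/6, 176.0.0.0/7, 185.0.0.0/8 and most of the other non-loopback, non-RFC1918 entries) is a snapshot of IANA unallocated space that predates the February 2011 exhaustion of the IANA free pool, so by this commit's date most of those blocks had been assigned to RIRs and carry live traffic. Since firehol uses this file as its list of reserved source networks (per the get-iana man page added in this patch), a package built from it will drop legitimate traffic from large parts of the Internet until the admin runs get-iana. Consider regenerating the file with get-iana at build time, or at least stating in README.Debian that the shipped list is a dated snapshot and that get-iana should be run after installation. The RESERVED_IPV6 file in the next section has the same provenance problem, as nothing in the package records where its ranges came from or when.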
@@ -0,0 +1,16 @@ +::/8 +0100::/8 +0200::/7 +0400::/6 +0800::/5 +1000::/4 +4000::/3 +6000::/3 +8000::/3 +A000::/3 +C000::/3 +E000::/4 +F000::/5 +F800::/6 +FE00::/9 +FEC0::/10 diff --git a/debian/bittorrent.conf b/debian/bittorrent.conf new file mode 100644 index 0000000..a1d11ce --- /dev/null +++ b/debian/bittorrent.conf @@ -0,0 +1,3 @@ +#FHVER: 1:213 +server_torrent_ports="tcp/6881:6999" +client_torrent_ports="default" diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..747f941 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,252 @@ +firehol (1.293-2) unstable; urgency=low + + * New upstream release + * Supports ipv6 + + -- Tomas Jacik Fri, 14 Oct 2011 23:57:41 +0100 + +firehol (1.273-1) unstable; urgency=low + + * New upstream release + - support /proc/config.gz (Closes: #465319) + - works without less (Closes: #494941) + * Update RESERVED_IPS + * fix comment in /etc/default/firehol (Closes: #521873) + * Suggest ulogd (Closes: #555528) + + -- Alexander Wirt Sat, 14 Nov 2009 21:11:41 +0100 + +firehol (1.256-4) unstable; urgency=low + + * Update list of reserved IPs (Closes: #455752, #479897) + * Move get-iana to /usr/sbin + * Make get-iana working again (Closes: #470879) + * Fix get-iana name in firehol output (Closes: #475352) + * Also support wizard parameter in the init script (Closes: #461082) + * Don't let initscript fail if there are no parameters (Closes: #489991) + + -- Alexander Wirt Fri, 18 Jul 2008 22:20:16 +0200 + +firehol (1.256-3) unstable; urgency=low + + * Adding a patch to 00list helps. Activate the OpenVPN Patch + (Closes: #440916) + + -- Alexander Wirt Thu, 18 Oct 2007 14:13:09 +0200 + +firehol (1.256-2) unstable; urgency=low + + * Add OpenVPN support (Closes: #440916) + * Allow lower and mixed case for START_FIREHOL. + Old logic (start if != NO) got also restored. + (Closes: #440919) + + -- Alexander Wirt Wed, 05 Sep 2007 22:54:53 +0200 + +firehol (1.256-1) unstable; urgency=low + + * New upstream version (Closes: #425398) + * Removed split - makes updates much easier + - This fixes also some problems with the wizard (Closes: #424073) + - Restores old condrestart feature (Closes: #324851) + * Add support for vlan interfaces in the wizard (Closes: #411662). 
+ Thanks to Vincent Danjean for the patch + * Add firehol configfile to initscript (Closes: #293873) + * Depend on lsb-base (Closes: #420990) + * Rename msn to msnp and add msn with port 1863 (Closes: #411846) + + -- Alexander Wirt Sat, 01 Sep 2007 08:44:26 +0200 + +firehol (1.231-7) unstable; urgency=low + + * Remove bashism from init script (Closes: #390726) + + -- Alexander Wirt Tue, 3 Oct 2006 12:52:57 +0200 + +firehol (1.231-6) unstable; urgency=low + + * Remove simple dhcp config (Closes: #390178) + * Switch initfile to LSB conformance + + -- Alexander Wirt Fri, 29 Sep 2006 18:44:27 +0200 + +firehol (1.231-5) unstable; urgency=low + + * Added helpme option (starts wizard) to /etc/init.d/firehol + (Thanks to Eduard Bloch for the idea) (Closes: #335328) + * Updates list of reserved ips (Closes: #357250, Closes: #379127) + * Updated manpage (Closes: #335602) + * Removed bc from depedencies (Closes: #349409) + * Updated manpage for the protection command (Closes: #371832) + * Updates description (Closes: #359221) + * Changed client range to 1000:65535 (Closes: #357034) + * Fixed some spelling error in the package description (Closes: #363413) + * Backported some fix the nfs service + * Backported service ospf from cvs + * Backported a fix for the spf client from cvs + * Backported a fix for the sip service + * Backported recent feature + + -- Alexander Wirt Fri, 21 Jul 2006 17:52:29 +0200 + +firehol (1.231-4) unstable; urgency=low + + * Cleaned up tempdir creation and removal in firehol-wizard + (Closes: #324598). 
Thanks to Javier Fernández-Sanguino Peña for the patch + + -- Alexander Wirt Tue, 23 Aug 2005 07:23:29 +0200 + +firehol (1.231-3) unstable; urgency=low + + * Fixed lockfile deletion (Closes: #315399,#309651) + + -- Alexander Wirt Sun, 10 Jul 2005 08:52:50 +0200 + +firehol (1.231-2) unstable; urgency=medium + + * Create lockfile while starting firehol (Closes: #304853) + + -- Alexander Wirt Thu, 27 Jul 2006 15:20:26 +0200 + +firehol (1.231-1) unstable; urgency=low + + * New upstream release (Closes: #303560) + + -- Alexander Wirt Fri, 8 Apr 2005 20:40:43 +0200 + +firehol (1.214-2) unstable; urgency=high + + * Makes wget and curl check fail silently because the normal user + will never need it. Added wget | curl to recommends. + (Closes: #291041) + * Allow additional argumentens for init script (Closes: #290728) + Thanks to Peter Marschall for the patch + * Fixed security bug in the tempdir creation (Closes: #291680) + Thanks to Sam Couter for pointing to it + * Fixed wrong named variable in the lan-gateway.conf example + (Closes: #289211) + * Added the possibility to wait for an interface if set in + /etc/default/firehol. See README.Debian for more infos + (Closes: #291667) Thanks again to Sam Couter for the patch. 
+ + -- Alexander Wirt Sat, 22 Jan 2005 15:11:18 +0100 + +firehol (1.214-1) unstable; urgency=low + + * New upstream release (Closes: #279231) + + Updated RESERVED_IPS (Closes: #269248) + * Removed dependency on less (Closes: #260202) + * Added README.Services and bittorrent example + * Added openvpn as service (IANA Port from openvpn 2.0) + + -- Alexander Wirt Thu, 23 Dec 2004 15:33:52 +0100 + +firehol (1.191-2) unstable; urgency=low + + * Now uses pager instead of hardcoded less (Closes: #258654) + Thanks to Itamar Ravid for the patch + + -- Alexander Wirt Sun, 18 Jul 2004 15:35:34 +0200 + +firehol (1.191-1) unstable; urgency=low + + * New Maintainer: Alexander Wirt + * New Upstream Release + + Better Kernel Module managment (Closes: #244241, #242062) + * Fixed description so that new users doesn't get scared (Closes: #243102) + * Fixed /etc/default/firehol handling (Closes: #245307) + Thanks Michael Ablassmeier for the patch. + * Mentioned firehol-wizard in the new README.Debian + * Moved firehol and firehol-wizard manpages into the correct section + * Removed gawk dependancy and set GAWK_CMD to awk in firehol-lib (Closes: #250401) + + -- Alexander Wirt Sat, 22 May 2004 18:39:45 +0200 + +firehol (1.182+cvs+20040325-2) unstable; urgency=low + + * Also search for the kernel config in /boot/config-`uname -r`. (Closes: + #241171) + * Don't die if we don't find lsmod and modprobe, only warn if they would be + needed. (Closes: #241172) + * debian/control: Recommend modutils | module-init-tools. + + -- Marc 'HE' Brockschmidt Wed, 31 Mar 2004 15:29:16 +0200 + +firehol (1.182+cvs+20040325-1) unstable; urgency=low + + * New upstream source (no release, but stable): + + Fixed cups rule (Closes: #216632) + * debian/control: + + I'm a DD now! 
+ + Bumped Standards-Version to 3.6.1 (no changes) + + -- Marc 'HE' Brockschmidt Thu, 25 Mar 2004 21:05:42 +0100 + +firehol (1.159-1) unstable; urgency=low + + * New upstream release: + - New helper functions MARK and BLACKLIST + - Better support for kernel series 2.[56] + - Added lockd support in service NFS, suggested by Daniel Pittman + - New rules for TFTP, XDMCP and Veritas NetBackup. + (Closes: #214570) + * Fixed bashisms in debian/rules. Thanks Domenico Andreoli for the patch. + (Closes: #209366) + + -- Marc Brockschmidt Sat, 18 Oct 2003 15:53:05 +0200 + +firehol (1.146+cvs+20030729-1) unstable; urgency=low + + * New upstream release. + * Included patch from Daniel Pittman (Thanks!) fixing a typo in firehol + which resulted in trying to load the ip_tables module in all cases. + (Closes: #200571) + + -- Marc Brockschmidt Tue, 29 Jul 2003 02:02:05 +0200 + +firehol (1.132+cvs+20030611-1) unstable; urgency=low + + * New upstream version (shortened list of reserved IPs, 2 new + services: dcpp and msn) + * New upstream version (with manpage for firehol.conf(5)). + * Updated to Standards-Version 3.5.10. + + -- Marc Brockschmidt Tue, 10 Jun 2003 23:30:12 +0200 + +firehol (1.129+cvs+20030601-1) unstable; urgency=low + + * Splitted firehol.sh in 2 scripts (firehol.sh, firehol-wizard.sh), + created a lib and a init-script. + * Changed startup order to create an iptables firewall before + configuring the network devices (and stop it after deconfiguring + them) + + -- Marc Brockschmidt Sun, 01 Jun 2003 19:15:00 +0200 + +firehol (1.128-4) unstable; urgency=low + + * Fixed console messages from the init script (see Debian Policy, + chapter 10.4) + * Cleaned the startup code a bit... + + -- Marc Brockschmidt Sat, 10 May 2003 12:54:48 +0200 + +firehol (1.128-3) unstable; urgency=low + + * Cleaned debian/rules a bit. + * Now uses /etc/default/firehol to determine wether it is configured + or not. 
+ + -- Marc Brockschmidt Sun, 05 May 2003 19:53:20 +0200 + +firehol (1.128-2) unstable; urgency=low + + * Fixed use of /var/lock/subsys/* + + -- Marc Brockschmidt Thu, 01 May 2003 21:45:00 +0200 + +firehol (1.128-1) unstable; urgency=low + + * Initial Release. + + -- Marc Brockschmidt Thu, 01 May 2003 13:10:00 +0200 diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 0000000..807ba25 --- /dev/null +++ b/debian/conffiles @@ -0,0 +1,5 @@ +/etc/init.d/firehol +/etc/firehol/firehol.conf +/etc/default/firehol +/etc/firehol/RESERVED_IPV4 +/etc/firehol/RESERVED_IPV6 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..7d17706 --- /dev/null +++ b/debian/control @@ -0,0 +1,17 @@ +Source: firehol +Section: net +Priority: optional +Maintainer: Alexander Wirt +Uploaders: Marc 'HE' Brockschmidt +Build-Depends: dpatch +Standards-Version: 3.8.3 + +Package: firehol +Architecture: all +Depends: iptables (>= 1.2.4), iproute, net-tools, bash (>= 2.04), lsb-base +Recommends: modutils | module-init-tools, wget | curl, aggregate +Suggests: ulogd +Description: An easy to use but powerful iptables stateful firewall + Generates generic firewalls with an extremely simple but powerful + configuration language, enabling you to design any kind of local + or routing stateful packet filtering firewall with ease. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..e4a400b --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,27 @@ +This package was debianized by Marc Brockschmidt on +Thu, 01 May 2003 13:10:00 +0200. + +It is available at: http://firehol.sf.net + +Upstream Authors: Costa Tsaousis + +Copyright: + +Copyright (C) 2002-2003 Costa Tsaousis +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, +MA 02110-1301, USA. + + +See /usr/share/common-licenses/GPL-2 diff --git a/debian/files b/debian/files new file mode 100644 index 0000000..1b256d2 --- /dev/null +++ b/debian/files @@ -0,0 +1 @@ +firehol_1.293-2_all.deb net optional diff --git a/debian/firehol.examples b/debian/firehol.examples new file mode 100644 index 0000000..4089e54 --- /dev/null +++ b/debian/firehol.examples @@ -0,0 +1 @@ +adblock.sh diff --git a/debian/get-iana.1 b/debian/get-iana.1 new file mode 100644 index 0000000..7781059 --- /dev/null +++ b/debian/get-iana.1 
@@ -0,0 +1,30 @@ +.\" Title: get-iana +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 08/30/2007 +.\" Manual: +.\" Source: +.\" +.TH "GET\-IANA" "1" "08/30/2007" "" "" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +get-iana - updates the list of reserved ips from the IANA for usage from firehol +.SH "SYNOPSIS" +\fBget\-iana\fR +.sp +.SH "DESCRIPTION" +This manual page documents briefly the \fBget\-iana\fR command\. +.sp +\fBget\-iana\fR fetches the list of reserver networks from the iana website (http://www\.iana\.org/assignments/ipv4\-address\-space)\. And formats the for inclusion in the firehol(1) firewall script\. If available it uses aggregate(1) for optimisation of the ip list\. +.sp +.SH "SEE ALSO" +firehol(1), aggregate(1) +.sp +.SH "AUTHOR" +get\-iana was written by Costa Tsaousis \. +.sp +This manual page was written by Alexander Wirt \. +.sp diff --git a/debian/get-iana.1.txt b/debian/get-iana.1.txt new file mode 100644 index 0000000..9c8c596 --- /dev/null +++ b/debian/get-iana.1.txt @@ -0,0 +1,30 @@ +GET-IANA(1) +=========== +Costa Tsaousis + +NAME +---- +get-iana - updates the list of reserved ips from the IANA for usage from firehol + +SYNOPSIS +-------- +*get-iana* + +DESCRIPTION +----------- +This manual page documents briefly the *get-iana* command. + +*get-iana* fetches the list of reserver networks from the iana website +(http://www.iana.org/assignments/ipv4-address-space). And formats the for +inclusion in the firehol(1) firewall script. If available it uses aggregate(1) +for optimisation of the ip list. + +SEE ALSO +-------- +firehol(1), aggregate(1) + +AUTHOR +------ +get-iana was written by Costa Tsaousis . + +This manual page was written by Alexander Wirt . diff --git a/debian/init.d/firehol b/debian/init.d/firehol new file mode 100644 index 0000000..cd73a13 --- /dev/null +++ b/debian/init.d/firehol 
@@ -0,0 +1,68 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: firehol +# Required-Start: $network $syslog +# Required-Stop: $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Description: Starts firehol firewall configuration +# short-description: firehol firewall configuration +### END INIT INFO + +#includes lsb functions +. /lib/lsb/init-functions + +PATH=/sbin:/bin +NAME=firehol +DESC=Firewall + +test -x /sbin/firehol || exit 0 + +set -e + +[ -r /etc/default/firehol ] && . /etc/default/firehol + +START_FIREHOL="$( echo $START_FIREHOL | /usr/bin/tr a-z A-Z)" + +COMMAND="$1" +test -n "$1" && shift + +case "$COMMAND" in + start) + + if [ "$START_FIREHOL" = "NO" ]; then + log_warning_msg "$DESC disabled via /etc/default/firehol" + exit 0 + else + log_daemon_msg "Starting $DESC" "$NAME" + /sbin/firehol start "$@" >/dev/null || log_end_msg 1 + log_end_msg 0 + fi + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + /sbin/firehol stop "$@" >/dev/null || log_end_msg 1 + log_end_msg 0 + ;; + helpme|wizard) + log_daemon_msg "Starting $NAME wizard" 1>&2 + /sbin/firehol wizard + ;; + restart|force-reload) + if [ "$START_FIREHOL" = "NO" ]; then + log_warning_msg "$DESC disabled via /etc/default/firehol" + exit 0 + else + log_daemon_msg "Restarting $DESC configuration" + /sbin/firehol restart "$@" >/dev/null || log_end_msg 1 + log_action_end_msg 0 + fi + ;; + *) + N=/etc/init.d/$NAME + log_action_msg "Usage: $N {start|stop|restart|force-reload} []" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..9c1f0d1 --- /dev/null +++ b/debian/postinst 
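Review bot: `START_FIREHOL="$( echo $START_FIREHOL | /usr/bin/tr a-z A-Z)"` word-splits and globs the unquoted value and hard-codes /usr/bin/tr although PATH was set to /sbin:/bin a few lines earlier, so an odd value from /etc/default/firehol misbehaves and the script depends on /usr being mounted at a point in boot where a firewall is expected to be up. A plain-sh `case` normalisation needs no external tool: `case "${START_FIREHOL:-}" in [Nn][Oo]) START_FIREHOL=NO ;; esac` (both `= "NO"` tests keep working). The restart branch pairs `log_daemon_msg` with `log_action_end_msg 0` on success but `log_end_msg 1` on failure; use `log_end_msg 0` as the start branch does. `Required-Start: $network` orders this script after networking, whereas the 1.129 changelog entry in this patch describes creating the firewall before interfaces are configured — if that is still the intent, `$local_fs` plus `X-Start-Before: networking` would express it. The usage message in the `*)` arm also omits the helpme|wizard action the script accepts.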
@@ -0,0 +1,22 @@ +#!/bin/sh -e + +if [ -f /etc/firehol.conf ] +then + mv -f /etc/firehol.conf /etc/firehol/firehol.conf + echo + echo + echo "FireHOL has now its configuration in /etc/firehol/firehol.conf" + echo "Your existing configuration has been moved to its new place." + echo +fi + +case "$1" in + configure) + if [ -x "/etc/init.d/firehol" ]; then + update-rc.d firehol defaults >/dev/null + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; +esac diff --git a/debian/postrm b/debian/postrm new file mode 100644 index 0000000..b2b7af1 --- /dev/null +++ b/debian/postrm @@ -0,0 +1,13 @@ +#!/bin/sh -e + +case "$1" in + remove) + ;; + + purge) + update-rc.d -f firehol remove >/dev/null + ;; + + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; +esac diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..aa2958a --- /dev/null +++ b/debian/rules 
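Review bot: The migration block at the top of postinst (`mv -f /etc/firehol.conf /etc/firehol/firehol.conf`) runs on every invocation, including abort-upgrade/abort-remove, and `-f` overwrites whatever dpkg has just unpacked or the admin already keeps in /etc/firehol/firehol.conf. Move it under the `configure)` arm and only move when the destination is absent, e.g. `if [ -f /etc/firehol.conf ] && [ ! -e /etc/firehol/firehol.conf ]; then`, so a user who has both files does not silently lose the newer one. Since /etc/firehol/firehol.conf is declared in debian/conffiles, this also avoids replacing a conffile behind dpkg's back; a one-line comment such as `# one-time move of the old /etc/firehol.conf location; never clobber an existing conffile` would make the intent clear.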
@@ -0,0 +1,85 @@ +#!/usr/bin/make -f +# First try in creating a debian/rules-file. + +build: + touch build-stamp + +clean: + -rm -f build + -rm -rf debian/*substvars debian/tmp debian/files + +binary: binary-indep binary-arch + +binary-indep: checkroot build + #Create the directories: + install -d debian/tmp/DEBIAN + install -d debian/tmp/sbin/ + install -d debian/tmp/usr/sbin + install -d debian/tmp/etc/firehol + install -d debian/tmp/etc/firehol/services + install -d debian/tmp/etc/default + install -d debian/tmp/etc/init.d + install -d debian/tmp/usr/share/man/man1/ + install -d debian/tmp/usr/share/man/man5/ + install -d debian/tmp/usr/share/doc/firehol + install -d debian/tmp/usr/share/doc/firehol/html + install -d debian/tmp/usr/share/doc/firehol/examples + + #Install the scripts and the config: + install -m 755 firehol.sh debian/tmp/sbin/firehol + install -m 755 debian/init.d/firehol debian/tmp/etc/init.d/firehol + install -m 644 examples/client-all.conf debian/tmp/etc/firehol/firehol.conf + install -m 644 debian/RESERVED_IPV4 debian/tmp/etc/firehol + install -m 644 debian/RESERVED_IPV6 debian/tmp/etc/firehol + install -m 755 get-iana.sh debian/tmp/usr/sbin/get-iana + sed -i -e 's/aggregate-flim/aggregate/g' debian/tmp/usr/sbin/get-iana + + echo "#To enable firehol at startup set START_FIREHOL=YES" > debian/tmp/etc/default/firehol + echo "START_FIREHOL=NO" >> debian/tmp/etc/default/firehol + echo "#If you want to have firehol wait for an iface to be up add it here" >> debian/tmp/etc/default/firehol + echo 'WAIT_FOR_IFACE=""' >> debian/tmp/etc/default/firehol + + chmod 644 debian/tmp/etc/default/firehol + + #Copy the documentation: + install -m 644 debian/README.Debian debian/README.Services debian/tmp/usr/share/doc/firehol/ + install -m 644 doc/*.html doc/*.css debian/tmp/usr/share/doc/firehol/html/ + install -m 644 man/firehol.1 debian/tmp/usr/share/man/man1/ + install -m 644 debian/get-iana.1 debian/tmp/usr/share/man/man1/ + install -m 644 
man/firehol.conf.5 debian/tmp/usr/share/man/man5/ + gzip -9 debian/tmp/usr/share/man/man1/firehol.1 debian/tmp/usr/share/man/man5/firehol.conf.5 debian/tmp/usr/share/man/man1/get-iana.1 + + #Copy the examples: + install -m 644 examples/*.conf debian/tmp/usr/share/doc/firehol/examples/ + install -m 644 adblock.sh debian/tmp/usr/share/doc/firehol/examples/ + install -m 644 debian/bittorrent.conf debian/tmp/usr/share/doc/firehol/examples/ + + #Copyright, Changelog, etc: + install -m 644 debian/copyright debian/tmp/usr/share/doc/firehol/ + install -m 644 debian/changelog debian/tmp/usr/share/doc/firehol/changelog.Debian + gzip -9 debian/tmp/usr/share/doc/firehol/changelog.Debian + install -m 644 ChangeLog debian/tmp/usr/share/doc/firehol/changelog + gzip -9 debian/tmp/usr/share/doc/firehol/changelog + + install -m 644 WhatIsNew README TODO debian/tmp/usr/share/doc/firehol/ + + #Create MD5-Sums: + (cd debian/tmp; find -type f | sed s#^./## | grep -v DEBIAN | xargs md5sum > DEBIAN/md5sums) + chmod 644 debian/tmp/DEBIAN/md5sums + + # Standard package building stuff + install -m755 debian/postinst debian/tmp/DEBIAN + install -m755 debian/postrm debian/tmp/DEBIAN + install -m644 debian/conffiles debian/tmp/DEBIAN + dpkg-gencontrol -pfirehol -is -ip + chmod 644 debian/tmp/DEBIAN/control + chown -R root:root debian/tmp + dpkg --build debian/tmp .. + +binary-arch: checkroot build + # No architecture dependent packages + +checkroot: + test root = "`whoami`" + +.PHONY: binary clean binary-indep binary-arch build install clean diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..d3827e7 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +1.0 From 1d04a7de2b090ccf26468e946dd63f3e0b37e214 Mon Sep 17 00:00:00 2001 
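Review bot: The `build` target touches `build-stamp`, but `clean` removes a file named `build` (`-rm -f build`), so the stamp is never cleaned; make them agree with `-rm -f build-stamp`. The `.PHONY` line lists `clean` twice and an `install` target that does not exist, and `debian/files`, which `clean` deletes, is a build artefact that should not be committed alongside it. README.source and Build-Depends both name dpatch, yet no target here applies or reverts patches, so either the patch system is unused or the build silently ships unpatched sources — worth confirming and either wiring `dpatch apply-all`/`dpatch deapply-all` into build/clean or dropping the dependency and README.source. The md5sums pipeline (`find -type f | sed s#^./## | grep -v DEBIAN | xargs md5sum`) is whitespace-unsafe and excludes any path containing the substring DEBIAN; it works for the paths this package controls today, but `find . -type f -not -path './DEBIAN/*' -print0 | xargs -0 md5sum | sed 's#  \./#  #'` would be robust.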
From: Tomas Jacik Date: Fri, 27 Jan 2012 22:36:35 +0100 Subject: [PATCH 2/2] Set proper chmod --- adblock.sh | 0 buildrpm.sh | 0 examples/client-all.conf | 0 examples/office.conf | 0 firehol.sh | 63 ++++++++++++++++++++++++++++++++++++++-- get-iana.sh | 0 6 files changed, 61 insertions(+), 2 deletions(-) mode change 100644 => 100755 adblock.sh mode change 100644 => 100755 buildrpm.sh mode change 100755 => 100644 examples/client-all.conf mode change 100755 => 100644 examples/office.conf mode change 100644 => 100755 get-iana.sh diff --git a/adblock.sh b/adblock.sh old mode 100644 new mode 100755 diff --git a/buildrpm.sh b/buildrpm.sh old mode 100644 new mode 100755 diff --git a/examples/client-all.conf b/examples/client-all.conf old mode 100755 new mode 100644 diff --git a/examples/office.conf b/examples/office.conf old mode 100755 new mode 100644 diff --git a/firehol.sh b/firehol.sh index 8e89757..6251972 100755 --- a/firehol.sh +++ b/firehol.sh 
@@ -831,6 +831,13 @@ load_ips() { t2="${t2} ${x}" done + local t6=`${CAT_CMD} "${FIREHOL_CONFIG_DIR}/${v}" | ${EGREP_CMD} "^ *((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?/[0-9]+ *$"` + for x in ${t6} + do + i=$[i + 1] + t2="${t2} ${x}" + done + if [ ${i} -eq 0 -o -z "${t2}" ] then echo >&2 @@ -1269,7 +1276,10 @@ helper_mms="mms" # because the mms module is not there: # ALL_SHOULD_ALSO_RUN="${ALL_SHOULD_ALSO_RUN} mms" -server_msn_ports="tcp/6891" +server_msnp_ports="tcp/6891" +client_msnp_ports="default" + +server_msn_ports="tcp/1863 udp/1863" client_msn_ports="default" server_mysql_ports="tcp/3306" @@ -1305,6 +1315,10 @@ client_nut_ports="default" server_nxserver_ports="tcp/5000:5200" client_nxserver_ports="default" +# OpenVPN +server_openvpn_ports="tcp/1194 udp/1194" +client_openvpn_ports="default" + # Oracle database server_oracle_ports="tcp/1521" client_oracle_ports="default" 
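Review bot: The IPv6 pattern passed to `${EGREP_CMD}` in the new `t6=` line uses `\d` for the embedded-IPv4 octets (`2[0-4]\d`, `[01]?\d{1,2}`), which is a Perl class, not POSIX ERE; GNU grep does not implement it (older releases treat it as a literal `d`, 3.8+ warns about the stray backslash), so every IPv4-embedded form in the alternation can never match and only the pure-hex forms are recognised. Replace each `\d` with `[0-9]`, and since the expression is several hundred characters long, put it in a named variable with a comment such as `# IPv6 text forms (incl. embedded IPv4) with mandatory /prefix and optional %zone`. The new block also duplicates the IPv4 loop just above it (`for x in ...; i=$[i + 1]; t2="${t2} ${x}"`), so one loop over the concatenated output of both greps would read better; the `if [ ${i} -eq 0 ... ]` that follows and the rest of load_ips continue outside the hunk.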
@@ -1384,6 +1398,10 @@ client_snmp_ports="default" server_snmptrap_ports="udp/162" client_snmptrap_ports="any" +# Nagios NRPE +server_nrpe_ports="tcp/5666" +client_nrpe_ports="default" + server_ssh_ports="tcp/22" client_ssh_ports="default" @@ -6206,6 +6224,38 @@ work_realcmd_helper() { test ${FIREHOL_CONF_SHOW} -eq 1 && show_work_realcmd 3 } +wait_for_interface() { + local iface=$1; shift + local timeout=60 + + if [ -n "$1" ]; then + timeout=$1 + fi + + local start=`date +%s` + local found=0 + + while [ "`date +%s`" -lt $(($start+$timeout)) -a $found -eq 0 ] + do + local addr=`ip addr show $iface 2> /dev/null | awk '$1 ~ /^inet$/ {print $2}'` + if [ -n "$addr" ] + then + found=1 + fi + if [ $found -eq 0 ] + then + sleep 0.5 + fi + done + + if [ $found -eq 1 ] + then + # the interface is up + return 0 + else + return 1 + fi +} # ------------------------------------------------------------------------------ @@ -6251,6 +6301,7 @@ if ${LSMOD_CMD} 2>/dev/null | ${GREP_CMD} -q ipchains ; then exit 0 fi +test -e /etc/default/firehol && . /etc/default/firehol # ------------------------------------------------------------------------------ # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX @@ -7148,7 +7199,7 @@ EOF echo } - interfaces=`${IP_CMD} link show | ${EGREP_CMD} "^[0-9A-Za-z]+:" | ${CUT_CMD} -d ':' -f 2 | ${SED_CMD} "s/^ //" | ${GREP_CMD} -v "^lo$" | ${SORT_CMD} | ${UNIQ_CMD} | ${TR_CMD} "\n" " "` + interfaces=`${IP_CMD} link show | ${EGREP_CMD} "^[0-9A-Za-z]+:" | ${CUT_CMD} -d ':' -f 2 | ${SED_CMD} "s/^ //" | ${SED_CMD} "s/@[a-z0-9]*//" | ${GREP_CMD} -v "^lo$" | ${SORT_CMD} | ${UNIQ_CMD} | ${TR_CMD} "\n" " "` gw_if=`${IP_CMD} route show | ${GREP_CMD} "^default" | ${SED_CMD} "s/dev /dev:/g" | ${TR_CMD} " " "\n" | ${GREP_CMD} "^dev:" | ${CUT_CMD} -d ':' -f 2` gw_ip=`${IP_CMD} route show | ${GREP_CMD} "^default" | ${SED_CMD} "s/via /via:/g" | ${TR_CMD} " " "\n" | ${GREP_CMD} "^via:" | ${CUT_CMD} -d ':' -f 2 | ips2net -` 
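Review bot: `wait_for_interface` calls `ip`, `awk`, `date` and `sleep` bare, while the rest of firehol.sh resolves tools through the `*_CMD` variables (`${IP_CMD}` is visible in the `interfaces=` hunk below), so this helper bypasses the script's command-location handling and depends on PATH at boot time; use the same convention here, at least `${IP_CMD} addr show "$iface"`. It also only accepts `inet` addresses (`$1 ~ /^inet$/`), so an interface that has only IPv6 configured is never considered up, which sits oddly with the IPv6 support this series adds — `/^inet6?$/` if that is intended. `sleep 0.5` is a GNU extension, the `-a` in the `while` test is the deprecated form, and `$iface` is expanded unquoted. The trailing `if [ $found -eq 1 ] ... else return 1` collapses to `[ $found -eq 1 ]`, and a header comment would help: `# wait_for_interface IFACE [TIMEOUT]: poll until IFACE has an address or TIMEOUT seconds (default 60) elapse; 0 if found, 1 on timeout`.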
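Review bot: The added `${SED_CMD} "s/@[a-z0-9]*//"` strips the `@parent` suffix that `ip link show` prints for VLAN and other virtual interfaces, but the class `[a-z0-9]*` stops at the first character that is not lower-case alphanumeric, so a parent such as `eth0.100`, `br-lan` or a tunnel's `@NONE` leaves a mangled name in the list the wizard offers (`tun0@NONE` becomes `tun0NONE`). `"s/@.*//"` removes everything after the `@` regardless of how the parent is named. The `interfaces=` assignment is indented and its enclosing function starts and ends outside the hunk.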
@@ -7600,6 +7651,14 @@ ${RM_CMD} -f "${FIREHOL_TMP}.awk" # ------------------------------------------------------------------------------ # Run the configuration file. +if [ -n "$WAIT_FOR_IFACE" ] +then + for i in "$WAIT_FOR_IFACE" + do + wait_for_interface $i + done +fi + enable -n trap # Disable the trap buildin shell command. enable -n exit # Disable the exit buildin shell command. source ${FIREHOL_TMP} "$@" # Run the configuration as a normal script. diff --git a/get-iana.sh b/get-iana.sh old mode 100644 new mode 100755
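Review bot: `for i in "$WAIT_FOR_IFACE"` quotes the whole variable, so the loop body runs exactly once with the full string; with `WAIT_FOR_IFACE="eth0 eth1"`, `wait_for_interface` receives `eth0 eth1` as the interface name, its `ip addr show` fails with stderr discarded, and the script simply sleeps for the full 60-second timeout before continuing. Word-splitting is the intended behaviour here, so drop the quotes on the list and quote the argument instead: `for i in $WAIT_FOR_IFACE; do wait_for_interface "$i"; done` (the outer `if [ -n ... ]` can then go, since an empty list loops zero times). The return value of `wait_for_interface` is also discarded; logging a warning when it returns 1 would tell the admin why the firewall came up before that interface had an address.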