-rw-r--r-- | network/firehol/README | 67 | ||||
-rw-r--r-- | network/firehol/doinst.sh | 23 | ||||
-rw-r--r-- | network/firehol/firehol.SlackBuild | 86 | ||||
-rw-r--r-- | network/firehol/firehol.conf | 3 | ||||
-rw-r--r-- | network/firehol/firehol.info | 8 | ||||
-rw-r--r-- | network/firehol/rc.firehol | 33 | ||||
-rw-r--r-- | network/firehol/slack-desc | 19 |
7 files changed, 239 insertions, 0 deletions
diff --git a/network/firehol/README b/network/firehol/README
new file mode 100644
index 0000000000000..f80cae88cdc81
--- /dev/null
+++ b/network/firehol/README
@@ -0,0 +1,67 @@
+firehol is an easy to use but powerfull iptables stateful firewall for
+humans.
+
+FireHOL uses an extremely simple but powerfull way to define firewall rules
+which it turns into complete stateful iptables firewalls. FireHOL is a
+generic firewall generator, meaning that you can design any kind of local
+or routing stateful packet filtering firewalls with ease.
+
+You can run FireHOL with the 'helpme' argument, to get a configuration file
+for the system run, which you can modify according to your needs.
+
+You can find example config files in /usr/doc/firehol-<ver>/examples. This
+directory contains examples from a simple client machine, to a lan-wan
+gateway or an office server.
+
+The default config file in the package contains only a note about where to
+find config file examples (/usr/doc/firehol-<ver>/examples), because it is
+empty it is not handled as a usual config file. If a user has a real one,
+this "example" is simply deleted.
+
+There is a get-iana.sh script to fetch reserved IPs from iana, It is
+renamed to firehol-get-iana, and placed to /usr/sbin. You have to run it at
+least once, to silence firehol startup warnings about missing files.
+
+There is an adblock.sh script to fetch the IPs of popular add servers,
+which can be blacklisted, see the file for the details. It is renamed to
+firehol-adblock and it is in /usr/sbin.
+
+In addition to the man pages there is a full html documentation in
+/usr/doc/firehol-<ver>/html
+
+---
+
+For example this is a sample firewall for simple home machine with samba
+and ssh:
+
+>version 5
+>
+>interface any world
+> policy reject
+>
+> server dns accept
+> server dhcp accept
+> server icmp accept
+> server ssh accept
+> server samba accept
+>
+> client all accept
+
+---
+
+This is a stripped down home server and router configuration (for a
+sophisticated version of this file see /usr/doc/firehol)
+
+>version 5
+>
+>interface eth0 home
+> server "dns ftp samba squid dhcp http ssh icmp" accept
+> client "samba icmp" accept
+>
+>interface ppp+ internet
+> server "smtp http ftp" accept
+> client allaccept
+>
+>router home2internet inface eth0 outface ppp+
+> route all accept
+
diff --git a/network/firehol/doinst.sh b/network/firehol/doinst.sh
new file mode 100644
index 0000000000000..1f2432eb09591
--- /dev/null
+++ b/network/firehol/doinst.sh
@@ -0,0 +1,23 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+# Keep same perms on rc.firehol.new:
+if [ -e etc/rc.d/rc.firehol ]; then
+ cp -a etc/rc.d/rc.firehol etc/rc.d/rc.firehol.new.incoming
+ cat etc/rc.d/rc.firehol.new > etc/rc.d/rc.firehol.new.incoming
+ mv etc/rc.d/rc.firehol.new.incoming etc/rc.d/rc.firehol.new
+fi
+
+config etc/rc.d/rc.firehol.new
+config etc/firehol/firehol.conf.new
+
diff --git a/network/firehol/firehol.SlackBuild b/network/firehol/firehol.SlackBuild
new file mode 100644
index 0000000000000..cf4bf42079012
--- /dev/null
+++ b/network/firehol/firehol.SlackBuild
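Review bot: The expansions inside config() are unquoted, so `[ ! -r $OLD ]`, `mv $NEW $OLD` and the `cat $OLD | md5sum` comparison split on whitespace or glob characters in the path; both callers here pass fixed paths, so this is a style point rather than a live defect. Quoting them, `OLD="$(dirname "$NEW")/$(basename "$NEW" .new)"` and `if [ ! -r "$OLD" ]; then`, keeps the helper safe if it is reused for another config file. The perms-preserving block for rc.firehol.new matters more than it looks, because the rc.firehol header notes that Slackware only runs the firewall script when it is executable; a comment such as `# keep the admin's executable bit, it decides whether the firewall starts at boot` would make that intent visible.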
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+# Slackware build script for FireHOL
+
+# Copyright 2008 Ferenc Deak <ferenc.deak@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=firehol
+VERSION=1.273
+ARCH=noarch
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e
+
+# prepare and extract
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar -xvjf $CWD/$PRGNAM-$VERSION.tar.bz2
+cd $PRGNAM-$VERSION
+chown -R root:root .
+chmod -R u+w,go+r-w,a-s .
+
+# install the application
+mkdir -p $PKG/usr/sbin/
+install firehol.sh $PKG/usr/sbin/firehol
+install get-iana.sh $PKG/usr/sbin/firehol-get-iana
+install adblock.sh $PKG/usr/sbin/firehol-adblock
+
+# install man pages
+mkdir -p $PKG/usr/man/{man1,man5}
+cat man/firehol.1 > $PKG/usr/man/man1/firehol.1
+cat man/firehol.conf.5 > $PKG/usr/man/man5/firehol.conf.5
+
+# compress man pages
+( cd $PKG/usr/man || exit 1
+ find . -type f -exec gzip -9 {} \;
+ for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+
+# install docs
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/{html,examples}
+cp -a COPYING ChangeLog README TODO WhatIsNew \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+cp -ar doc/* $PKG/usr/doc/$PRGNAM-$VERSION/html
+cp -ar examples/* $PKG/usr/doc/$PRGNAM-$VERSION/examples
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+# create /install
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+# handle config files in /etc
+mkdir -p $PKG/etc/{rc.d,firehol}
+cat $CWD/firehol.conf > $PKG/etc/firehol/firehol.conf.new
+cat $CWD/rc.firehol > $PKG/etc/rc.d/rc.firehol.new
+
+# create the package
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
+
diff --git a/network/firehol/firehol.conf b/network/firehol/firehol.conf
new file mode 100644
index 0000000000000..b9565ee6c9085
--- /dev/null
+++ b/network/firehol/firehol.conf
@@ -0,0 +1,3 @@
+# This is an empty firehol configuration file.
+# For examples see /usr/doc/firehol-<current-ver>/examples!
+
diff --git a/network/firehol/firehol.info b/network/firehol/firehol.info
new file mode 100644
index 0000000000000..033499df57ea8
--- /dev/null
+++ b/network/firehol/firehol.info
@@ -0,0 +1,8 @@
+PRGNAM="firehol"
+VERSION="1.0.3"
+HOMEPAGE="http://firehol.sf.net"
+DOWNLOAD="http://downloads.sourceforge.net/firehol/firehol-1.273.tar.bz2"
+MD5SUM="cbbe1ba21cf44955827d5c906a55aa21"
+MAINTAINER="fdeak"
+EMAIL="ferenc.deak@gmail.com"
+APPROVED="dsomero"
diff --git a/network/firehol/rc.firehol b/network/firehol/rc.firehol
new file mode 100644
index 0000000000000..6bb616751d74d
--- /dev/null
+++ b/network/firehol/rc.firehol
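Review bot: The man-page symlink loop `for i in $( find . -type l )` word-splits the find output, and `$CWD`, `$TMP`, `$PKG` and `$OUTPUT` are expanded unquoted throughout, so a `TMP` or `OUTPUT` value containing whitespace is split into several arguments; this follows the SBo template style, but `rm -rf $PKG` and `rm -rf $PRGNAM-$VERSION` are the two lines where that split would be destructive rather than merely failing under `set -e`. Quoting those is cheap, `rm -rf "$PKG"` and `rm -rf "$PRGNAM-$VERSION"`, and the loop can become `find . -type l -exec sh -c 'ln -s "$(readlink "$1").gz" "$1.gz"; rm "$1"' _ {} \;`. The `{man1,man5}`, `{html,examples}` and `{rc.d,firehol}` brace expansions under `#!/bin/sh` presumably rely on /bin/sh being bash on Slackware; a one-line comment stating that assumption would help anyone building on another sh.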
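Review bot: `VERSION="1.0.3"` in firehol.info disagrees with the DOWNLOAD line right below it (firehol-1.273.tar.bz2) and with `VERSION=1.273` in firehol.SlackBuild, so any tooling that derives the tarball or package name from the .info file will look for a source that does not exist. The fix is the single line `VERSION="1.273"`. The MD5SUM line is the only integrity check the build has on the downloaded archive, so it is worth confirming it was computed over the same 1.273 tarball the SlackBuild extracts.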
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# /etc/rc.d/rc.firehol
+#
+# Start/stop/restart the fireHOL firewall.
+#
+# Slackware starts 'rc.firewall' automatically if it is exists and
+# executable, to make fireHOL your default firewall, make this file
+# executable, and link it to rc.firewall:
+# ln -s rc.firehol rc.firewall
+# chmod 755 /etc/rc.d/rc.firehol
+# Alternatively you can call this script from rc.local, altough the
+# the first method is preferred.
+#
+# This is a basic start/stop/restart/reload startup script,
+# firehol has more options, you can use those by calling firehol
+# directly, see 'man firehol'.
+
+case "$1" in
+ 'start')
+ /usr/sbin/firehol start
+ ;;
+ 'stop')
+ /usr/sbin/firehol stop
+ ;;
+ 'restart'|'reload')
+ /usr/sbin/firehol restart
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ ;;
+esac
+
diff --git a/network/firehol/slack-desc b/network/firehol/slack-desc
new file mode 100644
index 0000000000000..3d3d3375312ed
--- /dev/null
+++ b/network/firehol/slack-desc
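Review bot: The usage message in the `*)` branch omits `reload`, which the `'restart'|'reload')` arm above accepts, and the branch falls through with status 0, so a mistyped argument from rc.local or an operator reports success while the firewall was never touched. Two lines cover it: `echo "Usage: $0 {start|stop|restart|reload}"` followed by `exit 1`. The header comment also has a doubled word in 'altough the the first method is preferred'.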
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+firehol: firehol (An easy to use but powerfull iptables stateful firewall)
+firehol:
+firehol: FireHOL uses an extremely simple but powerfull way to define firewall
+firehol: rules which it turns into complete stateful iptables firewalls.
+firehol: FireHOL is a generic firewall generator, meaning that you can design
+firehol: any kind of local or routing stateful packet filtering firewalls with
+firehol: ease.
+firehol: You can run FireHOL with the 'helpme' argument, to get a configuration
+firehol: file for the system run, which you can modify according to your needs.
+firehol:
+firehol: |