From 26e1286f3a1530d581150b2aceb22300968dbb99 Mon Sep 17 00:00:00 2001
From: Philip Lacroix
Date: Wed, 12 Mar 2014 07:29:12 +0700
Subject: network/arno-iptables-firewall: Added (a front-end for iptables).

Signed-off-by: Willy Sudiarto Raharjo
---
 network/arno-iptables-firewall/README | 41 +++++++
 .../arno-iptables-firewall.SlackBuild | 126 +++++++++++++++++++++
 .../arno-iptables-firewall.info | 10 ++
 network/arno-iptables-firewall/conf.d.readme | 5 +
 network/arno-iptables-firewall/doinst.sh | 14 +++
 .../patch-configuration-file.diff | 16 +++
 .../patch-configuration-script.diff | 77 +++++++++++++
 .../patch-startup-script.diff | 25 ++++
 network/arno-iptables-firewall/slack-desc | 19 ++++
 9 files changed, 333 insertions(+)
 create mode 100644 network/arno-iptables-firewall/README
 create mode 100644 network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild
 create mode 100644 network/arno-iptables-firewall/arno-iptables-firewall.info
 create mode 100644 network/arno-iptables-firewall/conf.d.readme
 create mode 100644 network/arno-iptables-firewall/doinst.sh
 create mode 100644 network/arno-iptables-firewall/patch-configuration-file.diff
 create mode 100644 network/arno-iptables-firewall/patch-configuration-script.diff
 create mode 100644 network/arno-iptables-firewall/patch-startup-script.diff
 create mode 100644 network/arno-iptables-firewall/slack-desc

diff --git a/network/arno-iptables-firewall/README b/network/arno-iptables-firewall/README
new file mode 100644
index 0000000000000..8cee93f4577b1
--- /dev/null
+++ b/network/arno-iptables-firewall/README
@@ -0,0 +1,41 @@
+arno-iptables-firewall is a front-end for iptables. Its configuration
+script will setup a secure and restrictive firewall by just asking a
+few questions. This includes configuring internal networks for Internet
+access via NAT and network services like http or ssh. Moreover, it
+provides many advanced additional features that can be enabled in the
+well documented configuration file.
+
+PLEASE NOTE - The setup script is NOT going to be run automatically
+after your package is installed. In order to do that, you'll have to
+issue the following command:
+
+# arno-iptables-firewall-configure
+
+To enable firewall startup at boot-time you'll need to create a symlink
+as follows (remove the link to disable automatic firewall startup):
+
+# ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall
+# chmod +x /etc/rc.d/rc.arno-iptables-firewall
+
+When everything is ready you can start the firewall manually with one
+of the following commands:
+
+# /etc/rc.d/rc.arno-iptables-firewall start
+
+# arno-iptables-firewall start
+
+IMPORTANT - Here are some security notes from the upstream author:
+
+1) If possible, make sure that the firewall is started before the (ADSL)
+Internet connection is enabled. For a ppp-interface that doesn't exist
+yet you can use the wildcard device called "ppp+" (but you can only use
+ppp+ if there aren't any other ppp interfaces).
+
+2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't
+really understand what they mean. Changing them anyway could have a big
+impact on the security of your machine.
+
+3) A lot of people complain that their server stopped working after
+installing the firewall. This is the CORRECT behaviour for a firewall:
+blocking ALL incoming traffic by default. Configure your e.g. OPEN_TCP
+accordingly.
diff --git a/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild b/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild
new file mode 100644
index 0000000000000..6be33adc9112f
--- /dev/null
+++ b/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild
@@ -0,0 +1,126 @@
+#!/bin/sh
+
+# Slackware build script for arno-iptables-firewall
+
+# Copyright 2013-2014 Philip Lacroix
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Thanks to Matteo Bernardini and Robby Workman for their valuable remarks.
+
+PRGNAM=arno-iptables-firewall
+VERSION=${VERSION:-2.0.1d}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=${PKG:-$TMP/package-$PRGNAM}
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM\_$VERSION
+tar xvf $CWD/$PRGNAM\_$VERSION.tar.gz
+
+cd $PRGNAM\_$VERSION
+chown -R root:root .
+find -L . \
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+ -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 \
+ -o -perm 400 \) -exec chmod 644 {} \;
+
+PRGBIN=$PKG/usr/sbin
+PRGETC=$PKG/etc/$PRGNAM
+PRGSHR=$PKG/usr/share/$PRGNAM
+PRGDOC=$PKG/usr/doc/$PRGNAM-$VERSION
+PRGMAN=$PKG/usr/man
+
+# Copy firewall, log filter and configuration executables
+mkdir -p $PRGBIN
+cp -a ./bin/$PRGNAM $PRGBIN/
+cp -a ./configure.sh $PRGBIN/$PRGNAM-configure
+cp -a ./bin/arno-fwfilter $PRGBIN/
+
+# Patch the configuration script. We need this in order to be able to
+# run the script from outside the source directory as well. We're going
+# to (1) change from relative to absolute the path to the environment
+# file and firewall executable; (2) rename and change the path to the
+# startup script (this is for better consistency with Slackware's init
+# system); (3) change the path to the unmodified copy of the config
+# file, needed to check for existing custom setups. We will NOT create
+# a Slackware-compliant /etc/rc.d/rc.firewall symlink to the startup
+# script, as this should be done manually by the sysadmin. We won't
+# create any SystemV-style symlinks either. Finally (4) we append the
+# note, picked from the original installation script and slightly
+# enhanced, that will be shown to the user when configuration is done
+# (this is to inform that an rc.firewall symlink has to be created in
+# order to start up the firewall at boot-time in a proper way).
+patch $PRGBIN/$PRGNAM-configure < $CWD/patch-configuration-script.diff
+
+# Copy and compress man pages
+mkdir -p $PRGMAN
+cp -a ./share/man/* $PRGMAN/
+find $PRGMAN -type f -exec gzip -9 {} \;
+
+# Copy and rename configuration files; apply patch to main config file
+# in order to fix paths; set permissions.
+mkdir -p $PRGETC/conf.d
+cp -a ./etc/$PRGNAM/* $PRGETC/
+cat $CWD/conf.d.readme > $PRGETC/conf.d/README
+patch $PRGETC/firewall.conf < $CWD/patch-configuration-file.diff
+for conf in $( find $PRGETC -type f -not -name README ); do
+ mv ${conf} ${conf}.new
+ chmod 600 ${conf}.new
+done
+
+# Copy shared data; include a clean copy of the configuration file, as
+# expected by the configuration script for comparison purposes; create
+# link to plugin as in the original script.
+mkdir -p $PRGSHR
+cp -a ./share/$PRGNAM/* $PRGSHR/
+cp -a $PRGETC/firewall.conf.new $PRGSHR/firewall.conf.orig
+ln -sv /usr/share/$PRGNAM/plugins/traffic-accounting-show $PRGBIN/
+
+# Install startup script and set permissions; apply patch to fix path
+# to the executable file and make comments more consistent with the
+# Slackware system.
+mkdir -p $PKG/etc/rc.d/
+install -m 0644 ./etc/init.d/$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM
+patch $PKG/etc/rc.d/rc.$PRGNAM < $CWD/patch-startup-script.diff
+
+# Copy documentation, include third-party sample files.
+mkdir -p $PRGDOC/contrib $PKG/usr/doc
+for doc in README CHANGELOG gpl_license.txt ; do
+ cp -a ./${doc} $PRGDOC/
+done
+cp -a ./contrib/adsl-failover $PRGDOC/contrib/
+cp -a ./contrib/Slackware/syslog.conf $PRGDOC/contrib/
+cat $CWD/$PRGNAM.SlackBuild > $PRGDOC/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-noarch-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/network/arno-iptables-firewall/arno-iptables-firewall.info b/network/arno-iptables-firewall/arno-iptables-firewall.info
new file mode 100644
index 0000000000000..ad1a473ee1d65
--- /dev/null
+++ b/network/arno-iptables-firewall/arno-iptables-firewall.info
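Review bot: `install -m 0644 ./etc/init.d/$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM` ships the rc script non-executable without saying why, and a reader who notices that the patched configure script later runs `chmod 755` on the very same file may read 0644 as an oversight rather than the "inert until configured" default the README describes. A one-line comment next to it would settle that: `# Deliberately not executable: nothing may start this firewall at boot until the admin has run the configure script and created the rc.firewall symlink (see README).` Separately, `for conf in $( find $PRGETC -type f -not -name README )` depends on word splitting; the paths shipped here have no whitespace so it is harmless today, but `find "$PRGETC" -type f ! -name README -exec sh -c 'mv "$1" "$1.new" && chmod 600 "$1.new"' _ {} \;` does the same job without that dependency. The `chmod 600` itself matches what the patched configure script enforces on `$FIREWALL_CONF`, so package and tool agree on the config file's mode.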
@@ -0,0 +1,10 @@
+PRGNAM="arno-iptables-firewall"
+VERSION="2.0.1d"
+HOMEPAGE="http://rocky.eld.leidenuniv.nl"
+DOWNLOAD="http://rocky.eld.leidenuniv.nl/arno-iptables-firewall/arno-iptables-firewall_2.0.1d.tar.gz"
+MD5SUM="c0504a92f7f34f6973ce1d9996b4908d"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES=""
+MAINTAINER="Philip Lacroix"
+EMAIL="philnx at bluebottle dot com"
diff --git a/network/arno-iptables-firewall/conf.d.readme b/network/arno-iptables-firewall/conf.d.readme
new file mode 100644
index 0000000000000..e64d1b133eb32
--- /dev/null
+++ b/network/arno-iptables-firewall/conf.d.readme
@@ -0,0 +1,5 @@
+# /etc/arno-iptables-firewall/conf.d/
+
+Files with a .conf extension in this directory will be sourced by the
+environment file.
+
diff --git a/network/arno-iptables-firewall/doinst.sh b/network/arno-iptables-firewall/doinst.sh
new file mode 100644
index 0000000000000..5129a9435f7d6
--- /dev/null
+++ b/network/arno-iptables-firewall/doinst.sh
@@ -0,0 +1,14 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ rm $NEW
+ fi
+}
+
+CONFIG=${CONFIG:-/etc/arno-iptables-firewall}
+for conf in $( find $CONFIG -name *.new ) ; do
+ config ${conf}
+done
diff --git a/network/arno-iptables-firewall/patch-configuration-file.diff b/network/arno-iptables-firewall/patch-configuration-file.diff
new file mode 100644
index 0000000000000..f49ee6099f981
--- /dev/null
+++ b/network/arno-iptables-firewall/patch-configuration-file.diff
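Review bot: `MD5SUM` is the only check applied to a tarball fetched from an `http://` URL, and it pins integrity against whatever the maintainer downloaded rather than authenticity of the upstream release; MD5 is also no longer collision-resistant, though the SBo .info format fixes the field so the value itself is not the issue. I cannot see from this page whether upstream publishes a signature or a stronger digest for 2.0.1d; if it does, a sentence in the README telling the builder to cross-check against it would turn this into a real supply-chain control, and if it does not, that is worth stating so nobody mistakes the md5 for more than a fingerprint.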
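Review bot: `find $CONFIG -name *.new` leaves the glob unquoted, so if the directory doinst.sh is run from happens to contain a `*.new` entry the shell expands it before `find` sees it and the loop processes the wrong names or nothing at all; `-name '*.new'` closes that. The unquoted `$OLD`/`$NEW` in `[ ! -r $OLD ]`, `mv $NEW $OLD`, `rm $NEW` and `cat $OLD | md5sum` have the same shape and are only safe because the paths shipped here contain no whitespace. A short comment on `config()` would also help the next maintainer: the `.new` files arrive 0600 from the SlackBuild and `mv` keeps that mode on a fresh install, while an existing firewall.conf that differs is never touched and its `.new` sibling is left behind for a manual merge.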
@@ -0,0 +1,16 @@
+235c235
+< IP4TABLES="/sbin/iptables"
+---
+> IP4TABLES="/usr/sbin/iptables"
+240c240
+< IP6TABLES="/sbin/ip6tables"
+---
+> IP6TABLES="/usr/sbin/ip6tables"
+244c244
+< ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
+---
+> ENV_FILE="/usr/share/arno-iptables-firewall/environment"
+248c248
+< PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins"
+---
+> PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
diff --git a/network/arno-iptables-firewall/patch-configuration-script.diff b/network/arno-iptables-firewall/patch-configuration-script.diff
new file mode 100644
index 0000000000000..6cdc80c7ad0ab
--- /dev/null
+++ b/network/arno-iptables-firewall/patch-configuration-script.diff
@@ -0,0 +1,77 @@
+34,35c34,35
+< if [ -f ./share/arno-iptables-firewall/environment ]; then
+< . ./share/arno-iptables-firewall/environment
+---
+> if [ -f /usr/share/arno-iptables-firewall/environment ]; then
+> . /usr/share/arno-iptables-firewall/environment
+37c37
+< printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n" >&2
+---
+> printf "\033[40m\033[1;31mERROR: Could not read environment file /usr/share/arno-iptables-firewall/environment!\033[0m\n" >&2
+219c219
+<
+---
+>
+221,223c221,223
+< chmod 755 /etc/init.d/arno-iptables-firewall
+< chown 0:0 "$FIREWALL_CONF" /etc/init.d/arno-iptables-firewall
+< chmod 600 "$FIREWALL_CONF"
+---
+> chmod 755 /etc/rc.d/rc.arno-iptables-firewall
+> chown 0:0 "$FIREWALL_CONF" /etc/rc.d/rc.arno-iptables-firewall
+> chmod 600 "$FIREWALL_CONF"
+228c228
+< AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"
+---
+> AIF_VERSION="$(grep "MY_VERSION=" /usr/sbin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"
+236,252d235
+< # Remove any symlinks in rc*.d out of the way
+< rm -f /etc/rc*.d/*arno-iptables-firewall
+<
+< if get_user_yn "Do you want to start the firewall at boot (via /etc/init.d/) (Y/N)?" "y"; then
+< if [ -d /etc/rcS.d ]; then
+< ln -sv /etc/init.d/arno-iptables-firewall /etc/rcS.d/S41arno-iptables-firewall
+< else
+< ln -sv /etc/init.d/arno-iptables-firewall /etc/rc2.d/S11arno-iptables-firewall
+< fi
+<
+< # Check for insserv. Used for dependency based booting on eg. Debian
+< INSSERV="$(find_command /sbin/insserv)"
+< if [ -n "$INSSERV" ]; then
+< "$INSSERV" arno-iptables-firewall
+< fi
+< fi
+<
+254c237
+< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "1"
+---
+> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "1"
+256c239
+< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "0"
+---
+> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "0"
+259c242
+< if diff ./etc/arno-iptables-firewall/firewall.conf "$FIREWALL_CONF" >/dev/null; then
+---
+> if diff /usr/share/arno-iptables-firewall/firewall.conf.orig "$FIREWALL_CONF" >/dev/null; then
+275a259,276
+> echo ""
+> echo "-------------------------------------------------------------------------------"
+> echo "** NOTE: 1) You can now (manually) start the firewall by executing **"
+> echo "** \"/etc/rc.d/rc.arno-iptables-firewall start\" **"
+> echo "** It is recommended however to first review the settings in **"
+> echo "** /etc/arno-iptables-firewall/firewall.conf! **"
+> echo "** **"
+> echo "** 2) In order to start the firewall automatically at boot-time, **"
+> echo "** you will need to manually create in /etc/rc.d/ an appropriate **"
+> echo "** symlink, named \"rc.firewall\", pointing to the startup script. **"
+> echo "** To do that, issue the following command: **"
+> echo "** **"
+> echo "** ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall **"
+> echo "** **"
+> echo "** Simply delete the link if you wish to disable firewall startup **"
+> echo "** at boot-time. **"
+> echo "-------------------------------------------------------------------------------"
+> echo ""
+278d278
+<
diff --git a/network/arno-iptables-firewall/patch-startup-script.diff b/network/arno-iptables-firewall/patch-startup-script.diff
new file mode 100644
index 0000000000000..c6dd915c7854b
--- /dev/null
+++ b/network/arno-iptables-firewall/patch-startup-script.diff
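Review bot: The appended note tells the admin to run `ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall` but says nothing about a pre-existing `/etc/rc.d/rc.firewall`, which on a Slackware host is often a hand-written rule set; `ln -sv` refuses to overwrite it, and whichever script that name resolves to is the one that runs at boot, so the rules just configured may never be the ones loaded. One more echo line before the `ln -sv` one, e.g. `echo "** Check first with \"ls -l /etc/rc.d/rc.firewall\" that no other firewall script already owns that name. **"`, would close the gap. It is also worth stating in the note that `chmod 755 /etc/rc.d/rc.arno-iptables-firewall` has just been applied by this script, since the README presents `chmod +x` as a separate manual step; the script is presumably still inert without the symlink, but I cannot confirm that from this page. The configure-script logic surrounding these lines is not shown in the hunk.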
@@ -0,0 +1,25 @@
+4c4
+< # description: init.d script for Arno's iptables firewall
+---
+> # description: rc.d script for Arno's iptables firewall
+7c7
+< # Provides: arno-iptables-firewall
+---
+> # Provides: rc.arno-iptables-firewall
+16,20c16,21
+< # You should put this script in eg. "/etc/init.d/" . #
+< # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it #
+< # If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or #
+< # (for eg. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script #
+< # ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). #
+---
+> # You should put this script in "/etc/rc.d/". #
+> # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it. #
+> # If you want to run it upon boot, either create an "/etc/rc.d/rc.firewall" symlink to the #
+> # present script ("ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall") or #
+> # edit the network system startup script "/etc/rc.d/rc.inet2" by renaming both occurrences #
+> # of "rc.firewall" to match this script's name (i.e. "rc.arno-iptables-firewall"). #
+24c25
+< PROGRAM="/usr/local/sbin/arno-iptables-firewall"
+---
+> PROGRAM="/usr/sbin/arno-iptables-firewall"
diff --git a/network/arno-iptables-firewall/slack-desc b/network/arno-iptables-firewall/slack-desc
new file mode 100644
index 0000000000000..80e82a06f9189
--- /dev/null
+++ b/network/arno-iptables-firewall/slack-desc
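Review bot: The rewritten header comment offers editing `/etc/rc.d/rc.inet2` as an alternative to the `rc.firewall` symlink, but rc.inet2 is presumably owned by a base Slackware package, in which case an upgrade can replace it together with the renamed `rc.firewall` references, so the host would come up without this firewall and nothing would say so. The symlink survives that, so I would either drop the second alternative or mark it, e.g. `# (editing rc.inet2 is not recommended: the change is lost when that script is upgraded)`. The `chmod 700` / `chmod +x` advice on the line above is consistent with the package shipping the script as 0644 and with the README's instructions.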
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+arno-iptables-firewall: arno-iptables-firewall (a front-end for iptables)
+arno-iptables-firewall:
+arno-iptables-firewall: arno-iptables-firewall is a front-end for iptables. Its configuration
+arno-iptables-firewall: script will setup a secure and restrictive firewall by just asking a
+arno-iptables-firewall: few questions. This includes the configuration of internal networks
+arno-iptables-firewall: for Internet access via NAT and network services like http or ssh.
+arno-iptables-firewall: Moreover, it provides many advanced additional features that can be
+arno-iptables-firewall: enabled in the well documented configuration file.
+arno-iptables-firewall:
+arno-iptables-firewall: Homepage: http://rocky.eld.leidenuniv.nl
+arno-iptables-firewall:
-- cgit v1.2.3