--- /dev/null
+The Debian Package hcoop-firewall-config
+----------------------------
+
+Comments regarding the Package
+
+ -- Clinton Ebadi <clinton@unknownlamer.org> Thu, 29 Mar 2012 01:24:08 -0400
--- /dev/null
+hcoop-firewall-config for Debian
+--------------------------------
+
+<possible notes regarding this package - if none, delete this file>
+
+ -- Clinton Ebadi <clinton@unknownlamer.org> Thu, 29 Mar 2012 01:24:08 -0400
--- /dev/null
+hcoop-firewall-config for Debian
+--------------------------------
+
+<this file describes information about the source package, see Debian policy
+manual section 4.14. You WILL either need to modify or delete this file>
+
+
+
+
--- /dev/null
+hcoop-firewall-config (0) stable; urgency=low
+
+ * Initial Release.
+
+ -- Clinton Ebadi <clinton@unknownlamer.org> Thu, 29 Mar 2012 01:24:08 -0400
--- /dev/null
+Source: hcoop-firewall-config
+Section: hcoop-config/net
+Priority: extra
+Maintainer: Clinton Ebadi <clinton@unknownlamer.org>
+Build-Depends: cdbs (>= 0.4.85~),
+ debhelper (>= 8~),
+ dh-buildinfo,
+ config-package-dev (>= 4.5~)
+Standards-Version: 3.9.2
+Homepage: http://hcoop.net/
+Vcs-Git: git://git.hcoop.net/git/hcoop/debian/hcoop-firewall-config.git
+Vcs-Browser: http://git.hcoop.net/?p=hcoop/debian/hcoop-firewall-config.git;a=summary
+
+Package: hcoop-firewall-config
+Architecture: all
+Depends: cdbs, sudo, ferm, ${misc:Depends}
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: HCoop admin access configuration
+ Configuration needed from admin users to access nodes and perform
+ administrative tasks (e.g. sudoers).
\ No newline at end of file
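Review bot: The `Description:` at the end of the binary stanza talks about admin access and sudoers rather than the ferm firewall configuration this package installs, and `Depends:` lists `sudo`; both look carried over from another config package. Someone auditing the installed packages on a node would not learn from this text that the package replaces the host firewall ruleset. Suggest a synopsis such as `Description: HCoop firewall (ferm) configuration`, with a long description saying that it diverts the stock ferm.conf and installs the HCoop ruleset, and dropping `sudo` from `Depends:` if nothing in the package uses it.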
--- /dev/null
+files/* etc/ferm
\ No newline at end of file
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DEB_DIVERT_EXTENSION =.hcoop
+DEB_DIVERT_FILES_hcoop-firewall-config += \
+ /etc/ferm/ferm.conf.hcoop
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/config-package.mk
--- /dev/null
+3.0 (native)
--- /dev/null
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local packet
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp ACCEPT;
+
+ # allow IPsec
+ proto udp dport 500 ACCEPT;
+ proto (esp ah) ACCEPT;
+
+ proto tcp dport ssh ACCEPT;
+
+ # domtool slave
+ proto tcp dport 1235 ACCEPT;
+
+ proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;
+
+ # system ports
+ @include 'local_ports_in.conf';
+ #@include 'users_tcp_in.conf'
+ }
+ chain OUTPUT {
+ policy DROP;
+
+ # connection tracking
+ #mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp dport ssh ACCEPT;
+
+ # connections to domtool dispatcher and slaves (for e.g. QFoo)
+ proto tcp dport 1234 ACCEPT;
+ proto tcp dport 1235 ACCEPT;
+
+ proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
+
+ proto (tcp udp) dport ntp ACCEPT;
+ proto (tcp udp) dport domain ACCEPT;
+
+ # root needs port 80 for things like apt-get
+ mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
+
+ @include 'local_ports_out.conf';
+ #include 'users_tcp_out.conf'
+ }
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+}
+
+#include 'user_chains.conf'
+
+# IPv6:
+#domain ip6 {
+# table filter {
+# chain INPUT {
+# policy ACCEPT;
+# # ...
+# }
+# # ...
+# }
+#}
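Review bot: The IPv6 section at the end of the file is left commented out, so ferm only generates IPv4 rules from this file and the `policy DROP` stance above does not extend to IPv6; on a node with a routable IPv6 address the ports closed here would presumably still be reachable over ip6. Either add a `domain ip6` block with the same default-deny INPUT/FORWARD policy (keeping ICMPv6 open, since neighbour discovery depends on it), as sketched below, or add a comment stating that IPv6 is disabled on these hosts. Separately, OUTPUT has `policy DROP` but no `outerface lo ACCEPT;` to match `interface lo ACCEPT;` in INPUT, so new loopback connections to ports not listed would be dropped unless local_ports_out.conf (not shown) allows them. `proto icmp ACCEPT;` also accepts every ICMP type although its comment only mentions ping.

```ferm
# … unchanged: IPv4 "table filter { … }" block …

domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;

            # neighbour discovery and path MTU discovery depend on ICMPv6,
            # so accept it before the conntrack INVALID drop
            proto ipv6-icmp ACCEPT;

            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            interface lo ACCEPT;

            proto tcp dport ssh ACCEPT;
        }
        chain FORWARD {
            policy DROP;
        }
    }
}
```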