Basic restrictive firewall debian/0
authorClinton Ebadi <clinton@unknownlamer.org>
Thu, 29 Mar 2012 06:48:44 +0000 (02:48 -0400)
committerClinton Ebadi <clinton@unknownlamer.org>
Thu, 29 Mar 2012 06:48:44 +0000 (02:48 -0400)
* Only open ports needed for kerberos, afs, ntp, dns requests, ssh
* Only root can open http connections (for apt)
* Outgoing icmp requests disabled for now -- this was the default,
  not certain if there are any advantages/disadvantages to this
* Include local in/out ports using local conffiles (for now, fwtool
  will surface properly eventually)

14 files changed:
debian/README [new file with mode: 0644]
debian/README.Debian [new file with mode: 0644]
debian/README.source [new file with mode: 0644]
debian/changelog [new file with mode: 0644]
debian/compat [new file with mode: 0644]
debian/control [new file with mode: 0644]
debian/copyright [new file with mode: 0644]
debian/docs [new file with mode: 0644]
debian/hcoop-firewall-config.install [new file with mode: 0644]
debian/rules [new file with mode: 0755]
debian/source/format [new file with mode: 0644]
files/ferm.conf.hcoop [new file with mode: 0644]
files/local_ports_in.conf [new file with mode: 0644]
files/local_ports_out.conf [new file with mode: 0644]

diff --git a/debian/README b/debian/README
new file mode 100644 (file)
index 0000000..fee0b9d
--- /dev/null
@@ -0,0 +1,6 @@
+The Debian Package hcoop-firewall-config
+----------------------------
+
+Comments regarding the Package
+
+ -- Clinton Ebadi <clinton@unknownlamer.org>  Thu, 29 Mar 2012 01:24:08 -0400
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644 (file)
index 0000000..88a2521
--- /dev/null
@@ -0,0 +1,6 @@
+hcoop-firewall-config for Debian
+--------------------------------
+
+<possible notes regarding this package - if none, delete this file>
+
+ -- Clinton Ebadi <clinton@unknownlamer.org>  Thu, 29 Mar 2012 01:24:08 -0400
diff --git a/debian/README.source b/debian/README.source
new file mode 100644 (file)
index 0000000..0662359
--- /dev/null
@@ -0,0 +1,9 @@
+hcoop-firewall-config for Debian
+--------------------------------
+
+<this file describes information about the source package, see Debian policy
+manual section 4.14. You WILL either need to modify or delete this file>
+
+
+
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644 (file)
index 0000000..8075d45
--- /dev/null
@@ -0,0 +1,5 @@
+hcoop-firewall-config (0) stable; urgency=low
+
+  * Initial Release.
+
+ -- Clinton Ebadi <clinton@unknownlamer.org>  Thu, 29 Mar 2012 01:24:08 -0400
diff --git a/debian/compat b/debian/compat
new file mode 100644 (file)
index 0000000..45a4fb7
--- /dev/null
@@ -0,0 +1 @@
+8
diff --git a/debian/control b/debian/control
new file mode 100644 (file)
index 0000000..f86ab81
--- /dev/null
@@ -0,0 +1,21 @@
+Source: hcoop-firewall-config
+Section: hcoop-config/net
+Priority: extra
+Maintainer: Clinton Ebadi <clinton@unknownlamer.org>
+Build-Depends: cdbs (>= 0.4.85~),
+ debhelper (>= 8~),
+ dh-buildinfo,
+ config-package-dev (>= 4.5~)
+Standards-Version: 3.9.2
+Homepage: http://hcoop.net/
+Vcs-Git: git://git.hcoop.net/git/hcoop/debian/hcoop-firewall-config.git
+Vcs-Browser: http://git.hcoop.net/?p=hcoop/debian/hcoop-firewall-config.git;a=summary
+
+Package: hcoop-firewall-config
+Architecture: all
+Depends: cdbs, sudo, ferm, ${misc:Depends}
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: HCoop admin access configuration
+ Configuration needed from admin users to access nodes and perform
+ administrative tasks (e.g. sudoers).
\ No newline at end of file
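Review bot: The package metadata still describes a different package: `Description: HCoop admin access configuration` and the "(e.g. sudoers)" sentence do not describe a ferm firewall configuration, and the runtime `Depends: cdbs, sudo, ferm, ${misc:Depends}` pulls in cdbs, which is a build-time tool already listed under Build-Depends. Unless sudo is genuinely needed at runtime by this package, `Depends: ferm, ${misc:Depends}` together with a description such as `Description: HCoop restrictive firewall configuration for ferm` would match what the .install and rules files actually ship. This reads like a leftover from a sibling hcoop-*-config template, so it may simply be a copy that was never updated.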
diff --git a/debian/copyright b/debian/copyright
new file mode 100644 (file)
index 0000000..8b13789
--- /dev/null
@@ -0,0 +1 @@
+
diff --git a/debian/docs b/debian/docs
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/debian/hcoop-firewall-config.install b/debian/hcoop-firewall-config.install
new file mode 100644 (file)
index 0000000..4ddf853
--- /dev/null
@@ -0,0 +1 @@
+files/* etc/ferm
\ No newline at end of file
diff --git a/debian/rules b/debian/rules
new file mode 100755 (executable)
index 0000000..5219b17
--- /dev/null
@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DEB_DIVERT_EXTENSION =.hcoop
+DEB_DIVERT_FILES_hcoop-firewall-config += \
+       /etc/ferm/ferm.conf.hcoop
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/config-package.mk
diff --git a/debian/source/format b/debian/source/format
new file mode 100644 (file)
index 0000000..89ae9db
--- /dev/null
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/files/ferm.conf.hcoop b/files/ferm.conf.hcoop
new file mode 100644 (file)
index 0000000..2637c92
--- /dev/null
@@ -0,0 +1,79 @@
+# -*- shell-script -*-
+#
+#  Configuration file for ferm(1).
+#
+
+table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local packet
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp ACCEPT; 
+
+        # allow IPsec
+        proto udp dport 500 ACCEPT;
+        proto (esp ah) ACCEPT;
+
+       proto tcp dport ssh ACCEPT;
+
+        # domtool slave
+       proto tcp dport 1235 ACCEPT;
+
+       proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;
+
+       # system ports
+       @include 'local_ports_in.conf';
+       #@include 'users_tcp_in.conf'
+    }
+    chain OUTPUT {
+        policy DROP;
+
+        # connection tracking
+        #mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+       proto tcp dport ssh ACCEPT;
+
+        # connections to domtool dispatcher and slaves (for e.g. QFoo)
+       proto tcp dport 1234 ACCEPT;
+       proto tcp dport 1235 ACCEPT;
+
+       proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
+
+       proto (tcp udp) dport ntp ACCEPT;
+       proto (tcp udp) dport domain ACCEPT;
+
+        # root needs port 80 for things like apt-get
+       mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
+
+       @include 'local_ports_out.conf';
+       #include 'users_tcp_out.conf'
+    }
+    chain FORWARD {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+    }
+}
+
+#include 'user_chains.conf'
+
+# IPv6:
+#domain ip6 {
+#    table filter {
+#        chain INPUT {
+#            policy ACCEPT;
+#            # ...
+#        }
+#        # ...
+#    }
+#}
diff --git a/files/local_ports_in.conf b/files/local_ports_in.conf
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/files/local_ports_out.conf b/files/local_ports_out.conf
new file mode 100644 (file)
index 0000000..e69de29