From: Clinton Ebadi
Date: Thu, 29 Mar 2012 06:48:44 +0000 (-0400)
Subject: Basic restrictive firewall
X-Git-Tag: debian/0
X-Git-Url: https://git.hcoop.net/hcoop/zz_old/debian/hcoop-firewall-config.git/commitdiff_plain/refs/tags/debian/0
Basic restrictive firewall
* Only open ports needed for kerberos, afs, ntp, dns requests, ssh
* Only root can open http connections (for apt)
* Outgoing icmp requests disabled for now -- this was thh default, not certain if there are any advantages/disadvantages to this
* Include local in/out ports using local conffiles (for now, fwtool will surface properly eventually)
---
d4245e04087ddf9d3a8284357c710be5351ca073
diff --git a/debian/README b/debian/README
new file mode 100644
index 0000000..fee0b9d
--- /dev/null
+++ b/debian/README
@@ -0,0 +1,6 @@
+The Debian Package hcoop-firewall-config
+----------------------------
+
+Comments regarding the Package
+
+ -- Clinton Ebadi Thu, 29 Mar 2012 01:24:08 -0400
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..88a2521
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,6 @@
+hcoop-firewall-config for Debian
+--------------------------------
+
+
+
+ -- Clinton Ebadi Thu, 29 Mar 2012 01:24:08 -0400
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..0662359
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,9 @@
+hcoop-firewall-config for Debian
+--------------------------------
+
+
+
+
+
+
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..8075d45
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+hcoop-firewall-config (0) stable; urgency=low
+
+ * Initial Release.
+
+ -- Clinton Ebadi Thu, 29 Mar 2012 01:24:08 -0400
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..45a4fb7
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+8
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..f86ab81
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,21 @@
+Source: hcoop-firewall-config
+Section: hcoop-config/net
+Priority: extra
+Maintainer: Clinton Ebadi
+Build-Depends: cdbs (>= 0.4.85~),
+ debhelper (>= 8~),
+ dh-buildinfo,
+ config-package-dev (>= 4.5~)
+Standards-Version: 3.9.2
+Homepage: http://hcoop.net/
+Vcs-Git: git://git.hcoop.net/git/hcoop/debian/hcoop-firewall-config.git
+Vcs-Browser: http://git.hcoop.net/?p=hcoop/debian/hcoop-firewall-config.git;a=summary
+
+Package: hcoop-firewall-config
+Architecture: all
+Depends: cdbs, sudo, ferm, ${misc:Depends}
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: HCoop admin access configuration
+ Configuration needed from admin users to access nodes and perform
+ administrative tasks (e.g. sudoers).
\ No newline at end of file
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1 @@
+
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e69de29
diff --git a/debian/hcoop-firewall-config.install b/debian/hcoop-firewall-config.install
new file mode 100644
index 0000000..4ddf853
--- /dev/null
+++ b/debian/hcoop-firewall-config.install
@@ -0,0 +1 @@
+files/* etc/ferm
\ No newline at end of file
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..5219b17
--- /dev/null
+++ b/debian/rules
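Review bot: `Description: HCoop admin access configuration` and its body (`... perform administrative tasks (e.g. sudoers)`) describe a different package, and `Depends: cdbs, sudo, ferm, ${misc:Depends}` looks copy-pasted from the same place — cdbs is a build-time tool (already in Build-Depends) and nothing shipped here uses sudo, so every firewalled node pulls in two packages it does not need. Suggest `Depends: ferm, ${misc:Depends}` and `Description: HCoop firewall configuration` with a one-line body such as ` Default-deny ferm(1) ruleset for HCoop nodes (ssh, kerberos, AFS, NTP, DNS).`. The `Vcs-Git: git://` URL is an unauthenticated transport; harmless for browsing, but worth switching to an https form if package builds ever fetch from it.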
@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DEB_DIVERT_EXTENSION =.hcoop
+DEB_DIVERT_FILES_hcoop-firewall-config += \
+ /etc/ferm/ferm.conf.hcoop
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/config-package.mk
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/files/ferm.conf.hcoop b/files/ferm.conf.hcoop
new file mode 100644
index 0000000..2637c92
--- /dev/null
+++ b/files/ferm.conf.hcoop
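Review bot: Diverting `/etc/ferm/ferm.conf` via `DEB_DIVERT_FILES_hcoop-firewall-config` swaps the file on disk but nothing in this package reloads ferm, so on a running node the default-DROP ruleset only takes effect at the next ferm restart or reboot — an admin who installs the package and checks `dpkg -l` may believe the host is firewalled when the old rules are still loaded. Unless something outside this package restarts ferm (I cannot see that from here), add a `debian/postinst` that reloads it after the diversion is in place, e.g. `#DIVERT#` followed by `invoke-rc.d ferm reload || true`, and the matching `prerm`/`postrm` so removal restores the original config and reloads too.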
@@ -0,0 +1,79 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local packet
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp ACCEPT;
+
+ # allow IPsec
+ proto udp dport 500 ACCEPT;
+ proto (esp ah) ACCEPT;
+
+ proto tcp dport ssh ACCEPT;
+
+ # domtool slave
+ proto tcp dport 1235 ACCEPT;
+
+ proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;
+
+ # system ports
+ @include 'local_ports_in.conf';
+ #@include 'users_tcp_in.conf'
+ }
+ chain OUTPUT {
+ policy DROP;
+
+ # connection tracking
+ #mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp dport ssh ACCEPT;
+
+ # connections to domtool dispatcher and slaves (for e.g. QFoo)
+ proto tcp dport 1234 ACCEPT;
+ proto tcp dport 1235 ACCEPT;
+
+ proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
+
+ proto (tcp udp) dport ntp ACCEPT;
+ proto (tcp udp) dport domain ACCEPT;
+
+ # root needs port 80 for things like apt-get
+ mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
+
+ @include 'local_ports_out.conf';
+ #include 'users_tcp_out.conf'
+ }
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+}
+
+#include 'user_chains.conf'
+
+# IPv6:
+#domain ip6 {
+# table filter {
+# chain INPUT {
+# policy ACCEPT;
+# # ...
+# }
+# # ...
+# }
+#}
diff --git a/files/local_ports_in.conf b/files/local_ports_in.conf
new file mode 100644
index 0000000..e69de29
diff --git a/files/local_ports_out.conf b/files/local_ports_out.conf
new file mode 100644
index 0000000..e69de29
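Review bot: Every rule here lives in ferm's default `ip` domain, so ip6tables is never touched and all three `policy DROP` chains are bypassed for anything that arrives over IPv6 — the commented-out `domain ip6` stub at the bottom even spells out `policy ACCEPT`. If the nodes have any IPv6 address (a link-local one is enough for a neighbour on the same segment to reach port 1235 or any daemon bound to `::`), the `ip6` filter table needs the same default-deny treatment; a minimal version that keeps neighbour discovery and path-MTU working is below, and the ssh/kerberos/AFS/DNS rules can be mirrored into it as needed. Two smaller asymmetries in the same file: `chain OUTPUT` has no `outerface lo ACCEPT;`, so a local client connecting to a local daemon on 127.0.0.1 is dropped on its first SYN unless the port happens to be in the OUTPUT allow list (INPUT accepts `interface lo`, but OUTPUT sees the packet first); and INPUT accepts IKE (`udp 500`) plus `esp`/`ah` while OUTPUT has nothing matching, so IPsec can only ever be initiated by the remote peer — if IPsec is actually used here, add `proto udp dport 500 ACCEPT; proto (esp ah) ACCEPT;` to OUTPUT (and udp 4500 in both chains if NAT-T is involved). Lastly, `proto icmp ACCEPT` under `# respond to ping` admits every ICMP type, not just `echo-request`; the errors you actually want are already covered by the RELATED state match, so `proto icmp icmp-type echo-request ACCEPT;` is the tighter form.
```ferm
# … unchanged: domain ip table filter (INPUT/OUTPUT/FORWARD) …

# IPv6: ip6tables is untouched by the rules above, so default-deny it too.
# ICMPv6 must stay open or neighbour discovery and PMTUD break.
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            interface lo ACCEPT;
            proto ipv6-icmp ACCEPT;
            # mirror the ssh/kerberos/AFS rules here if the nodes serve them over v6
        }
        chain OUTPUT {
            policy DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            outerface lo ACCEPT;
            proto ipv6-icmp ACCEPT;
            # mirror the ntp/domain/kerberos/AFS client rules here as needed
        }
        chain FORWARD {
            policy DROP;
        }
    }
}
```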