Commit 11c020c5 authored by Patrick J Cherry's avatar Patrick J Cherry

* Added ability to disable firewall

 * Tidied postinst to make sure everything is sane
 * Added essential-icmpv6 rule
parent c6bed2a2
......@@ -5,10 +5,10 @@ set -e
#
# Skip, if we are not in "configure" state
#
if [ "$1" != "configure" ]; then
echo "I: Skipping configuration"
exit 0
fi
#if [ "$1" != "configure" ]; then
# echo "I: Skipping configuration"
# exit 0
#fi
#
# The prefix of our tree.
......@@ -129,11 +129,7 @@ for dir in incoming outgoing ; do
#
# Essential IPv6 ICMP protocols
#
for itype in destination-unreachable packet-too-big parameter-problem \
router-solicitation router-advertisement \
neighbor-solicitation neighbor-advertisement ; do
touch $PREFIX/$dir.d/05-icmpv6-$itype
done
touch $PREFIX/$dir.d/05-essential-icmpv6
done
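Review bot: The new `touch $PREFIX/$dir.d/05-essential-icmpv6` replaces the per-type `05-icmpv6-$itype` files, but nothing in this hunk removes those older files from an existing `incoming.d`/`outgoing.d` on upgrade, so a system configured by an earlier version would presumably keep both the old per-type entries and the new combined one (duplicate ACCEPT rules, or a load failure if the per-type templates no longer ship). Unless that cleanup happens elsewhere in postinst, consider adding `rm -f $PREFIX/$dir.d/05-icmpv6-*` before the `touch`. The enclosing `for dir in incoming outgoing` loop starts outside the hunk.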
......@@ -175,6 +171,7 @@ fi
#
if [ -e $PREFIX/outgoing.d/50-www-data ] ; then
mv $PREFIX/outgoing.d/50-www-data $PREFIX/outgoing.d/10-match-uid-not-www-data
touch $PREFIX/outgoing.d/99-reject
fi
#
......@@ -185,19 +182,6 @@ if [ -z "$CHROOT" ]; then
symbiosis-firewall flush
symbiosis-firewall load
#
# Remove denyhosts. Yummy!
#
if [ -d /usr/share/denyhosts/ ]; then
cat > /etc/cron.hourly/purgy <<EOF
#!/bin/bash
dpkg --purge bytemark-vhost-ssh-protection denyhosts 2>/dev/null >/dev/null
rm -f /etc/denyhosts.conf*
rm /etc/cron.hourly/purgy
EOF
chmod 755 /etc/cron.hourly/purgy
fi
else
echo " - In a chroot()"
echo " - Not flushing / running firewall"
......
% if ipv6?
#
# ICMP packets essential for IPv6 to work.
#
#
for itype in destination-unreachable packet-too-big parameter-problem \
router-solicitation router-advertisement \
neighbor-solicitation neighbor-advertisement ; do
/sbin/ip6tables -A <%= chain %> -p icmpv6 --icmpv6-type $itype <%= src_or_dst %> -j ACCEPT
done
% end
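Review bot: The accepted type list in the `for itype in …` loop omits `time-exceeded`, which RFC 4890 groups with destination-unreachable, packet-too-big and parameter-problem as ICMPv6 error messages that should not be dropped; without it, hop-limit expiry reports are silently lost and IPv6 traceroute through this host yields no replies. Adding it is a one-word change: `for itype in destination-unreachable packet-too-big time-exceeded parameter-problem \`. Separately, the router/neighbor discovery messages are accepted from any source here; RFC 4890 notes these are link-local and can be restricted to a hop limit of 255, which would be a small hardening follow-up. The duplicated `#` line above the loop looks accidental.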
essential-icmpv6.incoming
\ No newline at end of file
......@@ -201,6 +201,13 @@ if manual or help
exit 0
end
#
# Exit if we've been disabled
#
if File.exists(File.join(base_dir, "disabled"))
puts "Firewall disabled. Exiting." if $VERBOSE
exit 0
end
#
# Set the action
......
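Review bot: `File.exists(File.join(base_dir, "disabled"))` calls a method that does not exist — the predicate is `File.exist?` (`File.exists?` is a deprecated alias) — so every run that reaches this point raises NoMethodError and the script aborts before the `puts`/`exit` lines, whether or not the flag file is present, unless a rescue outside the hunk catches it. The same typo is in the blacklist hunk (`disabled.blacklist`) and the whitelist hunk (`disabled.whitelist`). Change the line to `if File.exist?(File.join(base_dir, "disabled"))` and likewise in the other two scripts. Since the mere presence of this file turns the firewall off, the scripts' documentation should state that `base_dir` must be writable only by root for the kill switch to be trustworthy; `base_dir` is assigned outside the hunk.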
......@@ -158,6 +158,13 @@ if manual or help
exit 0
end
#
# Exit if we've been disabled
#
if File.exists(File.join(base_dir, "disabled.blacklist"))
puts "Firewall blacklist disabled. Exiting." if $VERBOSE
exit 0
end
expired = 0
blacklist_d = File.join(base_dir, "blacklist.d")
......
......@@ -149,10 +149,17 @@ if manual or help
exit 0
end
# Expire old entries first of all, then add new ones.
#
puts "Expiring old whitelist entries" if ( $VERBOSE )
# Exit if we've been disabled
#
if File.exists(File.join(base_dir, "disabled.whitelist"))
puts "Firewall whitelist disabled. Exiting." if $VERBOSE
exit 0
end
#
# Basics.
#
expired = 0
whitelist_d = File.join(base_dir, "whitelist.d")
......@@ -163,6 +170,11 @@ end
expire_before = Time.now - ( expire_after * 24 * 60 * 60 )
#
# Expire old entries first of all, then add new ones.
#
puts "Expiring old whitelist entries" if ( $VERBOSE )
Dir.glob( File.join(whitelist_d,"*.auto" ) ).each do |entry|
if File.mtime(entry) < expire_before
......