Commit 9cb5a505 authored by Paul Cammish's avatar Paul Cammish

Replaced references to Symbiosis with Sympl

parent 18183b82
......@@ -26,13 +26,13 @@ manpages/%.man: ./sbin/%
RUBYLIB=$(RUBYLIB) $< --manual | sed -e 's/^=\+$$//' | txt2man -s 1 -t $(notdir $<) | sed -e 's/\\\\fB/\\fB/' > $@
test -s $@
manpages: ./manpages/symbiosis-firewall-whitelist.man ./manpages/symbiosis-firewall.man ./manpages/symbiosis-firewall-blacklist.man
manpages: ./manpages/sympl-firewall-whitelist.man ./manpages/sympl-firewall.man ./manpages/sympl-firewall-blacklist.man
all: manpages ext/symbiosis_utmp.so
all: manpages ext/sympl_utmp.so
distclean: clean
test: ext/symbiosis_utmp.so
test: ext/sympl_utmp.so
@cd test.d && RUBYLIB=$(RUBYLIB):. ruby ./ts_firewall.rb
@if [ ! -d ./i ]; then mkdir ./i ; fi
@if [ ! -d ./i/incoming.d/ ]; then mkdir ./i/incoming.d/; fi
......@@ -69,9 +69,9 @@ test: ext/symbiosis_utmp.so
@echo "212.110.161.177" > i/outgoing.d/20-accept
@echo "2001:41c8:20:862:ac1:1::|48" >> i/outgoing.d/20-accept
@touch i/outgoing.d/99-reject
@RUBYLIB=$(RUBYLIB) ruby -I. ./sbin/symbiosis-firewall -p ./i -t rule.d -x -v -d
@RUBYLIB=$(RUBYLIB) ruby -I. ./sbin/sympl-firewall -p ./i -t rule.d -x -v -d
ext/symbiosis_utmp.so: ext/Makefile
ext/sympl_utmp.so: ext/Makefile
make -C ext $(notdir $@)
ext/Makefile: ext/extconf.rb
......
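Review bot: The recursive build in the renamed `ext/sympl_utmp.so` rule still runs `make -C ext $(notdir $@)` with a literal `make`, so `-j`, the jobserver and `-n` from the outer invocation are not passed down to the extension build; it should read `$(MAKE) -C ext $(notdir $@)`. The recipe line is context in this hunk and the commit only renames the target, but the rename is the natural moment to fix it. The `test:` recipe's `if [ ! -d ./i ]; then mkdir ./i ; fi` guards could likewise collapse to `mkdir -p ./i ./i/incoming.d`, which does the same without the test-then-create step.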
......@@ -15,8 +15,8 @@ Setup
Create your rules by touching files in:
/etc/symbiosis/firewall/incoming.d/
/etc/symbiosis/firewall/outgoing.d/
/etc/sympl/firewall/incoming.d/
/etc/sympl/firewall/outgoing.d/
The filenames you choose must be of the form "$number-$name", where
number is used purely for sorting purposes. The name you use will
......@@ -26,17 +26,17 @@ which outgoing connections are permitted.
(See the later section on naming.)
Simple Example
--------------
Basic Example
-------------
The following defines a system which will only accept incoming connections
for SSH and SMTP
rm /etc/symbiosis/firewall/incoming.d/*
touch /etc/symbiosis/firewall/incoming.d/10-smtp
touch /etc/symbiosis/firewall/incoming.d/20-ssh
touch /etc/symbiosis/firewall/incoming.d/99-drop
rm /etc/sympl/firewall/incoming.d/*
touch /etc/sympl/firewall/incoming.d/10-smtp
touch /etc/sympl/firewall/incoming.d/20-ssh
touch /etc/sympl/firewall/incoming.d/99-drop
Complex Example
......@@ -45,10 +45,10 @@ Complex Example
The following example will accept incoming SMTP connections from anywhere
but only SSH from a single IP address:
rm /etc/symbiosis/firewall/incoming.d/*
touch /etc/symbiosis/firewall/incoming.d/10-smtp
touch /etc/symbiosis/firewall/incoming.d/99-drop
echo "192.168.1.1" > /etc/symbiosis/firewall/incoming.d/20-ssh
rm /etc/sympl/firewall/incoming.d/*
touch /etc/sympl/firewall/incoming.d/10-smtp
touch /etc/sympl/firewall/incoming.d/99-drop
echo "192.168.1.1" > /etc/sympl/firewall/incoming.d/20-ssh
Naming
......
sympl-firewall (9.19.06.04.0900) stable; urgency=medium
* Replaced references to Symbiosis with Sympl
-- Paul Cammish <sympl@kelduum.net> Tue, 04 Jun 2019 09:00:00 +0100
sympl-firewall (2019:0529) stable; urgency=medium
* Renamed package to sympl-firewall
-- Paul Cammish <sympl@kelduum.net> Wed, 29 May 2019 14:35 +0100
-- Paul Cammish <sympl@kelduum.net> Wed, 29 May 2019 14:35:00 +0100
symbiosis-firewall (2018:0717) stable; urgency=medium
......
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: sympl-firewall
Architecture: any
Depends: iptables, ruby, sympl-common (>= 2015:1210), libruby, ruby-sqlite3, incron, ${shlibs:Depends}, ${misc:Depends}
Depends: iptables, ruby, sympl-common, libruby, ruby-sqlite3, incron, ${shlibs:Depends}, ${misc:Depends}
Replaces: symbiosis-firewall
Provides: symbiosis-firewall
Conflicts: symbiosis-firewall
......
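Review bot: The new `Depends:` line drops the `(>= 2015:1210)` constraint on sympl-common instead of carrying it over, so any sympl-common version now satisfies the dependency even though the firewall script in this same commit still calls `Symbiosis::Utils.lock`/`unlock` from that package's `symbiosis/utils` library. If the version scheme changed with the rename (the changelog here uses `9.19.06.04.0900`), the old constraint may no longer be meaningful, but a minimum under the new scheme, e.g. `sympl-common (>= <first-version-providing-symbiosis/utils>)`, would keep the dependency honest. Whether dropping it was intended is not recoverable from the diff.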
......@@ -5,6 +5,7 @@ Source: https://github.mythic-beasts.com/sympl/sympl_stretch
Files: *
Copyright: 2019, The Sympl Project
2009-2018, Bytemark Ltd
License: GPL-2+
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
......
sbin usr/
patterns.d etc/symbiosis/firewall
rule.d usr/share/symbiosis/firewall
action.d usr/share/symbiosis/firewall
test.d etc/symbiosis
patterns.d etc/sympl/firewall
rule.d usr/share/sympl/firewall
action.d usr/share/sympl/firewall
test.d etc/sympl
incron.d etc/
monit.d/* usr/share/symbiosis/monit/checks/
incoming.d etc/symbiosis/firewall
outgoing.d etc/symbiosis/firewall
local.d etc/symbiosis/firewall
whitelist.d etc/symbiosis/firewall
blacklist.d etc/symbiosis/firewall
monit.d/* usr/share/sympl/monit/checks/
incoming.d etc/sympl/firewall
outgoing.d etc/sympl/firewall
local.d etc/sympl/firewall
whitelist.d etc/sympl/firewall
blacklist.d etc/sympl/firewall
sysctl.d etc/
usr/sbin/symbiosis-firewall etc/network/if-up.d/symbiosis-firewall
usr/sbin/symbiosis-firewall etc/network/if-down.d/symbiosis-firewall
usr/sbin/sympl-firewall etc/network/if-up.d/sympl-firewall
usr/sbin/sympl-firewall etc/network/if-down.d/sympl-firewall
rm_conffile /etc/symbiosis/monit.d/incrond 2017:0424
......@@ -12,7 +12,7 @@ fi
#
# The prefix of our tree.
#
PREFIX=/etc/symbiosis/firewall
PREFIX=/etc/sympl/firewall
chown -R admin:admin $PREFIX
......@@ -22,11 +22,11 @@ chown -R admin:admin $PREFIX
#
# Add symlinks for the monit script
monit_dir="/etc/symbiosis/monit.d"
monit_dir="/etc/sympl/monit.d"
mkdir -p "$monit_dir"
for i in incrond; do
monit_script="/usr/share/symbiosis/monit/checks/$i"
monit_script="/usr/share/sympl/monit/checks/$i"
link_target="$monit_dir/$i"
if [ -x "$monit_script" ] && [ ! -e "$link_target" ]; then
......
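Review bot: `PREFIX=/etc/sympl/firewall` changes which tree the postinst chowns and, via the scripts' new `base_dir` defaults, which rule directories the firewall reads, but nothing visible in this commit migrates existing rule files out of `/etc/symbiosis/firewall`; the `debian/install` entries ship fresh `incoming.d`, `outgoing.d`, `local.d`, `whitelist.d` and `blacklist.d` directories under the new prefix, and the maintscript line visible here (`rm_conffile /etc/symbiosis/monit.d/incrond 2017:0424`) only removes a monit conffile. On an upgraded host the locally maintained rule set would therefore stop applying and the packaged defaults would take effect, which silently changes the firewall policy. Unless sympl-common or a maintscript outside this diff handles it, the postinst should copy the contents of each old `*.d` directory into `$PREFIX` when the old tree exists, before the `chown -R admin:admin $PREFIX` line. The enclosing script continues outside the hunks.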
......@@ -4,7 +4,7 @@
set -e
PREFIX=/etc/symbiosis/firewall
PREFIX=/etc/sympl/firewall
#
# Remove any stat override for the firewall directory.
......
symbiosis-firewall binary: script-not-executable ./usr/share/symbiosis/firewall/action.d/*
symbiosis-firewall binary: shell-script-fails-syntax-check ./usr/share/symbiosis/firewall/action.d/*
......@@ -8,16 +8,16 @@
# (Since we only process *new* logfile entries each time we start.)
#
5,20,35,50 * * * * root [ -x /usr/sbin/symbiosis-firewall-blacklist ] && /usr/sbin/symbiosis-firewall-blacklist
5,20,35,50 * * * * root [ -x /usr/sbin/sympl-firewall-blacklist ] && /usr/sbin/sympl-firewall-blacklist
#
# Whitelist valid IP addresses every hour, but outside the scope of the
# firewall test.
#
10,25,40,55 * * * * root [ -x /usr/sbin/symbiosis-firewall-whitelist ] && /usr/sbin/symbiosis-firewall-whitelist
10,25,40,55 * * * * root [ -x /usr/sbin/sympl-firewall-whitelist ] && /usr/sbin/sympl-firewall-whitelist
#
# Reload the firewall every hour.
#
@hourly root [ -x /usr/sbin/symbiosis-firewall ] && /usr/sbin/symbiosis-firewall
@hourly root [ -x /usr/sbin/sympl-firewall ] && /usr/sbin/sympl-firewall
sympl-firewall binary: script-not-executable ./usr/share/sympl/firewall/action.d/*
sympl-firewall binary: shell-script-fails-syntax-check ./usr/share/sympl/firewall/action.d/*
require 'mkmf'
create_makefile('symbiosis_utmp')
create_makefile('sympl_utmp')
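Review bot: Renaming the extension to `create_makefile('sympl_utmp')` changes the entry point mkmf expects to `Init_sympl_utmp`, but the C source of the extension is not part of this commit; if it still defines `Init_symbiosis_utmp` the `.so` builds yet fails to load, and any script still doing `require 'symbiosis_utmp'` will no longer find the library under its new name. Worth confirming both were renamed together, and that the Makefile's `test:` target (which now depends on `ext/sympl_utmp.so`) was run after the change.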
/etc/symbiosis/firewall/incoming.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/symbiosis-firewall -s 5 load
/etc/symbiosis/firewall/outgoing.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/symbiosis-firewall -s 5 load
/etc/symbiosis/firewall/whitelist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/symbiosis-firewall -s 5 reload-whitelist
/etc/symbiosis/firewall/blacklist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/symbiosis-firewall -s 5 reload-blacklist
/etc/symbiosis/firewall/local.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR,IN_ATTRIB /usr/sbin/symbiosis-firewall -s 5 load
/etc/sympl/firewall/incoming.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/outgoing.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/whitelist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-whitelist
/etc/sympl/firewall/blacklist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-blacklist
/etc/sympl/firewall/local.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR,IN_ATTRIB /usr/sbin/sympl-firewall -s 5 load
#!/usr/bin/ruby
# NAME
# symbiosis-firewall - Symbioisis firewall management
# sympl-firewall - Symbioisis firewall management
#
# SYNOPSIS
# symbiosis-firewall [ -h | --help ] [-m | --manual] [ -v | --verbose ]
# sympl-firewall [ -h | --help ] [-m | --manual] [ -v | --verbose ]
# [ -p | --prefix <dir> ] [ -t | --template-d <dir> ]
# [ -x | --no-exec] [ -d | --no-delete ] <action>
#
......@@ -15,7 +15,7 @@
# -v, --verbose Show verbose errors
#
# -p, --prefix <dir> Directory where action.d, incoming.d, outgoing.d etc
# are located. Defaults to /etc/symbiosis/firewall.
# are located. Defaults to /etc/sympl/firewall.
#
# -t, --template-d <dir> Additional directory to search for templates.
#
......@@ -42,7 +42,7 @@
# carried out.)
#
# Usage of the Symbiosis firewall is comprehensively documented in the
# symbiosis-documentation package, as well as on the documentation website.
# sympl-documentation package, as well as on the documentation website.
#
# If this script is run as a user other than root, then the --no-execute and
# --no-delete flags are set.
......@@ -105,8 +105,8 @@
#
# For each "rule" type you should simply create two files:
#
# /usr/local/share/symbiosis/firewall/rule.d/$name.incoming
# /usr/local/share/symbiosis/firewall/rule.d/$name.outgoing
# /usr/local/share/sympl/firewall/rule.d/$name.incoming
# /usr/local/share/sympl/firewall/rule.d/$name.outgoing
#
# The contents of these file(s) will be inserted appropriately into the
# generated firewall script.
......@@ -122,7 +122,7 @@
# flushed.
#
# SEE ALSO
# symbiosis-firewall-whitelist(1), symbiosis-firewall-blacklist(1),
# sympl-firewall-whitelist(1), sympl-firewall-blacklist(1),
# iptables(8), ip6tables(8), run-parts(8)
#
# AUTHOR
......@@ -137,7 +137,7 @@ require 'fileutils'
require 'pp'
def verbose(s)
puts "symbiosis-firewall: "+s if $VERBOSE
puts "sympl-firewall: "+s if $VERBOSE
end
......@@ -155,8 +155,8 @@ help = false
manual = false
$VERBOSE = false
execute = delete = (Process.uid == 0)
base_dir = '/etc/symbiosis/firewall'
template_dir = '/usr/share/symbiosis/firewall/rule.d'
base_dir = '/etc/sympl/firewall'
template_dir = '/usr/share/sympl/firewall/rule.d'
address_families = %w(inet inet6)
action = nil
sleep_for = 0
......@@ -281,13 +281,13 @@ require 'symbiosis/utils'
# Acquire lock
#
lock_fh = nil
lock_fn = "/var/lock/symbiosis-firewall.lock"
lock_fn = "/var/lock/sympl-firewall.lock"
begin
lock_fh = File.open(lock_fn, "w+")
Symbiosis::Utils.lock(lock_fh)
rescue Errno::ENOLCK => err
warn "symbiosis-firewall: Failed to acquire lock on #{lock_fn}: #{err.to_s}" if $VERBOSE
warn "sympl-firewall: Failed to acquire lock on #{lock_fn}: #{err.to_s}" if $VERBOSE
print err.backtrace.join("\n") if $DEBUG
exit 1
end
......@@ -308,7 +308,7 @@ if ENV.has_key?("IFACE") and ENV.has_key?("PHASE")
# Don't bother even looking at this if the loopback interface is involved.
#
if "lo" == iface
verbose "symbiosis-firewall: Not configuring firewall for loopback interface #{iface}"
verbose "sympl-firewall: Not configuring firewall for loopback interface #{iface}"
exit 0
end
......@@ -320,7 +320,7 @@ if ENV.has_key?("IFACE") and ENV.has_key?("PHASE")
when "post-down"
action = "flush"
else
warn "symbiosis-firewall: Don't know what to do during if-up/if-down phase #{phase.inspect}"
warn "sympl-firewall: Don't know what to do during if-up/if-down phase #{phase.inspect}"
exit 1
end
......@@ -336,7 +336,7 @@ if ENV.has_key?("IFACE") and ENV.has_key?("PHASE")
if "flush" == action
verbose "Flushing firewall for all #{address_families.join(" and ")} interfaces."
else
warn "symbiosis-firewall: Not running firewall as no primary interface was found." if $VERBOSE
warn "sympl-firewall: Not running firewall as no primary interface was found." if $VERBOSE
exit 0
end
......@@ -344,7 +344,7 @@ if ENV.has_key?("IFACE") and ENV.has_key?("PHASE")
verbose "Running #{action} for interface #{iface} (#{address_families.join(" and ")})" if $VERBOSE
else
warn "symbiosis-firewall: Not running firewall for secondary interface #{iface.inspect}" if $VERBOSE
warn "sympl-firewall: Not running firewall for secondary interface #{iface.inspect}" if $VERBOSE
exit 0
end
......@@ -391,7 +391,7 @@ begin
#
# Set up the template directories.
#
Template.directories = %w(/usr/local/share/firewall /usr/local/share/firewall/rule.d /usr/local/share/symbiosis/firewall/rule.d /usr/share/firewall /usr/share/firewall/rule.d /usr/share/symbiosis/firewall/rule.d)
Template.directories = %w(/usr/local/share/firewall /usr/local/share/firewall/rule.d /usr/local/share/sympl/firewall/rule.d /usr/share/firewall /usr/share/firewall/rule.d /usr/share/sympl/firewall/rule.d)
Template.directories = template_dir unless template_dir.nil?
Template.address_families = address_families
iptables_cmds = Template.iptables_cmds
......@@ -413,7 +413,7 @@ begin
# Make sure we can find the script
#
unless ( File.exist?(script_path) )
warn "symbiosis-firewall: Could not find action script for #{action.inspect}"
warn "sympl-firewall: Could not find action script for #{action.inspect}"
exit 1
end
......@@ -440,7 +440,7 @@ begin
if ( execute and ::Process.uid == 0 )
unless system( tf.path )
warn "symbiosis-firewall: Firewall script failed."
warn "sympl-firewall: Firewall script failed."
#
# FIXME: This is deliberately hard-coded, although it probably needs to catch errors better.
......@@ -451,7 +451,7 @@ begin
#
next unless File.executable?(cmd)
warn "symbiosis-firewall: Flushing #{cmd} rules and chains."
warn "sympl-firewall: Flushing #{cmd} rules and chains."
%w(INPUT FORWARD OUTPUT).each do |chain|
#
......@@ -474,12 +474,12 @@ begin
# Now restore our old tables
#
unless iptables_restore.empty?
warn "symbiosis-firewall: Restoring old iptables rules and chains."
warn "sympl-firewall: Restoring old iptables rules and chains."
IO.popen('/sbin/iptables-restore','w'){|io| io.write iptables_restore}
end
unless ip6tables_restore.empty?
warn "symbiosis-firewall: Restoring old ip6tables rules and chains."
warn "sympl-firewall: Restoring old ip6tables rules and chains."
IO.popen('/sbin/ip6tables-restore','w'){|io| io.write ip6tables_restore}
end
......@@ -498,7 +498,7 @@ begin
#
new_path = tf.path+"-saved"
FileUtils.cp tf.path, new_path
warn "symbiosis-firewall: Left firewall script in #{new_path} for inspection."
warn "sympl-firewall: Left firewall script in #{new_path} for inspection."
end
end
......@@ -510,7 +510,7 @@ begin
Symbiosis::Utils.unlock(lock_fh)
lock_fh.close unless lock_fh.nil? or lock_fh.closed?
rescue SystemCallError => err
warn "symbiosis-firewall: Failed to release lock on #{lock_fn}: #{err.to_s}" if $VERBOSE
warn "sympl-firewall: Failed to release lock on #{lock_fn}: #{err.to_s}" if $VERBOSE
puts err.backtrace.join("\n") if $DEBUG
end
......
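Review bot: The message at `verbose "sympl-firewall: Not configuring firewall for loopback interface #{iface}"` is prefixed twice, because `verbose` itself prints `"sympl-firewall: "+s`; the argument should be `verbose "Not configuring firewall for loopback interface #{iface}"` (the other `verbose` calls in these hunks pass unprefixed text, and only the `warn` calls carry the prefix). The NAME line still reads `# sympl-firewall - Symbioisis firewall management`, which keeps the old brand and a typo; `# sympl-firewall - Sympl firewall management` would match the rest of the rename. The script also still loads `symbiosis/utils` and calls `Symbiosis::Utils.lock`/`unlock`, so sympl-common has to keep providing that namespace; if that library is being renamed as well, these requires need to follow. The enclosing `if ENV.has_key?("IFACE") and ENV.has_key?("PHASE")` block and the surrounding `begin` run outside the hunks.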
#! /usr/bin/ruby
#
# NAME
# symbiosis-firewall-blacklist - Automatically blacklist IP addresses.
# sympl-firewall-blacklist - Automatically blacklist IP addresses.
#
# SYNOPSIS
# symbiosis-firewall-blacklist [ -h | --help ] [-m | --manual]
# sympl-firewall-blacklist [ -h | --help ] [-m | --manual]
# [ -v | --verbose ] [ -x | --no-exec] [ -d | --no-delete ]
# [ -a | --block-after <n> ] [ -e | --expire-after <n> ]
# [ -p | --prefix <dir> ]
......@@ -31,7 +31,7 @@
# expired. Defaults to 2.
#
# -p, --prefix <dir> Directory where incoming.d, outgoing.d etc are
# located. Defaults to /etc/symbiosis/firewall.
# located. Defaults to /etc/sympl/firewall.
#
# USAGE
#
......@@ -52,14 +52,14 @@
# Each file will contain a list of ports, one per line, or simply "all" to
# blacklist all ports.
#
# Once that directory has been written, symbiosis-firewall(1) is called with
# Once that directory has been written, sympl-firewall(1) is called with
# the reload-blacklist action.
#
# Most of the flags above are passed straight on to symbiosis-firewall(1).
# Most of the flags above are passed straight on to sympl-firewall(1).
#
# SEE ALSO
#
# symbiosis-firewall(1), symbiosis-firewall-whitelist(1)
# sympl-firewall(1), sympl-firewall-whitelist(1)
#
# AUTHOR
#
......@@ -79,7 +79,7 @@ require 'syslog'
help = false
manual = false
$VERBOSE = false
base_dir = "/etc/symbiosis/firewall/"
base_dir = "/etc/sympl/firewall/"
delete = true
execute = true
force = false
......
#! /usr/bin/ruby
#
# NAME
# symbiosis-firewall-whitelist - Automatically whitelist IP addresses.
# sympl-firewall-whitelist - Automatically whitelist IP addresses.
#
# SYNOPSIS
# symbiosis-firewall-whitelist [ -h | --help ] [-m | --manual]
# sympl-firewall-whitelist [ -h | --help ] [-m | --manual]
# [ -v | --verbose ] [ -x | --no-exec] [ -d | --no-delete ]
# [ -e | --expire-after <n> ] [ -w | --wtmp-file <file> ]
# [ -p | --prefix <dir> ]
......@@ -28,7 +28,7 @@
#
#
# -p, --prefix <dir> Directory where action.d, incoming.d, outgoing.d etc.
# are located. Defaults to /etc/symbiosis/firewall.
# are located. Defaults to /etc/sympl/firewall.
#
# USAGE
#
......@@ -36,16 +36,16 @@
# have been used to successfully login via SSH.
#
# It does this by opening the wtmp file, and looking for IP addresses. Once it
# has found some, it records them in /etc/symbiosis/firewall/whitelist.d/.
# has found some, it records them in /etc/sympl/firewall/whitelist.d/.
# Each addition is one of the two forms:
#
# 1.2.3.4.auto The IPv4 address 1.2.3.4
# 2001:123:456:789::|64.auto The IPv6 range 2001:123:456:789::/64
#
# Once that directory has been written, symbiosis-firewall(1) is called with
# Once that directory has been written, sympl-firewall(1) is called with
# the reload-whitelist action.
#
# Most of the flags above are passed straight on to symbiosis-firewall(1).
# Most of the flags above are passed straight on to sympl-firewall(1).
#
# AUTHOR
#
......@@ -67,7 +67,7 @@ require 'syslog'
help = false
manual = false
$VERBOSE = false
base_dir = "/etc/symbiosis/firewall/"
base_dir = "/etc/sympl/firewall/"
wtmp_file = "/var/log/wtmp"
delete = true
execute = true
......@@ -206,7 +206,7 @@ expire_before = time_now - ( expire_after * ( 24 * 60 * 60 ) )
#
# Check to see when we were last run.
#
stamp_file = '/var/lib/symbiosis/symbiosis-firewall-whitelist.stamp'
stamp_file = '/var/lib/sympl/sympl-firewall-whitelist.stamp'
if File.exist?(stamp_file)
last_run = File.stat(stamp_file).mtime
......
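Review bot: Moving the stamp to `stamp_file = '/var/lib/sympl/sympl-firewall-whitelist.stamp'` has two upgrade effects the commit does not address: nothing in the visible packaging creates `/var/lib/sympl` (the `debian/install` list has no `var/lib` entry and the postinst only touches `/etc/sympl`), so the write that presumably follows the `File.exist?(stamp_file)` check would fail until that directory exists; and the last-run time kept in the old `/var/lib/symbiosis/symbiosis-firewall-whitelist.stamp` is not carried over, so the first run after the upgrade takes the no-stamp path. A postinst step such as `mkdir -p /var/lib/sympl` followed by `[ -e /var/lib/symbiosis/symbiosis-firewall-whitelist.stamp ] && mv /var/lib/symbiosis/symbiosis-firewall-whitelist.stamp /var/lib/sympl/sympl-firewall-whitelist.stamp` would cover both. The code that writes the stamp is outside the hunk.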