Commit ce87926f authored by Paul Cammish's avatar Paul Cammish

Remove incrond usage to improve compatability

parent ee4f21f8
...@@ -9,7 +9,7 @@ XS-Ruby-Versions: all ...@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: sympl-firewall Package: sympl-firewall
Architecture: any Architecture: any
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, incron, ${shlibs:Depends}, ${misc:Depends} Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, ${shlibs:Depends}, ${misc:Depends}
Replaces: symbiosis-firewall Replaces: symbiosis-firewall
Provides: symbiosis-firewall Provides: symbiosis-firewall
Conflicts: symbiosis-firewall Conflicts: symbiosis-firewall
...@@ -17,7 +17,3 @@ Description: Sympl firewall generator ...@@ -17,7 +17,3 @@ Description: Sympl firewall generator
This package contains a firewall generator which makes it simple to restrict This package contains a firewall generator which makes it simple to restrict
the incoming and outgoing connections a machine is permitted to accept or the incoming and outgoing connections a machine is permitted to accept or
initiate. initiate.
.
The firewall also allows the user to restrict the abilities of the
www-data user which will ensure that any PHP, or website, compromises
do not propagate.
...@@ -22,20 +22,12 @@ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy ...@@ -22,20 +22,12 @@ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
#DEBHELPER# #DEBHELPER#
# if [ -f /etc/incron.d/sympl-firewall]; then
# Add symlinks for the monit script rm /etc/incron.d/sympl-firewall
fi
monit_dir="/etc/sympl/monit.d"
mkdir -p "$monit_dir" if [ -f /etc/sympl/monit.d/incrond]; then
rm /etc/sympl/monit.d/incrond
for i in incrond; do fi
monit_script="/usr/share/sympl/monit/checks/$i"
link_target="$monit_dir/$i"
if [ -x "$monit_script" ] && [ ! -e "$link_target" ]; then
echo "I: Adding symlink for Sympl Monit script for $i"
ln -s "$monit_script" "$link_target" || true
fi
done
exit 0 exit 0
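Review bot: The two new test expressions lack the space before the closing bracket, so `[ -f /etc/incron.d/sympl-firewall]` hands `[` the filename `.../sympl-firewall]` and no terminating `]`; the test fails with a syntax error instead of matching, and neither `rm` is ever reached. They should read `if [ -f /etc/incron.d/sympl-firewall ]; then` and `if [ -f /etc/sympl/monit.d/incrond ]; then`. Note also that `/etc/sympl/monit.d/incrond` was created by the removed code as a symlink and `-f` follows symlinks, so if its target (apparently the IncrondCheck script deleted in this commit) is already gone when postinst runs, the test is false and the dangling link is left behind; `[ -L /etc/sympl/monit.d/incrond ]` tests the link itself. Because the script always ends in `exit 0`, both failures are silent during an upgrade.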
/etc/sympl/firewall/incoming.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/outgoing.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/whitelist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-whitelist
/etc/sympl/firewall/blacklist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-blacklist
/etc/sympl/firewall/local.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR,IN_ATTRIB /usr/sbin/sympl-firewall -s 5 load
#!/usr/bin/ruby
#
require 'symbiosis/monitor/check'
# ensure that Incrond is running
class IncrondCheck < Symbiosis::Monitor::Check
def initialize
super pid_file: '/var/run/incrond.pid',
init_script: '/etc/init.d/incron',
unit_name: 'incron',
process_name: 'incrond'
end
end
exit IncrondCheck.new.do_check if $PROGRAM_NAME == __FILE__
...@@ -320,5 +320,15 @@ end ...@@ -320,5 +320,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL ) puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
# #
# Updating the firewall is now done by the inotify cronjob # Re-generate the blacklist chain
# #
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-blacklist"
puts "Running #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end
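Review bot: The two log messages differ for the same step: this hunk prints `Running #{cmd.join(" ")}` while the otherwise identical block in the whitelist hunk below prints `Executing #{cmd.join(" ")}`; pick one wording for both. Passing `cmd` as separate arguments with `exec(*cmd)` bypasses the shell, so `base_dir` reaches sympl-firewall as a single argument without shell interpretation, which is the right form here. However `exec` replaces the process, so the script's exit status becomes sympl-firewall's, nothing after this block runs, and a missing or non-executable `/usr/sbin/sympl-firewall` raises `Errno::ENOENT` or `Errno::EACCES` uncaught; a comment above the call such as `# exec hands the process over: nothing below runs and the exit status is sympl-firewall's` would make that intent explicit in both hunks. Whether anything follows this block in the script is not visible in the hunk.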
...@@ -335,6 +335,15 @@ end ...@@ -335,6 +335,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL ) puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
# #
# Updating the firewall is now done by the inotify cronjob. # Re-generate the whitelist chain
# #
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-whitelist"
puts "Executing #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end