Commit 90048a7e authored by Paul Cammish's avatar Paul Cammish

Merge branch 'issue266_buster' into 'buster-testing'

Issue 266 (buster)

See merge request sympl/sympl!130
parents 0cd01f9c 8d1de94e
sympl-firewall (10.0.190816.0) stable; urgency=medium
* Removed incrond, re-instated old triggers.
-- Paul Cammish <sympl@kelduum.net> Sun, 08 Sep 2019 17:51:00 +0100
sympl-firewall (10.0.190816.0) stable; urgency=medium
* Fixed warning from nftables.
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: sympl-firewall
Architecture: any
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, incron, ${shlibs:Depends}, ${misc:Depends}
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, ${shlibs:Depends}, ${misc:Depends}
Replaces: symbiosis-firewall
Provides: symbiosis-firewall
Conflicts: symbiosis-firewall
......@@ -17,7 +17,3 @@ Description: Sympl firewall generator
This package contains a firewall generator which makes it simple to restrict
the incoming and outgoing connections a machine is permitted to accept or
initiate.
.
The firewall also allows the user to restrict the abilities of the
www-data user which will ensure that any PHP, or website, compromises
do not propagate.
......@@ -3,8 +3,6 @@ patterns.d etc/sympl/firewall
rule.d usr/share/sympl/firewall
action.d usr/share/sympl/firewall
test.d etc/sympl
incron.d etc/
monit.d/* usr/share/sympl/monit/checks/
incoming.d etc/sympl/firewall
outgoing.d etc/sympl/firewall
local.d etc/sympl/firewall
......@@ -22,20 +22,15 @@ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
#DEBHELPER#
#
# Add symlinks for the monit script
monit_dir="/etc/sympl/monit.d"
mkdir -p "$monit_dir"
for i in incrond; do
monit_script="/usr/share/sympl/monit/checks/$i"
link_target="$monit_dir/$i"
if [ -x "$monit_script" ] && [ ! -e "$link_target" ]; then
echo "I: Adding symlink for Sympl Monit script for $i"
ln -s "$monit_script" "$link_target" || true
fi
done
# Remove old incrond support
if [ -f /etc/incron.d/sympl-firewall ]; then
rm /etc/incron.d/sympl-firewall
fi
if [ -L /etc/sympl/monit.d/incrond ]; then
rm /etc/sympl/monit.d/incrond
fi
if [ -f /usr/share/sympl/monit/checks/incrond ]; then
rm /etc/incron.d/sympl-firewall
fi
exit 0
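Review bot: The third cleanup block, `if [ -f /usr/share/sympl/monit/checks/incrond ]`, tests for the monit check script but then removes `/etc/incron.d/sympl-firewall` a second time, which the first block has already deleted, so the check script is never removed by this code; the action should match the condition, `rm /usr/share/sympl/monit/checks/incrond`. Because that file is dropped from the install list and lives under /usr/share, dpkg will most likely remove it on upgrade by itself, in which case the whole block can go. `/etc/incron.d/sympl-firewall`, by contrast, was shipped under /etc, and if it was registered as a conffile the conventional way to retire it is `dpkg-maintscript-helper rm_conffile` rather than a bare `rm` in postinst, so that is worth confirming. The postinst script continues outside this hunk.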
/etc/sympl/firewall/incoming.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/outgoing.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/whitelist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-whitelist
/etc/sympl/firewall/blacklist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-blacklist
/etc/sympl/firewall/local.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR,IN_ATTRIB /usr/sbin/sympl-firewall -s 5 load
#!/usr/bin/ruby
#
require 'symbiosis/monitor/check'
# ensure that Incrond is running
class IncrondCheck < Symbiosis::Monitor::Check
def initialize
super pid_file: '/var/run/incrond.pid',
init_script: '/etc/init.d/incron',
unit_name: 'incron',
process_name: 'incrond'
end
end
exit IncrondCheck.new.do_check if $PROGRAM_NAME == __FILE__
......@@ -320,5 +320,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
#
# Updating the firewall is now done by the inotify cronjob
#
# Re-generate the blacklist chain
#
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-blacklist"
puts "Running #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end
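Review bot: The `exec(*cmd)` at the end of the new block replaces the running interpreter, so any statement after this `if` in the script (the hunk ends here, so I cannot see whether there are any, e.g. lock release or cleanup) will never run once a reload is triggered; if anything does follow, `system(*cmd)` with its return value checked is the safer call. The same block is added to the whitelist script in the next hunk with `reload-whitelist`, where the only other difference is the log message (`Running` here, `Executing` there) — the wording should be the same, or the command build-up extracted into a shared helper. With the incron triggers deleted in this merge this `if` appears to be the only path that regenerates the chain, so a comment above it such as `# With the inotify triggers gone, the chain is only rebuilt when this script runs and something changed.` would make the new latency explicit. If the `# Updating the firewall is now done by the inotify cronjob` line above the block survives as context rather than being the removed line, it now contradicts the code beneath it and should be dropped.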
......@@ -335,6 +335,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
#
# Updating the firewall is now done by the inotify cronjob.
#
# Re-generate the whitelist chain
#
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-whitelist"
puts "Executing #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end