Commit ce87926f authored by Paul Cammish's avatar Paul Cammish

Remove incrond usage to improve compatability

parent ee4f21f8
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: sympl-firewall
Architecture: any
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, incron, ${shlibs:Depends}, ${misc:Depends}
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, ${shlibs:Depends}, ${misc:Depends}
Replaces: symbiosis-firewall
Provides: symbiosis-firewall
Conflicts: symbiosis-firewall
......@@ -17,7 +17,3 @@ Description: Sympl firewall generator
This package contains a firewall generator which makes it simple to restrict
the incoming and outgoing connections a machine is permitted to accept or
initiate.
.
The firewall also allows the user to restrict the abilities of the
www-data user which will ensure that any PHP, or website, compromises
do not propagate.
......@@ -22,20 +22,12 @@ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
#DEBHELPER#
#
# Add symlinks for the monit script
monit_dir="/etc/sympl/monit.d"
mkdir -p "$monit_dir"
for i in incrond; do
monit_script="/usr/share/sympl/monit/checks/$i"
link_target="$monit_dir/$i"
if [ -x "$monit_script" ] && [ ! -e "$link_target" ]; then
echo "I: Adding symlink for Sympl Monit script for $i"
ln -s "$monit_script" "$link_target" || true
fi
done
if [ -f /etc/incron.d/sympl-firewall]; then
rm /etc/incron.d/sympl-firewall
fi
if [ -f /etc/sympl/monit.d/incrond]; then
rm /etc/sympl/monit.d/incrond
fi
exit 0
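Review bot: Both new guards are malformed — `[ -f /etc/incron.d/sympl-firewall]` and `[ -f /etc/sympl/monit.d/incrond]` lack the space before `]`, so `test` reports a missing `]` and returns non-zero, the branches never run, and the stale incron table keeps firing /usr/sbin/sympl-firewall on hosts where incron stays installed after the dependency is dropped. Even with the space fixed, `-f` is false for the monit entry, because the removed loop created it with `ln -s` pointing at a check script this commit deletes, leaving a dangling symlink on upgrade. Since both paths are ours to clean up unconditionally, the six lines can collapse to `rm -f /etc/incron.d/sympl-firewall /etc/sympl/monit.d/incrond`, which handles the missing-file and dangling-link cases and is safe under the maintainer script's `set -e`.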
/etc/sympl/firewall/incoming.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/outgoing.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/whitelist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-whitelist
/etc/sympl/firewall/blacklist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-blacklist
/etc/sympl/firewall/local.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR,IN_ATTRIB /usr/sbin/sympl-firewall -s 5 load
#!/usr/bin/ruby
#
require 'symbiosis/monitor/check'
# ensure that Incrond is running
class IncrondCheck < Symbiosis::Monitor::Check
def initialize
super pid_file: '/var/run/incrond.pid',
init_script: '/etc/init.d/incron',
unit_name: 'incron',
process_name: 'incrond'
end
end
exit IncrondCheck.new.do_check if $PROGRAM_NAME == __FILE__
......@@ -320,5 +320,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
#
# Updating the firewall is now done by the inotify cronjob
#
# Re-generate the blacklist chain
#
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-blacklist"
puts "Running #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end
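Review bot: `exec(*cmd)` replaces the running script, so nothing after this block is executed and the script's exit status becomes whatever /usr/sbin/sympl-firewall returns; if that hand-over is intended, say so with a comment such as `# exec hands the process to sympl-firewall; nothing below this point runs`, otherwise `system(*cmd)` followed by a check of `$?.success?` keeps control and error reporting here. The array form of exec is the right choice, since no shell is involved and base_dir reaches sympl-firewall as one argument regardless of spaces or metacharacters. The same block is added in the next hunk (reload-whitelist) with `puts "Executing ..."` where this one prints `puts "Running ..."`; pick one wording for both. The enclosing scope is the script's top level, so the hunk stands on its own.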
......@@ -335,6 +335,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
#
# Updating the firewall is now done by the inotify cronjob.
#
# Re-generate the whitelist chain
#
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-whitelist"
puts "Executing #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end