Commit 083d7022 authored by Steve Kemp's avatar Steve Kemp

Renamed from /etc/firewall/ -> /etc/symbiosis/firewall

parent b940fad3
......@@ -45,7 +45,7 @@ This firewall script is designed to be simple to use, while still
allowing a reasonable level of control over your system.
The firewall generator will read a number of files located beneath
the directory /etc/firewall and automatically use the names of those
the directory /etc/symbiosis/firewall and automatically use the names of those
files to construct a complete iptables-based firewall script.
The script will be executed once it has been generated, and then
......@@ -63,16 +63,16 @@ you simply need to create files in the directories the script reads:
=over 8
=item /etc/firewall/blacklist.d/
=item /etc/symbiosis/firewall/blacklist.d/
Any file present in this directory is assumed to be the IP address of a machine you wish to globally prevent connections from.
=item /etc/firewall/incoming.d/
=item /etc/symbiosis/firewall/incoming.d/
This directory is examined to determine which rules should be applied to incoming connections.
=item /etc/firewall/outgoing.d/
=item /etc/symbiosis/firewall/outgoing.d/
This directory is examined to determine which rules should be applied to outgoing connections.
=item /etc/firewall/local.d/
=item /etc/symbiosis/firewall/local.d/
Executable shell-scripts in this directory are executed after the firewall
is installed.
......@@ -172,10 +172,10 @@ my %SERVICE;
#
# Directories we examine.
#
$CONFIG{ 'blacklist.d' } = "/etc/firewall/blacklist.d/";
$CONFIG{ 'incoming.d' } = "/etc/firewall/incoming.d/";
$CONFIG{ 'outgoing.d' } = "/etc/firewall/outgoing.d/";
$CONFIG{ 'local.d' } = "/etc/firewall/local.d/";
$CONFIG{ 'blacklist.d' } = "/etc/symbiosis/firewall/blacklist.d/";
$CONFIG{ 'incoming.d' } = "/etc/symbiosis/firewall/incoming.d/";
$CONFIG{ 'outgoing.d' } = "/etc/symbiosis/firewall/outgoing.d/";
$CONFIG{ 'local.d' } = "/etc/symbiosis/firewall/local.d/";
$CONFIG{ 'rule.d' } = "/usr/share/firewall/rule.d/";
......@@ -210,7 +210,7 @@ loadKernelModules();
#
# Fix ownership of the /etc/firewall hierarchy
# Fix ownership of the /etc/symbiosis/firewall hierarchy
#
fixOwnership();
......@@ -267,7 +267,7 @@ foreach my $entry (@outgoing)
#
# Is the firewall disabled?
#
if ( -e "/etc/firewall/disabled" )
if ( -e "/etc/symbiosis/firewall/disabled" )
{
unlink($tempfile);
exit;
......@@ -1393,10 +1393,10 @@ sub loadKernelModules
=begin doc
Ensure that /etc/firewall is owned by the admin user, such that
Ensure that /etc/symbiosis/firewall is owned by the admin user, such that
we can allow the user to make changes via sftp.
NOTE: We explicitly change the permissions of /etc/firewall, not
NOTE: We explicitly change the permissions of /etc/symbiosis/firewall, not
the directory the user has setup - we do that so that somebody couldn't
run "firewall --incoming-d=/tmp" to change the ownership of /tmp, for example.
......@@ -1421,7 +1421,7 @@ sub fixOwnership
#
# OK we know we have an admin user.
#
system( "chown", "-R", "admin:admin", "/etc/firewall" );
system( "chown", "-R", "admin:admin", "/etc/symbiosis/firewall" );
}
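Review bot: The new prefix is written out as a literal in every hunk of this file — the four `$CONFIG` directory assignments, the `-e "/etc/symbiosis/firewall/disabled"` test and the `system( "chown", ... )` target — and again in firewall-blacklist (its `%CONFIG` block and its three `-e`/`recentlyModified` checks), so the next relocation is another scatter of edits. A single `my $PREFIX = "/etc/symbiosis/firewall";` at the top of the configuration block, with `$CONFIG{ 'blacklist.d' } = "$PREFIX/blacklist.d/";` and the checks derived from it, would mirror what postinst in this same commit already does with `PREFIX=`. Deriving the `chown` target from that constant keeps the fixOwnership note true as well: the path stays a fixed constant rather than anything taken from `--incoming-d`. The return value of `system( "chown", ... )` in the last hunk is still unchecked, so a failed ownership fix is silent; `system(...) == 0 or warn "chown $PREFIX failed: $?";` would surface it. fixOwnership's body continues outside the hunk.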
......
......@@ -37,27 +37,27 @@ firewall-blacklist - A simple script to mitigate against dictionary attacks.
=head1 ABOUT
This script is designed to look over the system logs and blacklist
hosts which are attempting dictionary attacks.
hosts which are attempting dictionary attacks.
The way that the script detects addresses which are worthy of blacklisting
is via the use of pattern files. All pattern files located beneath
/etc/firewall/patterns.d/ are loaded and applied. These pattern files
contain the name of a file to examine and a list of regular expressions
which will be tested for within that named logfile.
is via the use of pattern files. All pattern files located beneath
/etc/symbiosis/firewall/patterns.d/ are loaded and applied. These pattern
files contain the name of a file to examine and a list of regular expressions
which will be tested for within that named logfile.
Any IPs which are blocked will be logged to syslog, and similarly the
removal of the blocks will also be logged to syslog.
Any IPs which are blocked will be logged to syslog, and similarly the
removal of the blocks will also be logged to syslog.
=cut
=head1 DISABLING
If you don't wish to use this script simply touch the file:
If you don't wish to use this script simply touch the file:
=for example begin
/etc/firewall/disabled.blacklist
/etc/symbiosis/firewall/disabled.blacklist
=for example end
......@@ -66,8 +66,8 @@ firewall-blacklist - A simple script to mitigate against dictionary attacks.
=head1 WHITELISTING
The file /etc/firewall/whitelist.d/ will be consulted - any IP address
listed in that directory will be ignored.
The file /etc/symbiosis/firewall/whitelist.d/ will be consulted - any IP
address listed in that directory will be ignored.
=cut
......@@ -83,7 +83,7 @@ firewall-blacklist - A simple script to mitigate against dictionary attacks.
=head1 LICENSE
Copyright (c) 2008,2009 by Bytemark Computer Consulting Ltd. All rights reserved.
Copyright (c) 2008-2010 by Bytemark Computer Consulting Ltd. All rights reserved.
This program is free software;
you can redistribute it and/or modify it under
......@@ -109,9 +109,9 @@ use Sys::Syslog;
# Configuration variables
#
my %CONFIG;
$CONFIG{ 'input' } = "/etc/firewall/patterns.d/";
$CONFIG{ 'blacklist' } = "/etc/firewall/blacklist.d/";
$CONFIG{ 'whitelist' } = "/etc/firewall/whitelist.d/";
$CONFIG{ 'input' } = "/etc/symbiosis/firewall/patterns.d/";
$CONFIG{ 'blacklist' } = "/etc/symbiosis/firewall/blacklist.d/";
$CONFIG{ 'whitelist' } = "/etc/symbiosis/firewall/whitelist.d/";
$CONFIG{ 'verbose' } = 0;
$CONFIG{ 'attempts' } = 20; # count of attacks before blacklisting
$CONFIG{ 'expire' } = 2; # number of days to keep records
......@@ -127,7 +127,7 @@ parseCommandLineArguments();
#
# If the firewall is disabled then exit
#
if ( -e "/etc/firewall/disabled" )
if ( -e "/etc/symbiosis/firewall/disabled" )
{
$CONFIG{ 'verbose' } && print "Firewall disabled\n";
......@@ -137,7 +137,7 @@ if ( -e "/etc/firewall/disabled" )
#
# If just the blacklister is disabled then exit
#
if ( -e "/etc/firewall/disabled.blacklist" )
if ( -e "/etc/symbiosis/firewall/disabled.blacklist" )
{
$CONFIG{ 'verbose' } && print "Blacklister disabled\n";
cleanBlacklist();
......@@ -147,7 +147,7 @@ if ( -e "/etc/firewall/disabled.blacklist" )
# reload the firewall to make sure changes take effect.
#
if ( ( -x "/usr/bin/firewall" ) &&
( recentlyModified("/etc/firewall/disabled") ) )
( recentlyModified("/etc/symbiosis/firewall/disabled") ) )
{
$CONFIG{ 'verbose' } && print "Reloading firewall\n";
system("/usr/bin/firewall");
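Review bot: The exit status of `system("/usr/bin/firewall")` in the last hunk is ignored, so a failed reload after `disabled` was touched or removed goes unnoticed while this script keeps adding blacklist entries that are never applied; `system("/usr/bin/firewall") == 0 or warn "firewall reload failed: $?";` would at least log it. The `-e` and `recentlyModified` tests in this and the two preceding hunks repeat the literal prefix that the `%CONFIG` hunk also spells out three times, and a single prefix variable would keep them in step. The WHITELISTING POD hunk still calls `/etc/symbiosis/firewall/whitelist.d/` "The file" although its trailing slash and "listed in that directory" show it is a directory; `The directory /etc/symbiosis/firewall/whitelist.d/ will be consulted` reads correctly. The enclosing `if` block runs past the end of the hunk.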
......
symbiosis-firewall (2010:0623) stable; urgency=low
* Updated to use /etc/symbiosis/firewall as the prefix
directory rather than /etc/firewall
-- Steve Kemp <steve@bytemark.co.uk> Wed, 23 Jun 2010 10:20:30 +0000
symbiosis-firewall (2010:0604) stable; urgency=low
[ Steve Kemp ]
......
rule.d usr/share/firewall
bin usr/
patterns.d/ etc/firewall
patterns.d/ etc/symbiosis/firewall
......@@ -10,11 +10,43 @@ if [ "$1" != "configure" ]; then
exit 0
fi
#
# The prefix of our tree.
#
PREFIX=/etc/symbiosis/firewall
#
# The old tree.
#
OLD=/etc/firewall
#
# If we have the old tree then move it into place.
#
if [ -d $OLD -a -d $OLD/incoming.d -a -d $OLD/outgoing.d ]; then
if [ ! -d $PREFIX ]; then
mkdir -p $PREFIX
fi
mv $OLD/* $PREFIX/
rmdir $OLD
fi
#
# Otherwise we have to make a new prefix and start from scratch
#
if [ ! -d $PREFIX ]; then
mkdir -p $PREFIX
fi
#
# If we're disabled then disable ourself
#
if [ -e /opt/bytemark/no-firewall ]; then
touch /etc/firewall/disabled
touch $PREFIX/disabled
rm /opt/bytemark/no-firewall
fi
......@@ -29,7 +61,7 @@ fi
# See if there are any entries present.
#
incoming=0
for i in /etc/firewall/incoming.d/*-*; do
for i in $PREFIX/incoming.d/*-*; do
if [ -e $i ]; then
incoming=1
fi
......@@ -39,61 +71,61 @@ if [ "$incoming" = "0" ]; then
echo "Creating default rules for the incoming firewall"
if [ ! -d /etc/firewall/incoming.d/ ]; then
mkdir -p /etc/firewall/incoming.d/
touch /etc/firewall/incoming.d/.empty
if [ ! -d $PREFIX/incoming.d/ ]; then
mkdir -p $PREFIX/incoming.d/
touch $PREFIX/incoming.d/.empty
fi
touch /etc/firewall/incoming.d/00-ssh
touch /etc/firewall/incoming.d/05-ping
touch /etc/firewall/incoming.d/10-http
touch /etc/firewall/incoming.d/20-ftp
touch /etc/firewall/incoming.d/30-imap
touch /etc/firewall/incoming.d/40-imaps
touch /etc/firewall/incoming.d/50-pop3
touch /etc/firewall/incoming.d/55-dns
touch /etc/firewall/incoming.d/60-pop3s
touch /etc/firewall/incoming.d/70-smtp
touch /etc/firewall/incoming.d/75-ntp
touch /etc/firewall/incoming.d/80-smtps
touch /etc/firewall/incoming.d/85-submission
touch /etc/firewall/incoming.d/99-reject
touch /etc/firewall/incoming.d/00-related
touch /etc/firewall/incoming.d/00-established
touch $PREFIX/incoming.d/00-ssh
touch $PREFIX/incoming.d/05-ping
touch $PREFIX/incoming.d/10-http
touch $PREFIX/incoming.d/20-ftp
touch $PREFIX/incoming.d/30-imap
touch $PREFIX/incoming.d/40-imaps
touch $PREFIX/incoming.d/50-pop3
touch $PREFIX/incoming.d/55-dns
touch $PREFIX/incoming.d/60-pop3s
touch $PREFIX/incoming.d/70-smtp
touch $PREFIX/incoming.d/75-ntp
touch $PREFIX/incoming.d/80-smtps
touch $PREFIX/incoming.d/85-submission
touch $PREFIX/incoming.d/99-reject
touch $PREFIX/incoming.d/00-related
touch $PREFIX/incoming.d/00-established
#
# Now create our outgoing directory, if it is missing.
#
if [ ! -d /etc/firewall/outgoing.d/ ]; then
mkdir -p /etc/firewall/outgoing.d/
touch /etc/firewall/outgoing.d/.empty
if [ ! -d $PREFIX/outgoing.d/ ]; then
mkdir -p $PREFIX/outgoing.d/
touch $PREFIX/outgoing.d/.empty
fi
#
# Default outgoing rules.
#
echo "Creating default rules for firewall"
touch /etc/firewall/outgoing.d/50-www-data
touch $PREFIX/outgoing.d/50-www-data
fi
#
# Make sure that DNS is unconditionally allowed.
#
touch /etc/firewall/incoming.d/55-dns
touch $PREFIX/incoming.d/55-dns
#
# Cope with prior mistaken rules
#
if [ -e /etc/firewall/outgoing.d/00-established ]; then
if [ -e $PREFIX/outgoing.d/00-established ]; then
# create rule in correct directory.
touch /etc/firewall/incoming.d/00-established
touch $PREFIX/incoming.d/00-established
# remove the wrong file.
rm /etc/firewall/outgoing.d/00-established
rm $PREFIX/outgoing.d/00-established
fi
#
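Review bot: `mv $OLD/* $PREFIX/` in the migration hunk cannot merge directories, so if an entry of the same name already exists under `$PREFIX` the move fails part-way through; the .install change in this commit now unpacks `patterns.d/` into `etc/symbiosis/firewall` before postinst runs, and an old `/etc/firewall/patterns.d` left behind by the previous version (obsolete conffiles are kept on disk, if I read dpkg correctly) would collide exactly there, leaving a half-moved tree and, under `set -e`, an aborted configure. The glob also skips dot-entries at the top level of `$OLD`, so `rmdir $OLD` fails whenever one is present, and none of the paths in the new block are quoted. Moving entry by entry and skipping names already present at the destination avoids the partial move; a sketch follows. Whether `set -e` is in effect depends on the script's first lines, which are outside the hunk.
```shell
if [ -d "$OLD" ] && [ -d "$OLD/incoming.d" ] && [ -d "$OLD/outgoing.d" ]; then
    mkdir -p "$PREFIX"
    for entry in "$OLD"/* "$OLD"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        if [ -e "$PREFIX/$name" ]; then
            echo "postinst: $PREFIX/$name already exists; leaving $entry in place" >&2
            continue
        fi
        mv "$entry" "$PREFIX/"
    done
    # Only succeeds once nothing was left behind; never fatal.
    rmdir "$OLD" 2>/dev/null || true
fi
# … unchanged: new-prefix creation, no-firewall check, default rules …
```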
......