[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. debian/0.12-7-ge84d7a5

Andreas B. Mundt andi at debian.org
Tue Jul 23 08:12:22 UTC 2013


The following commit has been merged in the master branch:
commit e84d7a5bf317a8a910b9a6ddc132f01b45b1e368
Author: Andreas B. Mundt <andi at debian.org>
Date:   Sun Jul 21 22:16:52 2013 +0200

    Improved firewall setup.

diff --git a/fai/config/scripts/FIREWALL/10-config b/fai/config/scripts/FIREWALL/10-config
index 678648d..447ee7b 100755
--- a/fai/config/scripts/FIREWALL/10-config
+++ b/fai/config/scripts/FIREWALL/10-config
@@ -10,13 +10,12 @@ fi
 CONFDIR="${target}/etc/shorewall/"
 
 prepare_shorewall(){
-    ## mainserver = gateway, use shorewall's "two-interfaces" example as base setup:
+    ## Use shorewall's "two-interfaces" example as base setup:
     for FILE in interfaces masq policy routestopped rules zones ; do
         cp -v ${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE $CONFDIR
     done
 
-    ## Enable shorewall and forwarding:
-    sed -i "s/startup=0/startup=1/" ${target}/etc/default/shorewall
+    ## Enable forwarding:
     sed -i "s/IP_FORWARDING=Keep/IP_FORWARDING=on/" $CONFDIR/shorewall.conf
 
     ## Define interfaces and use parameters:
@@ -27,52 +26,77 @@ prepare_shorewall(){
     sed -i -e 's%^\(SSH(ACCEPT).*\)$%\1  -  -  -  -  s:1/min:1%' $CONFDIR/rules
 }
 
-
-if [ "$HOSTNAME" = "mainserver" ] && [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
-    prepare_shorewall
-
-    ## Allow access from the LAN to the firewall and from the firewall to LAN and internet:
-    sed -i -e '/^loc/a loc             \$FW             ACCEPT' \
-        -e '/^net/a $FW             net             ACCEPT' \
-        -e '/.*MUST BE LAST/i $FW             loc             ACCEPT' $CONFDIR/policy
-
-    ## Debian-LAN rules:
-    cat >> $CONFDIR/rules <<EOF
+if [ "$HOSTNAME" = "mainserver" ] ; then
+    if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
+        ## mainserver = gateway, use shorewall's "two-interfaces" example as base setup:
+        prepare_shorewall
+        ## Allow access from the LAN to the firewall and from the firewall to LAN and internet:
+        sed -i -e '/.*MUST BE LAST/i \
+\#\# Debian-LAN policy:\
+loc             $FW             ACCEPT\
+$FW             loc             ACCEPT\
+$FW             net             ACCEPT' $CONFDIR/policy
+
+        ## Comment all rules where traffic is allowed already:
+        sed -i -e "s/^\(.*ACCEPT)\?\s\+loc\s\+\$FW.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" \
+            -e "s/^\(.*ACCEPT)\?\s\+\$FW\s\+loc.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" \
+            -e "s/^\(.*ACCEPT)\?\s\+\$FW\s\+net.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" $CONFDIR/rules
+
+        ## Debian-LAN rules:
+        cat >> $CONFDIR/rules <<EOF
 ##
 ##  Debian-LAN
 ##
-#
-# Limit ssh connections from everywhere
-#
-SSH(ACCEPT)     all             \$FW  -  -  -  -  s:1/min:1
-
+SSH(ACCEPT)     net             \$FW  -  -  -  -  s:1/min:1
+Limit(SSH,1,60):info  loc       \$FW  tcp  22
 EOF
 
+    else
+        ## mainserver != gateway, use shorewall's "Universal" example as base setup:
+        for FILE in interfaces policy rules zones ; do
+            cp -v ${target}/usr/share/doc/shorewall/examples/Universal/$FILE $CONFDIR
+        done
+
+        ## Allow access from the LAN to the firewall:
+        sed -i -e 's%^\(net.*\)$%\
+\#\# Debian-LAN policy:\
+\#\1\
+net     $FW     ACCEPT%' $CONFDIR/policy
+
+        ## Comment rules where traffic is allowed already and limit ssh access:
+        sed -i -e "s/^\(.*ACCEPT)\?\s\+net\s\+\$FW.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" $CONFDIR/rules
+        echo 'Limit(SSH,1,60):info  net       $FW  tcp  22' >> $CONFDIR/rules
+    fi
+
 elif [ "$HOSTNAME" = "gateway" ] ; then
     prepare_shorewall
 
     ## Allow access from firewall to LAN:
-    sed -i -e '/.*MUST BE LAST/i $FW             loc             ACCEPT' $CONFDIR/policy
+    sed -i -e '/.*MUST BE LAST/i \
+\#\# Debian-LAN policy:\
+$FW             loc             ACCEPT' $CONFDIR/policy
+
+    ## Comment all rules where traffic is allowed already:
+    sed -i -e "s/^\(.*ACCEPT)\?\s\+\$FW\s\+loc.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" $CONFDIR/rules
 
     ## Debian-LAN rules:
     cat >> $CONFDIR/rules <<EOF
 ##
 ##  Debian-LAN
 ##
-#
-# Limit ssh connections from everywhere
-#
-SSH(ACCEPT)     all             \$FW  -  -  -  -  s:1/min:1
+SSH(ACCEPT)     net             \$FW  -  -  -  -  s:1/min:1
 HTTP(ACCEPT)    \$FW             net
 NTP(ACCEPT)     \$FW             net
 DNS(ACCEPT)     loc             \$FW
 EOF
 
-else
-    # FIXME: Add firewall for server with single nic here:
-    exit 0
 fi
 
+## Enable shorewall:
+sed -i "s/startup=0/startup=1/" ${target}/etc/default/shorewall
+
+
+
 ## C.f. http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html
 ## More restrictive rules (if traffic loc <--> $FW --> net is not allowed by default)
 
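Review bot: The common tail at the end of the hunk (`## Enable shorewall:` followed by `sed -i "s/startup=0/startup=1/" ${target}/etc/default/shorewall`) now runs for every host that reaches this script, but with the old `else … exit 0` branch removed, a host that is neither `mainserver` nor `gateway` gets `startup=1` without any zones/interfaces/policy/rules having been installed into `$CONFDIR`. Depending on what the packaged /etc/shorewall contains, that presumably either fails `shorewall start` at boot or brings up whatever is shipped there — neither is a reviewed rule set, and it is a regression from the previous explicit exit. I would keep the enable step behind the branches that actually produced a configuration, e.g. restore `else` with `echo "FIREWALL: no rule set for $HOSTNAME, leaving shorewall disabled" >&2 ; exit 0` before the `fi`, or guard the sed with `[ -f "$CONFDIR/zones" ] || exit 0`. Separately, in the `mainserver != gateway` branch the Universal example's only zone is `net`, so replacing the `net all DROP` policy with `net $FW ACCEPT` makes the LAN-facing host firewall allow-all apart from the SSH `Limit`; that mirrors `loc $FW ACCEPT` in the other branch but deserves a comment such as `## The single interface is zone "net" here; it is the trusted LAN, so accept everything from it.` Note also that `s%^\(net.*\)$%…%` rewrites every policy line beginning with `net`, not only the DROP line, so it should be anchored on the full `net all DROP` pattern if the example ever grows another `net` policy.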
