[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. debian/0.12-2-gcc9c302
Julien Lambot
jlambot at gmail.com
Mon Jul 8 19:42:00 UTC 2013
Nice :)
I was just busy setting up a test environment and learning git to provide
it. You're always a shot ahead of me ;)
On Mon, Jul 8, 2013 at 8:43 PM, Andreas B. Mundt <andi at debian.org> wrote:
> The following commit has been merged in the master branch:
> commit cc9c302e7c103a9c875efad311475214a56b97e8
> Author: Andreas B. Mundt <andi at debian.org>
> Date: Mon Jul 8 20:26:21 2013 +0200
>
> Add FIREWALL class. Enable shorewall for the 'two-interfaces'-setup.
>
> For the setup where the mainserver acts as gateway, configure
> shorewall to block all access from the external network except ssh
> logins (limited to one connection per minute).
>
> Based on the more sophisticated example provided by Julien Lambot in
> <URL:
> http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html
> >,
> thanks!
>
> diff --git a/fai/config/class/50-host-classes
> b/fai/config/class/50-host-classes
> index 8da8289..1338c49 100755
> --- a/fai/config/class/50-host-classes
> +++ b/fai/config/class/50-host-classes
> @@ -40,7 +40,7 @@ FLAVOR="LVM8_A DISKLESS_SERVER" ## simple diskless,
> default for testing in a VM
> #FLAVOR="RAIDLVM7BAK_A RAID DISKLESS_SERVER" ## diskless, RAID1, backup
> disk
>
> ## Setup with graphical user management tool GOsa. Remove GOSA class if
> it is not needed:
> -MAINSERVER_A="$FLAVOR CUPS_SERVER LOG_SERVER PROXY NTP_SERVER DNS_SERVER
> NFS_SERVER \
> +MAINSERVER_A="$FLAVOR FIREWALL CUPS_SERVER LOG_SERVER PROXY NTP_SERVER
> DNS_SERVER NFS_SERVER \
> MAIL_SERVER LDAP_CLIENT LDAP_SERVER KERBEROS_CLIENT KERBEROS_KDC KDC_LDAP
> SERVER_A GOSA"
>
> WORKSTATION_A="LVM5_A CUPS_CLIENT LOG_CLIENT LDAP_CLIENT NFS_CLIENT
> KERBEROS_CLIENT \
> diff --git a/fai/config/package_config/CUPS_CLIENT
> b/fai/config/package_config/FIREWALL
> similarity index 60%
> copy from fai/config/package_config/CUPS_CLIENT
> copy to fai/config/package_config/FIREWALL
> index f498806..2645b4c 100644
> --- a/fai/config/package_config/CUPS_CLIENT
> +++ b/fai/config/package_config/FIREWALL
> @@ -1,2 +1,2 @@
> PACKAGES aptitude
> -cups-client
> +shorewall
> diff --git a/fai/config/scripts/FIREWALL/10-config
> b/fai/config/scripts/FIREWALL/10-config
> new file mode 100755
> index 0000000..7c2a3a9
> --- /dev/null
> +++ b/fai/config/scripts/FIREWALL/10-config
> @@ -0,0 +1,134 @@
> +#!/bin/bash
> +#
> +
> +set -e
> +
> +if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
> + exit 0
> +fi
> +
> +CONFDIR="${target}/etc/shorewall/"
> +
> +if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
> + ## mainserver = gateway, use shorewall's "two-interfaces" example as
> base setup:
> + for FILE in interfaces masq policy routestopped rules zones ; do
> + cp -v
> ${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE $CONFDIR
> + done
> +
> + ## Enable shorewall and forwarding:
> + sed -i "s/startup=0/startup=1/" ${target}/etc/default/shorewall
> + sed -i "s/IP_FORWARDING=Keep/IP_FORWARDING=on/"
> $CONFDIR/shorewall.conf
> +
> + ## Define interfaces and use parameters:
> + sed -i -e 's/eth0/\$NET_IF/' -e 's/eth1/\$LOC_IF/'
> $CONFDIR/interfaces $CONFDIR/masq $CONFDIR/routestopped
> + sed -i -e '$i LOC_IF=eth0' -e '$i NET_IF=eth1' $CONFDIR/params
> +
> + ## Allow access from the LAN to the firewall and from the firewall to
> LAN and internet:
> + sed -i -e '/^loc/a loc \$FW ACCEPT' \
> + -e '/^net/a $FW net ACCEPT' \
> + -e '/.*MUST BE LAST/i $FW loc ACCEPT'
> $CONFDIR/policy
> +
> + ## Debian-LAN rules:
> + cat >> $CONFDIR/rules <<EOF
> +##
> +## Debian-LAN
> +##
> +#
> +# Limit ssh connections from everywhere
> +#
> +SSH(ACCEPT) all \$FW - - -
> - s:1/min:1
> +
> +EOF
> +
> +else
> + # FIXME: Add firewall for server with single nic here:
> + exit 0
> +fi
> +
> +## C.f.
> http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html
> +## More restrictive rules (if traffic loc <--> $FW --> net is not allowed
> by default)
> +
> +#HTTP(ACCEPT) \$FW net
> +#HTTP(ACCEPT) loc \$FW
> +#HTTPS(ACCEPT) \$FW net
> +#HTTPS(ACCEPT) loc \$FW
> +#
> +#LDAP(ACCEPT) loc \$FW
> +#LDAPS(ACCEPT) loc \$FW
> +#
> +#SMTP(ACCEPT) loc \$FW
> +#IMAP(ACCEPT) loc \$FW
> +#
> +#SSH(ACCEPT) loc \$FW
> +#SSH(ACCEPT) \$FW loc
> +#SSH(ACCEPT) \$FW net
> +#
> +#NTP(ACCEPT) \$FW net
> +#NTP(ACCEPT) loc \$FW
> +#
> +##
> +## Allow CUPS
> +##
> +#IPPserver(ACCEPT) loc \$FW
> +#IPPserver(ACCEPT) \$FW loc
> +#Jetdirect(ACCEPT) \$FW loc
> +#
> +##
> +## Allow apt-cacher-ng
> +##
> +#ACCEPT loc \$FW tcp 3142
> +#
> +##
> +## Allow TFTP
> +##
> +#TFTP(ACCEPT) loc \$FW
> +#TFTP(ACCEPT) \$FW loc
> +#
> +##
> +## Allow Nagios NRPE
> +##
> +#ACCEPT \$FW loc tcp 5666
> +#
> +##
> +## Allow Munin
> +##
> +#Munin(ACCEPT) \$FW loc
> +#
> +##
> +## Allow Syslog server
> +##
> +#Syslog(ACCEPT) loc \$FW
> +#
> +##
> +## Kerberos v5 KDC
> +##
> +#ACCEPT loc \$FW tcp 88
> +#ACCEPT loc \$FW udp 88
> +## kpasswd
> +#ACCEPT loc \$FW udp 464
> +#
> +##
> +## Allow NFSv4
> +##
> +#ACCEPT loc \$FW udp 111
> +#ACCEPT loc \$FW tcp 111
> +#ACCEPT loc \$FW tcp 2049
> +#ACCEPT loc \$FW udp 2049
> +#ACCEPT loc \$FW tcp 32764:32769
> +#ACCEPT loc \$FW udp 32764:32769
> +#
> +##
> +## SQUID Manual Proxy (
> http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual)
> +##
> +#Squid(ACCEPT) loc \$FW
> +#Webcache(ACCEPT) loc \$FW
> +#
> +### below rules must be checked ## mostly triggered during FAI
> installation
> +#ACCEPT loc \$FW tcp 51105
> +#ACCEPT loc \$FW udp 55850
> +#ACCEPT loc \$FW tcp 36174
> +#ACCEPT loc \$FW tcp 4711
> +#ACCEPT \$FW loc tcp 39233
> +#ACCEPT \$FW loc tcp 53615
> +##### pay extra attention ####
> +#EOF
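Review bot: The `sed -i` substitutions that switch on shorewall (`startup=0` → `startup=1`) and forwarding (`IP_FORWARDING=Keep` → `IP_FORWARDING=on`) exit 0 even when the pattern is absent, so under `set -e` a packaged `/etc/default/shorewall` or `shorewall.conf` that words those lines differently leaves the gateway with the firewall disabled or forwarding off and no error, and since this commit also drops the `net.ipv4.ip_forward=1` sysctl and the MASQUERADE post-up from SERVER_A/10-misc, forwarding on the gateway now rests entirely on these two edits. Verify each one took effect, e.g. `grep -q '^startup=1' "${target}/etc/default/shorewall" || exit 1` and `grep -q '^IP_FORWARDING=on' "$CONFDIR/shorewall.conf" || exit 1`, so a silent miss fails the FAI run instead of shipping an unfirewalled gateway. The policy edits mix `'/^loc/a loc \$FW ACCEPT'` with `'/^net/a $FW net ACCEPT'` inside single quotes; GNU sed appears to drop the backslash in `a` text so both yield `$FW`, but the inconsistency invites a wrong edit later and one form should be used throughout. `${target}` and `$CONFDIR` are expanded unquoted in every `cp`/`sed` call; quoting them costs nothing and matches `set -e` defensiveness.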
> diff --git a/fai/config/scripts/SERVER_A/10-misc
> b/fai/config/scripts/SERVER_A/10-misc
> index f0f4c71..0a6eed8 100755
> --- a/fai/config/scripts/SERVER_A/10-misc
> +++ b/fai/config/scripts/SERVER_A/10-misc
> @@ -57,9 +57,6 @@ if [ "$MAINSERVER_IPADDR" != "$GATEWAY" ] ; then
> gateway ${GATEWAY}
> EOF
> else
> - cat >> $target/etc/network/interfaces <<EOF
> - post-up iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> -EOF
> if $ROOTCMD which dansguardian > /dev/null ; then
> cat >> $target/etc/network/interfaces <<EOF
> ## Redirect port 80 to dansguardian:
> @@ -73,6 +70,4 @@ allow-hotplug eth1
> auto eth1
> iface eth1 inet dhcp
> EOF
> - ## Switch on forwarding:
> - ainsl -a /etc/sysctl.d/debian-lan.conf "net.ipv4.ip_forward=1"
> fi
>
> --
> Debian-LAN development and packaging
>