<div dir="ltr"><div>Nice :)<br></div>I was just busy setting up a test environment and learning git to provide it. You're always a shot ahead of me ;)<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Mon, Jul 8, 2013 at 8:43 PM, Andreas B. Mundt <span dir="ltr"><<a href="mailto:andi@debian.org" target="_blank">andi@debian.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The following commit has been merged in the master branch:<br>
commit cc9c302e7c103a9c875efad311475214a56b97e8<br>
Author: Andreas B. Mundt <<a href="mailto:andi@debian.org">andi@debian.org</a>><br>
Date: Â Mon Jul 8 20:26:21 2013 +0200<br>
<br>
  Add FIREWALL class.  Enable shorewall for the 'two-interfaces'-setup.<br>
<br>
  For the setup where the mainserver acts as gateway, configure<br>
  shorewall to block all access from the external network except ssh<br>
  logins (limited to one connection per minute).<br>
<br>
  Based on the more sophisticated example provided by Julien Lambot in<br>
  <URL:<a href="http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html" target="_blank">http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html</a>>,<br>
  thanks!<br>
<br>
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes<br>
index 8da8289..1338c49 100755<br>
--- a/fai/config/class/50-host-classes<br>
+++ b/fai/config/class/50-host-classes<br>
@@ -40,7 +40,7 @@ FLAVOR="LVM8_A DISKLESS_SERVER" Â ## simple diskless, default for testing in a VM<br>
 #FLAVOR="RAIDLVM7BAK_A RAID DISKLESS_SERVER"  ## diskless, RAID1, backup disk<br>
<br>
 ## Setup with graphical user management tool GOsa.  Remove GOSA class if it is not needed:<br>
-MAINSERVER_A="$FLAVOR CUPS_SERVER LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER \<br>
+MAINSERVER_A="$FLAVOR FIREWALL CUPS_SERVER LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER \<br>
 MAIL_SERVER LDAP_CLIENT LDAP_SERVER KERBEROS_CLIENT KERBEROS_KDC KDC_LDAP SERVER_A GOSA"<br>
<br>
 WORKSTATION_A="LVM5_A CUPS_CLIENT LOG_CLIENT LDAP_CLIENT NFS_CLIENT KERBEROS_CLIENT \<br>
diff --git a/fai/config/package_config/CUPS_CLIENT b/fai/config/package_config/FIREWALL<br>
similarity index 60%<br>
copy from fai/config/package_config/CUPS_CLIENT<br>
copy to fai/config/package_config/FIREWALL<br>
index f498806..2645b4c 100644<br>
--- a/fai/config/package_config/CUPS_CLIENT<br>
+++ b/fai/config/package_config/FIREWALL<br>
@@ -1,2 +1,2 @@<br>
 PACKAGES aptitude<br>
-cups-client<br>
+shorewall<br>
diff --git a/fai/config/scripts/FIREWALL/10-config b/fai/config/scripts/FIREWALL/10-config<br>
new file mode 100755<br>
index 0000000..7c2a3a9<br>
--- /dev/null<br>
+++ b/fai/config/scripts/FIREWALL/10-config<br>
@@ -0,0 +1,134 @@<br>
+#!/bin/bash<br>
+#<br>
+<br>
+set -e<br>
+<br>
+if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then<br>
+ Â Â exit 0<br>
+fi<br>
+<br>
+CONFDIR="${target}/etc/shorewall/"<br>
+<br>
+if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then<br>
+ Â Â ## mainserver = gateway, use shorewall's "two-interfaces" example as base setup:<br>
+ Â Â for FILE in interfaces masq policy routestopped rules zones ; do<br>
+ Â Â Â Â cp -v ${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE $CONFDIR<br>
+ Â Â done<br>
+<br>
+ Â Â ## Enable shorewall and forwarding:<br>
+ Â Â sed -i "s/startup=0/startup=1/" ${target}/etc/default/shorewall<br>
+ Â Â sed -i "s/IP_FORWARDING=Keep/IP_FORWARDING=on/" $CONFDIR/shorewall.conf<br>
+<br>
+ Â Â ## Define interfaces and use parameters:<br>
+ Â Â sed -i -e 's/eth0/\$NET_IF/' -e 's/eth1/\$LOC_IF/' $CONFDIR/interfaces $CONFDIR/masq $CONFDIR/routestopped<br>
+ Â Â sed -i -e '$i LOC_IF=eth0' -e '$i NET_IF=eth1' $CONFDIR/params<br>
+<br>
+ Â Â ## Allow access from the LAN to the firewall and from the firewall to LAN and internet:<br>
+   sed -i -e '/^loc/a loc       \$FW       ACCEPT' \<br>
+     -e '/^net/a $FW       net       ACCEPT' \<br>
+     -e '/.*MUST BE LAST/i $FW       loc       ACCEPT' $CONFDIR/policy<br>
+<br>
+ Â Â ## Debian-LAN rules:<br>
+ Â Â cat >> $CONFDIR/rules <<EOF<br>
+##<br>
+## Â Debian-LAN<br>
+##<br>
+#<br>
+# Limit ssh connections from everywhere<br>
+#<br>
+SSH(ACCEPT)   all       \$FW     -     -     -     -     s:1/min:1<br>
+<br>
+EOF<br>
+<br>
+else<br>
+ Â Â # FIXME: Add firewall for server with single nic here:<br>
+ Â Â exit 0<br>
+fi<br>
+<br>
+## C.f. <a href="http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html" target="_blank">http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html</a><br>
+## More restrictive rules (if traffic loc <--> $FW --> net is not allowed by default)<br>
+<br>
+#HTTP(ACCEPT) Â Â \$FW Â Â Â Â Â Â net<br>
+#HTTP(ACCEPT)   loc       \$FW<br>
+#HTTPS(ACCEPT) Â \$FW Â Â Â Â Â Â net<br>
+#HTTPS(ACCEPT)  loc       \$FW<br>
+#<br>
+#LDAP(ACCEPT)   loc       \$FW<br>
+#LDAPS(ACCEPT)  loc       \$FW<br>
+#<br>
+#SMTP(ACCEPT)   loc       \$FW<br>
+#IMAP(ACCEPT)   loc       \$FW<br>
+#<br>
+#SSH(ACCEPT)   loc       \$FW<br>
+#SSH(ACCEPT) Â Â \$FW Â Â Â Â Â Â loc<br>
+#SSH(ACCEPT) Â Â \$FW Â Â Â Â Â Â net<br>
+#<br>
+#NTP(ACCEPT) Â Â \$FW Â Â Â Â Â Â net<br>
+#NTP(ACCEPT)   loc       \$FW<br>
+#<br>
+##<br>
+## Allow CUPS<br>
+##<br>
+#IPPserver(ACCEPT)  loc       \$FW<br>
+#IPPserver(ACCEPT) Â \$FW Â Â Â Â Â Â loc<br>
+#Jetdirect(ACCEPT) Â \$FW Â Â Â Â Â Â loc<br>
+#<br>
+##<br>
+## Allow apt-cacher-ng<br>
+##<br>
+#ACCEPT      loc       \$FW       tcp   3142<br>
+#<br>
+##<br>
+## Allow TFTP<br>
+##<br>
+#TFTP(ACCEPT)   loc       \$FW<br>
+#TFTP(ACCEPT) Â Â \$FW Â Â Â Â Â Â loc<br>
+#<br>
+##<br>
+## Allow Nagios NRPE<br>
+##<br>
+#ACCEPT      \$FW       loc       tcp   5666<br>
+#<br>
+##<br>
+## Allow Munin<br>
+##<br>
+#Munin(ACCEPT) Â \$FW Â Â Â Â Â Â loc<br>
+#<br>
+##<br>
+## Allow Syslog server<br>
+##<br>
+#Syslog(ACCEPT)  loc       \$FW<br>
+#<br>
+##<br>
+## Kerberos v5 KDC<br>
+##<br>
+#ACCEPT      loc       \$FW       tcp   88<br>
+#ACCEPT      loc       \$FW       udp   88<br>
+## kpasswd<br>
+#ACCEPT      loc       \$FW       udp   464<br>
+#<br>
+##<br>
+## Allow NFSv4<br>
+##<br>
+#ACCEPT      loc       \$FW       udp   111<br>
+#ACCEPT      loc       \$FW       tcp   111<br>
+#ACCEPT      loc       \$FW       tcp   2049<br>
+#ACCEPT      loc       \$FW       udp   2049<br>
+#ACCEPT      loc       \$FW       tcp   32764:32769<br>
+#ACCEPT      loc       \$FW       udp   32764:32769<br>
+#<br>
+##<br>
+## SQUID Manual Proxy (<a href="http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual" target="_blank">http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual</a>)<br>
+##<br>
+#Squid(ACCEPT)   loc       \$FW<br>
+#Webcache(ACCEPT)  loc       \$FW<br>
+#<br>
+### below rules must be checked ## mostly triggered during FAI installation<br>
+#ACCEPT      loc       \$FW       tcp   51105<br>
+#ACCEPT      loc       \$FW       udp   55850<br>
+#ACCEPT      loc       \$FW       tcp   36174<br>
+#ACCEPT      loc       \$FW       tcp   4711<br>
+#ACCEPT      \$FW       loc       tcp   39233<br>
+#ACCEPT      \$FW       loc       tcp   53615<br>
+##### pay extra attention ####<br>
+#EOF<br>
diff --git a/fai/config/scripts/SERVER_A/10-misc b/fai/config/scripts/SERVER_A/10-misc<br>
index f0f4c71..0a6eed8 100755<br>
--- a/fai/config/scripts/SERVER_A/10-misc<br>
+++ b/fai/config/scripts/SERVER_A/10-misc<br>
@@ -57,9 +57,6 @@ if [ "$MAINSERVER_IPADDR" != "$GATEWAY" ] ; then<br>
    gateway  ${GATEWAY}<br>
 EOF<br>
 else<br>
- Â Â cat >> $target/etc/network/interfaces <<EOF<br>
- Â Â Â post-up iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE<br>
-EOF<br>
   if $ROOTCMD which dansguardian > /dev/null ; then<br>
    cat >> $target/etc/network/interfaces <<EOF<br>
    ## Redirect port 80 to dansguardian:<br>
@@ -73,6 +70,4 @@ allow-hotplug eth1<br>
 auto eth1<br>
 iface eth1 inet dhcp<br>
 EOF<br>
- Â Â ## Switch on forwarding:<br>
- Â Â ainsl -a /etc/sysctl.d/debian-lan.conf "net.ipv4.ip_forward=1"<br>
 fi<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Debian-LAN development and packaging<br>
<br>
_______________________________________________<br>
debian-lan-devel mailing list<br>
<a href="mailto:debian-lan-devel@lists.alioth.debian.org">debian-lan-devel@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/mailman/listinfo/debian-lan-devel" target="_blank">http://lists.alioth.debian.org/mailman/listinfo/debian-lan-devel</a><br>
</font></span></blockquote></div><br></div>