summaryrefslogtreecommitdiff
path: root/network/arno-iptables-firewall
diff options
context:
space:
mode:
authorPhilip Lacroix <philnx@bluebottle.com>2014-03-12 07:29:12 +0700
committerErik Hanson <erik@slackbuilds.org>2014-03-12 12:42:52 -0500
commit26e1286f3a1530d581150b2aceb22300968dbb99 (patch)
tree1f83029ab263968ff84807b8d2a495c10e6c30c6 /network/arno-iptables-firewall
parent564e1f2a5bd9245600ccf321960bc85607c88555 (diff)
downloadslackbuilds-26e1286f3a1530d581150b2aceb22300968dbb99.tar.gz
network/arno-iptables-firewall: Added (a front-end for iptables).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
Diffstat (limited to 'network/arno-iptables-firewall')
-rw-r--r--network/arno-iptables-firewall/README41
-rw-r--r--network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild126
-rw-r--r--network/arno-iptables-firewall/arno-iptables-firewall.info10
-rw-r--r--network/arno-iptables-firewall/conf.d.readme5
-rw-r--r--network/arno-iptables-firewall/doinst.sh14
-rw-r--r--network/arno-iptables-firewall/patch-configuration-file.diff16
-rw-r--r--network/arno-iptables-firewall/patch-configuration-script.diff77
-rw-r--r--network/arno-iptables-firewall/patch-startup-script.diff25
-rw-r--r--network/arno-iptables-firewall/slack-desc19
9 files changed, 333 insertions, 0 deletions
diff --git a/network/arno-iptables-firewall/README b/network/arno-iptables-firewall/README
new file mode 100644
index 0000000000..8cee93f457
--- /dev/null
+++ b/network/arno-iptables-firewall/README
@@ -0,0 +1,41 @@
+arno-iptables-firewall is a front-end for iptables. Its configuration
+script will setup a secure and restrictive firewall by just asking a
+few questions. This includes configuring internal networks for Internet
+access via NAT and network services like http or ssh. Moreover, it
+provides many advanced additional features that can be enabled in the
+well documented configuration file.
+
+PLEASE NOTE - The setup script is NOT going to be run automatically
+after your package is installed. In order to do that, you'll have to
+issue the following command:
+
+# arno-iptables-firewall-configure
+
+To enable firewall startup at boot-time you'll need to create a symlink
+as follows (remove the link to disable automatic firewall startup):
+
+# ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall
+# chmod +x /etc/rc.d/rc.arno-iptables-firewall
+
+When everything is ready you can start the firewall manually with one
+of the following commands:
+
+# /etc/rc.d/rc.arno-iptables-firewall start
+
+# arno-iptables-firewall start
+
+IMPORTANT - Here are some security notes from the upstream author:
+
+1) If possible, make sure that the firewall is started before the (ADSL)
+Internet connection is enabled. For a ppp-interface that doesn't exist
+yet you can use the wildcard device called "ppp+" (but you can only use
+ppp+ if there aren't any other ppp interfaces).
+
+2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't
+really understand what they mean. Changing them anyway could have a big
+impact on the security of your machine.
+
+3) A lot of people complain that their server stopped working after
+installing the firewall. This is the CORRECT behaviour for a firewall:
+blocking ALL incoming traffic by default. Configure your e.g. OPEN_TCP
+accordingly.
diff --git a/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild b/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild
new file mode 100644
index 0000000000..6be33adc91
--- /dev/null
+++ b/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild
@@ -0,0 +1,126 @@
+#!/bin/sh
+
+# Slackware build script for arno-iptables-firewall
+
+# Copyright 2013-2014 Philip Lacroix <philnx at bluebottle dot com>
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Thanks to Matteo Bernardini and Robby Workman for their valuable remarks.
+
+PRGNAM=arno-iptables-firewall
+VERSION=${VERSION:-2.0.1d}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=${PKG:-$TMP/package-$PRGNAM}
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM\_$VERSION
+tar xvf $CWD/$PRGNAM\_$VERSION.tar.gz
+
+cd $PRGNAM\_$VERSION
+chown -R root:root .
+find -L . \
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+ -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 \
+ -o -perm 400 \) -exec chmod 644 {} \;
+
+PRGBIN=$PKG/usr/sbin
+PRGETC=$PKG/etc/$PRGNAM
+PRGSHR=$PKG/usr/share/$PRGNAM
+PRGDOC=$PKG/usr/doc/$PRGNAM-$VERSION
+PRGMAN=$PKG/usr/man
+
+# Copy firewall, log filter and configuration executables
+mkdir -p $PRGBIN
+cp -a ./bin/$PRGNAM $PRGBIN/
+cp -a ./configure.sh $PRGBIN/$PRGNAM-configure
+cp -a ./bin/arno-fwfilter $PRGBIN/
+
+# Patch the configuration script. We need this in order to be able to
+# run the script from outside the source directory as well. We're going
+# to (1) change from relative to absolute the path to the environment
+# file and firewall executable; (2) rename and change the path to the
+# startup script (this is for better consistency with Slackware's init
+# system); (3) change the path to the unmodified copy of the config
+# file, needed to check for existing custom setups. We will NOT create
+# a Slackware-compliant /etc/rc.d/rc.firewall symlink to the startup
+# script, as this should be done manually by the sysadmin. We won't
+# create any SystemV-style symlinks either. Finally (4) we append the
+# note, picked from the original installation script and slightly
+# enhanced, that will be shown to the user when configuration is done
+# (this is to inform that an rc.firewall symlink has to be created in
+# order to start up the firewall at boot-time in a proper way).
+patch $PRGBIN/$PRGNAM-configure < $CWD/patch-configuration-script.diff
+
+# Copy and compress man pages
+mkdir -p $PRGMAN
+cp -a ./share/man/* $PRGMAN/
+find $PRGMAN -type f -exec gzip -9 {} \;
+
+# Copy and rename configuration files; apply patch to main config file
+# in order to fix paths; set permissions.
+mkdir -p $PRGETC/conf.d
+cp -a ./etc/$PRGNAM/* $PRGETC/
+cat $CWD/conf.d.readme > $PRGETC/conf.d/README
+patch $PRGETC/firewall.conf < $CWD/patch-configuration-file.diff
+for conf in $( find $PRGETC -type f -not -name README ); do
+ mv ${conf} ${conf}.new
+ chmod 600 ${conf}.new
+done
+
+# Copy shared data; include a clean copy of the configuration file, as
+# expected by the configuration script for comparison purposes; create
+# link to plugin as in the original script.
+mkdir -p $PRGSHR
+cp -a ./share/$PRGNAM/* $PRGSHR/
+cp -a $PRGETC/firewall.conf.new $PRGSHR/firewall.conf.orig
+ln -sv /usr/share/$PRGNAM/plugins/traffic-accounting-show $PRGBIN/
+
+# Install startup script and set permissions; apply patch to fix path
+# to the executable file and make comments more consistent with the
+# Slackware system.
+mkdir -p $PKG/etc/rc.d/
+install -m 0644 ./etc/init.d/$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM
+patch $PKG/etc/rc.d/rc.$PRGNAM < $CWD/patch-startup-script.diff
+
+# Copy documentation, include third-party sample files.
+mkdir -p $PRGDOC/contrib $PKG/usr/doc
+for doc in README CHANGELOG gpl_license.txt ; do
+ cp -a ./${doc} $PRGDOC/
+done
+cp -a ./contrib/adsl-failover $PRGDOC/contrib/
+cp -a ./contrib/Slackware/syslog.conf $PRGDOC/contrib/
+cat $CWD/$PRGNAM.SlackBuild > $PRGDOC/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-noarch-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/network/arno-iptables-firewall/arno-iptables-firewall.info b/network/arno-iptables-firewall/arno-iptables-firewall.info
new file mode 100644
index 0000000000..ad1a473ee1
--- /dev/null
+++ b/network/arno-iptables-firewall/arno-iptables-firewall.info
@@ -0,0 +1,10 @@
+PRGNAM="arno-iptables-firewall"
+VERSION="2.0.1d"
+HOMEPAGE="http://rocky.eld.leidenuniv.nl"
+DOWNLOAD="http://rocky.eld.leidenuniv.nl/arno-iptables-firewall/arno-iptables-firewall_2.0.1d.tar.gz"
+MD5SUM="c0504a92f7f34f6973ce1d9996b4908d"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES=""
+MAINTAINER="Philip Lacroix"
+EMAIL="philnx at bluebottle dot com"
diff --git a/network/arno-iptables-firewall/conf.d.readme b/network/arno-iptables-firewall/conf.d.readme
new file mode 100644
index 0000000000..e64d1b133e
--- /dev/null
+++ b/network/arno-iptables-firewall/conf.d.readme
@@ -0,0 +1,5 @@
+# /etc/arno-iptables-firewall/conf.d/
+
+Files with a .conf extension in this directory will be sourced by the
+environment file.
+
diff --git a/network/arno-iptables-firewall/doinst.sh b/network/arno-iptables-firewall/doinst.sh
new file mode 100644
index 0000000000..5129a9435f
--- /dev/null
+++ b/network/arno-iptables-firewall/doinst.sh
@@ -0,0 +1,14 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ rm $NEW
+ fi
+}
+
+CONFIG=${CONFIG:-/etc/arno-iptables-firewall}
+for conf in $( find $CONFIG -name *.new ) ; do
+ config ${conf}
+done
diff --git a/network/arno-iptables-firewall/patch-configuration-file.diff b/network/arno-iptables-firewall/patch-configuration-file.diff
new file mode 100644
index 0000000000..f49ee6099f
--- /dev/null
+++ b/network/arno-iptables-firewall/patch-configuration-file.diff
@@ -0,0 +1,16 @@
+235c235
+< IP4TABLES="/sbin/iptables"
+---
+> IP4TABLES="/usr/sbin/iptables"
+240c240
+< IP6TABLES="/sbin/ip6tables"
+---
+> IP6TABLES="/usr/sbin/ip6tables"
+244c244
+< ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
+---
+> ENV_FILE="/usr/share/arno-iptables-firewall/environment"
+248c248
+< PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins"
+---
+> PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
diff --git a/network/arno-iptables-firewall/patch-configuration-script.diff b/network/arno-iptables-firewall/patch-configuration-script.diff
new file mode 100644
index 0000000000..6cdc80c7ad
--- /dev/null
+++ b/network/arno-iptables-firewall/patch-configuration-script.diff
@@ -0,0 +1,77 @@
+34,35c34,35
+< if [ -f ./share/arno-iptables-firewall/environment ]; then
+< . ./share/arno-iptables-firewall/environment
+---
+> if [ -f /usr/share/arno-iptables-firewall/environment ]; then
+> . /usr/share/arno-iptables-firewall/environment
+37c37
+< printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n" >&2
+---
+> printf "\033[40m\033[1;31mERROR: Could not read environment file /usr/share/arno-iptables-firewall/environment!\033[0m\n" >&2
+219c219
+<
+---
+>
+221,223c221,223
+< chmod 755 /etc/init.d/arno-iptables-firewall
+< chown 0:0 "$FIREWALL_CONF" /etc/init.d/arno-iptables-firewall
+< chmod 600 "$FIREWALL_CONF"
+---
+> chmod 755 /etc/rc.d/rc.arno-iptables-firewall
+> chown 0:0 "$FIREWALL_CONF" /etc/rc.d/rc.arno-iptables-firewall
+> chmod 600 "$FIREWALL_CONF"
+228c228
+< AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"
+---
+> AIF_VERSION="$(grep "MY_VERSION=" /usr/sbin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"
+236,252d235
+< # Remove any symlinks in rc*.d out of the way
+< rm -f /etc/rc*.d/*arno-iptables-firewall
+<
+< if get_user_yn "Do you want to start the firewall at boot (via /etc/init.d/) (Y/N)?" "y"; then
+< if [ -d /etc/rcS.d ]; then
+< ln -sv /etc/init.d/arno-iptables-firewall /etc/rcS.d/S41arno-iptables-firewall
+< else
+< ln -sv /etc/init.d/arno-iptables-firewall /etc/rc2.d/S11arno-iptables-firewall
+< fi
+<
+< # Check for insserv. Used for dependency based booting on eg. Debian
+< INSSERV="$(find_command /sbin/insserv)"
+< if [ -n "$INSSERV" ]; then
+< "$INSSERV" arno-iptables-firewall
+< fi
+< fi
+<
+254c237
+< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "1"
+---
+> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "1"
+256c239
+< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "0"
+---
+> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "0"
+259c242
+< if diff ./etc/arno-iptables-firewall/firewall.conf "$FIREWALL_CONF" >/dev/null; then
+---
+> if diff /usr/share/arno-iptables-firewall/firewall.conf.orig "$FIREWALL_CONF" >/dev/null; then
+275a259,276
+> echo ""
+> echo "-------------------------------------------------------------------------------"
+> echo "** NOTE: 1) You can now (manually) start the firewall by executing **"
+> echo "** \"/etc/rc.d/rc.arno-iptables-firewall start\" **"
+> echo "** It is recommended however to first review the settings in **"
+> echo "** /etc/arno-iptables-firewall/firewall.conf! **"
+> echo "** **"
+> echo "** 2) In order to start the firewall automatically at boot-time, **"
+> echo "** you will need to manually create in /etc/rc.d/ an appropriate **"
+> echo "** symlink, named \"rc.firewall\", pointing to the startup script. **"
+> echo "** To do that, issue the following command: **"
+> echo "** **"
+> echo "** ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall **"
+> echo "** **"
+> echo "** Simply delete the link if you wish to disable firewall startup **"
+> echo "** at boot-time. **"
+> echo "-------------------------------------------------------------------------------"
+> echo ""
+278d278
+<
diff --git a/network/arno-iptables-firewall/patch-startup-script.diff b/network/arno-iptables-firewall/patch-startup-script.diff
new file mode 100644
index 0000000000..c6dd915c78
--- /dev/null
+++ b/network/arno-iptables-firewall/patch-startup-script.diff
@@ -0,0 +1,25 @@
+4c4
+< # description: init.d script for Arno's iptables firewall
+---
+> # description: rc.d script for Arno's iptables firewall
+7c7
+< # Provides: arno-iptables-firewall
+---
+> # Provides: rc.arno-iptables-firewall
+16,20c16,21
+< # You should put this script in eg. "/etc/init.d/" . #
+< # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it #
+< # If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or #
+< # (for eg. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script #
+< # ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). #
+---
+> # You should put this script in "/etc/rc.d/". #
+> # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it. #
+> # If you want to run it upon boot, either create an "/etc/rc.d/rc.firewall" symlink to the #
+> # present script ("ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall") or #
+> # edit the network system startup script "/etc/rc.d/rc.inet2" by renaming both occurrences #
+> # of "rc.firewall" to match this script's name (i.e. "rc.arno-iptables-firewall"). #
+24c25
+< PROGRAM="/usr/local/sbin/arno-iptables-firewall"
+---
+> PROGRAM="/usr/sbin/arno-iptables-firewall"
diff --git a/network/arno-iptables-firewall/slack-desc b/network/arno-iptables-firewall/slack-desc
new file mode 100644
index 0000000000..80e82a06f9
--- /dev/null
+++ b/network/arno-iptables-firewall/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+arno-iptables-firewall: arno-iptables-firewall (a front-end for iptables)
+arno-iptables-firewall:
+arno-iptables-firewall: arno-iptables-firewall is a front-end for iptables. Its configuration
+arno-iptables-firewall: script will setup a secure and restrictive firewall by just asking a
+arno-iptables-firewall: few questions. This includes the configuration of internal networks
+arno-iptables-firewall: for Internet access via NAT and network services like http or ssh.
+arno-iptables-firewall: Moreover, it provides many advanced additional features that can be
+arno-iptables-firewall: enabled in the well documented configuration file.
+arno-iptables-firewall:
+arno-iptables-firewall: Homepage: http://rocky.eld.leidenuniv.nl
+arno-iptables-firewall: