Release 22.05 #155
|
@ -18,7 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* evolinux-base: backup-server-state release 22.03
|
||||
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
|
||||
* generate-ldif: Add services check for bkctld
|
||||
* minifirewall: upstream release 22.03.1 and use includes directory
|
||||
* minifirewall: upstream release 22.03.2 and use includes directory
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
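--- /dev/null
+++ b/minifirewall/files/blacklist-countries.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+ripedeny_file=/var/tmp/ripe_deny
+
+cd /var/tmp
+
+rm -f $ripedeny_file
+
+GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5
+GET http://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr
+
+for i in CN KR RU; do
+
+grep "^$i|" ripe.cidr >> $ripedeny_file
+
+done
+
+/sbin/iptables -F NEEDRESTRICT
+
+for i in $(cat $ripedeny_file); do
+BLOCK=$(echo $i | cut -d"|" -f2)
+/sbin/iptables -I NEEDRESTRICT -s $BLOCK -j DROP
+done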
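Review bot: The country list is fetched over plain HTTP and the `ripe.cidr.md5` downloaded on the line above it is never compared against `ripe.cidr`, so a failed, empty or truncated download still reaches `/sbin/iptables -F NEEDRESTRICT` and leaves that chain flushed with nothing re-inserted, which fails open for exactly the networks this script exists to block. The download and the checksum should be verified before the chain is touched, and the script should exit non-zero on any mismatch; a checksum served by the same unauthenticated host only guards against truncation, not tampering, so HTTPS is also worth checking for (whether the server offers it, and whether the `.md5` file is in `md5sum` format, is not visible here and is assumed below). Two smaller points: `/var/tmp` is world-writable and the file names are fixed, so a local user can pre-create `ripe.cidr` or `ripe_deny` there (a symlink is only neutralised if `fs.protected_symlinks` is on), which `mktemp -d` avoids; and `for i in $(cat $ripedeny_file)` plus `echo $i | cut` word-splits and forks per entry where a `while read` loop with `IFS='|'` does the same work. The rewrite below assumes `GET` (lwp-request) reports non-2xx responses through its exit status, as it does for the versions I know.
```sh
#!/bin/sh
set -u

workdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$workdir"' EXIT
ripedeny_file="$workdir/ripe_deny"
cd "$workdir" || exit 1

# Abort before touching the firewall: a failed or truncated download must
# not leave NEEDRESTRICT flushed and empty.
GET https://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5 || exit 1
GET https://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr || exit 1
expected=$(cut -d' ' -f1 < ripe.cidr.md5)
actual=$(md5sum < ripe.cidr | cut -d' ' -f1)
if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "ripe.cidr checksum mismatch, not updating NEEDRESTRICT" >&2
    exit 1
fi

# … unchanged: grep of the CN KR RU entries into $ripedeny_file …

/sbin/iptables -F NEEDRESTRICT
while IFS='|' read -r _country block _rest; do
    [ -n "$block" ] && /sbin/iptables -I NEEDRESTRICT -s "$block" -j DROP
done < "$ripedeny_file"
```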
|
|
@ -28,9 +28,10 @@
|
|||
# Description: Firewall designed for standalone server
|
||||
### END INIT INFO
|
||||
|
||||
VERSION="22.03.1"
|
||||
VERSION="22.03.2"
|
||||
|
||||
NAME="minifirewall"
|
||||
# shellcheck disable=SC2034
|
||||
DESC="Firewall designed for standalone server"
|
||||
|
||||
set -u
|
||||
|
@ -115,6 +116,8 @@ chain_exists() {
|
|||
chain_name="$1"
|
||||
if [ $# -ge 2 ]; then
|
||||
intable="--table $2"
|
||||
else
|
||||
intable=""
|
||||
fi
|
||||
# shellcheck disable=SC2086
|
||||
iptables ${intable} -nL "${chain_name}" >/dev/null 2>&1
|
||||
|
@ -476,34 +479,46 @@ start() {
|
|||
# Privileged services (accessible from privileged & trusted IPs)
|
||||
for dstport in ${SERVICESTCP2}; do
|
||||
for srcip in ${PRIVILEGIEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in ${SERVICESUDP2}; do
|
||||
for srcip in ${PRIVILEGIEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Trusted services (accessible from trusted IPs)
|
||||
for dstport in ${SERVICESTCP3}; do
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in ${SERVICESUDP3}; do
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
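Review bot: The six new `is_ipv6` guards pass the address unquoted (`if ! is_ipv6 ${srcip}; then`) while the `-s "${srcip}"` argument two lines below each of them is quoted; the unquoted form is what ShellCheck flags as SC2086 and is inconsistent with the rest of the block, so `if ! is_ipv6 "${srcip}"; then` in all six places. The guard silently skips IPv6 entries of `PRIVILEGIEDIPS`/`TRUSTEDIPS` for the Docker chains, which is right if `${IPT}` is the IPv4 binary, but nothing in this hunk shows where the ip6tables counterparts are added; a one-line comment above the first loop, `# Docker chains are IPv4 only: IPv6 sources are skipped here and handled by the ip6tables rules`, would record that intent (confirm against the IPv6 path before writing it). The six loops differ only in chain, protocol and source list, so a small helper taking those as arguments would remove most of this copy-paste. start() begins before the hunk and the `if` closed by the final `fi` is opened outside it.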
|
||||
|
|
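--- /dev/null
+++ b/minifirewall/files/minifirewall.d/zzz-custom
@@ -0,0 +1,11 @@
+### custom minifirewall commands
+#
+# You can add any custom command in files like this;
+# either this one, or others in the same directory.
+# They are executed as shell scripts.
+# They are automatically included in alphanumerical order.
+#
+# Within included files, you can use those helper functions :
+# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
+# * is_docker_enabled: returns true if Docker mode is eabled, or false
+# * is_proxy_enabled: returns true if Proxy mode is enabled , or false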
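Review bot: Two typos in the helper list: `eabled` in the `is_docker_enabled` line should be `enabled`, and `enabled , or false` on the `is_proxy_enabled` line has a stray space before the comma. The file also says the includes are "executed as shell scripts" and then "automatically included"; if they are sourced into minifirewall's own shell (which is what would make the listed helper functions available to them), `# They are sourced into minifirewall's shell, in alphanumerical order.` is the more accurate wording — the include mechanism itself is not visible here, so confirm against the main script before changing it.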
|
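--- /dev/null
+++ b/minifirewall/files/minifirewall.d/zzzz-ban
@@ -0,0 +1,7 @@
+### ban rules
+#
+# If you have ban rules in /root/ban.iptables
+# (either manually or with /usr/share/scripts/blacklist-countries.sh)
+# ou can automatically import them with the following command:
+#
+# cat /root/ban.iptables | iptables-restore -n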
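Review bot: The workflow described here does not match the `blacklist-countries.sh` added in the same commit: that script inserts DROP rules directly into the `NEEDRESTRICT` chain and never writes `/root/ban.iptables`, so a reader following this file would find nothing to import. Either the script should emit its rules into `/root/ban.iptables` for this include to restore, or this comment should say that the script manages `NEEDRESTRICT` itself and that only hand-written rules belong in `/root/ban.iptables`; in both cases `iptables-restore -n` (no flush) needs the chains it references to already exist, which is worth stating. Two minor points: `# ou can` is missing its `Y`, and the pipe is unnecessary, `# iptables-restore -n < /root/ban.iptables`.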
|
|
@ -14,14 +14,6 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: include directory is present
|
||||
file:
|
||||
path: /etc/minifirewall.d/
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0700"
|
||||
|
||||
- name: configuration is copied
|
||||
copy:
|
||||
src: minifirewall.conf
|
||||
|
@ -30,3 +22,40 @@
|
|||
mode: "0600"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: includes directory is present
|
||||
file:
|
||||
path: /etc/minifirewall.d/
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0700"
|
||||
|
||||
- name: examples for includes are present
|
||||
copy:
|
||||
src: "minifirewall.d/"
|
||||
dest: "/etc/minifirewall.d/"
|
||||
force: "no"
|
||||
mode: "0600"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
dest: /usr/share/scripts
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
|
||||
- name: blacklist-countries.sh is copied
|
||||
copy:
|
||||
src: blacklist-countries.sh
|
||||
dest: /usr/share/scripts/blacklist-countries.sh
|
||||
force: "no"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
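Review bot: `force: "no"` on the `blacklist-countries.sh is copied` task means a host that already has `/usr/share/scripts/blacklist-countries.sh` will never receive a newer version from the role, so any later fix to that script (for instance verifying the download before it flushes `NEEDRESTRICT`) silently fails to reach existing hosts. Not overwriting is right for the user-editable examples copied into `/etc/minifirewall.d/` above, but this script is owned by the role, not the admin, so drop the `force: "no"` line and let the default (`force: yes`) apply. The file header is not shown in this section; the path is inferred to be the role's `tasks/main.yml`.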
|
||||