diff --git a/CHANGELOG.md b/CHANGELOG.md index 5db76f0..fe6ead4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Fixed +* status output (number of # in headers) + ### Security ## [22.04] - 2022-04-28 diff --git a/README.md b/README.md index 714f463..a1c93c4 100644 --- a/README.md +++ b/README.md @@ -8,9 +8,13 @@ See https://gitea.evolix.org/evolix/minifirewall ## Install ~~~ -install --mode 0700 minifirewall /etc/init.d/minifirewall +install --mode 0700 minifirewall /usr/local/sbin/ +install --mode 0700 init.sh /etc/init.d/minifirewall install --mode 0600 minifirewall.conf /etc/default/minifirewall mkdir --mode 0700 /etc/minifirewall.d + +install --mode 0644 minifirewall.service /etc/systemd/system/minifirewall.service +systemctl daemon-reload ~~~ ## Config @@ -37,11 +41,17 @@ you need to use the port used by the container (ie: 8080) in the public/semi-pub ## Usage +~~~ +systemctl start/stop/restart minifirewall +minifirewall status +~~~ + +Formerly : ~~~ /etc/init.d/minifirewall start/stop/restart ~~~ -If you want to add minifirewall in boot sequence, add the start command to `/usr/share/scripts/alert5`. +If you want to add minifirewall in SysV Init boot sequence, add the start command to `/usr/share/scripts/alert5`. ## License diff --git a/init.sh b/init.sh new file mode 100644 index 0000000..e4492d9 --- /dev/null +++ b/init.sh 
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: minifirewall
+# Required-Start:
+# Required-Stop:
+# Should-Start: $network $syslog $named
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the firewall
+# Description: Firewall designed for standalone server
+### END INIT INFO
+
+minifirewall_bin=/usr/local/sbin/minifirewall
+
+if [ -z "${minifirewall_bin}" ]; then
+ echo "${minifirewall_bin}: not found"
+elif [ ! -x "${minifirewall_bin}" ]; then
+ echo "${minifirewall_bin}: not executable"
+fi
+
+case "$1" in
+ start)
+ systemctl start minifirewall
+ ;;
+ stop)
+ systemctl stop minifirewall
+ ;;
+ status)
+ systemctl status minifirewall
+ ;;
+ restart|reload|condrestart)
+ systemctl restart minifirewall
+ ;;
+ reset)
+ ${minifirewall_bin} reset
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|status|reset}"
+ exit 1
+esac
+
+exit 0
diff --git a/minifirewall b/minifirewall
index f383d87..f62e9de 100755
--- a/minifirewall
+++ b/minifirewall
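Review bot: The existence check `if [ -z "${minifirewall_bin}" ]` tests a hard-coded literal and can never be true; the intent looks like `[ ! -e "${minifirewall_bin}" ]`. Neither branch exits and both messages go to stdout, so a missing or non-executable binary only prints a line before the `case` dispatch runs anyway, and the `reset)` arm then tries to execute it; aborting to stderr with a non-zero status fixes both. Separately, the trailing `exit 0` discards the status of the `systemctl` call, so a failed `start` is reported as success to the caller; a bare `exit` after the `esac` (which reuses the last command's status) would propagate it. The usage text in the `*)` arm also omits the accepted `reload` and `condrestart` words.
```shell
if [ ! -e "${minifirewall_bin}" ]; then
  echo "${minifirewall_bin}: not found" >&2
  exit 1
elif [ ! -x "${minifirewall_bin}" ]; then
  echo "${minifirewall_bin}: not executable" >&2
  exit 1
fi
# … unchanged: case "$1" dispatch …
```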
@@ -1,159 +1,51 @@ #!/bin/sh # shellcheck disable=SC2059 -# minifirewall is a shell script for easy firewalling on a standalone server -# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel -# See https://gitea.evolix.org/evolix/minifirewall - -# Copyright (c) 2007-2022 Evolix -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 3 -# of the License. - -# Description -# script for standalone server - -# Start or stop minifirewall -# - -### BEGIN INIT INFO -# Provides: minifirewall -# Required-Start: -# Required-Stop: -# Should-Start: $network $syslog $named -# Should-Stop: $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: start and stop the firewall -# Description: Firewall designed for standalone server -### END INIT INFO - -VERSION="22.04" - -NAME="minifirewall" +PROGNAME="minifirewall" # shellcheck disable=SC2034 -DESC="Firewall designed for standalone server" +REPOSITORY="https://gitea.evolix.org/evolix/minifirewall" + +VERSION="22.04.3" +readonly VERSION set -u -# Variables configuration -######################### +show_version() { + cat <. -# iptables paths -IPT=$(command -v iptables) -if [ -z "${IPT}" ]; then - echo "Unable to find 'iptables\` command in PATH." >&2 - exit 1 -fi -IPT6=$(command -v ip6tables) -if [ -z "${IPT6}" ]; then - echo "Unable to find 'ip6tables\` command in PATH." >&2 - exit 1 -fi +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 3 +of the License. +END +} +show_help() { + cat <&2 + show_help + exit 1 + fi +} check_unpersisted_state() { cmp_bin=$(command -v cmp) diff_bin=$(command -v diff) 
@@ -335,11 +234,11 @@ report_state_changes() { start() { syslog_info "starting" - printf "${BOLD}${NAME} starting${RESET}\n" + printf "${BOLD}${PROGNAME} starting${RESET}\n" # Stop and warn if error! set -e - trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT + trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT # sysctl network security settings ################################## @@ -890,7 +789,7 @@ start() { trap - INT TERM EXIT syslog_info "started" - printf "${GREEN}${BOLD}${NAME} started${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n" # No need to exit on error anymore set +e @@ -900,7 +799,7 @@ start() { stop() { syslog_info "stopping" - printf "${BOLD}${NAME} stopping${RESET}\n" + printf "${BOLD}${PROGNAME} stopping${RESET}\n" printf "${BLUE}flushing all rules and accepting everything${RESET}\n" @@ -983,13 +882,13 @@ stop() { rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" syslog_info "stopped" - printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n" } status() { printf "${BLUE}#### iptables --list ###############################${RESET}\n" ${IPT} --list --numeric --verbose --line-numbers - printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" + printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n" ${IPT} --table nat --list --numeric --verbose --line-numbers printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" ${IPT} --table mangle --list --numeric --verbose --line-numbers 
@@ -1004,7 +903,7 @@ status() { status_without_numbers() { printf "${BLUE}#### iptables --list ###############################${RESET}\n" ${IPT} --list --numeric - printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" + printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n" ${IPT} --table nat --list --numeric printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" ${IPT} --table mangle --list --numeric @@ -1018,7 +917,7 @@ status_without_numbers() { reset() { syslog_info "resetting" - printf "${BOLD}${NAME} resetting${RESET}\n" + printf "${BOLD}${PROGNAME} resetting${RESET}\n" ${IPT} -Z if is_ipv6_enabled; then 
@@ -1033,67 +932,172 @@ reset() { fi syslog_info "reset" - printf "${GREEN}${BOLD}${NAME} reset${RESET}\n" -} -show_version() { - cat <. - -${NAME} comes with ABSOLUTELY NO WARRANTY. -This program is free software; you can redistribute it and/or -modify it under the terms of the GNU General Public License -as published by the Free Software Foundation; either version 3 -of the License. -END + printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n" } -case "${1:-''}" in - start) - source_configuration - check_unpersisted_state +main() { + case "${1:-''}" in + start) + exit_if_not_systemd + source_configuration + check_unpersisted_state - start - ;; + start + ;; - stop) - source_configuration - check_unpersisted_state + stop) + exit_if_not_systemd + source_configuration + check_unpersisted_state - stop - ;; + stop + ;; - status) - source_configuration - check_unpersisted_state + status) + source_configuration + check_unpersisted_state - status - ;; + status + ;; - reset) - source_configuration - check_unpersisted_state + reset) + source_configuration + check_unpersisted_state - reset - ;; + reset + ;; - restart) - source_configuration - check_unpersisted_state + restart) + exit_if_not_systemd + source_configuration + check_unpersisted_state - stop - start - ;; + stop + start + ;; - version) - show_version - ;; + version|--version|-V) + show_version + exit 0 + ;; - *) - echo "Usage: $0 {start|stop|restart|status|reset|version}" - exit 1 - ;; -esac + help|-h|-\?|--help) + show_help + exit 0 + ;; -exit 0 + *) + show_help + exit 1 + ;; + esac +} + +config_file="/etc/default/minifirewall" +includes_dir="/etc/minifirewall.d" + +# iptables paths +IPT=$(command -v iptables) +if [ -z "${IPT}" ]; then + echo "Unable to find 'iptables\` command in PATH." >&2 + exit 1 +fi +IPT6=$(command -v ip6tables) +if [ -z "${IPT6}" ]; then + echo "Unable to find 'ip6tables\` command in PATH." 
>&2
+ exit 1
+fi
+
+## pseudo dry-run :
+## Uncomment and call these functions instead of the real iptables and ip6tables commands
+# IPT="fake_iptables"
+# IPT6="fake_ip6tables"
+# fake_iptables() {
+# printf "DRY-RUN iptables %s\n" "$*"
+# }
+# fake_ip6tables() {
+# printf "DRY-RUN ip6tables %s\n" "$*"
+# }
+## Beware that commands executed from included files are not modified by this trick.
+
+# TCP/IP variables
+LOOPBACK='127.0.0.0/8'
+CLASSA='10.0.0.0/8'
+CLASSB='172.16.0.0/12'
+CLASSC='192.168.0.0/16'
+CLASSD='224.0.0.0/4'
+CLASSE='240.0.0.0/5'
+ALL='0.0.0.0'
+BROAD='255.255.255.255'
+PORTSROOT='0:1023'
+PORTSUSER='1024:65535'
+
+# Configuration
+
+INT=''
+IPV6=''
+DOCKER=''
+INTLAN=''
+TRUSTEDIPS=''
+PRIVILEGIEDIPS=''
+SERVICESTCP1p=''
+SERVICESUDP1p=''
+SERVICESTCP1=''
+SERVICESUDP1=''
+SERVICESTCP2=''
+SERVICESUDP2=''
+SERVICESTCP3=''
+SERVICESUDP3=''
+DNSSERVEURS=''
+HTTPSITES=''
+HTTPSSITES=''
+FTPSITES=''
+SSHOK=''
+SMTPOK=''
+SMTPSECUREOK=''
+NTPOK=''
+PROXY=''
+PROXYBYPASS=''
+PROXYPORT=''
+BACKUPSERVERS=''
+
+LEGACY_CONFIG='off'
+
+STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
+STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
+STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
+STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
+
+LOGGER_BIN=$(command -v logger)
+
+# No colors by default
+RED=''
+GREEN=''
+YELLOW=''
+BLUE=''
+MAGENTA=''
+CYAN=''
+WHITE=''
+BOLD=''
+RESET=''
+# check if stdout is a terminal...
+if [ -t 1 ]; then
+
+ # see if it supports colors...
+ ncolors=$(tput colors)
+
+ if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
+ RED=$(tput setaf 1)
+ GREEN=$(tput setaf 2)
+ YELLOW=$(tput setaf 3)
+ BLUE=$(tput setaf 4)
+ MAGENTA=$(tput setaf 5)
+ CYAN=$(tput setaf 6)
+ WHITE=$(tput setaf 7)
+ BOLD=$(tput bold)
+ RESET='\e[m'
+ fi
+fi
+
+# shellcheck disable=SC2086
+main $@
diff --git a/minifirewall.service b/minifirewall.service
new file mode 100644
index 0000000..89014bf
--- /dev/null
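Review bot: The final `main $@` word-splits and glob-expands the arguments instead of passing them through; `main "$@"` keeps each positional parameter as one word and makes the `# shellcheck disable=SC2086` line above it unnecessary. In `main`, `exit_if_not_systemd` now guards `start`, `stop` and `restart`, while the README in this same commit still tells SysV users to add the start command to `/usr/share/scripts/alert5` and installs `init.sh`, whose `start` arm calls `systemctl`; on a host without systemd that boot path appears to no longer work, so either the README or the guard should be reconciled. The carried-over `case "${1:-''}"` default expands to the two-character string `''` rather than an empty string when no argument is given; it still lands in the `*)` arm, but `"${1:-}"` says what is meant. The body of `exit_if_not_systemd` itself is not legible in this view of the diff.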
+++ b/minifirewall.service
@@ -0,0 +1,18 @@
+# /etc/systemd/system/minifirewall.service
+
+[Unit]
+Description=Control the firewall
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Restart=no
+TimeoutSec=5min
+IgnoreSIGPIPE=no
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/minifirewall start
+ExecStop=/usr/local/sbin/minifirewall stop
+
+[Install]
+WantedBy=default.target
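Review bot: `After=network-online.target` with `Wants=network-online.target` orders the firewall after the network is fully up, so at boot there is a window in which interfaces carry traffic with no rules loaded; systemd provides `network-pre.target` (declared via `Before=network-pre.target` and `Wants=network-pre.target`) precisely for firewall services, and the reverse ordering at shutdown would then also keep the `stop` action, which flushes all rules and accepts everything, from running while the network is still up. If `start` genuinely needs the network, for instance to resolve names from the configuration, that constraint deserves a comment in the unit so the ordering is not "corrected" later. `WantedBy=default.target` installs into whatever the default target currently aliases to; `multi-user.target` is the usual choice for a system service. `Restart=no` is already the default for a `oneshot` service and can be dropped.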