From 620331c29d76cca0ec5cff8c2f132a76b6cd6906 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 29 Apr 2022 14:07:30 +0200
Subject: [PATCH 1/7] Split init script and code script
---
 init.sh | 44 ++++++
 minifirewall | 383 +++++++++++++++++++++++++--------------------------
 2 files changed, 232 insertions(+), 195 deletions(-)
 create mode 100644 init.sh
diff --git a/init.sh b/init.sh
new file mode 100644
index 0000000..b838bb1
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: minifirewall
+# Required-Start:
+# Required-Stop:
+# Should-Start: $network $syslog $named
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the firewall
+# Description: Firewall designed for standalone server
+### END INIT INFO
+
+minifirewall_bin=/usr/local/sbin/minifirewall
+
+if [ -z "${minifirewall_bin}" ]; then
+ echo "${minifirewall_bin}: not found"
+elif [ ! -x "${minifirewall_bin}" ]; then
+ echo "${minifirewall_bin}: not executable"
+fi
+
+case "$1" in
+ start)
+ ${minifirewall_bin} start
+ ;;
+ stop)
+ ${minifirewall_bin} stop
+ ;;
+ status)
+ ${minifirewall_bin} status
+ ;;
+ restart|reload|condrestart)
+ ${minifirewall_bin} restart
+ ;;
+ reset)
+ ${minifirewall_bin} reset
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|status|reset}"
+ exit 1
+esac
+
+exit 0
\ No newline at end of file
diff --git a/minifirewall b/minifirewall
index f383d87..3d3727f 100755
--- a/minifirewall
+++ b/minifirewall
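Review bot: The executable check at the top of the new init.sh only prints a message and then falls through to the `case`, so a missing or non-executable /usr/local/sbin/minifirewall is still invoked, and the `-z` branch can never fire because `minifirewall_bin` is assigned a literal two lines above it. Replace the two branches with `if [ ! -x "${minifirewall_bin}" ]; then echo "${minifirewall_bin}: not found or not executable" >&2; exit 1; fi` so the failure goes to stderr and carries a non-zero status. The unconditional `exit 0` at the end likewise discards the status of the `${minifirewall_bin}` call, so a start that fails to load rules is reported as success to the init system; `exit $?` right after the `esac`, or `exit` inside each arm, keeps the real status. The `*)` arm is also the only one without a closing `;;`, legal as the last arm but inconsistent with the others.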
@@ -1,159 +1,50 @@ #!/bin/sh # shellcheck disable=SC2059 -# minifirewall is a shell script for easy firewalling on a standalone server -# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel -# See https://gitea.evolix.org/evolix/minifirewall - -# Copyright (c) 2007-2022 Evolix -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 3 -# of the License. - -# Description -# script for standalone server - -# Start or stop minifirewall -# - -### BEGIN INIT INFO -# Provides: minifirewall -# Required-Start: -# Required-Stop: -# Should-Start: $network $syslog $named -# Should-Stop: $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: start and stop the firewall -# Description: Firewall designed for standalone server -### END INIT INFO - -VERSION="22.04" - -NAME="minifirewall" +PROGNAME="minifirewall" # shellcheck disable=SC2034 -DESC="Firewall designed for standalone server" +REPOSITORY="https://gitea.evolix.org/evolix/minifirewall" + +VERSION="22.04.3" +readonly VERSION set -u -# Variables configuration -######################### +show_version() { + cat <. -# iptables paths -IPT=$(command -v iptables) -if [ -z "${IPT}" ]; then - echo "Unable to find 'iptables\` command in PATH." >&2 - exit 1 -fi -IPT6=$(command -v ip6tables) -if [ -z "${IPT6}" ]; then - echo "Unable to find 'ip6tables\` command in PATH." >&2 - exit 1 -fi +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 3 +of the License. +END +} +show_help() { + cat <. - -${NAME} comes with ABSOLUTELY NO WARRANTY. 
-This program is free software; you can redistribute it and/or -modify it under the terms of the GNU General Public License -as published by the Free Software Foundation; either version 3 -of the License. -END + printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n" } -case "${1:-''}" in - start) - source_configuration - check_unpersisted_state +main() { + case "${1:-''}" in + start) + source_configuration + check_unpersisted_state - start - ;; + start + ;; - stop) - source_configuration - check_unpersisted_state + stop) + source_configuration + check_unpersisted_state - stop - ;; + stop + ;; - status) - source_configuration - check_unpersisted_state + status) + source_configuration + check_unpersisted_state - status - ;; + status + ;; - reset) - source_configuration - check_unpersisted_state + reset) + source_configuration + check_unpersisted_state - reset - ;; + reset + ;; - restart) - source_configuration - check_unpersisted_state + restart) + source_configuration + check_unpersisted_state - stop - start - ;; + stop + start + ;; - version) - show_version - ;; + version|--version|-V) + show_version + exit 0 + ;; - *) - echo "Usage: $0 {start|stop|restart|status|reset|version}" - exit 1 - ;; -esac + help|-h|-\?|--help) + show_help + exit 0 + ;; -exit 0 + *) + show_help + exit 1 + ;; + esac +} + +config_file="/etc/default/minifirewall" +includes_dir="/etc/minifirewall.d" + +# iptables paths +IPT=$(command -v iptables) +if [ -z "${IPT}" ]; then + echo "Unable to find 'iptables\` command in PATH." >&2 + exit 1 +fi +IPT6=$(command -v ip6tables) +if [ -z "${IPT6}" ]; then + echo "Unable to find 'ip6tables\` command in PATH." 
>&2
+ exit 1
+fi
+
+## pseudo dry-run :
+## Uncomment and call these functions instead of the real iptables and ip6tables commands
+# IPT="fake_iptables"
+# IPT6="fake_ip6tables"
+# fake_iptables() {
+# printf "DRY-RUN iptables %s\n" "$*"
+# }
+# fake_ip6tables() {
+# printf "DRY-RUN ip6tables %s\n" "$*"
+# }
+## Beware that commands executed from included files are not modified by this trick.
+
+# TCP/IP variables
+LOOPBACK='127.0.0.0/8'
+CLASSA='10.0.0.0/8'
+CLASSB='172.16.0.0/12'
+CLASSC='192.168.0.0/16'
+CLASSD='224.0.0.0/4'
+CLASSE='240.0.0.0/5'
+ALL='0.0.0.0'
+BROAD='255.255.255.255'
+PORTSROOT='0:1023'
+PORTSUSER='1024:65535'
+
+# Configuration
+
+INT=''
+IPV6=''
+DOCKER=''
+INTLAN=''
+TRUSTEDIPS=''
+PRIVILEGIEDIPS=''
+SERVICESTCP1p=''
+SERVICESUDP1p=''
+SERVICESTCP1=''
+SERVICESUDP1=''
+SERVICESTCP2=''
+SERVICESUDP2=''
+SERVICESTCP3=''
+SERVICESUDP3=''
+DNSSERVEURS=''
+HTTPSITES=''
+HTTPSSITES=''
+FTPSITES=''
+SSHOK=''
+SMTPOK=''
+SMTPSECUREOK=''
+NTPOK=''
+PROXY=''
+PROXYBYPASS=''
+PROXYPORT=''
+BACKUPSERVERS=''
+
+LEGACY_CONFIG='off'
+
+STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
+STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
+STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
+STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
+
+LOGGER_BIN=$(command -v logger)
+
+# No colors by default
+RED=''
+GREEN=''
+YELLOW=''
+BLUE=''
+MAGENTA=''
+CYAN=''
+WHITE=''
+BOLD=''
+RESET=''
+# check if stdout is a terminal...
+if [ -t 1 ]; then
+
+ # see if it supports colors...
+ ncolors=$(tput colors)
+
+ if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
+ RED=$(tput setaf 1)
+ GREEN=$(tput setaf 2)
+ YELLOW=$(tput setaf 3)
+ BLUE=$(tput setaf 4)
+ MAGENTA=$(tput setaf 5)
+ CYAN=$(tput setaf 6)
+ WHITE=$(tput setaf 7)
+ BOLD=$(tput bold)
+ RESET='\e[m'
+ fi
+fi
+
+# shellcheck disable=SC2086
+main ${ARGS}
\ No newline at end of file
-- 2.39.2
From 286690f94e121a3af54ecc01a302325a2e87ab55 Mon Sep 17 00:00:00 2001
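Review bot: `main ${ARGS}` at the very end of the hunk references a variable that no line of the new code shown assigns, while `set -u` is in effect as a context line near the top of the same hunk; unless ARGS is set somewhere outside this view, every invocation aborts with an unbound-variable error before reaching `main`. The intended form is `main "$@"`, which also makes the `# shellcheck disable=SC2086` line above it unnecessary. Separately, `RESET='\e[m'` is the only colour value not taken from tput and only works because the script passes it inside printf format strings; `\e` is not a POSIX printf escape, so under a `#!/bin/sh` that is dash it may be emitted literally, and `RESET=$(tput sgr0)` would be both portable and consistent with the other assignments. The heredoc bodies of show_version and show_help are truncated in this view and were not reviewed.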
From: "William Hirigoyen (Evolix)"
Date: Mon, 2 May 2022 16:38:54 +0200
Subject: [PATCH 2/7] Add systemd service unit for Minifirewall.
---
 minifirewall.service | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 minifirewall.service
diff --git a/minifirewall.service b/minifirewall.service
new file mode 100644
index 0000000..9462484
--- /dev/null
+++ b/minifirewall.service
@@ -0,0 +1,19 @@
+# /etc/systemd/system/minifirewall.service
+
+[Unit]
+Description=Control the firewall
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Restart=no
+TimeoutSec=5min
+IgnoreSIGPIPE=no
+RemainAfterExit=yes
+SuccessExitStatus=5 6
+ExecStart=/usr/local/sbin/minifirewall start
+ExecStop=/usr/local/sbin/minifirewall stop
+
+[Install]
+WantedBy=default.target
-- 2.39.2
From a8b604a9004cf5382acf506bfbbdeb86dca0a715 Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)"
Date: Mon, 2 May 2022 16:45:33 +0200
Subject: [PATCH 3/7] Update README.md/intall instructions for systemd and new local bin path.
---
 README.md | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 714f463..a1c93c4 100644
--- a/README.md
+++ b/README.md
@@ -8,9 +8,13 @@ See https://gitea.evolix.org/evolix/minifirewall
 ## Install
 ~~~
-install --mode 0700 minifirewall /etc/init.d/minifirewall
+install --mode 0700 minifirewall /usr/local/sbin/
+install --mode 0700 init.sh /etc/init.d/minifirewall
 install --mode 0600 minifirewall.conf /etc/default/minifirewall
 mkdir --mode 0700 /etc/minifirewall.d
+
+install --mode 0644 minifirewall.service /etc/systemd/system/minifirewall.service
+systemctl daemon-reload
 ~~~
 ## Config
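Review bot: The unit is ordered `After=network-online.target`, so interfaces are up and reachable before `minifirewall start` installs any rules, which leaves the host unfiltered during the boot window between network bring-up and this unit; systemd's documented hook for firewall units is `Before=network-pre.target` together with `Wants=network-pre.target`. If the ruleset needs DNS at start time to resolve hostnames from the configuration, the current ordering may be deliberate, in which case a comment in the [Unit] section stating that trade-off would stop the next maintainer from "fixing" it. `Restart=no` is the default value and can be dropped, and `WantedBy=multi-user.target` is the conventional install target for a system service, though `default.target` normally resolves to it.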
@@ -37,11 +41,17 @@ you need to use the port used by the container (ie: 8080) in the public/semi-pub
 ## Usage
+~~~
+systemctl start/stop/restart minifirewall
+minifirewall status
+~~~
+
+Formerly :
 ~~~
 /etc/init.d/minifirewall start/stop/restart
 ~~~
-If you want to add minifirewall in boot sequence, add the start command to `/usr/share/scripts/alert5`.
+If you want to add minifirewall in SysV Init boot sequence, add the start command to `/usr/share/scripts/alert5`.
 ## License
-- 2.39.2
From 1f9002f4f35b94e5adeaa3c914df773a6f2af85c Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)"
Date: Thu, 11 Aug 2022 16:45:28 +0200
Subject: [PATCH 4/7] Prevent direct call to minifirewall script in favor of systemctl or /etc/init.d/minifirewall stub
---
 init.sh | 10 +++++-----
 minifirewall | 21 ++++++++++++++++-----
 2 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/init.sh b/init.sh
index b838bb1..e4492d9 100644
--- a/init.sh
+++ b/init.sh
@@ -22,16 +22,16 @@ fi
 case "$1" in
 start)
- ${minifirewall_bin} start
+ systemctl start minifirewall
 ;;
 stop)
- ${minifirewall_bin} stop
+ systemctl stop minifirewall
 ;;
 status)
- ${minifirewall_bin} status
+ systemctl status minifirewall
 ;;
 restart|reload|condrestart)
- ${minifirewall_bin} restart
+ systemctl restart minifirewall
 ;;
 reset)
 ${minifirewall_bin} reset
@@ -41,4 +41,4 @@ case "$1" in
 exit 1
 esac
-exit 0
\ No newline at end of file
+exit 0
diff --git a/minifirewall b/minifirewall
index 3d3727f..bf2ef5b 100755
--- a/minifirewall
+++ b/minifirewall
@@ -27,11 +27,12 @@ show_help() { cat <&2
+ show_help
+ exit 1
+ fi
+}
 check_unpersisted_state() {
 cmp_bin=$(command -v cmp)
 diff_bin=$(command -v diff)
@@ -930,6 +938,7 @@ reset() {
 main() {
 case "${1:-''}" in
 start)
+ exit_if_not_systemd
 source_configuration
 check_unpersisted_state
@@ -937,6 +946,7 @@ main() {
 ;;
 stop)
+ exit_if_not_systemd
 source_configuration
 check_unpersisted_state
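Review bot: In the init.sh hunk at @@ -22, `reset` is now the only arm that still invokes `${minifirewall_bin}` directly while start/stop/restart/status go through systemctl, so `/etc/init.d/minifirewall reset` presumably alters the ruleset behind systemd's back and the unit, with `RemainAfterExit=yes`, keeps reporting active; anything that polls `systemctl is-active minifirewall` to confirm the firewall is loaded would not notice. Either route reset through the unit as well, or record the asymmetry on the arm, e.g. `# reset deliberately bypasses systemd; the unit's active state is not updated`. With this change the executable check above the `case` only matters for the reset arm, which is worth a one-line comment there too. The `case` statement continues past the end of this hunk.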
@@ -958,6 +968,7 @@ main() {
 ;;
 restart)
+ exit_if_not_systemd
 source_configuration
 check_unpersisted_state
@@ -1089,4 +1100,4 @@ if [ -t 1 ]; then
 fi
 # shellcheck disable=SC2086
-main ${ARGS}
\ No newline at end of file
+main ${ARGS}
-- 2.39.2
From f7418fff418a7a01591ec3e569eb79164c7d3aea Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)"
Date: Thu, 11 Aug 2022 17:10:05 +0200
Subject: [PATCH 5/7] Corrige
---
 minifirewall | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/minifirewall b/minifirewall
index bf2ef5b..d2cfcc0 100755
--- a/minifirewall
+++ b/minifirewall
@@ -1100,4 +1100,4 @@ if [ -t 1 ]; then
 fi
 # shellcheck disable=SC2086
-main ${ARGS}
+main $@
-- 2.39.2
From 1e981371922584f750fed9762bb9e22da35752f3 Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)"
Date: Fri, 12 Aug 2022 15:08:28 +0200
Subject: [PATCH 6/7] Retire SuccessExitStatus=5 6 inutile
---
 minifirewall.service | 1 -
 1 file changed, 1 deletion(-)
diff --git a/minifirewall.service b/minifirewall.service
index 9462484..89014bf 100644
--- a/minifirewall.service
+++ b/minifirewall.service
@@ -11,7 +11,6 @@ Restart=no
 TimeoutSec=5min
 IgnoreSIGPIPE=no
 RemainAfterExit=yes
-SuccessExitStatus=5 6
 ExecStart=/usr/local/sbin/minifirewall start
 ExecStop=/usr/local/sbin/minifirewall stop
-- 2.39.2
From f42274341dd8c696c67439c3609730f0bef828be Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 10 May 2022 15:52:26 +0200
Subject: [PATCH 7/7] fix status output (number of # in headers)
---
 CHANGELOG.md | 2 ++
 minifirewall | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5db76f0..fe6ead4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 ### Fixed
+* status output (number of # in headers)
+
 ### Security
 ## [22.04] - 2022-04-28
diff --git a/minifirewall b/minifirewall
index d2cfcc0..f62e9de 100755
--- a/minifirewall
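Review bot: `main $@` in the patch 5 hunk at @@ -1100 removes the unbound ARGS reference but leaves `$@` unquoted, so any argument containing whitespace or glob characters is re-split and expanded before it reaches `main`; the correct form is `main "$@"`. Once quoted, the `# shellcheck disable=SC2086` line directly above it no longer suppresses a real warning and should be removed rather than left to mask future ones.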
+++ b/minifirewall
@@ -888,7 +888,7 @@ stop() {
 status() {
 printf "${BLUE}#### iptables --list ###############################${RESET}\n"
 ${IPT} --list --numeric --verbose --line-numbers
- printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
+ printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
 ${IPT} --table nat --list --numeric --verbose --line-numbers
 printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
 ${IPT} --table mangle --list --numeric --verbose --line-numbers
@@ -903,7 +903,7 @@ status() {
 status_without_numbers() {
 printf "${BLUE}#### iptables --list ###############################${RESET}\n"
 ${IPT} --list --numeric
- printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
+ printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
 ${IPT} --table nat --list --numeric
 printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
 ${IPT} --table mangle --list --numeric
-- 2.39.2
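Review bot: The corrected header lines in both hunks (@@ -888 and @@ -903) still splice `${BLUE}` and `${RESET}` into the printf format string, which is the reason the file carries a blanket `# shellcheck disable=SC2059`; since these lines are being touched anyway, `printf '\n%s#### iptables --table nat --list ###################%s\n' "${BLUE}" "${RESET}"` keeps the format a literal. That rewrite only preserves the output if `RESET` holds a real escape sequence, because the current `RESET='\e[m'` is decoded solely by sitting inside the format string, so it would need to become `RESET=$(tput sgr0)` at the same time. The bodies of status() and status_without_numbers() continue past the end of their hunks.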