From 20d99306257efa07c918787ca7fcae1200efc610 Mon Sep 17 00:00:00 2001 From: Philip Lacroix Date: Sat, 15 Feb 2020 08:24:56 +0700 Subject: [PATCH] network/arno-iptables-firewall: Updated for version 2.1.0. Signed-off-by: Willy Sudiarto Raharjo --- network/arno-iptables-firewall/README | 33 ++-- .../arno-iptables-firewall.SlackBuild | 48 +++--- .../arno-iptables-firewall.info | 8 +- .../files/patch-configuration-file.diff | 12 +- .../files/patch-configuration-script.diff | 163 ++++++++++++------ .../files/patch-startup-script.diff | 17 +- network/arno-iptables-firewall/slack-desc | 2 +- 7 files changed, 167 insertions(+), 116 deletions(-) diff --git a/network/arno-iptables-firewall/README b/network/arno-iptables-firewall/README index 57dc9d2018..23ad6f4255 100644 --- a/network/arno-iptables-firewall/README +++ b/network/arno-iptables-firewall/README 
@@ -1,32 +1,41 @@ arno-iptables-firewall is a front-end for iptables. Its configuration script will set up a secure and restrictive firewall by just asking a few questions. -This includes configuring internal networks for Internet access via NAT and +This includes configuring internal networks for Internet access via NAT, and potential network services like http or ssh. Moreover, it provides advanced additional features that can be enabled in the well documented configuration file. -NOTE - The setup script will *not* run automatically after your package was -installed. In order to run the script you have to issue the following command: +NOTE - The setup script will NOT run automatically after the package has been +installed. In order to run the script, the following command has to be issued: # arno-iptables-firewall-configure -To enable the startup of the firewall at boot-time you need to create a symlink -as follows (in order to disable it, either remove the symlink or "chmod -x" the -startup script): +In order to start the firewall automatically at boot-time, an "rc.firewall" +symlink to the startup script has to be created in /etc/rc.d/ and of course +the startup script itself should be executable: -# ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall -# chmod +x /etc/rc.d/rc.arno-iptables-firewall +# cd /etc/rc.d/ +# ln -sv rc.arno-iptables-firewall rc.firewall +# chmod +x rc.arno-iptables-firewall -You can also start the firewall manually with one of the following commands: +In order to disable startup of the firewall at boot time, remove the symlink or +the executable bit from the startup script: -# /etc/rc.d/rc.arno-iptables-firewall start +# rm /etc/rc.d/rc.firewall +# chmod -x /etc/rc.d/rc.arno-iptables-firewall + +The firewall can also be started manually with one of the following commands: # arno-iptables-firewall start +# /etc/rc.d/rc.arno-iptables-firewall start + +Please refer to the man page for more details. 
+ IMPORTANT - A few security notes from the upstream author: 1) If possible make sure that the firewall is started before the (ADSL) Internet -connection is enabled. For a ppp-interface that doesn't exist yet you can use +connection is enabled. For a ppp-interface that doesn't exist yet, you can use the wildcard device called "ppp+" (but you can only use ppp+ if there aren't any other ppp interfaces). @@ -35,5 +44,5 @@ understand what they mean. Changing them anyway could have a big impact on the security of your machine. 3) A lot of people complain that their server stopped working after installing -the firewall. This is the *correct* behaviour for a firewall: blocking *all* +the firewall. This is the correct behaviour for a firewall: blocking all incoming traffic by default. Configure your OPEN_TCP (e.g.) accordingly. diff --git a/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild b/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild index 3a93a44d14..07401eb02e 100644 --- a/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild +++ b/network/arno-iptables-firewall/arno-iptables-firewall.SlackBuild @@ -2,7 +2,7 @@ # Slackware build script for arno-iptables-firewall -# Copyright 2013-2015 Philip Lacroix +# Copyright 2013-2020 Philip Lacroix # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -27,8 +27,8 @@ PRGNAM=arno-iptables-firewall SRCNAM=aif -VERSION=${VERSION:-2.0.1e} -BUILD=${BUILD:-3} +VERSION=${VERSION:-2.1.0} +BUILD=${BUILD:-1} TAG=${TAG:-_SBo} CWD=$(pwd) 
@@ -56,8 +56,8 @@ chown -R root:root . find -L . \ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ -o -perm 511 \) -exec chmod 755 {} \; -o \ - \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 \ - -o -perm 400 \) -exec chmod 644 {} \; + \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ + -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; PRGBIN=$PKG/usr/sbin PRGETC=$PKG/etc/$PRGNAM 
@@ -71,23 +71,25 @@ install -m 0755 -D ./configure.sh $PRGBIN/$PRGNAM-configure install -m 0755 ./bin/arno-fwfilter $PRGBIN/ install -m 0755 ./bin/$PRGNAM $PRGBIN/ -# Patch the configuration script. We need this in order to be able to -# run the script from outside the source directory as well. We're going -# to (1) change from relative to absolute the paths to the environment -# file and firewall executable; (2) rename and change the path to the -# startup script (this is for better consistency with Slackware's init -# system); (3) change the path to the unmodified copy of the config -# file, needed to check for existing custom setups. We will NOT create -# a Slackware-compliant /etc/rc.d/rc.firewall symlink to the startup -# script, as this should be done manually by the sysadmin. We won't -# create any SystemV-style symlinks either. (4) We will allow the script -# to be run correctly more than once, by removing previously set values -# if no value is entered: this is to prevent e.g. ports from remaining -# open, or internal interfaces from remaining enabled with NAT. Finally -# (5) we append the note, picked from the original installation script -# and slightly enhanced, that the user will see when configuration is -# done: this is to inform that an rc.firewall symlink has to be created -# in order to start up the firewall at boot-time in a proper way. +# Patch the configuration script. We need this to be able to run the +# script from outside the source directory as well. We're going to: +# +# 1) Change from relative to absolute the paths to the environment file +# and the firewall executable. +# 2) Rename and change the path to the startup script, for consistency with +# Slackware's init system. +# 3) Change the path to the unmodified copy of the config file, needed to +# check for already existing setups. 
+# 4) Allow the script to be run correctly more than once, by removing +# previously set values if no values are entered: this is to prevent, +# for example, ports from remaining open, or NAT from remaining enabled. +# 5) Append the note, copied from the original install script and adapted +# to the Slackware system, that users read when configuration is done: +# this is mainly to inform that the "rc.firewall" symlink has to be +# manually created in order to start up the firewall at boot-time. We +# will NOT create the symlink automatically, as this should be done by +# the system administrator. + patch $PRGBIN/$PRGNAM-configure < $CWD/files/patch-configuration-script.diff # Copy and compress man pages. @@ -110,7 +112,7 @@ done # expected by the configuration script for comparison purposes; create # link to plugin as in the original script. mkdir -p $PRGSHR -cp -a ./share/$PRGNAM/* $PRGSHR/ +cp -a ./share/$PRGNAM/{environment,plugins} $PRGSHR/ cp -a $PRGETC/firewall.conf.new $PRGSHR/firewall.conf.orig ln -sv /usr/share/$PRGNAM/plugins/traffic-accounting-show $PRGBIN/ diff --git a/network/arno-iptables-firewall/arno-iptables-firewall.info b/network/arno-iptables-firewall/arno-iptables-firewall.info index 1bd234e44e..1bc541c2c6 100644 --- a/network/arno-iptables-firewall/arno-iptables-firewall.info +++ b/network/arno-iptables-firewall/arno-iptables-firewall.info @@ -1,10 +1,10 @@ PRGNAM="arno-iptables-firewall" -VERSION="2.0.1e" +VERSION="2.1.0" HOMEPAGE="https://github.com/arno-iptables-firewall/aif" -DOWNLOAD="https://github.com/arno-iptables-firewall/aif/archive/2.0.1e.tar.gz" -MD5SUM="4981a336f55e2db90f594beedcaef47d" +DOWNLOAD="https://github.com/arno-iptables-firewall/aif/archive/2.1.0.tar.gz" +MD5SUM="8f890a80bb6e8d2d0681c9a822ae39de" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="" MAINTAINER="Philip Lacroix" -EMAIL="slackph at bluebottle dot com" +EMAIL="slackph at posteo dot de" 
diff --git a/network/arno-iptables-firewall/files/patch-configuration-file.diff b/network/arno-iptables-firewall/files/patch-configuration-file.diff index c530647a22..4be4f835ab 100644 --- a/network/arno-iptables-firewall/files/patch-configuration-file.diff +++ b/network/arno-iptables-firewall/files/patch-configuration-file.diff @@ -1,16 +1,8 @@ -233c233 -< IP4TABLES="/sbin/iptables" ---- -> IP4TABLES="/usr/sbin/iptables" -238c238 -< IP6TABLES="/sbin/ip6tables" ---- -> IP6TABLES="/usr/sbin/ip6tables" -242c242 +256c256 < ENV_FILE="/usr/local/share/arno-iptables-firewall/environment" --- > ENV_FILE="/usr/share/arno-iptables-firewall/environment" -246c246 +260c260 < PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins" --- > PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins" diff --git a/network/arno-iptables-firewall/files/patch-configuration-script.diff b/network/arno-iptables-firewall/files/patch-configuration-script.diff index dacac17330..800fb9157c 100644 --- a/network/arno-iptables-firewall/files/patch-configuration-script.diff +++ b/network/arno-iptables-firewall/files/patch-configuration-script.diff 
@@ -5,96 +5,145 @@ > if [ -f /usr/share/arno-iptables-firewall/environment ]; then > . /usr/share/arno-iptables-firewall/environment 36c36 -< printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n" >&2 +< printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n\n" >&2 --- -> printf "\033[40m\033[1;31mERROR: Could not read environment file /usr/share/arno-iptables-firewall/environment!\033[0m\n" >&2 -70a71,75 +> printf "\033[40m\033[1;31mERROR: Could not read environment file /usr/share/arno-iptables-firewall/environment!\033[0m\n\n" >&2 +76a77,81 > else > # If no value is entered, remove (unless commented) previously set -> # values: this is to prevent e.g. ports from remaining open, or -> # internal interfaces from remaining enabled with NAT. +> # values: this is to prevent, for example, ports from remaining open, +> # or internal interfaces from remaining enabled with NAT. > sed -i -e "s~^$2=.*$~$2=\"\"~" "$1" -85c90 +91c96 < # else --- > else -86a92,94 -> # This is needed in order to allow the function change_conf_var() +92a98,100 +> # This is needed to allow the function change_conf_var() > # to remove values for previously set open ports. > change_conf_var "$2" "$3" "" -216a225,231 +183,186c191,194 +< echo "Listing available interfaces:" +< echo "-----------------------------" +< list_interfaces; +< echo "-----------------------------" +--- +> # echo "Listing available interfaces:" +> # echo "-----------------------------" +> # list_interfaces; +> # echo "-----------------------------" +255a264,270 > else -> # Remove previously set values related to the internal interface, if -> # no internal interface is entered with this script. +> # Remove previously set values related to the internal interface, +> # if no internal interface is entered with this script. 
> change_conf_var "$FIREWALL_CONF" "INT_IF" "" > change_conf_var "$FIREWALL_CONF" "INTERNAL_NET" "" > change_conf_var "$FIREWALL_CONF" "INT_NET_BCAST_ADDRESS" "" > change_conf_var "$FIREWALL_CONF" "NAT" "0" -218c233 -< +259,261c274,276 +< if [ -e /etc/init.d/arno-iptables-firewall ]; then +< chown 0:0 /etc/init.d/arno-iptables-firewall +< chmod 755 /etc/init.d/arno-iptables-firewall --- -> -220,222c235,237 -< chmod 755 /etc/init.d/arno-iptables-firewall -< chown 0:0 "$FIREWALL_CONF" /etc/init.d/arno-iptables-firewall -< chmod 600 "$FIREWALL_CONF" ---- -> chmod 755 /etc/rc.d/rc.arno-iptables-firewall -> chown 0:0 "$FIREWALL_CONF" /etc/rc.d/rc.arno-iptables-firewall -> chmod 600 "$FIREWALL_CONF" -227c242 +> if [ -e /etc/rc.d/rc.arno-iptables-firewall ]; then +> chown 0:0 /etc/rc.d/rc.arno-iptables-firewall +> chmod 755 /etc/rc.d/rc.arno-iptables-firewall +271c286 < AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")" --- > AIF_VERSION="$(grep "MY_VERSION=" /usr/sbin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")" -235,251d249 -< # Remove any symlinks in rc*.d out of the way -< rm -f /etc/rc*.d/*arno-iptables-firewall +279,339c294 +< RC_PATH="/etc" +< # Check for Redhat/SUSE rc.d +< if [ -d "/etc/rc.d" ]; then +< RC_PATH="/etc/rc.d" +< fi < -< if get_user_yn "Do you want to start the firewall at boot (via /etc/init.d/) (Y/N)?" 
"y"; then -< if [ -d /etc/rcS.d ]; then -< ln -sv /etc/init.d/arno-iptables-firewall /etc/rcS.d/S41arno-iptables-firewall +< # Remove any symlinks in rc*.d out of the way +< rm -f $RC_PATH/rc0.d/*arno-iptables-firewall +< rm -f $RC_PATH/rc1.d/*arno-iptables-firewall +< rm -f $RC_PATH/rc2.d/*arno-iptables-firewall +< rm -f $RC_PATH/rc3.d/*arno-iptables-firewall +< rm -f $RC_PATH/rc4.d/*arno-iptables-firewall +< rm -f $RC_PATH/rc5.d/*arno-iptables-firewall +< rm -f $RC_PATH/rc6.d/*arno-iptables-firewall +< rm -f $RC_PATH/rcS.d/*arno-iptables-firewall +< +< if get_user_yn "Do you want to start the firewall at boot" "y"; then +< DONE=0 +< +< if check_command systemctl; then +< if systemctl enable arno-iptables-firewall; then +< echo "* Successfully enabled service with systemctl" +< DONE=1 +< fi +< elif check_command update-rc.d; then +< # Note: Currently update-rc.d doesn't seem to properly use the init script's LSB header, so specify explicitly +< if update-rc.d -f arno-iptables-firewall start 11 S . 
stop 10 0 6 .; then +< echo "* Successfully enabled service with update-rc.d" +< DONE=1 +< fi +< elif check_command chkconfig; then +< if chkconfig --add arno-iptables-firewall && chkconfig arno-iptables-firewall on; then +< echo "* Successfully enabled service with chkconfig" +< DONE=1 +< fi < else -< ln -sv /etc/init.d/arno-iptables-firewall /etc/rc2.d/S11arno-iptables-firewall +< if [ -d "$RC_PATH/rcS.d" ]; then +< if ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rcS.d/S11arno-iptables-firewall" && +< ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc0.d/K10arno-iptables-firewall" && +< ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc6.d/K10arno-iptables-firewall"; then +< echo "* Successfully enabled service through $RC_PATH/rcS.d/ symlink" +< DONE=1 +< fi +< elif [ -d "$RC_PATH/rc2.d" ]; then +< if ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc2.d/S09arno-iptables-firewall" && +< ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc0.d/K91arno-iptables-firewall" && +< ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc6.d/K91arno-iptables-firewall"; then +< echo "* Successfully enabled service through $RC_PATH/rc2.d/ symlink" +< DONE=1 +< fi +< else +< echo "WARNING: Unable to detect /rc2.d or /rcS.d directories. Skipping runlevel symlinks" >&2 +< fi < fi < -< # Check for insserv. Used for dependency based booting on eg. Debian -< INSSERV="$(find_command /sbin/insserv)" -< if [ -n "$INSSERV" ]; then -< "$INSSERV" arno-iptables-firewall +< if [ $DONE -eq 0 ]; then +< echo "ERROR: Unable to setup automatic start at boot. 
Please investigate" >&2 < fi < fi < -253c251 -< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "1" +< if [ -e /etc/init.d/arno-iptables-firewall ]; then --- -> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "1" -255c253 -< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "0" +> if [ -e /etc/rc.d/rc.arno-iptables-firewall ]; then +341c296 +< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "1" --- -> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "0" -258c256 +> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "1" +343c298 +< change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "0" +--- +> change_conf_var /etc/rc.d/rc.arno-iptables-firewall "VERBOSE" "0" +347c302 < if diff ./etc/arno-iptables-firewall/firewall.conf "$FIREWALL_CONF" >/dev/null; then --- > if diff /usr/share/arno-iptables-firewall/firewall.conf.orig "$FIREWALL_CONF" >/dev/null; then -274a273,291 +362a318,335 > echo "" > echo "-------------------------------------------------------------------------------" -> echo "** NOTE: 1) You can now (manually) (re)start the firewall by executing **" -> echo "** \"/etc/rc.d/rc.arno-iptables-firewall start\" or **" -> echo "** \"/etc/rc.d/rc.arno-iptables-firewall restart\" **" -> echo "** It is recommended however to first review the settings in **" -> echo "** /etc/arno-iptables-firewall/firewall.conf! **" +> echo "** NOTE: 1) After configuration, it is recommended to review the firewall **" +> echo "** settings in /etc/arno-iptables-firewall/firewall.conf **" > echo "** **" -> echo "** 2) In order to start the firewall automatically at boot-time, **" -> echo "** you will need to manually create in /etc/rc.d/ an appropriate **" -> echo "** symlink, named \"rc.firewall\", pointing to the startup script. 
**" -> echo "** To do that, issue the following command: **" +> echo "** 2) To manually start or restart the firewall, run: **" +> echo "** /etc/rc.d/rc.arno-iptables-firewall start **" +> echo "** or /etc/rc.d/rc.arno-iptables-firewall restart **" > echo "** **" -> echo "** ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall **" +> echo "** 3) To start the firewall automatically at boot-time, you need an **" +> echo "** appropriate symlink, \"rc.firewall\", pointing to the startup **" +> echo "** script. Issue the following commands to create the symlink: **" +> echo "** cd /etc/rc.d/ **" +> echo "** ln -sv rc.arno-iptables-firewall rc.firewall **" > echo "** **" -> echo "** Delete the link if you wish to disable firewall startup at boot- **" -> echo "** time, or \"chmod -x\" the startup script for the same result. **" +> echo "** 4) To disable startup at boot-time, simply delete the symlink, **" +> echo "** or remove the executable bit from the startup script. **" > echo "-------------------------------------------------------------------------------" -> echo "" -277d293 -< diff --git a/network/arno-iptables-firewall/files/patch-startup-script.diff b/network/arno-iptables-firewall/files/patch-startup-script.diff index c31514e260..5a005f25ec 100644 --- a/network/arno-iptables-firewall/files/patch-startup-script.diff +++ b/network/arno-iptables-firewall/files/patch-startup-script.diff 
@@ -1,12 +1,12 @@ 4c4 -< # description: init.d script for Arno's iptables firewall +< # description: init.d script for Arno's Iptables Firewall(AIF) --- -> # description: rc.d script for Arno's iptables firewall +> # description: rc.d script for Arno's Iptables Firewall(AIF) 7c7 < # Provides: arno-iptables-firewall --- > # Provides: rc.arno-iptables-firewall -15,21c15,23 +15,21c15,22 < ############################################################################################ < # You should put this script in eg. "/etc/init.d/" . # < # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it # @@ -18,13 +18,12 @@ > ################################################################################ > # You should put this script in "/etc/rc.d/". # > # Furthermore make sure it's executable! -> "chmod 755" or "chmod +x" it. # -> # If you want to run it upon boot, either create an "rc.firewall" link to this # -> # script ("ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall") # -> # or edit the network system startup script "/etc/rc.d/rc.inet2", by renaming # -> # both occurrences of "rc.firewall" to match the name ot this script, that is, # -> # "rc.arno-iptables-firewall". # +> # If you want to run it upon boot, create an "rc.firewall" symlink to the # +> # rc.arno-iptables-firewall script: # +> # # +> # ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall # > ################################################################################ -24c25 +24c26 < PROGRAM="/usr/local/sbin/arno-iptables-firewall" --- > PROGRAM="/usr/sbin/arno-iptables-firewall" diff --git a/network/arno-iptables-firewall/slack-desc b/network/arno-iptables-firewall/slack-desc index 6bf5e1aefe..f9350be435 100644 --- a/network/arno-iptables-firewall/slack-desc +++ b/network/arno-iptables-firewall/slack-desc 
@@ -11,7 +11,7 @@ arno-iptables-firewall: arno-iptables-firewall: arno-iptables-firewall is a front-end for iptables. Its configuration arno-iptables-firewall: script will set up a secure and restrictive firewall by just asking a arno-iptables-firewall: few questions. This includes the configuration of internal networks -arno-iptables-firewall: for Internet access via NAT and potential network services like http +arno-iptables-firewall: for Internet access via NAT, and potential network services like http arno-iptables-firewall: or ssh. Moreover, it provides advanced additional features that can be arno-iptables-firewall: enabled in the well documented configuration file. arno-iptables-firewall:
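Review bot: In the arno-iptables-firewall.SlackBuild hunk at `@@ -110,7 +112,7 @@`, the copy is narrowed from `./share/$PRGNAM/*` to `./share/$PRGNAM/{environment,plugins}`, but the comment above it ("create link to plugin as in the original script") does not say what is now being left out of `share/` or why. Anything else upstream 2.1.0 ships under `share/arno-iptables-firewall/` is silently dropped from the package; please add a line to the comment naming the excluded content and the reason, so the next version bump does not re-introduce it by accident. Note also that the `{environment,plugins}` brace expansion relies on bash rather than POSIX sh, which is fine for a SlackBuild but worth keeping in mind if the line is ever copied elsewhere.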
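Review bot: In the arno-iptables-firewall.info hunk, `DOWNLOAD` points at `https://github.com/arno-iptables-firewall/aif/archive/2.1.0.tar.gz`, which is a GitHub auto-generated archive rather than an uploaded release asset, so the bytes behind the new `MD5SUM` are not guaranteed to stay stable over time. The checksum should be verified against the upstream 2.1.0 tag at review time, and it would be worth recording where it was obtained from, since MD5 alone (the SBo .info convention) does not give a collision-resistant binding to the source tarball.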
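Review bot: In the files/patch-configuration-file.diff hunk, the two hunks that rewrote `IP4TABLES="/sbin/iptables"` and `IP6TABLES="/sbin/ip6tables"` to `/usr/sbin/...` are dropped and only the `ENV_FILE` and `PLUGIN_BIN_PATH` rewrites remain. Please confirm that the unmodified 2.1.0 `firewall.conf` resolves the iptables binaries on Slackware (at `/usr/sbin/` or via `PATH`) without that patch, otherwise the firewall will fail to find them at start. Separately, this file is a normal-format diff keyed on absolute line numbers (`256c256`, `260c260`), so every upstream edit above those lines breaks it; a unified diff with context would survive the next version bump with less hand editing.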
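Review bot: In the files/patch-configuration-script.diff hunk at `183,186c191,194`, the `echo "Listing available interfaces:"` / `list_interfaces;` block is commented out with no explanation. That listing is what helps the user answer the external interface question correctly, so the reason for disabling it (for example `list_interfaces` depending on a tool not present on Slackware) should be stated in the SlackBuild comment block that enumerates the patch's purposes (items 1 to 5), and the lines should be deleted rather than left as commented-out code if they are not coming back. Also, the `else` branch added at `76a77,81` interpolates `$2` unescaped into `sed -i -e "s~^$2=.*$~$2=\"\"~" "$1"`; this is safe as long as `$2` is always a plain variable name, which a short comment could make explicit.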
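Review bot: In the files/patch-configuration-script.diff hunk at `259,261c274,276`, the new `if [ -e /etc/rc.d/rc.arno-iptables-firewall ]` block runs `chmod 755` on the startup script unconditionally. The README hunk in this same patch tells the administrator they may disable boot-time startup with `chmod -x /etc/rc.d/rc.arno-iptables-firewall`, so re-running `arno-iptables-firewall-configure` will silently re-enable a firewall that was deliberately disabled that way while the `rc.firewall` symlink still exists. Either preserve the existing mode when the file is already present, or document in the README that the configure script resets the executable bit. Note also that the previous version of this patch carried `chown 0:0 "$FIREWALL_CONF"` and `chmod 600 "$FIREWALL_CONF"` and the replacement hunk only handles the rc script; please confirm upstream 2.1.0 still restricts `firewall.conf` permissions outside the patched region.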