From b54aa22381401a1cb2bb4985ea63c802ce8f19a9 Mon Sep 17 00:00:00 2001
From: Manuel
Date: Fri, 5 May 2023 10:26:02 +0000
Subject: [PATCH] add firewalld config file

---
 bookworm/pepbld.sh | 3 +-
 daedalus/pepbld.sh | 3 +-
 pepfirewall/nftables.conf | 65 -------------------
 pepfirewall/public.xml | 18 +++++
 .../0680-open-firewalld-ports.hook.chroot | 19 ------
 5 files changed, 22 insertions(+), 86 deletions(-)
 delete mode 100755 pepfirewall/nftables.conf
 create mode 100755 pepfirewall/public.xml
 delete mode 100755 pephooks/normal/0680-open-firewalld-ports.hook.chroot

diff --git a/bookworm/pepbld.sh b/bookworm/pepbld.sh
index 7a87496..82e19f9 100755
--- a/bookworm/pepbld.sh
+++ b/bookworm/pepbld.sh
@@ -55,6 +55,7 @@ mkdir -p $uchinanchu/fusato/config/includes.chroot/boot/grub
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/default
 mkdir -p $uchinanchu/fusato/config/includes.installer/usr/share
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc
+mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 # Install software
 echo "#Install system packages.
@@ -88,7 +89,7 @@ gvfs-backends
 cp $uchinanchu/pepgrub/grub $uchinanchu/fusato/config/includes.chroot/etc/default
 cp $uchinanchu/pephooks/normal/* $uchinanchu/fusato/config/hooks/normal
 cp $uchinanchu/peprepo/* $uchinanchu/fusato/config/archives
-#cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc
+cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 cp $uchinanchu/pepinstaller/preseed/preseed.cfg $uchinanchu/fusato/config/includes.installer
diff --git a/daedalus/pepbld.sh b/daedalus/pepbld.sh
index 39176b7..255604a 100755
--- a/daedalus/pepbld.sh
+++ b/daedalus/pepbld.sh
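Review bot: The new `cp` line in the second hunk only has an effect if firewalld is installed and enabled in the image, and nothing in this hunk does that, whereas the removed hook at least gated on `systemctl is-active firewalld`; the package list in the `echo "#Install system packages.` heredoc begins outside the hunk, so please confirm `firewalld` is in it and is enabled at boot, otherwise `/etc/firewalld/zones/public.xml` is inert. Since the old line here was commented out, this appears to be the first time the bookworm build installs any firewall policy, which is worth a sentence in the commit message. The glob `$uchinanchu/pepfirewall/*` also carries any other file in that directory into `/etc/firewalld/zones/`, where firewalld treats every `*.xml` as a zone definition; copying the intended file explicitly avoids that: `cp -- "$uchinanchu/pepfirewall/public.xml" "$uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones/"`.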
@@ -64,6 +64,7 @@ mkdir -p $uchinanchu/fusato/config/includes.chroot/boot/grub
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/default
 mkdir -p $uchinanchu/fusato/config/includes.installer/usr/share
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc
+mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 # Install software
 echo "#Install system packages.
@@ -95,7 +96,7 @@ podman
 cp $uchinanchu/pepgrub/grub $uchinanchu/fusato/config/includes.chroot/etc/default
 cp $uchinanchu/pephooks/normal/* $uchinanchu/fusato/config/hooks/normal
 cp $uchinanchu/peprepo/* $uchinanchu/fusato/config/archives
-cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc
+cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 cp $uchinanchu/pepinstaller/preseed/preseed.cfg $uchinanchu/fusato/config/includes.installer
diff --git a/pepfirewall/nftables.conf b/pepfirewall/nftables.conf
deleted file mode 100755
index 0310b95..0000000
--- a/pepfirewall/nftables.conf
+++ /dev/null
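Review bot: The `cp` in the second hunk will install the zone file with its repository mode, and the diffstat records public.xml as `create mode 100755`, so the built image gets an executable file under `/etc/firewalld/zones/` (a plain `cp` to a new destination keeps the source mode minus the umask); install it with an explicit mode instead: `install -m 0644 -- "$uchinanchu/pepfirewall/public.xml" "$uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones/"`. Unlike bookworm, the old line here was live, so daedalus previously shipped the now-deleted nftables.conf (input hook with `policy drop`) as `/etc/nftables.conf`; whether anything still provides a policy after this change depends on the firewalld zone contents and on firewalld being enabled, which this hunk does not show, so please confirm the new zone is at least as restrictive before merging. `$uchinanchu` is unquoted throughout the file, which is pre-existing, but the new line could be the first to quote it.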
@@ -1,65 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
-
- chain inbound_ipv4 {
- # accepting ping (icmp-echo-request) for diagnostic purposes.
- # However, it also lets probes discover this host is alive.
- # This sample accepts them within a certain rate limit:
- #
- # icmp type echo-request limit rate 5/second accep
- }
-
- chain inbound_ipv6 {
- # accept neighbour discovery otherwise connectivity breaks
- #
- icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
-
- # accepting ping (icmpv6-echo-request) for diagnostic purposes.
- # However, it also lets probes discover this host is alive.
- # This sample accepts them within a certain rate limit:
- #
- # icmpv6 type echo-request limit rate 5/second accept
- }
-
- chain inbound {
-
- # By default, drop all traffic unless it meets a filter
- # criteria specified by the rules that follow below.
- type filter hook input priority 0; policy drop;
-
- # Allow traffic from established and related packets, drop invalid
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # Allow loopback traffic.
- iifname lo accept
-
- # Jump to chain according to layer 3 protocol using a verdict map
- meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
-
- # Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
- # for IPv4 and IPv6.
- tcp dport { 22, 80, 443, 9090 } accept
-
- # Uncomment to enable logging of denied inbound traffic
- # log prefix "[nftables] Inbound Denied: " counter drop
- }
-
- chain forward {
- # Drop everything (assumes this device is not a router)
- type filter hook forward priority 0; policy drop;
- }
- chain input {
- type filter hook input priority 0;
- }
- chain forward {
- type filter hook forward priority 0;
- }
- chain output {
- type filter hook output priority 0;
- }
-}
-
-
diff --git a/pepfirewall/public.xml b/pepfirewall/public.xml
new file mode 100755
index 0000000..23a8ff8
--- /dev/null
+++ b/pepfirewall/public.xml
@@ -0,0 +1,18 @@
+
+
+ Public
+ For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/pephooks/normal/0680-open-firewalld-ports.hook.chroot b/pephooks/normal/0680-open-firewalld-ports.hook.chroot
deleted file mode 100755
index 85739e2..0000000
--- a/pephooks/normal/0680-open-firewalld-ports.hook.chroot
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# SPDX-FileCopyrightText: 2023 PeppemrintOS Team (peppermintosteam@proton.me)
-
-# Define the ports you want to open
-PORTS=("80/tcp" "22/tcp" "9090/tcp" "443/tcp")
-
-# Check if firewalld is running
-if systemctl is-active --quiet firewalld; then
- # Add the specified ports
- for PORT in "${PORTS[@]}"; do
- firewall-cmd --add-port="$PORT" --permanent
- done
-
- # Reload the firewall rules to apply the changes
- firewall-cmd --reload
-fi
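Review bot: The element lines of public.xml are stripped in this rendering (14 of the 18 added lines show only a `+`, and the `<short>`/`<description>` text survives without its tags), so the services and ports the zone actually opens cannot be reviewed here; please confirm they cover no more than what the removed hook opened (22/tcp, 80/tcp, 443/tcp, 9090/tcp) and that each is still justified for a zone whose description says "For use in public areas". A file named public.xml under /etc/firewalld/zones/ overrides firewalld's stock public zone, which is the default zone unless reconfigured, so every interface not explicitly assigned elsewhere gets this policy. A one-line XML comment next to each opened port stating why it is needed (e.g. `<!-- 9090/tcp: needed for ... -->`) would make later audits easier, and the file should be committed as a regular 0644 file rather than `100755`.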