add firewalld config file
This commit is contained in:
parent
b238424c01
commit
b54aa22381
|
|
@ -55,6 +55,7 @@ mkdir -p $uchinanchu/fusato/config/includes.chroot/boot/grub
|
|||
mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/default
|
||||
mkdir -p $uchinanchu/fusato/config/includes.installer/usr/share
|
||||
mkdir -p $uchinanchu/fusato/config/includes.chroot/etc
|
||||
mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
|
||||
|
||||
# Install software
|
||||
echo "#Install system packages.
|
||||
|
|
@ -88,7 +89,7 @@ gvfs-backends
|
|||
cp $uchinanchu/pepgrub/grub $uchinanchu/fusato/config/includes.chroot/etc/default
|
||||
cp $uchinanchu/pephooks/normal/* $uchinanchu/fusato/config/hooks/normal
|
||||
cp $uchinanchu/peprepo/* $uchinanchu/fusato/config/archives
|
||||
#cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc
|
||||
cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
|
||||
cp $uchinanchu/pepinstaller/preseed/preseed.cfg $uchinanchu/fusato/config/includes.installer
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -64,6 +64,7 @@ mkdir -p $uchinanchu/fusato/config/includes.chroot/boot/grub
|
|||
mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/default
|
||||
mkdir -p $uchinanchu/fusato/config/includes.installer/usr/share
|
||||
mkdir -p $uchinanchu/fusato/config/includes.chroot/etc
|
||||
mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
|
||||
|
||||
# Install software
|
||||
echo "#Install system packages.
|
||||
|
|
@ -95,7 +96,7 @@ podman
|
|||
cp $uchinanchu/pepgrub/grub $uchinanchu/fusato/config/includes.chroot/etc/default
|
||||
cp $uchinanchu/pephooks/normal/* $uchinanchu/fusato/config/hooks/normal
|
||||
cp $uchinanchu/peprepo/* $uchinanchu/fusato/config/archives
|
||||
cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc
|
||||
cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
|
||||
cp $uchinanchu/pepinstaller/preseed/preseed.cfg $uchinanchu/fusato/config/includes.installer
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,65 +0,0 @@
|
|||
#!/usr/sbin/nft -f
|
||||
|
||||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
|
||||
chain inbound_ipv4 {
|
||||
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
||||
# However, it also lets probes discover this host is alive.
|
||||
# This sample accepts them within a certain rate limit:
|
||||
#
|
||||
# icmp type echo-request limit rate 5/second accep
|
||||
}
|
||||
|
||||
chain inbound_ipv6 {
|
||||
# accept neighbour discovery otherwise connectivity breaks
|
||||
#
|
||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||
|
||||
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
|
||||
# However, it also lets probes discover this host is alive.
|
||||
# This sample accepts them within a certain rate limit:
|
||||
#
|
||||
# icmpv6 type echo-request limit rate 5/second accept
|
||||
}
|
||||
|
||||
chain inbound {
|
||||
|
||||
# By default, drop all traffic unless it meets a filter
|
||||
# criteria specified by the rules that follow below.
|
||||
type filter hook input priority 0; policy drop;
|
||||
|
||||
# Allow traffic from established and related packets, drop invalid
|
||||
ct state vmap { established : accept, related : accept, invalid : drop }
|
||||
|
||||
# Allow loopback traffic.
|
||||
iifname lo accept
|
||||
|
||||
# Jump to chain according to layer 3 protocol using a verdict map
|
||||
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
|
||||
|
||||
# Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
|
||||
# for IPv4 and IPv6.
|
||||
tcp dport { 22, 80, 443, 9090 } accept
|
||||
|
||||
# Uncomment to enable logging of denied inbound traffic
|
||||
# log prefix "[nftables] Inbound Denied: " counter drop
|
||||
}
|
||||
|
||||
chain forward {
|
||||
# Drop everything (assumes this device is not a router)
|
||||
type filter hook forward priority 0; policy drop;
|
||||
}
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority 0;
|
||||
}
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<zone>
|
||||
<short>Public</short>
|
||||
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
|
||||
<service name="ssh"/>
|
||||
<service name="dhcpv6-client"/>
|
||||
<service name="cockpit"/>
|
||||
<service name="dhcpv6"/>
|
||||
<service name="dhcp"/>
|
||||
<service name="dns"/>
|
||||
<service name="https"/>
|
||||
<service name="http"/>
|
||||
<port port="9090" protocol="tcp"/>
|
||||
<port port="22" protocol="tcp"/>
|
||||
<port port="80" protocol="tcp"/>
|
||||
<port port="443" protocol="tcp"/>
|
||||
<forward/>
|
||||
</zone>
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
#
|
||||
# SPDX-FileCopyrightText: 2023 PeppemrintOS Team (peppermintosteam@proton.me)
|
||||
|
||||
# Define the ports you want to open
|
||||
PORTS=("80/tcp" "22/tcp" "9090/tcp" "443/tcp")
|
||||
|
||||
# Check if firewalld is running
|
||||
if systemctl is-active --quiet firewalld; then
|
||||
# Add the specified ports
|
||||
for PORT in "${PORTS[@]}"; do
|
||||
firewall-cmd --add-port="$PORT" --permanent
|
||||
done
|
||||
|
||||
# Reload the firewall rules to apply the changes
|
||||
firewall-cmd --reload
|
||||
fi
|
||||
Loading…
Reference in New Issue