.gitlab-ci.yml

-include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
+include: "https://git.autistici.org/pipelines/debian/raw/master/common.yml"

Makefile

@@ -6,31 +6,37 @@ fwconfdir = $(sysconfdir)/firewall
 sharedir = $(prefix)/share/firewall
 INSTALL = install
 TABLES = filter nat mangle raw
+CONF_DIST_DIRS = $(TABLES:%=%.d) reload-hooks
 
-all:
+all: update-firewall
 
 clean:
+	-rm -f update-firewall
 
-install:
+install: all
 	$(INSTALL) -d $(DESTDIR)$(sbindir)
 	$(INSTALL) -d $(DESTDIR)$(sharedir)
 	$(INSTALL) -d $(DESTDIR)$(fwconfdir)
 	$(INSTALL) -m 755 update-firewall $(DESTDIR)$(sbindir)/update-firewall
 	$(INSTALL) -m 755 update-ipset $(DESTDIR)$(sbindir)/update-ipset
-	(for t in $(TABLES); do \
-	  $(INSTALL) -d $(DESTDIR)$(fwconfdir)/$$t.d ; \
-	  $(INSTALL) -d $(DESTDIR)$(sharedir)/$$t.d ; \
-	  if [ -d conf-dist/$$t.d ]; then \
-	   for f in conf-dist/$$t.d/* ; do \
-	    $(INSTALL) -m 644 $$f $(DESTDIR)$(sharedir)/$$t.d ; \
+	(for d in $(CONF_DIST_DIRS); do \
+	  $(INSTALL) -d $(DESTDIR)$(fwconfdir)/$$d ; \
+	  $(INSTALL) -d $(DESTDIR)$(sharedir)/$$d ; \
+	  if [ -d conf-dist/$$d ]; then \
+	   for f in conf-dist/$$d/* ; do \
+	    $(INSTALL) -m 644 $$f $(DESTDIR)$(sharedir)/$$d ; \
 	    b=$$(basename $$f) ; \
-	    ln -s $(sharedir)/$$t.d/$$b $(DESTDIR)$(fwconfdir)/$$t.d/$$b ; \
+	    ln -s $(sharedir)/$$d/$$b $(DESTDIR)$(fwconfdir)/$$d/$$b ; \
 	   done ; \
 	  fi ; \
 	done)
+	chmod a+x $(DESTDIR)$(sharedir)/reload-hooks/*
 	(for type in ip net ; do \
 	  $(INSTALL) -d $(DESTDIR)$(fwconfdir)/blocked/$$type ; \
 	  for proto in ipv4 ipv6 ; do \
 	    $(INSTALL) -d $(DESTDIR)$(fwconfdir)/blocked/$$type/$$proto ; \
 	  done ; \
 	done)
+
+%: %.in
+	sed -e s,@PREFIX@,$(prefix),g -e s,@FWCONFDIR@,$(fwconfdir),g $< > $@

README.md

@@ -19,6 +19,11 @@ configured independently from its own subdirectory named after the
 table, with a `.d` extension. Individual files from each directory are
 loaded in lexicographical order using *run-parts(8)*.
 
+The default configuration of this package delegates large-scale IP
+blocking to *ipset*, using configuration files under
+/etc/firewall/blocked, supporting single IPs and netblocks for both
+IPv4 and IPv6.
+
 Once the new rules have been loaded, the firewall script will invoke
 all executable scripts from the */etc/firewall/reload-hooks* directory
 (again using *run-parts*). Use this to reload daemons that maintain
@@ -67,11 +72,45 @@ iptables options (the default is simply `-j ALLOW`).
 Allow incoming traffic to the specified ports. *PORT_SPEC*
 should be a comma-separated list of destination ports.
 
+## Default configuration
+
+The default configuration shipped with this Debian package (found in
+the *conf-dist* directory in this repository) implements some simple
+functionality to build upon:
+
+* allow incoming SSH connections on port 22
+* support for all essential ICMP types
+* support DHCP and DHCPv6
+* large-scale efficient blocking of IPs and netblocks via *ipset*
+* integration with fail2ban via dedicated ipsets
+* preserves Docker-owned iptables rules
+
+A few chains are defined, of which the most interesting one is
+*user-input*, where you're supposed to add rules controlling incoming
+traffic to the host.
+
+## IP blocking
+
+By putting IPs and network ranges (in CIDR syntax) in files below
+/etc/firewall/blocked it is possible to block (drop) incoming traffic
+from them.
+
+The following files are supported, one IP or network range per line:
+
+* /etc/firewall/blocked/ip/ipv4 - IPv4 addresses
+* /etc/firewall/blocked/ip/ipv6 - IPv6 addresses
+* /etc/firewall/blocked/net/ipv4 - IPv4 network ranges
+* /etc/firewall/blocked/net/ipv6 - IPv6 network ranges
+
 # Usage
 
 Run *update-firewall* to set up iptables whenever the rules below
 /etc/firewall change.
 
+It is possible to run just *update-ipset* if one only desires to
+quickly update the ipset lists. Invoking *update-firewall* will also
+call *update-ipset* so it is not necessary to call them both.
+
 # Notes
 
 The firewall script will always attempt to setup IPv6 rules, even if

conf-dist/filter.d/00base

@@ -46,9 +46,9 @@ add_rule4 -A base-input -p icmp -m icmp --icmp-type 8 \
 add_rule6 -A base-input -p ipv6-icmp -m icmp6 --icmpv6-type 128 \
           -m limit --limit 3/s -j ACCEPT
 
-# IPv6 autodiscovery.
-#add_rule6 -A base-input -s fe80::/10 -d fe80::/10 -p udp -m udp \
-#    --sport 547 --dport 546 -j ACCEPT
+# DHCPv6.
+add_rule6 -A base-input -s fe80::/10 -d fe80::/10 -p udp -m udp \
+    --sport 547 --dport 546 -j ACCEPT
 
 # This must go after the ICMP v6 matches.
 add_rule -A base-input -m conntrack --ctstate INVALID -j DROP

conf-dist/filter.d/01docker

-# Preserve docker-related firewall rules (IPv4-only).
-iptables-save -t filter \
-    | grep \
-          -e '^:DOCKER' \
-          -e '^-A DOCKER' \
-          -e '-[io] docker[0-9]' \
-          -e '-j DOCKER' \
-    | (while read line; do add_rule4 "${line}"; done)

conf-dist/nat.d/01docker

-# Preserve docker-related firewall rules (IPv4-only).
-iptables-save -t nat \
-    | grep \
-          -e '^:DOCKER' \
-          -e '^-A DOCKER' \
-          -e '-[io] docker[0-9]' \
-          -e '-j DOCKER' \
-    | (while read line; do add_rule4 "${line}"; done)

conf-dist/reload-hooks/10podman

+#!/bin/sh
+
+set -e
+
+if [ -x /usr/bin/podman -a -e /run/podman/podman.sock ]; then
+    podman --noout network reload --all
+fi
+
+exit 0

debian/changelog

+firewall (0.3) unstable; urgency=medium
+
+  * Unify update-firewall and update-ipset
+
+ -- Autistici/Inventati <debian@autistici.org>  Sat, 26 Aug 2023 08:14:40 +0100
+
 firewall (0.2) unstable; urgency=medium
 
   * New package.

debian/compat

-10

debian/control

 Source: firewall
 Section: net
-Priority: extra
+Priority: optional
 Maintainer: Autistici/Inventati <debian@autistici.org>
-Build-Depends: debhelper (>= 7)
+Build-Depends: debhelper-compat (= 12)
 Standards-Version: 3.8.0.1
 
 Package: firewall
@@ -10,4 +10,3 @@ Architecture: all
 Depends: ${misc:Depends}, iptables, ipset
 Description: A/I Firewall Script
  Automatically maintain local firewalls for A/I servers.
-

debian/copyright

+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: firewall
+Upstream-Contact: https://git.autistici.org/ai3/tools/firewall
+Source: https://git.autistici.org/ai3/tools/firewall
+
+Files: *
+Copyright: (C) 2012-2018, Autistici/Inventati <info@inventati.org>.
+License: Expat
+  Permission is hereby granted, free of charge, to any person obtaining
+  a copy of this software and associated documentation files (the
+  "Software"), to deal in the Software without restriction, including
+  without limitation the rights to use, copy, modify, merge, publish,
+  distribute, sublicense, and/or sell copies of the Software, and to
+  permit persons to whom the Software is furnished to do so, subject to
+  the following conditions:
+  .
+  The above copyright notice and this permission notice shall be included
+  in all copies or substantial portions of the Software.
+  .
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+  CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+  TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+  SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

debian/firewall.service

@@ -4,7 +4,6 @@ Description=Set up firewall
 [Service]
 Type=oneshot
 EnvironmentFile=-/etc/default/firewall
-ExecStart=/usr/sbin/update-ipset
 ExecStart=/usr/sbin/update-firewall
 
 [Install]

debian/rules

@@ -5,4 +5,3 @@ export DH_OPTIONS
 
 %:
 	dh $@
-

debian/source/format

+3.0 (native)

update-firewall → update-firewall.in

 #!/bin/bash
 
 # Directory containing the configuration snippets.
-CONFIG_DIR="${CONFIG_DIR:-/etc/firewall}"
+CONFIG_DIR="${CONFIG_DIR:-@FWCONFDIR@}"
 
 # List of tables to manage.
 TABLES="filter nat mangle raw"
@@ -18,7 +18,7 @@ resolve_addr() {
         ipv4) af=AF_INET ;;
         ipv6) af=AF_INET6 ;;
     esac
-    python -c "import socket ; print '\n'.join(x[4][0] for x in socket.getaddrinfo('${addr}', 0, socket.${af}, socket.SOCK_STREAM))" 2>/dev/null || true
+    python3 -c "import socket ; print '\n'.join(x[4][0] for x in socket.getaddrinfo('${addr}', 0, socket.${af}, socket.SOCK_STREAM))" 2>/dev/null || true
 }
 
 resolve_addr4() {
@@ -164,12 +164,12 @@ load_firewall() {
     fi
     trap "rm -f ${tmpfiles} 2>/dev/null; trap - EXIT; exit 0" EXIT
 
-    # Setup the various tables. Note that IPv6 only has the
-    # 'filter' and 'raw' tables.
+    # Setup the various tables. Note that not all tables are
+    # available for IPv6.
     for table in ${TABLES} ; do
         table_dir=${CONFIG_DIR}/${table}.d
         case "$table" in
-            filter|raw)
+            filter|raw|nat)
                 run_with_fds ${v4rules} ${v6rules} \
                     generate ${table} ${table_dir}
                 ;;
@@ -226,7 +226,7 @@ while [ $# -gt 0 ]; do
             exit 0
             ;;
         --version)
-            echo "firewall v0.2"
+            echo "firewall v0.3"
             exit 0
             ;;
         *)
@@ -238,6 +238,17 @@ while [ $# -gt 0 ]; do
     shift
 done
 
+# We need to run update-ipset first, so that we can reference the sets
+# from iptables "-m set" rules.
+if [ -x @PREFIX@/sbin/update-ipset ]; then
+    @PREFIX@/sbin/update-ipset
+    if [ $? -gt 0 ]; then
+        echo "update-ipset failed, aborting..." >&2
+        exit 1
+    fi
+fi
+
+# Update firewall rules.
 load_firewall
 
 exit 0