diff -Nru firehol-3.1.7+ds/debian/changelog firehol-3.1.7+ds/debian/changelog --- firehol-3.1.7+ds/debian/changelog 2022-10-15 10:04:21.000000000 +0000 +++ firehol-3.1.7+ds/debian/changelog 2024-01-24 21:34:39.000000000 +0000 @@ -1,9 +1,26 @@ -firehol (3.1.7+ds-2.1) unstable; urgency=medium +firehol (3.1.7+ds-3) unstable; urgency=medium - * Non-maintainer upload. - * No source change upload to rebuild with debhelper 13.10. + * Debianization + - introduce a START_FIREHOL=AUTO scheme that allows one to handle firehol + with a third-party like ifupdown (Closes: #993322, #536362, #309198); + - firehol.NEWS, concisely introduce the START_FIREHOL=AUTO scheme; + - firehol.README.Debian, describe the START_FIREHOL=AUTO scheme; + - material to handle firehol via the ifupdown tools, introduce; + - d/firehol.init, d/p/debianization-source-etc_default.patch, + set explicitly the START_FIREHOL=NO scheme as the default scheme + (inconsistency fix) (Closes: 976014); + - contrib/ipset-apply.sh, now part of firehol-tools (Closes: #1050664); + - d/control: + - firehol-{,tools-}doc, fireqos-doc, add Multi-Arch: foreign, + thanks to Jelmer Vernooij ; + - debhelper, migrate to debhelper-compat (=13); + - Standards-Version, bump to 4.6.2 (scripts under /usr/libexec); + - Dependencies over lsb-base, remove; + - firehol scripts, now under the /usr/libexec hierarchy; + - d/copyright: + - copyright year tuples, refresh. - -- Michael Biebl Sat, 15 Oct 2022 12:04:21 +0200 + -- Jerome Benoit Wed, 24 Jan 2024 21:34:39 +0000 firehol (3.1.7+ds-2) unstable; urgency=medium 
@@ -35,7 +52,7 @@ - debian/patches: - d/p/debianization-source-etc_default.patch , introduce (Closes: #944022); - - debian/upstream/metadat, introduce; + - debian/upstream/metadata, introduce; - debian/changelog, correct. -- Jerome Benoit Fri, 08 May 2020 16:16:21 +0000 diff -Nru firehol-3.1.7+ds/debian/control firehol-3.1.7+ds/debian/control --- firehol-3.1.7+ds/debian/control 2021-02-21 12:32:57.000000000 +0000 +++ firehol-3.1.7+ds/debian/control 2024-01-22 18:41:48.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Jerome Benoit Rules-Requires-Root: no Build-Depends: - debhelper-compat (= 12), + debhelper-compat (= 13), Build-Depends-Indep: libxml2-utils, texlive-base, @@ -18,7 +18,7 @@ procps, curl, wget, whois, jq, unzip, git, graphviz, screen -Standards-Version: 4.5.1 +Standards-Version: 4.6.2 Homepage: https://firehol.org Vcs-Git: https://salsa.debian.org/debian/firehol.git Vcs-Browser: https://salsa.debian.org/debian/firehol @@ -28,7 +28,7 @@ Replaces: firehol-doc (<< 3.1.5+ds1-1) Breaks: firehol-doc (<< 3.1.5+ds1-1) Pre-Depends: ${misc:Pre-Depends} -Depends: firehol-common (= ${binary:Version}), lsb-base, ${misc:Depends} +Depends: firehol-common (= ${binary:Version}), ${misc:Depends} Recommends: fireqos (= ${binary:Version}) Suggests: firehol-tools (= ${binary:Version}), firehol-doc (= ${binary:Version}), ulogd2 Description: easy to use but powerful iptables stateful firewall (program) @@ -49,6 +49,7 @@ Depends: ${misc:Depends} Suggests: pdf-viewer, www-browser Enhances: firehol (= ${binary:Version}) +Multi-Arch: foreign Description: easy to use but powerful iptables stateful firewall (docs) FireHOL generates generic firewalls with an extremely simple but powerful configuration language based on bash, enabling you to design any kind of 
@@ -64,7 +65,7 @@ Replaces: fireqos-doc (<< 3.1.5+ds1-1) Breaks: fireqos-doc (<< 3.1.5+ds1-1) Pre-Depends: ${misc:Pre-Depends} -Depends: firehol-common (= ${binary:Version}), lsb-base, ${misc:Depends} +Depends: firehol-common (= ${binary:Version}), ${misc:Depends} Recommends: firehol (= ${binary:Version}) Suggests: firehol-tools (= ${binary:Version}), fireqos-doc (= ${binary:Version}) Description: easy to use but powerful traffic shaping tool (program) @@ -85,6 +86,7 @@ Depends: ${misc:Depends} Suggests: pdf-viewer, www-browser Enhances: fireqos (= ${binary:Version}) +Multi-Arch: foreign Description: easy to use but powerful traffic shaping tool (docs) FireQOS generates generic traffic shapers with an extremely simple but powerful configuration language based on bash, enabling you to design @@ -122,6 +124,7 @@ Depends: ${misc:Depends} Suggests: pdf-viewer, www-browser Enhances: firehol-tools (= ${binary:Version}) +Multi-Arch: foreign Description: easy to use but powerful traffic suite (extra tools docs) FireHOL suite is a powerful traffic suite of tools that generate generic firewalls, traffic shappers, and more with an extremely simple but powerful @@ -133,7 +136,7 @@ Package: firehol-common Architecture: all Depends: - lsb-base, kmod, + kmod, iptables (>= 1.8.2), iproute2, ipset, iprange, nfacct, tcpdump, inetutils-ping | iputils-ping , traceroute, procps, diff -Nru firehol-3.1.7+ds/debian/copyright firehol-3.1.7+ds/debian/copyright --- firehol-3.1.7+ds/debian/copyright 2021-02-21 12:13:37.000000000 +0000 +++ firehol-3.1.7+ds/debian/copyright 2024-01-20 14:15:38.000000000 +0000 
@@ -49,13 +49,13 @@ Files: * Copyright: - 2012-2021 Phil Whineray - 2003-2021 Costa Tsaousis + 2012-2024 Phil Whineray + 2003-2024 Costa Tsaousis License: GPL-2+ Files: debian/* Copyright: - 2013-2021 Jerome Benoit + 2013-2024 Jerome Benoit 2004-2009 Alexander Wirt 2003-2004 Marc Brockschmidt License: GPL-2+ diff -Nru firehol-3.1.7+ds/debian/examples/ifupdown/firehol-ifupdown.conf firehol-3.1.7+ds/debian/examples/ifupdown/firehol-ifupdown.conf --- firehol-3.1.7+ds/debian/examples/ifupdown/firehol-ifupdown.conf 1970-01-01 00:00:00.000000000 +0000 +++ firehol-3.1.7+ds/debian/examples/ifupdown/firehol-ifupdown.conf 2024-01-22 13:47:10.000000000 +0000 
@@ -0,0 +1,186 @@ +## firehol.conf IFUPDOWN_COMPATIBLE_FIREHOL_CONFIG_FILE example + +version 6 + +FIREHOLCONF_DEBUG="NO" + +if [ "$FIREHOLCONF_DEBUG" = "YES" -o -n "$IF_IFUPDOWN_FIREHOL_MAINT_DEBUG" ]; then +cat <<-EOF >> /tmp/firehol.log + $(date): dumping variables + IFACE: ${IFACE} + LOGICAL: ${LOGICAL} + ADDRFAM: ${ADDRFAM} + CLASS: ${CLASS} + METHOD: ${METHOD} + MODE: ${MODE} + PHASE: ${PHASE} + VERBOSITY: ${VERBOSITY} + PATH: ${PATH} + ------------------------------ + EOF +fi + +##[ "${ADDRFAM}" = "meta" ] && exit 0 + +if [ -z "${MODE}" ]; then + if [ -n "${COMMAND}" ]; then + case "${COMMAND}" in + start) + MODE=start + ;; + stop) + MODE=stop + ;; + *) + ;; + esac + fi +fi + +fireholconf_firewall_generic() { + local my_iface=${1:-gieth0} +# local my_lww=${2:-'10.0.0.0/24'} +# local my_variant=${3:-none} +# local my_subnetprefix=${my_lww%.*} + + /usr/bin/logger -t firehol "generic firewall" + + ## Interface: World Wide Generic Interface + interface ${my_iface} WWGI src4 not "${RESERVED_IPS} ${my_lww}" src6 not "${RESERVED_IPS}" + policy drop + protection strong + client dns accept + client ntp accept user "ntpsec" + client smtp accept user "Debian-exim" + client ssh accept + client http accept + client https accept + client rsync accept + +} + +fireholconf_firewall_office() { + local my_iface=${1:-wlan0} + local my_lww=${2:-'10.0.0.0/24'} + local my_variant=${3:-none} +# local my_subnetprefix=${my_lww%.*} + + /usr/bin/logger -t firehol "office firewall" + + ## Interface: World Wide Office Interface + interface ${my_iface} WWOI src4 not "${RESERVED_IPS} ${my_lww}" src6 not "${RESERVED_IPS}" + policy drop + protection strong + server icmp accept + client dhcp accept + client icmp accept + client dns accept + client ntp accept user "ntpsec" + client smtp accept user "Debian-exim" + client ssh accept + + ## Interface: Local Wide Office Interface + interface4 ${my_iface} LWOI src4 "${my_lww}" + policy reject + protection strong + #server icmp accept + client dhcp 
accept + client dns accept + client ssh accept + case ${my_variant} in + with_printer) + client cupss accept user "lp" + ;; + *) + ;; + esac + +} + +fireholconf_firewall_default() { + local my_iface=${1:-any} + + /usr/bin/logger -t firehol "default firewall" + + interface4 $my_iface world + policy drop + protection strong + client dhcp accept + +} + +fireholconf_preamble() { + /usr/bin/logger -t firehol "preamble" + } + +fireholconf_postamble() { + /usr/bin/logger -t firehol "postamble" + } + +fireholconf_preup() { + + if [ "${IFACE:=undefined}" = "gieth0" -o "${IFACE:=undefined}" = "wlan0" ]; then + + /usr/bin/logger -t firehol "firewall (${IFACE}=${LOGICAL}): ${MODE} <${IFACE}>" + + case "${LOGICAL}" in + office_a) + fireholconf_firewall_office ${IFACE} "192.168.0.0/24" + ;; + office_b) + fireholconf_firewall_office ${IFACE} "10.6.0.0/24" "with_printer" + ;; + gieth0|generic) + fireholconf_firewall_generic ${IFACE} + ;; + *) + fireholconf_firewall_default ${IFACE} + ;; + esac + + else + + /usr/bin/logger -t firehol "firewall (${IFACE}=${LOGICAL}): ${MODE} <${IFACE}> (UNKNOWN)" + + fireholconf_firewall_default + + fi + + } + +fireholconf_postdown() { + + if [ "${IFACE:=undefined}" = "gieth0" -o "${IFACE:=undefined}" = "wlan0" ]; then + + /usr/bin/logger -t firehol "firewall (${IFACE}=${LOGICAL}): ${MODE} <${IFACE}>" + + fireholconf_firewall_default ${IFACE} + + else + + /usr/bin/logger -t firehol "firewall (${IFACE}=${LOGICAL}): ${MODE} <${IFACE}> (UNKNOWN)" + + fireholconf_firewall_default + + fi + + } + +case "$ADDRFAM" in + meta) + case "$MODE" in + start) fireholconf_preamble() ;; + stop) fireholconf_postamble() ;; + *) ;; + esac + ;; + *) + case "$PHASE" in + pre-up) fireholconf_preup() ;; + post-down) fireholconf_postdown() ;; + *) ;; + esac + ;; +esac + +## vim:syntax=sh diff -Nru firehol-3.1.7+ds/debian/firehol-common.install firehol-3.1.7+ds/debian/firehol-common.install --- firehol-3.1.7+ds/debian/firehol-common.install 2018-11-04 12:28:11.000000000 
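Review bot: The dispatch `case` at the end of the file calls the hook functions as `fireholconf_preamble()`, `fireholconf_postamble()`, `fireholconf_preup()` and `fireholconf_postdown()`; in bash a name followed by `()` opens a function definition, and the `;;` that follows it is a syntax error, so this example aborts as soon as FireHOL sources it — the arms should read `start) fireholconf_preamble ;;` and so on, without the parentheses. The debug block appends to the fixed path `/tmp/firehol.log` while running as root from the ifupdown hooks; a predictable name in a world-writable directory is open to symlink substitution by a local user, so logging under `/var/log` or `/run`, or through the `logger` call the file already uses elsewhere, is the safer choice. In `fireholconf_firewall_generic` the `local my_lww=…` line is commented out but `${my_lww}` is still interpolated into the `src4 not` list, where it silently expands to nothing; either restore the local or drop it from the rule.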
+0000
+++ firehol-3.1.7+ds/debian/firehol-common.install 2024-01-22 18:15:51.000000000 +0000
@@ -1,3 +1,3 @@
-usr/lib/firehol/install.config
-usr/lib/firehol/functions.common
-usr/lib/firehol/services.common
+usr/lib/firehol/install.config usr/lib/firehol
+usr/lib/firehol/functions.common usr/lib/firehol
+usr/lib/firehol/services.common usr/lib/firehol
diff -Nru firehol-3.1.7+ds/debian/firehol-common.links firehol-3.1.7+ds/debian/firehol-common.links
--- firehol-3.1.7+ds/debian/firehol-common.links 1970-01-01 00:00:00.000000000 +0000
+++ firehol-3.1.7+ds/debian/firehol-common.links 2024-01-22 18:24:03.000000000 +0000
@@ -0,0 +1,3 @@
+usr/lib/firehol/install.config usr/libexec/firehol/install.config
+usr/lib/firehol/functions.common usr/libexec/firehol/functions.common
+usr/lib/firehol/services.common usr/libexec/firehol/services.common
diff -Nru firehol-3.1.7+ds/debian/firehol-tools.install firehol-3.1.7+ds/debian/firehol-tools.install
--- firehol-3.1.7+ds/debian/firehol-tools.install 2018-06-09 11:40:41.000000000 +0000
+++ firehol-3.1.7+ds/debian/firehol-tools.install 2024-01-22 17:43:56.000000000 +0000
@@ -1,5 +1,6 @@
-usr/lib/firehol/vnetbuild
-usr/lib/firehol/update-ipsets
-usr/lib/firehol/link-balancer
+usr/lib/firehol/vnetbuild usr/libexec/firehol
+usr/lib/firehol/update-ipsets usr/libexec/firehol
+usr/lib/firehol/link-balancer usr/libexec/firehol
 usr/share/doc/firehol/contrib/dnsbl-ipset.sh usr/share/doc/firehol-tools/examples/contrib
+usr/share/doc/firehol/contrib/ipset-apply.sh usr/share/doc/firehol-tools/examples/contrib
 debian/adhoc/contrib/README.firehol-tools usr/share/doc/firehol-tools/examples/contrib
diff -Nru firehol-3.1.7+ds/debian/firehol-tools.links firehol-3.1.7+ds/debian/firehol-tools.links
--- firehol-3.1.7+ds/debian/firehol-tools.links 2017-09-20 18:25:59.000000000 +0000
+++ firehol-3.1.7+ds/debian/firehol-tools.links 2024-01-22 17:38:27.000000000 +0000
@@ -1,4 +1,4 @@ -usr/lib/firehol/vnetbuild usr/sbin/vnetbuild -usr/lib/firehol/update-ipsets usr/sbin/update-ipsets -usr/lib/firehol/link-balancer usr/sbin/link-balancer +usr/libexec/firehol/vnetbuild usr/sbin/vnetbuild +usr/libexec/firehol/update-ipsets usr/sbin/update-ipsets +usr/libexec/firehol/link-balancer usr/sbin/link-balancer usr/share/doc/firehol-tools/examples/contrib usr/share/doc/firehol-tools/contrib diff -Nru firehol-3.1.7+ds/debian/firehol.NEWS firehol-3.1.7+ds/debian/firehol.NEWS --- firehol-3.1.7+ds/debian/firehol.NEWS 2017-09-20 18:25:59.000000000 +0000 +++ firehol-3.1.7+ds/debian/firehol.NEWS 2024-01-24 19:21:25.000000000 +0000 @@ -1,3 +1,18 @@ +firehol (3.1.7+ds-3) unstable; urgency=medium + + Now the firehol package allows one to handle FireHOL via a third party- + package like ifupdown. To enable this new scheme firehol 3.1.7+ds-3 added + a third possible value for the initscript parameter START_FIREHOL, AUTO/auto. + This parameter must be set up in /etc/default/firehol. This package also + added scripts meant to act along the ifupdown machinery (interface(5)). The + conf file /usr/share/doc/firehol/examples/ifupdown/firehol-ifupdown.conf + examplifies the usage of this scheme and might be used as a template; + this example is distributed with the firehol-doc package. In other words, + this new scheme START_FIREHOL=(AUTO|auto) brings to FireHOL the fine + granuality offered by ifupdown (see interfaces(5)). + + -- Jerome Benoit Tue, 25 Jan 2024 11:19:01 +0000 + firehol (2.0.0~rc.1+ds-1) experimental; urgency=medium IPv6 is supported, from this major release of FireHOL, besides IPv4. diff -Nru firehol-3.1.7+ds/debian/firehol.README.Debian firehol-3.1.7+ds/debian/firehol.README.Debian --- firehol-3.1.7+ds/debian/firehol.README.Debian 2020-05-08 15:26:44.000000000 +0000 +++ firehol-3.1.7+ds/debian/firehol.README.Debian 2024-01-24 18:01:42.000000000 +0000 
@@ -6,10 +6,44 @@ else than NO/no. Variables set into /etc/default/firehol are exported into -by the init script /etc/init.d/firehol, such that they are +by the initscript /etc/init.d/firehol, such that they are carried out when firehol is launched from it while, otherwise, they are generally ignored. +Handling FireHOL with ifupdowm-like machineries +=============================================== + +FireHOL is meant to be handled by a third-party software +like ifupdown (interfaces(5)) when the initscript parameter +START_FIREHOL is set to AUTO/auto. For now only the necessary +ifupdown material is provided. The FireHOL configuration file +/usr/share/doc/firehol/examples/ifupdown/firehol-ifupdown.conf +(distributed in the documentation package firehol-doc) exemplifies +the usage of this scheme with ifupdown and might be used as a template. + +To be fully functional with the provided ifupdown material, +the actual FireHOL configuration /etc/firehol/firehol.conf file +must be marked/stamped as IFUPDOWN_COMPATIBLE_FIREHOL_CONFIG_FILE. +This is done by putting the entire ``word'' + IFUPDOWN_COMPATIBLE_FIREHOL_CONFIG_FILE +somewhere inside a comment. In the aforementioned example, +this marker was placed in the very first line of the file as follows: + +==8><--------------------------------------------------------------- +## firehol.conf IFUPDOWN_COMPATIBLE_FIREHOL_CONFIG_FILE example +---------------------------------------------------------------><8== + +This maker is the guarantee by the system administrators that the +FireHOL configuration file handles the ifupdowm MODE stop properly. +When the maker is not matched, firehol is dictated to stop normally. +For further information and details, you may want to peruse interfaces(5) +and have a look to /etc/firehol/ifupdown-firehol.sh . + +From a technical perspective, the scheme START_FIREHOL=AUTO neutralizes the +start and stop behaviours (commands) in the initscript /etc/init.d/firehol . 
+For this reason, the new behaviours force-start and force-stop have been +introduced to force the start and stop behaviours, respectively. + Log FireHOL messages to a separate log file with rsyslog [1] ============================================================ @@ -68,4 +102,4 @@ to use iptables-legacy(8) instead of iptables-nft(8). - -- Jerome Benoit Fri, 08 May 2020 15:26:18 +0000 + -- Jerome Benoit Fri, 24 Jan 2024 17:19:23 +0000 diff -Nru firehol-3.1.7+ds/debian/firehol.default firehol-3.1.7+ds/debian/firehol.default --- firehol-3.1.7+ds/debian/firehol.default 2017-09-20 18:25:59.000000000 +0000 +++ firehol-3.1.7+ds/debian/firehol.default 2024-01-22 22:20:00.000000000 +0000 @@ -1,16 +1,27 @@ # FireHOL application default file # sourced by the initscript `/etc/init.d/firehol'. # + +# START_FIREHOL(=NO|AUTO|YES) init script variable: +# - to disable firehol at startup set START_FIREHOL=NO (default) +START_FIREHOL=NO +# - to handle firehol with a third-party machinery (like ifupdown) +# set START_FIREHOL=AUTO . This scheme empties the WAIT_FOR_IFACE +# list (see below) +#START_FIREHOL=AUTO +# - to effectively start firehol at startup set START_FIREHOL=YES +#START_FIREHOL=YES + + +# # See firehol-variables(5) manual page or FireHOL Manual # for the full list of exportable variables that control the # behaviour of FireHOL and their respective description. # -# To enable firehol at startup set START_FIREHOL=YES (init script variable) -START_FIREHOL=NO - # If you want to have firehol wait for an iface to be up add it here WAIT_FOR_IFACE="" +# This list is set to the empty list in the START_FIREHOL=AUTO scheme. # Disallow pre-established traffic to continue whilst the firewall is activated FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT=0 diff -Nru firehol-3.1.7+ds/debian/firehol.init firehol-3.1.7+ds/debian/firehol.init --- firehol-3.1.7+ds/debian/firehol.init 2017-09-20 18:25:59.000000000 +0000 +++ firehol-3.1.7+ds/debian/firehol.init 2024-01-24 21:33:42.000000000 +0000 
@@ -16,6 +16,8 @@ test -x /usr/sbin/firehol || exit 0 +START_FIREHOL=NO +export START_FIREHOL [ -r /etc/default/firehol ] && set -a && . /etc/default/firehol # load the VERBOSE setting and other rcS variables @@ -28,11 +30,25 @@ NO|no) START_FIREHOL=NO ;; + AUTO|auto) + START_FIREHOL=AUTO + ;; *) START_FIREHOL=YES ;; esac +do_metastart () { + # return + # 0 000 if firewall has been handled + # 1 001 if firewall could not be activated + # 2 010 if firewall is delegated to a third-party + # 4 100 if FireHOL is disabled via /etc/default/firehol + [ "$START_FIREHOL" = "NO" ] && return 4 + [ "$START_FIREHOL" = "AUTO" ] && return 2 + /usr/sbin/firehol start "$@" > /dev/null 2>&1 || return 1 +} + do_start () { # return # 0 000 if firewall has been handled @@ -42,6 +58,15 @@ /usr/sbin/firehol start "$@" > /dev/null 2>&1 || return 1 } +do_metastop () { + # return + # 0 000 if firewall has been cleaned up properly + # 1 001 if firewall could not be cleaned up properly + # 2 010 if firewall is delegated to a third-party + [ "$START_FIREHOL" = "AUTO" ] && return 2 + /usr/sbin/firehol stop > /dev/null 2>&1 || return 1 +} + do_stop () { # return # 0 000 if firewall has been cleaned up properly @@ -64,20 +89,22 @@ case "$COMMAND" in start) [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start "$@" + do_metastart "$@" case "$?" in 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 1) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + 2) [ "$VERBOSE" != no ] && { log_progress_msg "delegated to a third-party" ; log_end_msg 0 ; } ;; 4) [ "$VERBOSE" != no ] && { log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; } ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop + do_metastop case "$?" in 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 1) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + 2) [ "$VERBOSE" != no ] && { log_progress_msg "delegated to a third-party" ; log_end_msg 0 ; } ;; esac ;; 
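Review bot: `do_metastart` repeats the body of `do_start` and only adds the AUTO check, and `do_metastop` does the same with `do_stop`, so the two copies of the `/usr/sbin/firehol start "$@" > /dev/null 2>&1 || return 1` line can drift apart while the `force-start`/`force-stop` actions added later in the file keep using the originals. Delegating keeps a single place for the actual invocation: `[ "$START_FIREHOL" = "AUTO" ] && return 2` followed by `do_start "$@"` in `do_metastart`, and `do_stop` in `do_metastop` — assuming `do_start` still carries the NO check that its `4)` arm in the `start` action implies (its body is outside these hunks). The return-code comment blocks could then just reference the wrapped function instead of being copied.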
@@ -91,7 +118,18 @@ esac ;; - restart|force-reload) + restart) + log_daemon_msg "Restarting $DESC" "$NAME" + do_metastart "$@" + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; + 2) log_progress_msg "delegated to a third-party" ; log_end_msg 0 ; ;; + 4) log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; ;; + esac + ;; + + force-reload) log_daemon_msg "Restarting $DESC" "$NAME" do_start "$@" case "$?" in 
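Review bot: `restart` now goes through `do_metastart` and honours START_FIREHOL=AUTO, but the `force-reload` action right below it still calls `do_start "$@"`, so `invoke-rc.d firehol force-reload` bypasses the delegation to ifupdown and starts the firewall directly, and the arms of its `case` (outside this hunk) presumably have no `2)` entry. LSB treats force-reload as restart-or-reload, so the two should agree: `do_metastart "$@"` in `force-reload` plus `2) log_progress_msg "delegated to a third-party" ; log_end_msg 0 ;;` in its `case`. If bypassing AUTO is intended for force-reload, a comment saying so would help, since the new `force-start` action already exists for that purpose. The enclosing `case "$COMMAND"` starts and ends outside this hunk.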
@@ -101,18 +139,48 @@ esac ;; + force-start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start "$@" + case "$?" in + 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 1) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + 4) [ "$VERBOSE" != no ] && { log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; } ;; + esac + ;; + + force-stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 1) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) - if [ "$START_FIREHOL" = "NO" ]; then - log_warning_msg "$DESC $NAME disabled via /etc/default/firehol" - exit 0 - else - log_success_msg "$DESC $NAME enabled via /etc/default/firehol" - exit 4 - fi + case "$START_FIREHOL" in + NO) + log_warning_msg "$DESC $NAME disabled via /etc/default/firehol" + exit 0 + ;; + AUTO) + log_success_msg "$DESC $NAME delegated via /etc/default/firehol" + exit 4 + ;; + YES) + log_success_msg "$DESC $NAME enabled via /etc/default/firehol" + exit 4 + ;; + *) + log_success_msg "$DESC $NAME confused by /etc/default/firehol" + exit 4 + ;; + esac ;; *) - echo "Usage: $SCRIPTNAME {start|stop|condrestart|restart|force-reload|status|helpme|wizard} []" >&2 + echo "Usage: $SCRIPTNAME {start|stop|condrestart|restart|force-reload|force-start|force-stop|status|helpme|wizard} []" >&2 exit 3 ;; esac diff -Nru firehol-3.1.7+ds/debian/firehol.install firehol-3.1.7+ds/debian/firehol.install --- firehol-3.1.7+ds/debian/firehol.install 2018-11-07 06:14:47.000000000 +0000 +++ firehol-3.1.7+ds/debian/firehol.install 2024-01-22 18:16:55.000000000 +0000 
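Review bot: The `*)` arm of the new `status` case (`confused by /etc/default/firehol`) is unreachable: the normalising `case` near the top of the script maps every value other than NO/no and AUTO/auto to YES, so START_FIREHOL is always one of NO, AUTO or YES by the time `status` runs; either drop the arm or let the top-level case preserve unknown values so that `status` can actually report them. `force-start` and `force-stop` deliberately skip `do_metastart`/`do_metastop`; a one-line comment above each arm such as `# force-*: bypass the START_FIREHOL=AUTO delegation (see README.Debian)` would make that intent clear. It also appears that `force-start` still returns 4 under START_FIREHOL=NO via `do_start` (defined outside this hunk), so "force" overrides AUTO but not NO — worth stating in the usage text or README.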
@@ -1,5 +1,6 @@
-usr/lib/firehol/firehol
-usr/lib/firehol/services.firehol
-debian/firehol.conf etc/firehol
+usr/lib/firehol/firehol usr/libexec/firehol
+usr/lib/firehol/services.firehol usr/lib/firehol
+debian/firehol.conf etc/firehol
+debian/ifupdown/ifupdown-firehol.sh etc/firehol
 usr/share/doc/firehol/contrib/firehol.service usr/share/doc/firehol/examples/contrib/systemd
 debian/adhoc/contrib/systemd/README.firehol usr/share/doc/firehol/examples/contrib/systemd
diff -Nru firehol-3.1.7+ds/debian/firehol.links firehol-3.1.7+ds/debian/firehol.links
--- firehol-3.1.7+ds/debian/firehol.links 2017-09-20 18:25:59.000000000 +0000
+++ firehol-3.1.7+ds/debian/firehol.links 2024-01-22 18:20:43.000000000 +0000
@@ -1,2 +1,7 @@
-usr/lib/firehol/firehol usr/sbin/firehol
+etc/firehol/ifupdown-firehol.sh etc/network/if-pre-up.d/zz-firehol
+etc/firehol/ifupdown-firehol.sh etc/network/if-up.d/firehol
+etc/firehol/ifupdown-firehol.sh etc/network/if-down.d/firehol
+etc/firehol/ifupdown-firehol.sh etc/network/if-post-down.d/00-firehol
+usr/libexec/firehol/firehol usr/sbin/firehol
+usr/lib/firehol/services.firehol usr/libexec/firehol/services.firehol
 usr/share/doc/firehol/examples/contrib usr/share/doc/firehol/contrib
diff -Nru firehol-3.1.7+ds/debian/firehol.service firehol-3.1.7+ds/debian/firehol.service
--- firehol-3.1.7+ds/debian/firehol.service 2021-02-21 11:58:56.000000000 +0000
+++ firehol-3.1.7+ds/debian/firehol.service 2024-01-24 21:25:16.000000000 +0000
@@ -16,9 +16,10 @@
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/sbin/firehol start
-ExecStop=/usr/sbin/firehol stop
-ExecReload=/usr/sbin/firehol start
+EnvironmentFile=-/etc/default/firehol
+ExecStart=/bin/sh -c 'case "$START_FIREHOL" in (AUTO|auto) ;; (*) /usr/sbin/firehol start ;; esac'
+ExecStop=/bin/sh -c 'case "$START_FIREHOL" in (AUTO|auto) ;; (*) /usr/sbin/firehol stop ;; esac'
+ExecReload=/bin/sh -c 'case "$START_FIREHOL" in (AUTO|auto) ;; (*) /usr/sbin/firehol start ;; esac'
 
 [Install]
 WantedBy=multi-user.target
diff -Nru firehol-3.1.7+ds/debian/fireqos.install firehol-3.1.7+ds/debian/fireqos.install
--- firehol-3.1.7+ds/debian/fireqos.install 2018-11-07 06:15:24.000000000 +0000
+++ firehol-3.1.7+ds/debian/fireqos.install 2024-01-22 18:17:37.000000000 +0000
@@ -1,5 +1,5 @@
-usr/lib/firehol/fireqos
-usr/lib/firehol/services.fireqos
+usr/lib/firehol/fireqos usr/libexec/firehol
+usr/lib/firehol/services.fireqos usr/lib/firehol
 debian/fireqos.conf etc/firehol
 usr/share/doc/firehol/contrib/fireqos.service usr/share/doc/fireqos/examples/contrib/systemd
 debian/adhoc/contrib/systemd/README.fireqos usr/share/doc/fireqos/examples/contrib/systemd
diff -Nru firehol-3.1.7+ds/debian/fireqos.links firehol-3.1.7+ds/debian/fireqos.links
--- firehol-3.1.7+ds/debian/fireqos.links 2017-09-20 18:25:59.000000000 +0000
+++ firehol-3.1.7+ds/debian/fireqos.links 2024-01-22 18:20:11.000000000 +0000
@@ -1,2 +1,3 @@
-usr/lib/firehol/fireqos usr/sbin/fireqos
+usr/libexec/firehol/fireqos usr/sbin/fireqos
+usr/lib/firehol/services.fireqos usr/libexec/firehol/services.fireqos
 usr/share/doc/fireqos/examples/contrib usr/share/doc/fireqos/contrib
diff -Nru firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh
--- firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh 1970-01-01 00:00:00.000000000 +0000
+++ firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh 2024-01-24 16:18:03.000000000 +0000
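Review bot: `EnvironmentFile=` reads `/etc/default/firehol` with systemd's own KEY=VALUE parser rather than sourcing it the way the initscript and the ifupdown hook do, so any shell syntax an administrator puts in that file (command substitutions, `${VAR:-default}`, conditionals) is taken literally or ignored by the unit while the other two entry points honour it; a comment in the unit, or in firehol.default, stating that systemd only sees plain `VAR=value` lines would prevent surprises. The three `case` wrappers also treat `NO|no` like YES and leave the refusal to `/usr/sbin/firehol` itself (which exits 1 after the debianization patch in this upload), so a disabled firewall surfaces as a failed unit whereas the initscript reports it as `disabled, see /etc/default/firehol`. If that asymmetry is deliberate it deserves a comment; otherwise handle `NO|no` explicitly in the `case` so the unit's state is a decision rather than a side effect of the wrapped command.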
@@ -0,0 +1,110 @@ +#!/bin/sh + +##################################################################### +## Purpose +# This file is executed by ifupdown in {pre,post}-{up,down} phases +# of network interface configuration. It allows ifup(8) and ifdown(8) +# to pre-load and post-load FireHOL firewalls provided that +# START_FIREHOL is set to AUTO (or auto) in /etc/default/firehol . +# +# /etc/default/firehol is sourced by this file. +# +# This file is provided by the firehol package. + +##################################################################### +# Copyright (C) 2024 Jerome Benoit +# +# This package is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This package is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this package. If not, see . +# +# On Debian systems, the complete text of the GNU General +# Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + + +DAEMON=/usr/sbin/firehol +NAME="firehol" +DESC="Firewall" + +test -x $DAEMON || exit 0 + +if [ -n "$IF_IFUPDOWN_FIREHOL_MAINT_DEBUG" ]; then + if [ -z "$MODE" -o -z "$PHASE" ]; then + case $(dirname "$0") in + */if-pre-up.d) + PHASE=pre-up; + MODE=start; + ;; + */if-up.d) + PHASE=up; + MODE=start; + ;; + */if-down.d) + PHASE=down; + MODE=stop; + ;; + */if-post-down.d) + PHASE=post-down; + MODE=stop; + ;; + esac + fi + set -x +fi + +[ "$IFACE" != "lo" ] || exit 0 + +set -e + +START_FIREHOL=NO +export START_FIREHOL +if [ -r /etc/default/firehol ]; then + if [ -o allexport ]; then + . /etc/default/firehol + else + set -a + . 
/etc/default/firehol + set +a + fi +fi +case "$START_FIREHOL" in + AUTO|auto) ;; + *) exit 0 ;; +esac + +ifud_firehol_do_forceload () { + /usr/sbin/firehol start > /dev/null 2>&1 + } + +ifud_firehol_do_forcestop () { + /usr/sbin/firehol stop > /dev/null 2>&1 + } + +case "$MODE" in + start) + ifud_firehol_do_forceload + ;; + stop) + if $(grep -sqm1 '#.*\' /etc/firehol/firehol.conf) + then + ifud_firehol_do_forceload + else + ifud_firehol_do_forcestop + fi + ;; + *) + echo "$0: unkexpected MODE [$MODE]" >&2 + exit 1 + ;; +esac + +exit 0 diff -Nru firehol-3.1.7+ds/debian/patches/debianization-source-etc_default.patch firehol-3.1.7+ds/debian/patches/debianization-source-etc_default.patch --- firehol-3.1.7+ds/debian/patches/debianization-source-etc_default.patch 2020-05-08 16:05:37.000000000 +0000 +++ firehol-3.1.7+ds/debian/patches/debianization-source-etc_default.patch 2024-01-24 17:52:36.000000000 +0000 @@ -2,26 +2,40 @@ Meant to take into account /etc/defaults in order to avoid security surprises. Thanks to Toni Mueller - for pointing out the issue and providing - a patch. + for pointing out the issue and introducing + the patch. Origin: vendor, Debian Forwarded: not-needed Author: Toni Mueller -Last-Update: 2020-05-08 +Author: Jerome Benoit +Last-Update: 2024-01-24 --- a/sbin/firehol 
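Review bot: In the `stop)` arm, `if $(grep -sqm1 … /etc/firehol/firehol.conf)` runs the command substitution and then executes its empty output, relying on the POSIX rule that a command with no name takes the substitution's exit status; write it as `if grep -sqm1 '<marker pattern>' /etc/firehol/firehol.conf; then` instead. As rendered on this page the pattern reads `'#.*\'`, which is not a valid BRE (trailing backslash); if the `\<IFUPDOWN_COMPATIBLE_FIREHOL_CONFIG_FILE\>` word was merely lost in rendering this is fine, otherwise grep exits 2 and every interface-down event falls through to `firehol stop`. That fallback deserves a visible trace: without the marker, `ifdown` on any single non-lo interface of a multi-homed host runs `firehol stop` and removes the ruleset for every interface, so a `logger -t firehol "stopping firewall (ifdown $IFACE)"` line before `ifud_firehol_do_forcestop`, plus a comment stating this consequence, would make the unfiltered window observable in syslog. Under `#!/bin/sh`, `[ -o allexport ]` is a bash/ksh extension that dash probably rejects on stderr before falling into the `else` branch; an unconditional `set -a; . /etc/default/firehol; set +a` is simpler and portable. The usage message also misspells `unkexpected`.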
+++ b/sbin/firehol -@@ -24,6 +24,15 @@ +@@ -24,6 +24,28 @@ # # See the file COPYING for details. # ++START_FIREHOL=NO +if [ -r /etc/default/firehol ]; then + source /etc/default/firehol -+ if [ ${START_FIREHOL:-NO} != YES ]; then -+ 1>&2 echo "FireHOL needs to be enabled in /etc/default/firehol in order to run." -+ 1>&2 echo "Not starting - your system may be unprotected!" -+ exit 1 -+ fi ++ case "$START_FIREHOL" in ++ NO|no) ++ START_FIREHOL=NO ++ ;; ++ AUTO|auto) ++ WAIT_FOR_IFACE="" ++ START_FIREHOL=AUTO ++ ;; ++ *) ++ START_FIREHOL=YES ++ ;; ++ esac ++fi ++if [ "${START_FIREHOL}" = "NO" ]; then ++ 1>&2 echo "FireHOL needs to be enabled in /etc/default/firehol in order to run." ++ 1>&2 echo "Not starting - your system may be unprotected!" ++ exit 1 +fi +# READLINK_CMD=${READLINK_CMD:-readlink} diff -Nru firehol-3.1.7+ds/debian/rules firehol-3.1.7+ds/debian/rules --- firehol-3.1.7+ds/debian/rules 2021-02-28 09:09:11.000000000 +0000 +++ firehol-3.1.7+ds/debian/rules 2024-01-22 18:53:59.000000000 +0000 @@ -25,3 +25,6 @@ override_dh_compress: dh_compress -X.pdf -Xexamples + +override_dh_missing: + dh_missing --list-missing
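Review bot: The guard inserted at the top of `sbin/firehol` runs before the command line is parsed (it sits right after the licence header, ahead of `READLINK_CMD`), so with START_FIREHOL=NO every invocation — including `firehol stop` and `firehol status` — prints `Not starting - your system may be unprotected!` and exits 1; the initscript's `do_metastop`, which does not check for NO, then reports a failed stop even though nothing was loaded. If refusing `stop` under NO is intended, the message should say so; otherwise the `exit 1` should be limited to the start-like commands, which means moving the check after argument parsing. The `*)` arm mapping any other value to YES is the fail-closed choice and deserves a one-line comment, e.g. `# anything else (including typos) enables the firewall`, so nobody "fixes" it to NO later.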
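Review bot: `override_dh_missing` with `--list-missing` downgrades the debhelper-compat 13 default (`--fail-missing`, which the control change in this upload opts into) back to a warning, so any file under `usr/lib/firehol` that the `.install` files no longer list after the libexec move would be silently left out of the packages instead of failing the build. If the override exists to tolerate a known leftover, an exclusion with a comment naming it keeps the safety net: `dh_missing --fail-missing -X<leftover path, placeholder>`. Otherwise the target can simply be removed.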