Diffstat (limited to 'net-firewall/firehol')
-rw-r--r--net-firewall/firehol/Manifest2
-rw-r--r--net-firewall/firehol/files/RESERVED_IPS19
-rw-r--r--net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch58
-rw-r--r--net-firewall/firehol/files/firehol-1.273-log-output.patch11
-rw-r--r--net-firewall/firehol/files/firehol-2.0.2-autosave.patch18
-rw-r--r--net-firewall/firehol/files/firehol.conf.d2
-rw-r--r--net-firewall/firehol/files/firehol.initrd.167
-rw-r--r--net-firewall/firehol/files/fireqos.conf.d2
-rw-r--r--net-firewall/firehol/files/fireqos.initrd45
-rw-r--r--net-firewall/firehol/firehol-1.273-r3.ebuild78
-rw-r--r--net-firewall/firehol/firehol-2.0.2.ebuild61
-rw-r--r--net-firewall/firehol/metadata.xml7
12 files changed, 370 insertions, 0 deletions
diff --git a/net-firewall/firehol/Manifest b/net-firewall/firehol/Manifest
new file mode 100644
index 000000000000..e571ba74fdef
--- /dev/null
+++ b/net-firewall/firehol/Manifest
@@ -0,0 +1,2 @@
+DIST firehol-1.273.tar.bz2 128128 SHA256 e8d3b4ac3e54097c0e0f14bfab773a75d43b522fa123a42088b7f23f13495ea2 SHA512 dbb311fb9d4fa8861480bae1fac449ce85f52612264ec21658946d87be02027c37af13b754acd791ad454964c588897f8187ec8ce80de3b3ed8a888429bfd708 WHIRLPOOL 0fa7f7644d7bf0268bfc6e817eeb95e7c1784cefa6d4a930c2fec6644774347c28e7a4d39c55df7a4e0f7a0c4697ce6b3c4bafdf6e2124bd478c097b9a6cfb27
+DIST firehol-2.0.2.tar.xz 918860 SHA256 8778d0fc891676777b55e68d852a765205a995029f6e9f599c0090a14ca8ee7c SHA512 d125c4ca7d60494afde04f806bb0fc44ebdb12d7bf59e027c441a087082d9c326d009ba568ef640b01409abdecc3c192a9ae6db6c7370ad0221a19cb3a706902 WHIRLPOOL 10b6edee6a4db07a217e7d13eea4dc5ba02d7f3a44ba1955a5b138a09aa41aea6e39acbcdb04e0ee80d22f3f1d9fc1f061d26d7a10a9d1a7f02230ca21efe514
diff --git a/net-firewall/firehol/files/RESERVED_IPS b/net-firewall/firehol/files/RESERVED_IPS
new file mode 100644
index 000000000000..2cfd261c132c
--- /dev/null
+++ b/net-firewall/firehol/files/RESERVED_IPS
@@ -0,0 +1,19 @@
+0.0.0.0/8
+10.0.0.0/8
+127.0.0.0/8
+240.0.0.0/8
+241.0.0.0/8
+242.0.0.0/8
+243.0.0.0/8
+244.0.0.0/8
+245.0.0.0/8
+246.0.0.0/8
+247.0.0.0/8
+248.0.0.0/8
+249.0.0.0/8
+250.0.0.0/8
+251.0.0.0/8
+252.0.0.0/8
+253.0.0.0/8
+254.0.0.0/8
+255.0.0.0/8
diff --git a/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
new file mode 100644
index 000000000000..99a958aa701f
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
@@ -0,0 +1,58 @@
+From 545db8cd292957158bf3fa1c1c370e4be83c6688 Mon Sep 17 00:00:00 2001
+From: Robert Buchholz <rbu@goodpoint.de>
+Date: Tue, 6 Jan 2009 23:26:00 +0100
+Subject: [PATCH] Use mktemp instead of relying that $$-$RANDOM-$RANDOM does not exist.
+
+References:
+* CVE-2008-4953
+* https://bugs.gentoo.org/246013
+---
+ firehol.sh | 25 +++++++++----------------
+ 1 files changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/firehol.sh b/firehol.sh
+index 6acb497..f5dba16 100755
+--- a/firehol.sh
++++ b/firehol.sh
+@@ -238,8 +238,15 @@ ${IPTABLES_CMD} -nxvL >/dev/null 2>&1
+ # ----------------------------------------------------------------------
+ # Directories and files
+
+-# These files will be created and deleted during our run.
+-FIREHOL_DIR="/tmp/.firehol-tmp-$$-${RANDOM}-${RANDOM}"
++# Create an empty temporary directory we need for this run.
++if ! FIREHOL_DIR="`mktemp -d -t .firehol-tmp-XXXXXX`"
++then
++ echo >&2
++ echo >&2
++ echo >&2 "Cannot create temporary directory."
++ echo >&2
++ exit 1
++fi
+ FIREHOL_CHAINS_DIR="${FIREHOL_DIR}/chains"
+ FIREHOL_OUTPUT="${FIREHOL_DIR}/firehol-out.sh"
+ FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
+@@ -329,20 +336,6 @@ then
+ "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}/services"
+ fi
+
+-# Remove any old directories that might be there.
+-if [ -d "${FIREHOL_DIR}" ]
+-then
+- "${RM_CMD}" -rf "${FIREHOL_DIR}"
+- if [ $? -ne 0 -o -e "${FIREHOL_DIR}" ]
+- then
+- echo >&2
+- echo >&2
+- echo >&2 "Cannot clean temporary directory '${FIREHOL_DIR}'."
+- echo >&2
+- exit 1
+- fi
+-fi
+-"${MKDIR_CMD}" "${FIREHOL_DIR}" || exit 1
+ "${MKDIR_CMD}" "${FIREHOL_CHAINS_DIR}" || exit 1
+
+ # prepare the file that will hold all modules to be loaded.
+--
+1.6.0.4
+
diff --git a/net-firewall/firehol/files/firehol-1.273-log-output.patch b/net-firewall/firehol/files/firehol-1.273-log-output.patch
new file mode 100644
index 000000000000..66f0fd4c9b2e
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.273-log-output.patch
@@ -0,0 +1,11 @@
+--- firehol.sh-old 2010-08-11 09:01:29.000000000 -0600
++++ firehol.sh 2010-08-12 09:22:07.000000000 -0600
+@@ -5212,7 +5212,7 @@
+ printf >&2 "\n"
+ echo >&2 "OUTPUT : "
+ echo >&2
+- ${CAT_CMD} ${FIREHOL_OUTPUT}.log
++ ${CAT_CMD} ${FIREHOL_OUTPUT}.log >&2
+ echo >&2
+
+ return 0
diff --git a/net-firewall/firehol/files/firehol-2.0.2-autosave.patch b/net-firewall/firehol/files/firehol-2.0.2-autosave.patch
new file mode 100644
index 000000000000..f552b2b167b3
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-2.0.2-autosave.patch
@@ -0,0 +1,18 @@
+diff -urNp firehol-2.0.1/sbin/firehol.in firehol-2.0.1.new/sbin/firehol.in
+--- firehol-2.0.1/sbin/firehol.in 2015-02-15 17:08:03.000000000 +0200
++++ firehol-2.0.1.new/sbin/firehol.in 2015-04-14 18:05:22.262234003 +0300
+@@ -846,12 +846,12 @@ test -z "$FIREHOL_ROUTING" && \
+ # Where /etc/init.d/iptables expects its configuration?
+ # Leave it empty for automatic detection
+ test -z "$FIREHOL_AUTOSAVE" && \
+- FIREHOL_AUTOSAVE=
++ FIREHOL_AUTOSAVE="@FIREHOL_AUTOSAVE@"
+
+ # Where /etc/init.d/ip6tables expects its configuration?
+ # Leave it empty for automatic detection
+ test -z "$FIREHOL_AUTOSAVE6" && \
+- FIREHOL_AUTOSAVE6=
++ FIREHOL_AUTOSAVE6="@FIREHOL_AUTOSAVE6@"
+
+ # Set to non-empty to wait (max 60 seconds) for a network interface
+ test -z "$WAIT_FOR_IFACE" && \
diff --git a/net-firewall/firehol/files/firehol.conf.d b/net-firewall/firehol/files/firehol.conf.d
new file mode 100644
index 000000000000..c8b06e0eaf09
--- /dev/null
+++ b/net-firewall/firehol/files/firehol.conf.d
@@ -0,0 +1,2 @@
+#Locate of FireHOL conf file
+FIREHOL_CONF="/etc/firehol/firehol.conf"
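Review bot: The comment `#Locate of FireHOL conf file` reads as a typo and does not say what consumes the value; suggest `# Location of the FireHOL configuration file, passed to /usr/sbin/firehol by the init script`. The same wording appears in fireqos.conf.d and should be fixed there too.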
diff --git a/net-firewall/firehol/files/firehol.initrd.1 b/net-firewall/firehol/files/firehol.initrd.1
new file mode 100644
index 000000000000..8d34b68b14ee
--- /dev/null
+++ b/net-firewall/firehol/files/firehol.initrd.1
@@ -0,0 +1,67 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic try"
+extra_started_commands="reload"
+
+depend() {
+ need localmount
+ after bootmisc
+ before net
+ provide firewall
+}
+
+checkrules() {
+ if [ ! -f ${FIREHOL_CONF} ]; then
+ eerror "Not starting FireHOL. Create ${FIREHOL_CONF}"
+ eerror "and fill it with some rules."
+ eerror "man firehol.conf for more info."
+ return 1
+ fi
+}
+
+start() {
+ checkrules || return 1
+ ebegin "Starting FireHOL"
+ /usr/sbin/firehol ${FIREHOL_CONF} start > /dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping FireHOL"
+ /usr/sbin/firehol stop > /dev/null
+ eend $?
+}
+
+restart() {
+ ebegin "Restarting Firewall"
+ svc_stop;
+ svc_start;
+ eend $?
+}
+
+try() {
+ ebegin "Trying FireHOL configuration"
+ /usr/sbin/firehol ${FIREHOL_CONF} try
+ eend $?
+}
+
+status() {
+ ebegin "Showing FireHOL status"
+ /usr/sbin/firehol status
+ eend $?
+}
+
+panic() {
+ ebegin "FireHOL PANIC"
+ /usr/sbin/firehol panic
+ eend $?
+}
+
+save() {
+ ebegin "Saving FireHOL configuration"
+ /usr/sbin/firehol save
+ eend $?
+}
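Review bot: `extra_started_commands="reload"` near the top of the script declares a `reload` command, but no `reload()` function is defined anywhere in the file, so invoking `reload` on a running service will fail with an unknown-command error. Either define `reload()` (presumably re-running `/usr/sbin/firehol ${FIREHOL_CONF} start` as `start()` does, if that is the intended semantics) or drop the declaration: `extra_started_commands=""`. Separately, `checkrules` tests `[ ! -f ${FIREHOL_CONF} ]` with the variable unquoted; if it expands to nothing the test becomes `[ ! -f ]`, which evaluates to false, so a missing or empty path is not reported and `start` runs firehol without a config argument. Quote it as `[ ! -f "${FIREHOL_CONF}" ]` and quote the path on the `/usr/sbin/firehol` invocations as well; the same applies to `checkrules` and `start` in fireqos.initrd.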
diff --git a/net-firewall/firehol/files/fireqos.conf.d b/net-firewall/firehol/files/fireqos.conf.d
new file mode 100644
index 000000000000..55fa2e037e01
--- /dev/null
+++ b/net-firewall/firehol/files/fireqos.conf.d
@@ -0,0 +1,2 @@
+#Locate of FireQOS conf file
+FIREQOS="/etc/firehol/fireqos.conf"
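Review bot: The variable defined here is `FIREQOS`, but fireqos.initrd reads `${FIREQOS_CONF}` in both `checkrules` and `start`, so the configured path is never picked up and the service is started with an empty config-file argument. Rename it to match the init script: `FIREQOS_CONF="/etc/firehol/fireqos.conf"`. fireqos.initrd also passes `${FIREQOS_EXTRA_ARGS}` to the daemon, which this file does not mention; expose it with a commented default such as `#FIREQOS_EXTRA_ARGS=""` so users can find it.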
diff --git a/net-firewall/firehol/files/fireqos.initrd b/net-firewall/firehol/files/fireqos.initrd
new file mode 100644
index 000000000000..ebfbaac5b6e2
--- /dev/null
+++ b/net-firewall/firehol/files/fireqos.initrd
@@ -0,0 +1,45 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+depend() {
+ need localmount
+ after bootmisc
+ before net
+}
+
+checkrules() {
+ if [ ! -f ${FIREQOS_CONF} ]; then
+ eerror "Not starting FireQOS. Create ${FIREQOS_CONF}"
+ eerror "and fill it with some rules."
+ eerror "man fireqos.conf for more info."
+ return 1
+ fi
+}
+
+start() {
+ checkrules || return 1
+ ebegin "Starting FireQOS"
+ /usr/sbin/fireqos start ${FIREQOS_CONF} -- ${FIREQOS_EXTRA_ARGS} > /dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping FireQOS"
+ /usr/sbin/fireqos stop > /dev/null
+ eend $?
+}
+
+restart() {
+ ebegin "Restarting FireQOS"
+ svc_stop;
+ svc_start;
+ eend $?
+}
+
+status() {
+ ebegin "Showing FireQOS status"
+ /usr/sbin/fireqos status
+ eend $?
+}
diff --git a/net-firewall/firehol/firehol-1.273-r3.ebuild b/net-firewall/firehol/firehol-1.273-r3.ebuild
new file mode 100644
index 000000000000..d5f5d8b2757f
--- /dev/null
+++ b/net-firewall/firehol/firehol-1.273-r3.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+inherit eutils linux-info
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE=""
+KEYWORDS="amd64 ~ppc ~sparc x86"
+
+DEPEND="sys-apps/iproute2"
+RDEPEND="net-firewall/iptables
+ sys-apps/iproute2[-minimal]
+ virtual/modutils
+ || (
+ net-misc/wget
+ net-misc/curl
+ )"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2008-4953.patch
+ epatch "${FILESDIR}"/${P}-log-output.patch #332507
+}
+
+pkg_setup() {
+ local KCONFIG_OPTS="~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_MARK ~NF_NAT ~NF_NAT_FTP ~NF_NAT_IRC \
+ ~IP_NF_IPTABLES ~IP_NF_FILTER ~IP_NF_TARGET_REJECT ~IP_NF_TARGET_LOG ~IP_NF_TARGET_ULOG \
+ ~IP_NF_TARGET_MASQUERADE ~IP_NF_TARGET_REDIRECT ~IP_NF_MANGLE \
+ ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_STATE ~NETFILTER_XT_MATCH_OWNER"
+
+ get_version
+ if [ ${KV_PATCH} -ge 25 ]; then
+ CONFIG_CHECK="~NF_CONNTRACK ${KCONFIG_OPTS}"
+ else
+ CONFIG_CHECK="~NF_CONNTRACK_ENABLED ${KCONFIG_OPTS}"
+ fi
+ linux-info_pkg_setup
+}
+
+src_install() {
+ newsbin firehol.sh firehol
+
+ dodir /etc/firehol /etc/firehol/examples /etc/firehol/services
+ insinto /etc/firehol/examples
+ doins examples/* || die
+
+ newconfd "${FILESDIR}"/firehol.conf.d firehol
+ newinitd "${FILESDIR}"/firehol.initrd.1 firehol
+
+ dodoc ChangeLog README TODO WhatIsNew
+ dohtml doc/*.html doc/*.css
+
+ docinto scripts
+ dodoc get-iana.sh adblock.sh
+
+ doman man/*.1 man/*.5
+
+ # Install this RESERVED_IPS as discussed in bug #332135
+ insinto /etc/firehol
+ doins "${FILESDIR}"/RESERVED_IPS
+}
+
+pkg_postinst() {
+ elog "The default path to firehol's configuration file is /etc/firehol/firehol.conf"
+ elog "See /etc/firehol/examples for configuration examples."
+ #
+ # Install a default configuration if none is available yet
+ if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then
+ einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf"
+ cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf"
+ fi
+}
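Review bot: The kernel-version test `if [ ${KV_PATCH} -ge 25 ]` in `pkg_setup` only makes sense for 2.6.x kernels: on 3.x and later `KV_PATCH` is the sublevel (usually well below 25), so the legacy `~NF_CONNTRACK_ENABLED` branch is chosen and the `~NF_CONNTRACK` option that exists on those kernels is never checked. Use the eclass helper that compares the whole version instead: `if kernel_is -ge 2 6 25; then`. The same code is in `pkg_setup` of firehol-2.0.2.ebuild. In `pkg_postinst`, copying `client-all.conf` to `${ROOT}/etc/firehol/firehol.conf` with plain `cp` creates a file the package manager does not track (it is not removed on unmerge and its permissions are whatever the copy produces); the usual pattern is to install the default config from `src_install` so the package owns it, or at least to say in the `elog` text that the copied file is unmanaged.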
diff --git a/net-firewall/firehol/firehol-2.0.2.ebuild b/net-firewall/firehol/firehol-2.0.2.ebuild
new file mode 100644
index 000000000000..f39413ce29c1
--- /dev/null
+++ b/net-firewall/firehol/firehol-2.0.2.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit eutils linux-info
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="http://firehol.org/download/releases/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="doc"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+
+RDEPEND="net-firewall/iptables
+ sys-apps/iproute2[-minimal]
+ virtual/modutils
+ app-arch/gzip"
+DEPEND="${RDEPEND}"
+
+pkg_setup() {
+ local KCONFIG_OPTS="~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_MARK ~NF_NAT ~NF_NAT_FTP ~NF_NAT_IRC \
+ ~IP_NF_IPTABLES ~IP_NF_FILTER ~IP_NF_TARGET_REJECT ~IP_NF_TARGET_LOG ~IP_NF_TARGET_ULOG \
+ ~IP_NF_TARGET_MASQUERADE ~IP_NF_TARGET_REDIRECT ~IP_NF_MANGLE \
+ ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_STATE ~NETFILTER_XT_MATCH_OWNER"
+
+ get_version
+ if [ ${KV_PATCH} -ge 25 ]; then
+ CONFIG_CHECK="~NF_CONNTRACK ${KCONFIG_OPTS}"
+ else
+ CONFIG_CHECK="~NF_CONNTRACK_ENABLED ${KCONFIG_OPTS}"
+ fi
+ linux-info_pkg_setup
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${P}-autosave.patch"
+}
+
+src_configure() {
+ # removing IP6TABLES_CMD has no effect and enable build
+ # without ipv6 available
+ econf \
+ --docdir="${EPREFIX}/usr/share/doc/${PF}" \
+ --with-autosave="${EPREFIX}/var/lib/iptables/rules-save" \
+ --with-autosave6="${EPREFIX}/var/lib/ip6tables/rules-save" \
+ $(use_enable doc) \
+ IP6TABLES_CMD=/bin/false \
+ IP6TABLES_SAVE_CMD=/bin/false
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/firehol.conf.d firehol
+ newinitd "${FILESDIR}"/firehol.initrd.1 firehol
+ newconfd "${FILESDIR}"/fireqos.conf.d fireqos
+ newinitd "${FILESDIR}"/fireqos.initrd fireqos
+}
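Review bot: `src_configure` passes `IP6TABLES_CMD=/bin/false` and `IP6TABLES_SAVE_CMD=/bin/false` unconditionally; the comment above says this is to allow building without IPv6 available, but it also applies to hosts that do have ip6tables, where the installed generator presumably never programs IPv6 rules and an IPv6-enabled host is left without IPv6 filtering from this package regardless of its firehol.conf. Make this a deliberate choice visible in the package: add an `ipv6` flag to `IUSE`, apply the two `/bin/false` overrides only when it is disabled, and depend on iptables with IPv6 support when it is enabled. If the override must stay unconditional, the comment at the econf call should state that consequence rather than only the build motivation. The 1.273-r3 ebuild has no such override, so this is new behaviour in 2.0.2.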
diff --git a/net-firewall/firehol/metadata.xml b/net-firewall/firehol/metadata.xml
new file mode 100644
index 000000000000..7f679d64a788
--- /dev/null
+++ b/net-firewall/firehol/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>alonbl@gentoo.org</email>
+ </maintainer>
+</pkgmetadata>