Package: harden-doc
Severity: wishlist
Version: 3.15.1
Tags: patch

Patch rewrites firewall section to reflect Debian's usage (since
Squeeze) of dependency based boot sequencing. Also, fixes a bug in the
script and re-writes some of the comments.

Index: en/services.sgml
===================================================================
--- en/services.sgml	(revision 10419)
+++ en/services.sgml	(working copy)
@@ -1697,10 +1697,17 @@
 
 <item>Move the script to <file>/etc/init.d/myfirewall</file>
 
-<item>Configure the system to run the script before any network is
-configured:
+<item>The below script takes advantage of Debian's use (since Squeeze)
+of dependency based boot sequencing. For more information see:
+<url id="https://wiki.debian.org/LSBInitScripts/DependencyBasedBoot";
+name="Debian Dependency Based Boot"> and 
+<url id="https://wiki.debian.org/LSBInitScripts";
+name="How to write an LSB Init Script">. With the LSB headers set as
+they are in the script, insserv will automatically configure the
+system to start the firewall before any network is brought up, and
+stop the firewall after any network is brought down.
 <example>
-#update-rc.d myfirewall start 40 S . stop 89 0 6 .
+# insserv myfirewall
 </example>
 
 </list>
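Review bot: the replacement `<item>` loses the imperative step the rest of this list is built from; the reader is told what the LSB headers achieve but not that running `insserv myfirewall` is the action to take. Suggest opening the item with the action, e.g. `<item>Register the script with insserv, which reads the LSB headers in the script below:` and keeping the explanation after it. "The below script" is also ambiguous at this point, since the listing only follows later in the section, and the `name="Debian Dependency Based Boot"> and ` line carries trailing whitespace.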
@@ -1709,6 +1716,17 @@
 
 <example>
 #!/bin/sh
+### BEGIN INIT INFO
+# Provides:          myfirewall
+# Required-Start:    $local_fs
+# Required-Stop:     $local_fs
+# Default-Start:     S
+# Default-Stop:      0 6
+# X-Start-Before:    $network
+# X-Stop-After:      $network
+# Short-Description: My custom firewall.
+### END INIT INFO
+#
 # Simple example firewall configuration.
 #
 # Caveats:
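Review bot: the headers do match the behaviour promised in the prose: `Default-Start: S` with `X-Start-Before: $network` puts the firewall ahead of networking in rcS, and `Default-Stop: 0 6` with `X-Stop-After: $network` tears it down only after networking at halt/reboot, which is what the old `stop 89 0 6` did. Two small points: the block has no `# Description:` line for the longer explanation the linked LSB page allows (optional, but the rest of the Debian init scripts carry one), and the `Short-Description:` value ends with a full stop, unlike the convention in other `/etc/init.d` scripts.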
@@ -1740,8 +1758,10 @@
 # Network that will be used for remote mgmt
 # (if undefined, no rules will be setup)
 # NETWORK_MGMT=192.168.0.0/24
-# Port used for the SSH service, define this is you have setup a
-# management network but remove it from TCP_SERVICES
+# If you want to setup a management network (i.e. you've uncommented
+# the above line) you will need to define the SSH port as well (i.e.
+# uncomment the below line.) Remember to remove the SSH port from the
+# TCP_SERVICES string.
 # SSH_PORT="22"
 
 if ! [ -x /sbin/iptables ]; then  
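Review bot: the rewritten comment makes SSH_PORT a companion of NETWORK_MGMT, but nothing in the script enforces the pairing: if an admin uncomments `NETWORK_MGMT` and forgets `SSH_PORT`, the management rule further down runs with an empty `--dport`. Suggest either a default right after these definitions (`SSH_PORT=${SSH_PORT:-22}`, harmless because the rule only fires when NETWORK_MGMT is set) or an explicit sentence that the rule fails without it. Wording: `setup` as a verb should be `set up` (twice), and the two `i.e.` parentheticals could simply read `(uncomment the line above)` and `(uncomment the line below)`.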
@@ -1766,8 +1786,6 @@
   # Remote management
   if [ -n "$NETWORK_MGMT" ] ; then
     /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
-  else 
-    /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
   fi
   # Remote testing
   /sbin/iptables -A INPUT -p icmp -j ACCEPT
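Review bot: dropping the `else` branch is the right fix, since it accepted `${SSH_PORT}` from any source whenever no management network was defined, which contradicts the point of restricting SSH to NETWORK_MGMT, and in the default configuration it ran with SSH_PORT undefined, presumably the bug the report refers to. With it gone, SSH for the no-management-network case has to come from TCP_SERVICES, as the updated comment says, so the two changes belong together. The surviving branch still assumes SSH_PORT is non-empty; guarding it with `if [ -n "$NETWORK_MGMT" ] && [ -n "$SSH_PORT" ] ; then` (or failing loudly when only one of the two is set) would avoid an iptables error that leaves the host without its management rule.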
-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
