From 09b93bc80e65bbd932c6109fab83a93cb22d1736 Mon Sep 17 00:00:00 2001 From: pvincent Date: Fri, 26 Apr 2024 22:32:05 +0400 Subject: [PATCH] firewall.table detect dev windowmanager samba --- README.md | 9 --------- TODO.md | 14 ++++++++++++++ lib/functions.sh | 20 ++++++++++++++++---- templates/nftables/firewall.table.j2 | 10 +++++++++- 4 files changed, 39 insertions(+), 14 deletions(-) create mode 100644 TODO.md diff --git a/README.md b/README.md index 5e351e1..ae77674 100644 --- a/README.md +++ b/README.md @@ -8,15 +8,6 @@ provisioning tool for building opinionated architecture following these principl * secured: NFT * monitored: MONIT -TODO ----- - -* [ ] backup postgresql missing out on **saturday** -* [ ] TOOLBOOX/nc (binary) -* [ ] final ansible-like indicators: same/new -* [ ] patched editor (backup+editor+diff+patch) -* [ ] to improve log journal for each `recipe` (apache, for example) in order to shorten disk space - ORIGIN ------ diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..3fa75b8 --- /dev/null +++ b/TODO.md @@ -0,0 +1,14 @@ +TODO +==== + +* [ ] backup postgresql missing out on **saturday** +* [ ] TOOLBOOX/nc (binary) +* [ ] final ansible-like indicators: same/new +* [ ] patched editor (backup+editor+diff+patch) +* [ ] to improve log journal for each `recipe` (apache, for example) in order to shorten disk space + + +DONE + +* [x] detect running on window-manager desktop + * [x] `command -v xprop` \ No newline at end of file diff --git a/lib/functions.sh b/lib/functions.sh index feb6afb..c857f70 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -112,14 +112,26 @@ function prepare_nftables() { fi current_target="${TARGET:-not_defined_yet}" + desktop=false + samba=false if [[ $current_target == not_defined_yet ]]; then echo -n "generating new firewall table first time... " else - echo -n "generating new firewall table according to target=<${current_target}>... " + if [[ $current_target == 'dev' ]]; then + if exist_command 'xprop'; then + desktop=true + fi + if exist_command 'smbstatus'; then + samba=true + fi + echo -n "generating new firewall table according to target=<${current_target}>, desktop=<$desktop>, samba=<$samba> ..." + else + echo -n "generating new firewall table according to target=<${current_target}>..." + fi fi - sudo env target="$current_target" tera -e --env-only --env-key env -t "$MIAOU_BASEDIR/templates/nftables/firewall.table.j2" -o /etc/nftables.rules.d/firewall.table &>/dev/null + sudo env target="$current_target" desktop="$desktop" samba="$samba" tera -e --env-only --env-key env -t "$MIAOU_BASEDIR/templates/nftables/firewall.table.j2" -o /etc/nftables.rules.d/firewall.table &>/dev/null sudo systemctl reload nftables - echo "OK" + PREFIX="" echoinfo "DONE" } @@ -196,7 +208,7 @@ function trap_error() { # test all commands exist, else fail function exist_command() { for i in "$@"; do - command -v "$i" &>/dev/null || return 50 + command -v "$i" >/dev/null || return 50 done } diff --git a/templates/nftables/firewall.table.j2 b/templates/nftables/firewall.table.j2 index cc3cfdb..e3e487b 100644 --- a/templates/nftables/firewall.table.j2 +++ b/templates/nftables/firewall.table.j2 
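Review bot: The new `desktop` and `samba` detection in the `dev` branch tests whether a binary is installed (`exist_command 'xprop'`, `exist_command 'smbstatus'`), not whether the service is actually in use, so any dev host with the samba tools present gets the NetBIOS/SMB ports opened even when `smbd` is not running, and an installed `xprop` does not mean a graphical session is active. Since the function already relies on systemd (`sudo systemctl reload nftables`), the samba check could be `if systemctl is-active --quiet smbd; then samba=true; fi`, and the desktop check could inspect the caller's session instead, e.g. `if [[ -n ${DISPLAY:-} || -n ${WAYLAND_DISPLAY:-} ]]; then desktop=true; fi` — worth confirming against how the tool is invoked, because the detection runs before `sudo`, so it is the calling user's environment that is inspected. Separately, the rebuilt `sudo env ... tera ... &>/dev/null` line still discards tera's diagnostics and its exit status is not checked before the nftables reload; unless an `errexit`/ERR trap is active elsewhere in this file (the hunk does not show one), a failed render could reload a stale or truncated firewall table, so consider appending `|| { echo "rendering firewall.table failed" >&2; return 1; }`. `prepare_nftables` begins before this hunk.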
@@ -17,15 +17,23 @@ table inet firewall { tcp dport {22, 2222, 80, 443} accept {%- if env.target == 'dev' %} - + {%- if env.desktop == 'true' %} + + # DESKTOP RULES BELOW + # ------------------- + # allow mDNS udp dport mdns accept + {%- if env.samba == 'true' %} + # allow SAMBA udp dport netbios-ns accept comment "Accept NetBIOS Name Service (nmbd)" udp dport netbios-dgm accept comment "Accept NetBIOS Datagram Service (nmbd)" tcp dport netbios-ssn accept comment "Accept NetBIOS Session Service (smbd)" tcp dport microsoft-ds accept comment "Accept Microsoft Directory Service (smbd)" + {%- endif %} + {%- endif %} {%- endif %} }
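Review bot: The mDNS and SMB accept rules now emitted under `env.desktop == 'true'` match traffic from any source on every interface of the `inet` table — nothing limits the `netbios-*` and `microsoft-ds` accepts to the local network, which is a wider exposure than a dev desktop needs. Consider qualifying those rules with a source or interface restriction, e.g. prefixing them with `ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }` or an `iifname` match for the LAN interface, and doing the same for `udp dport mdns accept`. Note also that the `env.samba == 'true'` block is nested inside the `env.desktop == 'true'` block, so a host where the shell sets `samba=true` but `desktop=false` renders no SMB rules at all; if that coupling is intended, a template comment such as `{# samba rules are only emitted on desktop hosts #}` would make it explicit, otherwise the samba `if` should sit directly under `env.target == 'dev'`. The `table inet firewall` block opens before this hunk.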