more better services
authorJustin Wind <justin.wind+git@gmail.com>
Wed, 25 Jan 2017 01:19:03 +0000 (20:19 -0500)
committerJustin Wind <justin.wind+git@gmail.com>
Wed, 25 Jan 2017 01:19:03 +0000 (20:19 -0500)
firewall.sh
services [new file with mode: 0644]

index eab2cb3404574a08d4f8b914022ee7c3d7ef9786..dbc0c3f47328828a09938e1083c0ff1fdfcaa41e 100755 (executable)
@@ -74,15 +74,17 @@ done
 create_set allowed_udp bitmap:port range 0-65535
 create_set allowed_tcp bitmap:port range 0-65535
 
-# common services
-allow_services ssh smtp submission domain ntp
-
-# per-host services
-srv_file="services.$(hostname -s)"
-if [ -e "${srv_file}" ]
-then
-       . "${srv_file}"
-fi
+for sfx in '' ".$(hostname -s)"
+do
+       if [ -e "services${sfx}" ]
+       then
+
+               for l in $(decommentcat "services${sfx}")
+               do
+                       allow_services "${l}"
+               done
+       fi
+done
 
 $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
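Review bot: The `[ -e "services${sfx}" ]` test and the `decommentcat "services${sfx}"` call in the new loop resolve the file relative to whatever directory the script is started from, so the resulting rule set depends on the invoker's cwd, and a writable `services` file in that directory is enough to open ports on `${EXT_IF}`; the per-host file was already looked up this way, but the loop now extends it to a second, unconditional file. Anchor the lookup to the script's own location, e.g. `srv_dir=$(dirname -- "$0")` before the loop and `"${srv_dir}/services${sfx}"` in both the test and the `decommentcat` call, and prefer `-f` over `-e` so a directory of that name is not handed to `decommentcat`. The unquoted `$(decommentcat …)` in the inner `for` is word-split and glob-expanded, so an entry containing `*` or `?` would be replaced by filenames from the cwd before `allow_services` sees it; bracketing the loop with `set -f` / `set +f`, or reading with `while IFS= read -r l`, avoids that. `decommentcat` is not visible in this diff, so I am assuming it only strips comments and blank lines.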
diff --git a/services b/services
new file mode 100644 (file)
index 0000000..9b2cb2a
--- /dev/null
+++ b/services
@@ -0,0 +1,6 @@
+# These are either names as appearing in /etc/services or port/proto
+ssh
+smtp
+submission
+domain
+ntp
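Review bot: The header comment of the new file says an entry may also be `port/proto`, but every entry shown is a name, so the accepted spelling of the numeric form is left to the reader to discover from allow_services; extending the comment to `# One entry per line: a name from /etc/services, or port/proto such as 8080/tcp` would document it in the file that people actually edit. Whether a bare name opens both tcp and udp (relevant for `domain` and `ntp`) is decided by allow_services, which is outside this diff.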