uif 1.1.1-1 / postinst

This file is indexed.

postinst is in uif 1.1.1-1.

This file is a maintainer script. It is executed when installing (*inst) or removing (*rm) the package.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
#!/bin/sh

set -e

# Source debconf library.
. /usr/share/debconf/confmodule

# We exit unless the package is being configured
case "$1" in
        abort*upgrade)         exit 0;;
        abort*remove)          exit 0;;
        abort*deconfigure)     exit 0;;
        configure) ;;
        *)                     exit 0;
esac

# Check their answer.
db_get uif/conf_method

case "$RET" in
	workstation)
		PINGS=0
		TRACERT=0
		TRUSTED=""
		
		# show message
		db_get uif/workstation

		# configure ping / traceroutes
		db_get uif/pings
		
		[ "$RET" = "true" ] && PINGS=1

		db_get uif/traceroute

		[ "$RET" = "true" ] && TRACERT=1

		# configure trusted hosts
		db_get uif/trusted

		if [ -n "$RET" ]; then
			TRUSTED="$TRUSTED $RET"
		fi

		if [ "$PINGS" = "1" -o "$TRACERT" = "1" ]; then
			ICMP_RULE="in+  p="
		else
			ICMP_RULE="#in+  p=ping,traceroute"
		fi
		[ "$PINGS" = "1" ] && ICMP_RULE="${ICMP_RULE}ping"
		[ "$PINGS" = "1" -a "$TRACERT" = "1" ] && ICMP_RULE="${ICMP_RULE},"
		[ "$TRACERT" = "1" ] && ICMP_RULE="${ICMP_RULE}traceroute"
		if [ -n "$TRUSTED" ]; then
			TRUSTED="trusted    $TRUSTED"
			TRUSTED_RULE="in+  s=trusted(4)"
		else
			TRUSTED="#trusted    10.0.0.1"
			TRUSTED_RULE="#in+  s=trusted(4)"
		fi

		if [ -f /etc/uif/uif.conf ]; then
			echo "Backing up your old uif.conf to uif.conf.old..."
			cp /etc/uif/uif.conf /etc/uif/uif.conf.old
		fi

		cat > /etc/uif/uif-ipv4-networks.inc <<EOF
## IPv4 network name definitions for UIF

## automatically configured for Debian systems...
## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".

#  In the network section you're asked to provide informations on all
#  IPv4 hosts and/or networks running in your setup.
#
#  syntax: net_name [ip-address[=mac-address]] [network] [net_name]
#  examples: webserver 192.168.1.5
#            intranet  10.1.0.0/16
#            dmz       10.5.0.0/255.255.0.0
#            some      intranet dmz 10.2.1.1
#            router    10.1.0.1=0A:32:F2:C7:1A:31

network {
    localhost   127.0.0.1
    all         0.0.0.0/0
    $TRUSTED
}
EOF

		cat > /etc/uif/uif-ipv6-networks.inc <<EOF
## IPv6 network name definitions for UIF

## automatically configured for Debian systems...
## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".

#  In the network section you're asked to provide informations on all
#  IPv6 hosts and/or networks running in your setup.
#
#  syntax: net_name [ip-address[=mac-address]] [network] [net_name]
#  examples: webserver 2001:610:1908:b000::148:14
#            intranet  fd00:0:0:1::/64
#            dmz       fd00:0:0:5::/64
#            some      intranet dmz fd00:0:2:1::1
#            router    fd00:0:0:1::1=0A:32:F2:C7:1A:31

network {
    localhost   ::1
    all         ::/0
#   trusted     fd00:1:2:3::/64
}
EOF

		cat > /etc/uif/uif.conf << EOF
## uif Firewall Configuration

## automatically configured for Debian systems...
## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".

## Sysconfig definitions
#  These entries define the global behaviour of the firewall package. Normally
#  they are preset in /etc/default/uif and may be overwritten by this
#  section.
#
#  syntax:   LogLevel : set the kernel loglevel for iptables rules
#            LogPrefix: prepend this string to all iptables logs
#            LogLimit:  set packet limit per time interval (times/interval)
#            LogBurst:  set packet log burst
#  example:
#   sysconfig {
#      LogLevel      debug
#      LogPrefix     FW
#      LogLimit      20/minute
#      LogBurst      5
#      AccountPrefix ACC_
#   }


## Include predefined services
#  The include section takes a bunch of files and includes them into this
#  configuration file.
#
#  syntax:  "filename"
#include {
#    "/etc/uif/services"
#}


## Services needed for workstation setup
#  The service section provides the protocol definitions you're
#  using in the rules. You're forced to declare everything you
#  need for your setup.
#
#  syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
#                       [protocol_name([source:range][/][dest:range])] [service_name] ...
#  examples: http  tcp(/80)
#            dns   tcp(/53) udp(/53)
#            group http dns tcp(/443)
#            ipsec esp(/) udp(/500)
service {
    traceroute  udp(32769:65535/33434:33523) icmp(11)
    ping        icmp(8)
}

## Network definitions needed for IPv4+6 workstation setup
# The network definitions are included from two separate files.
#   1. /etc/uif/uif-ipv4-networks.inc
#   2. /etc/uif/uif-ipv6-networks.inc
#
# If you want to setup IPv4 and IPv6 firewalling easily,
# make sure that all network names you use in your ruleset
# in both include files.
#
# Additionally make /etc/uif/uif6.conf a symlink that points to
# /etc/uif/uif.conf.
#

# IPv4 network definitions
#
# If you update from a version of UIF that supported IPv4 only, then
# you probably want to leave the uif.conf file untouched for now and
# move your network definitions block from uif.conf to uif-ipv4-networks.inc
# manually later.

include4 {
    "/etc/uif/uif-ipv4-networks.inc"
}

# IPv6 network definitions
#
# Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use
# IPv6 support on your UIF based firewall.

include6 {
    "/etc/uif/uif-ipv6-networks.inc"
}

## Interface definitions
#  Since all definitions used in the filter section are symbolic,
#  you've to specify symbolic names for all your interfaces you're
#  going to use.
#
#  syntax: interface_name [unix network interface] [interface_name]
#  examples: internal eth0
#            external ippp0 ipsec0
#            allppp   ppp+
#            group    external allppp eth3
interface {
    loop     lo
}

## Filter definitions
#  The filter section defines the rules for in, out, forward, masquerading
#  and nat. All rules make use of the symbolic names defined above. This
#  section can be used multiple times in one config file. This makes more
#  senese when using one of these alias names:
#  filter, nat, input, output, forward, masquerade
#
#  syntax: in[-/+]  [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          fw[-/+]  [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
#  flags:  limit([count/time[,burst]])
#          reject([reject type])
#          log([name])
#          account(name)
#  examples:
#       masq+  o=extern s=intranet
#       nat+   s=intranet p=http   D=relayintern   P=squid
#       in+    s=trusted  p=ssh,ping,traceroute,http
#       out-   s=intranet p=smb    f=reject
#       fw-    d=microsoft         f=reject,log(ms-alert)
#       fw+    p=myhttp            f=account(HTTP)
#              Take an attention about the protocol for your accounting rules. If you
#              want to count user http traffice, you may need a "myhttp tcp(80/)".
filter {
    in+  i=loop    s=localhost
    out+ o=loop    d=localhost

    $ICMP_RULE
    $TRUSTED_RULE
    out+ d=all

    in-  f=log(input),reject
    out- f=log(output),reject
    fw-  f=log(forward),reject
}
EOF
	;;

	*)
	;;

esac

# protect the uif configuration files against other users
chmod 600 /etc/uif/uif.conf
chmod 600 /etc/uif/uif-ipv*-networks.inc

# Automatically added by dh_installinit
if [ -x "/etc/init.d/uif" ] || [ -e "/etc/init/uif.conf" ]; then
	if [ ! -e "/etc/init/uif.conf" ]; then
		update-rc.d uif defaults >/dev/null
	fi
	invoke-rc.d uif start || exit $?
fi
# End automatically added section


exit 0

APT Browse - Built by Thomas Orozco.