Diffstat (limited to 'share/provision/files/njalla-wireguard')
3 files changed, 0 insertions, 220 deletions
|
diff --git a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
deleted file mode 100644
index 9ef8208..0000000
--- a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
+++ /dev/null
@@ -1,179 +0,0 @@
-# -*- shell-script -*-
-#
-#  Configuration file for ferm(1).
-#
-#  V: 0.1
-#
-#  ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
-#  Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-# Really make sure that these modules exist and are loaded.
-@hook pre "/sbin/modprobe nf_conntrack_ftp";
-@hook pre "/sbin/modprobe nfnetlink_log";
-
-# Network interfaces.
-#@def $DEV_LAN = eth0;
-@def $DEV_LAN = ens3;
-@def $DEV_LOOPBACK = lo0;
-@def $DEV_VPN = wg0;
-
-# Network definition for the loopback device. This is needed to allow
-# DNS resolution on Ubuntu Linux where the local resolver is bound
-# to 127.0.1.1 - as opposed to the default 127.0.0.1.
-@def $NET_LOOPBACK = 127.0.0.0/8;
-
-# Common application ports.
-@def $PORT_DNS = 53;
-@def $PORT_FTP = ( 20 21 );
-@def $PORT_NTP = 123;
-@def $PORT_SSH = 22;
-@def $PORT_WEB = ( 80 443 );
-
-# The ports we allow to connect to.
-@def $PORT_WIREGUARD = ( 51820 );
-
-# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
-# Ports Transmission is allowed to use.
-@def $PORT_TRANSMISSION = 16384:65535;
-
-# Public DNS servers and those that are only reachable via VPN.
-# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
-# (https://www.dnsleaktest.com/). The public DNS servers configured on your
-# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
-# but you need to verify this.
-#
-@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 );
-
-# Add your ISP name server to this object if you want to restrict 
-# which DNS servers can be queried.
-@def $IP_DNS_PUBLIC = 0.0.0.0/0;
-
-# DNS server available within the VPN.
-@def $IP_DNS_VPN = ( 95.215.19.53/32 );
-
-# Make sure to use the proper VPN interface (e.g. wg0 in this case).
-# Note: You cannot reference $DEV_VPN here, substition does not take
-#       place for commands passed to a sub shell.
-@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`;
-
-# VPN interface conditional. If true the following rules are loaded.
-@if $VPN_ACTIVE {
-    domain ip {
-        table filter {
-            chain INPUT {
-                interface $DEV_VPN {
-                    proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
-                }
-            }
-            chain OUTPUT {
-                # Default allowed outbound services on the VPN interface.
-                # If you need more simply add your rules here.
-                outerface $DEV_VPN {
-                    proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
-                    proto tcp dport $PORT_FTP ACCEPT;
-                    proto udp dport $PORT_NTP ACCEPT;
-                    proto tcp dport $PORT_SSH ACCEPT;
-                    proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
-                    proto tcp dport $PORT_WEB ACCEPT;
-                }
-            }
-        }
-    }
-}
-
-# The main IPv4 rule set.
-domain ip {
-    table filter {
-        chain INPUT {
-            # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
-            policy DROP;
-
-            # Connection tracking.
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # Allow local traffic to loopback interface.
-            daddr $NET_LOOPBACK ACCEPT;
- 
-            # Allow inbound SSH on your LAN interface _only_.
-            interface $DEV_LAN {
-                proto tcp dport $PORT_SSH ACCEPT;
-            }
-
-            # Respond to ping ... makes debugging easier.
-            proto icmp icmp-type echo-request ACCEPT;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-
-        chain OUTPUT {
-            policy DROP;
-
-            # Connection tracking.
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # Allow local traffic from the loopback interface.
-            saddr $NET_LOOPBACK ACCEPT;
-  
-            # Respond to ping.
-            proto icmp icmp-type echo-request ACCEPT;
-
-            # Allowed services on the LAN interface.
-            outerface $DEV_LAN {
-                proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
-                proto udp dport $PORT_NTP ACCEPT;
-                proto (tcp udp) dport $PORT_WIREGUARD ACCEPT;
-                proto tcp dport $PORT_SSH ACCEPT;
-            }
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-
-        chain FORWARD {
-            policy DROP;
-
-            # If you use your machine to route traffic eg. 
-            # from a VM you have to add rules here!
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-    }
-}
-
-# IPv6 is generally disabled, communication on the loopback device is allowed.
-domain ip6 {
-    table filter {
-        chain INPUT {
-            policy DROP;
-
-            # Allow local traffic.
-            interface $DEV_LOOPBACK ACCEPT;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-        chain OUTPUT {
-            policy DROP;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-        chain FORWARD {
-            policy DROP;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-    }
-}
diff --git a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules
deleted file mode 100644
index 8c9d744..0000000
--- a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="wg0", ACTION=="add",    RUN+="/usr/local/bin/fermreload.sh add"
-KERNEL=="wg0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
diff --git a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh b/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh
deleted file mode 100755
index cebf7cc..0000000
--- a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# fermreload.sh
-# V: 0.1
-#
-# Reloads the ferm firewall ruleset and is invoked by
-# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
-#
-# IPredator 2014
-# Released under the Kopimi license.
-#
-# Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-LOGGER=/usr/bin/logger
-LOGGER_TAG=$0
-
-UDEV_ACTION=$1
-
-FERM=/usr/sbin/ferm
-FERM_CONF=/etc/ferm/ferm.conf
-
-MSG_FW_RULE_ADD="Adding VPN firewall rules."
-MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
-MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
-
-case "$UDEV_ACTION" in
-    add)
-        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
-        $FERM $FERM_CONF
-        ;;
-    remove)
-        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
-        $FERM $FERM_CONF
-        ;;
-    *)
-        $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
-        exit 1
-esac
|
