Diffstat (limited to 'share/provision/files')
9 files changed, 0 insertions, 665 deletions
diff --git a/share/provision/files/desktop-basic/etc/default/keyboard b/share/provision/files/desktop-basic/etc/default/keyboard
deleted file mode 100644
index f18fc73..0000000
--- a/share/provision/files/desktop-basic/etc/default/keyboard
+++ /dev/null
@@ -1,10 +0,0 @@
-# KEYBOARD CONFIGURATION FILE
-
-# Consult the keyboard(5) manual page.
-
-XKBMODEL="abnt2"
-XKBLAYOUT="br"
-XKBVARIANT="thinkpad"
-XKBOPTIONS="compose:ralt,terminate:ctrl_alt_bksp"
-
-BACKSPACE="guess"
diff --git a/share/provision/files/desktop-basic/etc/lightdm/lightdm.conf b/share/provision/files/desktop-basic/etc/lightdm/lightdm.conf
deleted file mode 100644
index 7614cc2..0000000
--- a/share/provision/files/desktop-basic/etc/lightdm/lightdm.conf
+++ /dev/null
@@ -1,165 +0,0 @@
-#
-# General configuration
-#
-# start-default-seat = True to always start one seat if none are defined in the configuration
-# greeter-user = User to run greeter as
-# minimum-display-number = Minimum display number to use for X servers
-# minimum-vt = First VT to run displays on
-# lock-memory = True to prevent memory from being paged to disk
-# user-authority-in-system-dir = True if session authority should be in the system location
-# guest-account-script = Script to be run to setup guest account
-# logind-check-graphical = True to on start seats that are marked as graphical by logind
-# log-directory = Directory to log information to
-# run-directory = Directory to put running state in
-# cache-directory = Directory to cache to
-# sessions-directory = Directory to find sessions
-# remote-sessions-directory = Directory to find remote sessions
-# greeters-directory = Directory to find greeters
-# backup-logs = True to move add a .old suffix to old log files when opening new ones
-#
-[LightDM]
-#start-default-seat=true
-#greeter-user=lightdm
-#minimum-display-number=0
-#minimum-vt=7
-#lock-memory=true
-#user-authority-in-system-dir=false
-#guest-account-script=guest-account
-#logind-check-graphical=false
-#log-directory=/var/log/lightdm
-#run-directory=/var/run/lightdm
-#cache-directory=/var/cache/lightdm
-#sessions-directory=/usr/share/lightdm/sessions:/usr/share/xsessions:/usr/share/wayland-sessions
-#remote-sessions-directory=/usr/share/lightdm/remote-sessions
-#greeters-directory=/usr/share/lightdm/greeters:/usr/share/xgreeters
-#backup-logs=true
-
-#
-# Seat configuration
-#
-# Seat configuration is matched against the seat name glob in the section, for example:
-# [Seat:*] matches all seats and is applied first.
-# [Seat:seat0] matches the seat named "seat0".
-# [Seat:seat-thin-client*] matches all seats that have names that start with "seat-thin-client".
-#
-# type = Seat type (xlocal, xremote, unity)
-# pam-service = PAM service to use for login
-# pam-autologin-service = PAM service to use for autologin
-# pam-greeter-service = PAM service to use for greeters
-# xserver-command = X server command to run (can also contain arguments e.g. X -special-option)
-# xmir-command = Xmir server command to run (can also contain arguments e.g. Xmir -special-option)
-# xserver-config = Config file to pass to X server
-# xserver-layout = Layout to pass to X server
-# xserver-allow-tcp = True if TCP/IP connections are allowed to this X server
-# xserver-share = True if the X server is shared for both greeter and session
-# xserver-hostname = Hostname of X server (only for type=xremote)
-# xserver-display-number = Display number of X server (only for type=xremote)
-# xdmcp-manager = XDMCP manager to connect to (implies xserver-allow-tcp=true)
-# xdmcp-port = XDMCP UDP/IP port to communicate on
-# xdmcp-key = Authentication key to use for XDM-AUTHENTICATION-1 (stored in keys.conf)
-# unity-compositor-command = Unity compositor command to run (can also contain arguments e.g. unity-system-compositor -special-option)
-# unity-compositor-timeout = Number of seconds to wait for compositor to start
-# greeter-session = Session to load for greeter
-# greeter-hide-users = True to hide the user list
-# greeter-allow-guest = True if the greeter should show a guest login option
-# greeter-show-manual-login = True if the greeter should offer a manual login option
-# greeter-show-remote-login = True if the greeter should offer a remote login option
-# user-session = Session to load for users
-# allow-user-switching = True if allowed to switch users
-# allow-guest = True if guest login is allowed
-# guest-session = Session to load for guests (overrides user-session)
-# session-wrapper = Wrapper script to run session with
-# greeter-wrapper = Wrapper script to run greeter with
-# guest-wrapper = Wrapper script to run guest sessions with
-# display-setup-script = Script to run when starting a greeter session (runs as root)
-# display-stopped-script = Script to run after stopping the display server (runs as root)
-# greeter-setup-script = Script to run when starting a greeter (runs as root)
-# session-setup-script = Script to run when starting a user session (runs as root)
-# session-cleanup-script = Script to run when quitting a user session (runs as root)
-# autologin-guest = True to log in as guest by default
-# autologin-user = User to log in with by default (overrides autologin-guest)
-# autologin-user-timeout = Number of seconds to wait before loading default user
-# autologin-session = Session to load for automatic login (overrides user-session)
-# autologin-in-background = True if autologin session should not be immediately activated
-# exit-on-failure = True if the daemon should exit if this seat fails
-#
-[Seat:*]
-#type=xlocal
-#pam-service=lightdm
-#pam-autologin-service=lightdm-autologin
-#pam-greeter-service=lightdm-greeter
-#xserver-command=X
-#xmir-command=Xmir
-#xserver-config=
-#xserver-layout=
-xserver-allow-tcp=true
-#xserver-share=true
-#xserver-hostname=
-#xserver-display-number=
-#xdmcp-manager=
-#xdmcp-port=177
-#xdmcp-key=
-#unity-compositor-command=unity-system-compositor
-#unity-compositor-timeout=60
-#greeter-session=example-gtk-gnome
-#greeter-hide-users=false
-#greeter-allow-guest=true
-#greeter-show-manual-login=false
-#greeter-show-remote-login=true
-#user-session=default
-#allow-user-switching=true
-#allow-guest=true
-#guest-session=
-#session-wrapper=lightdm-session
-#greeter-wrapper=
-#guest-wrapper=
-#display-setup-script=
-#display-stopped-script=
-#greeter-setup-script=
-#session-setup-script=
-#session-cleanup-script=
-#autologin-guest=false
-autologin-user=user
-autologin-user-timeout=0
-#autologin-in-background=false
-#autologin-session=
-#exit-on-failure=false
-
-#
-# XDMCP Server configuration
-#
-# enabled = True if XDMCP connections should be allowed
-# port = UDP/IP port to listen for connections on
-# listen-address = Host/address to listen for XDMCP connections (use all addresses if not present)
-# key = Authentication key to use for XDM-AUTHENTICATION-1 or blank to not use authentication (stored in keys.conf)
-# hostname = Hostname to report to XDMCP clients (defaults to system hostname if unset)
-#
-# The authentication key is a 56 bit DES key specified in hex as 0xnnnnnnnnnnnnnn. Alternatively
-# it can be a word and the first 7 characters are used as the key.
-#
-[XDMCPServer]
-enabled=true
-port=177
-#listen-address=
-#key=
-#hostname=
-
-#
-# VNC Server configuration
-#
-# enabled = True if VNC connections should be allowed
-# command = Command to run Xvnc server with
-# port = TCP/IP port to listen for connections on
-# listen-address = Host/address to listen for VNC connections (use all addresses if not present)
-# width = Width of display to use
-# height = Height of display to use
-# depth = Color depth of display to use
-#
-[VNCServer]
-#enabled=false
-#command=Xvnc
-#port=5900
-#listen-address=
-#width=1024
-#height=768
-#depth=8
diff --git a/share/provision/files/desktop-basic/home/user/.custom/xsession b/share/provision/files/desktop-basic/home/user/.custom/xsession
deleted file mode 100644
index ee206e0..0000000
--- a/share/provision/files/desktop-basic/home/user/.custom/xsession
+++ /dev/null
@@ -1,48 +0,0 @@
-#
-# Custom X11 session config
-#
-
-# Parameters
-HOSTNAME="`cat /etc/hostname | cut -d . -f 1`"
-
-# Set window manager
-WINDOW_MANAGER="ratpoison"
-
-# Display device
-DISPLAY_DEVICE="Virtual-0" # or maybe qlx-0
-
-#
-# Set screen size
-#
-
-# Modeline determined by running "cvt 1280 780"
-#xrandr --newmode "1280x780_60.00" 81.50 1280 1352 1480 1680 780 783 793 810 -hsync +vsync
-#xrandr --addmode $DISPLAY_DEVICE 1280x780_60.00
-
-# Modeline determined by running "cvt 1368 748"
-#xrandr --newmode "1368x748_60.00" 83.00 1368 1440 1576 1784 748 751 761 777 -hsync +vsync
-#xrandr --addmode $DISPLAY_DEVICE 1368x748_60.00
-
-# Set default modeline
-#xrandr --output $DISPLAY_DEVICE --mode 1368x748_60.00
-#xrandr --output $DISPLAY_DEVICE --mode 1280x780_60.00
-
-# Workaround for programs that depend on a system fully operational
-# Example: chromium browser running with firejail when your ${DOWNLOADS}
-# path is a shared folder to be mounted by kvmx. If you don't sleep here,
-# you mind find a whitelisting error at the firejail profile in your
-# ~/.xsession-errors.
-sleep 8
-
-# Startup programs
-if [ "$HOSTNAME" = "web" ]; then
- PROGRAMS="$PROGRAMS tor-browser"
-elif [ "$HOSTNAME" = "vnc" ]; then
- PROGRAMS="$PROGRAMS vnc"
-else
- PROGRAMS="$PROGRAMS terminal"
-fi
-
-# Fix keyboard layout if needed
-# https://wiki.debian.org/Keyboard
-#setxkbmap -model abnt2 -layout br -variant thinkpad
diff --git a/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf b/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf
deleted file mode 100644
index a25a3d2..0000000
--- a/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf
+++ /dev/null
@@ -1,181 +0,0 @@
-# -*- shell-script -*-
-#
-# Configuration file for ferm(1).
-#
-# V: 0.1
-#
-# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
-# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-# Really make sure that these modules exist and are loaded.
-@hook pre "/sbin/modprobe nf_conntrack_ftp";
-@hook pre "/sbin/modprobe nfnetlink_log";
-
-# Network interfaces.
-#@def $DEV_LAN = eth0;
-@def $DEV_LAN = ens3;
-@def $DEV_LOOPBACK = lo0;
-@def $DEV_VPN = tun0;
-
-# Network definition for the loopback device. This is needed to allow
-# DNS resolution on Ubuntu Linux where the local resolver is bound
-# to 127.0.1.1 - as opposed to the default 127.0.0.1.
-@def $NET_LOOPBACK = 127.0.0.0/8;
-
-# Common application ports.
-@def $PORT_DNS = 53;
-@def $PORT_FTP = ( 20 21 );
-@def $PORT_NTP = 123;
-@def $PORT_SSH = 22;
-@def $PORT_WEB = ( 80 443 );
-
-# The ports we allow OpenVPN to connect to. IPredator allows you
-# to connect on _any_ port. Simply add more ports if desired but
-# stick to only those that you really need.
-@def $PORT_OPENVPN = (1194 1234 1337 2342 5060);
-
-# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
-# Ports Transmission is allowed to use.
-@def $PORT_TRANSMISSION = 16384:65535;
-
-# Public DNS servers and those that are only reachable via VPN.
-# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
-# (https://www.dnsleaktest.com/). The public DNS servers configured on your
-# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
-# but you need to verify this.
-#
-@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32);
-
-# Add your ISP name server to this object if you want to restrict
-# which DNS servers can be queried.
-@def $IP_DNS_PUBLIC = 0.0.0.0/0;
-
-# DNS server available within the VPN.
-@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 );
-
-# Make sure to use the proper VPN interface (e.g. tun0 in this case).
-# Note: You cannot reference $DEV_VPN here, substition does not take
-# place for commands passed to a sub shell.
-@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`;
-
-# VPN interface conditional. If true the following rules are loaded.
-@if $VPN_ACTIVE {
- domain ip {
- table filter {
- chain INPUT {
- interface $DEV_VPN {
- proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
- }
- }
- chain OUTPUT {
- # Default allowed outbound services on the VPN interface.
- # If you need more simply add your rules here.
- outerface $DEV_VPN {
- proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
- proto tcp dport $PORT_FTP ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
- proto tcp dport $PORT_WEB ACCEPT;
- }
- }
- }
- }
-}
-
-# The main IPv4 rule set.
-domain ip {
- table filter {
- chain INPUT {
- # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic to loopback interface.
- daddr $NET_LOOPBACK ACCEPT;
-
- # Allow inbound SSH on your LAN interface _only_.
- interface $DEV_LAN {
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Respond to ping ... makes debugging easier.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain OUTPUT {
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic from the loopback interface.
- saddr $NET_LOOPBACK ACCEPT;
-
- # Respond to ping.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Allowed services on the LAN interface.
- outerface $DEV_LAN {
- proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto (tcp udp) dport $PORT_OPENVPN ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain FORWARD {
- policy DROP;
-
- # If you use your machine to route traffic eg.
- # from a VM you have to add rules here!
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}
-
-# IPv6 is generally disabled, communication on the loopback device is allowed.
-domain ip6 {
- table filter {
- chain INPUT {
- policy DROP;
-
- # Allow local traffic.
- interface $DEV_LOOPBACK ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain OUTPUT {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain FORWARD {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}
diff --git a/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules
deleted file mode 100644
index 64d8bd1..0000000
--- a/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add"
-KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
diff --git a/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh b/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh
deleted file mode 100755
index cebf7cc..0000000
--- a/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# fermreload.sh
-# V: 0.1
-#
-# Reloads the ferm firewall ruleset and is invoked by
-# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
-#
-# IPredator 2014
-# Released under the Kopimi license.
-#
-# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-LOGGER=/usr/bin/logger
-LOGGER_TAG=$0
-
-UDEV_ACTION=$1
-
-FERM=/usr/sbin/ferm
-FERM_CONF=/etc/ferm/ferm.conf
-
-MSG_FW_RULE_ADD="Adding VPN firewall rules."
-MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
-MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
-
-case "$UDEV_ACTION" in
- add)
- $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
- $FERM $FERM_CONF
- ;;
- remove)
- $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
- $FERM $FERM_CONF
- ;;
- *)
- $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
- exit 1
-esac
diff --git a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
deleted file mode 100644
index 9ef8208..0000000
--- a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
+++ /dev/null
@@ -1,179 +0,0 @@
-# -*- shell-script -*-
-#
-# Configuration file for ferm(1).
-#
-# V: 0.1
-#
-# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
-# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-# Really make sure that these modules exist and are loaded.
-@hook pre "/sbin/modprobe nf_conntrack_ftp";
-@hook pre "/sbin/modprobe nfnetlink_log";
-
-# Network interfaces.
-#@def $DEV_LAN = eth0;
-@def $DEV_LAN = ens3;
-@def $DEV_LOOPBACK = lo0;
-@def $DEV_VPN = wg0;
-
-# Network definition for the loopback device. This is needed to allow
-# DNS resolution on Ubuntu Linux where the local resolver is bound
-# to 127.0.1.1 - as opposed to the default 127.0.0.1.
-@def $NET_LOOPBACK = 127.0.0.0/8;
-
-# Common application ports.
-@def $PORT_DNS = 53;
-@def $PORT_FTP = ( 20 21 );
-@def $PORT_NTP = 123;
-@def $PORT_SSH = 22;
-@def $PORT_WEB = ( 80 443 );
-
-# The ports we allow to connect to.
-@def $PORT_WIREGUARD = ( 51820 );
-
-# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
-# Ports Transmission is allowed to use.
-@def $PORT_TRANSMISSION = 16384:65535;
-
-# Public DNS servers and those that are only reachable via VPN.
-# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
-# (https://www.dnsleaktest.com/). The public DNS servers configured on your
-# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
-# but you need to verify this.
-#
-@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 );
-
-# Add your ISP name server to this object if you want to restrict
-# which DNS servers can be queried.
-@def $IP_DNS_PUBLIC = 0.0.0.0/0;
-
-# DNS server available within the VPN.
-@def $IP_DNS_VPN = ( 95.215.19.53/32 );
-
-# Make sure to use the proper VPN interface (e.g. wg0 in this case).
-# Note: You cannot reference $DEV_VPN here, substition does not take
-# place for commands passed to a sub shell.
-@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`;
-
-# VPN interface conditional. If true the following rules are loaded.
-@if $VPN_ACTIVE {
- domain ip {
- table filter {
- chain INPUT {
- interface $DEV_VPN {
- proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
- }
- }
- chain OUTPUT {
- # Default allowed outbound services on the VPN interface.
- # If you need more simply add your rules here.
- outerface $DEV_VPN {
- proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
- proto tcp dport $PORT_FTP ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
- proto tcp dport $PORT_WEB ACCEPT;
- }
- }
- }
- }
-}
-
-# The main IPv4 rule set.
-domain ip {
- table filter {
- chain INPUT {
- # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic to loopback interface.
- daddr $NET_LOOPBACK ACCEPT;
-
- # Allow inbound SSH on your LAN interface _only_.
- interface $DEV_LAN {
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Respond to ping ... makes debugging easier.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain OUTPUT {
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic from the loopback interface.
- saddr $NET_LOOPBACK ACCEPT;
-
- # Respond to ping.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Allowed services on the LAN interface.
- outerface $DEV_LAN {
- proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto (tcp udp) dport $PORT_WIREGUARD ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain FORWARD {
- policy DROP;
-
- # If you use your machine to route traffic eg.
- # from a VM you have to add rules here!
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}
-
-# IPv6 is generally disabled, communication on the loopback device is allowed.
-domain ip6 {
- table filter {
- chain INPUT {
- policy DROP;
-
- # Allow local traffic.
- interface $DEV_LOOPBACK ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain OUTPUT {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain FORWARD {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}
diff --git a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules
deleted file mode 100644
index 8c9d744..0000000
--- a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="wg0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add"
-KERNEL=="wg0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
diff --git a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh b/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh
deleted file mode 100755
index cebf7cc..0000000
--- a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# fermreload.sh
-# V: 0.1
-#
-# Reloads the ferm firewall ruleset and is invoked by
-# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
-#
-# IPredator 2014
-# Released under the Kopimi license.
-#
-# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-LOGGER=/usr/bin/logger
-LOGGER_TAG=$0
-
-UDEV_ACTION=$1
-
-FERM=/usr/sbin/ferm
-FERM_CONF=/etc/ferm/ferm.conf
-
-MSG_FW_RULE_ADD="Adding VPN firewall rules."
-MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
-MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
-
-case "$UDEV_ACTION" in
- add)
- $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
- $FERM $FERM_CONF
- ;;
- remove)
- $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
- $FERM $FERM_CONF
- ;;
- *)
- $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
- exit 1
-esac |