Merge pull request #1114 from kernelkit/fw

Add basic zone-based firewall

Author: troglobit

.github/workflows/docs.yml

@@ -41,6 +41,7 @@ jobs:
           pipx inject mkdocs mkdocs-callouts
           pipx inject mkdocs mike
           pipx inject mkdocs mkdocs-to-pdf
+          pipx inject mkdocs mkdocs-glightbox
           # Workaround, if pipx inject fails to install symlink
           ln -s "$(pipx environment -V PIPX_LOCAL_VENVS)/mkdocs/bin/mike" \
                 "$(pipx environment -V PIPX_BIN_DIR)/mike" || true

README.md

@@ -1,6 +1,6 @@
 [![License Badge][]][License] [![GitHub Status][]][GitHub] [![Coverity Status][]][Coverity Scan] [![Discord][discord-badge]][discord-url]
 
-<img align="right" src="doc/logo.png" alt="Infix - Linux <3 NETCONF" width=480 border=10>
+<img align="right" src="doc/logo.png" alt="Infix — Immutable.Friendly.Secure" width=480 border=10>
 
 Turn any ARM or x86 device into a powerful, manageable network appliance
 in minutes. From $35 Raspberry Pi boards to enterprise switches — deploy

board/common/rootfs/etc/finit.d/available/firewalld.conf

@@ -0,0 +1,3 @@
+service [2345] <!pid/syslogd> reload:'firewall-cmd -q --reload' \
+	firewalld --nofork --log-target syslog                  \
+	-- Firewall daemon

board/common/rootfs/etc/syslog.d/firewall.conf

@@ -0,0 +1,6 @@
+# Log firewall denied/rejected packet logs to dedicated file
+# https://www.cyberciti.biz/faq/enable-firewalld-logging-for-denied-packets-on-linux/
+:msg, contains, "_DROP"
+kern.*                  -/var/log/firewall.log
+:msg, contains, "_REJECT"
+kern.*                  -/var/log/firewall.log

board/common/rootfs/usr/bin/yorn

@@ -1,11 +1,18 @@
 #!/bin/sh
+opts="-n1"
+
+if [ "$1" = "-q" ]; then
+    opts="$opts -s"
+    shift
+fi
+
 Q=$@
 
 /bin/echo -n "$Q, are you sure (y/N)? "
-read -n1 yorn
+read $opts yorn
 echo
 
-if [ x$yorn != "xy" ] && [ x$yorn != "xY" ]; then
+if [ "x$yorn" != "xy" ] && [ "x$yorn" != "xY" ]; then
    echo "OK, aborting."
    exit 1
 fi

buildroot

@@ -73,6 +73,7 @@ BR2_PACKAGE_CONNTRACK_TOOLS=y
 BR2_PACKAGE_DNSMASQ=y
 BR2_PACKAGE_ETHTOOL=y
 BR2_PACKAGE_FPING=y
+BR2_PACKAGE_FIREWALL=y
 BR2_PACKAGE_FRR=y
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_IPERF3=y

configs/aarch64_defconfig

@@ -67,6 +67,7 @@ BR2_PACKAGE_AVAHI_DEFAULT_SERVICES=y
 BR2_PACKAGE_CHRONY=y
 BR2_PACKAGE_DNSMASQ=y
 BR2_PACKAGE_ETHTOOL=y
+BR2_PACKAGE_FIREWALL=y
 BR2_PACKAGE_FRR=y
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_IPROUTE2=y

configs/aarch64_minimal_defconfig

@@ -91,6 +91,7 @@ BR2_PACKAGE_CONNTRACK_TOOLS=y
 BR2_PACKAGE_DNSMASQ=y
 BR2_PACKAGE_ETHTOOL=y
 BR2_PACKAGE_FPING=y
+BR2_PACKAGE_FIREWALL=y
 BR2_PACKAGE_FRR=y
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_IPERF3=y

configs/r2s_defconfig

@@ -86,6 +86,7 @@ BR2_PACKAGE_CONNTRACK_TOOLS=y
 BR2_PACKAGE_DNSMASQ=y
 BR2_PACKAGE_ETHTOOL=y
 BR2_PACKAGE_FPING=y
+BR2_PACKAGE_FIREWALL=y
 BR2_PACKAGE_FRR=y
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_IPERF3=y