188 lines
5.6 KiB
Bash
Executable File
188 lines
5.6 KiB
Bash
Executable File
#!/bin/sh -e
|
|
|
|
# Only source /usr/share/debconf/confmodule when not called with 'triggered'
|
|
# to avoid LP: #618410.
|
|
if [ "$1" != "triggered" ]; then
|
|
. /usr/share/debconf/confmodule
|
|
fi
|
|
|
|
RULES_PATH="/etc/ufw"
|
|
USER_PATH="$RULES_PATH"
|
|
TEMPLATE_PATH="/usr/share/ufw"
|
|
|
|
enable_ufw() {
|
|
ans=""
|
|
if [ "$1" = "true" ]; then
|
|
ans="yes"
|
|
elif [ "$1" = "false" ]; then
|
|
ans="no"
|
|
else
|
|
return 1
|
|
fi
|
|
|
|
test -f /etc/ufw/ufw.conf && sed -i "s/^ENABLED=.*/ENABLED=$ans/" /etc/ufw/ufw.conf
|
|
}
|
|
|
|
allow_port() {
|
|
ufw allow "$@" >/dev/null || true
|
|
}
|
|
|
|
allow_service() {
|
|
service=`echo "$@" | sed 's/#/ /g'`
|
|
if [ "$service" = "CUPS" ]; then
|
|
allow_port 631
|
|
elif [ "$service" = "DNS" ]; then
|
|
allow_port 53
|
|
elif [ "$service" = "IMAPS" ]; then
|
|
allow_port 993/tcp
|
|
elif [ "$service" = "POP3S" ]; then
|
|
allow_port 995/tcp
|
|
elif [ "$service" = "SSH" ]; then
|
|
allow_port 22/tcp
|
|
elif [ "$service" = "CIFS (Samba)" ]; then
|
|
allow_port 137/udp
|
|
allow_port 138/udp
|
|
allow_port 139/tcp
|
|
allow_port 445/tcp
|
|
elif [ "$service" = "SMTP" ]; then
|
|
allow_port 25/tcp
|
|
elif [ "$service" = "HTTP" ]; then
|
|
allow_port 80/tcp
|
|
elif [ "$service" = "HTTPS" ]; then
|
|
allow_port 443/tcp
|
|
fi
|
|
}
|
|
|
|
# If a primary chain is added to upstream, we should add it on upgrade so
|
|
# reload works correctly
|
|
add_primary_chain() {
|
|
chain="$1"
|
|
builtin="$2"
|
|
ver="$3"
|
|
|
|
exe="iptables"
|
|
if [ "$ver" = "6" ]; then
|
|
exe="ip6tables"
|
|
fi
|
|
if $exe -L "$chain" -n >/dev/null 2>&1 ; then
|
|
return
|
|
fi
|
|
$exe -N "$chain" || true
|
|
$exe -A "$builtin" -j "$chain" || true
|
|
}
|
|
|
|
case "$1" in
|
|
configure)
|
|
# these files are required, but don't want to change them if
|
|
# the user modified them
|
|
for f in before.rules before6.rules after.rules after6.rules
|
|
do
|
|
ucf --debconf-ok $TEMPLATE_PATH/iptables/$f $RULES_PATH/$f
|
|
test -f $RULES_PATH/$f && chmod 640 $RULES_PATH/$f
|
|
done
|
|
|
|
for f in user.rules user6.rules
|
|
do
|
|
if [ ! -e "$USER_PATH/$f" ]; then
|
|
# if no config, copy the template
|
|
cp $TEMPLATE_PATH/iptables/$f $USER_PATH/$f
|
|
chmod 640 $USER_PATH/$f
|
|
fi
|
|
done
|
|
|
|
for f in before.init after.init
|
|
do
|
|
if [ ! -e "/etc/ufw/$f" ]; then
|
|
cp $TEMPLATE_PATH/$f /etc/ufw
|
|
chmod 640 /etc/ufw/$f
|
|
fi
|
|
done
|
|
|
|
if [ ! -e "/etc/ufw/ufw.conf" ]; then
|
|
cp $TEMPLATE_PATH/ufw.conf /etc/ufw
|
|
fi
|
|
|
|
# configure ufw with debconf values
|
|
db_get ufw/enable
|
|
enabled="$RET"
|
|
|
|
db_fget ufw/existing_configuration seen
|
|
seen_warning="$RET"
|
|
if [ "$enabled" = "true" ] && [ "$seen_warning" = "false" ] ; then
|
|
db_get ufw/allow_known_ports
|
|
CHOICES="$RET"
|
|
for service in `echo "$CHOICES" | sed 's/, /\n/g' | sed 's/ /#/g'`; do
|
|
allow_service "$service"
|
|
done
|
|
|
|
db_get ufw/allow_custom_ports
|
|
PORTS="$RET"
|
|
for port in $PORTS ; do
|
|
allow_port "$port"
|
|
done
|
|
|
|
db_fset ufw/existing_configuration seen true
|
|
fi
|
|
|
|
# need to do this after all 'allow_service' calls, otherwise ufw may
|
|
# try to use iptables, which breaks the installer
|
|
enable_ufw "$enabled"
|
|
|
|
# add new primary chains on upgrade
|
|
if [ "$enabled" = "true" ] && [ ! -z "$2" ] && dpkg --compare-versions "$2" lt "0.34~rc-0ubuntu2" ; then
|
|
add_primary_chain ufw-track-forward FORWARD
|
|
add_primary_chain ufw6-track-forward FORWARD 6
|
|
fi
|
|
;;
|
|
triggered)
|
|
ufw app update all || echo "Processing ufw triggers failed. Ignoring."
|
|
exit 0
|
|
;;
|
|
abort-upgrade|abort-remove|abort-deconfigure)
|
|
;;
|
|
*)
|
|
echo "postinst called with unknown argument '$1'" >&2
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
|
|
# Automatically added by dh_python3
|
|
if command -v py3compile >/dev/null 2>&1; then
|
|
py3compile -p ufw
|
|
fi
|
|
if command -v pypy3compile >/dev/null 2>&1; then
|
|
pypy3compile -p ufw || true
|
|
fi
|
|
|
|
# End automatically added section
|
|
# Automatically added by dh_installdeb/13.14.1ubuntu5
|
|
dpkg-maintscript-helper rm_conffile /etc/init/ufw.conf 0.35-5\~ ufw -- "$@"
|
|
dpkg-maintscript-helper rm_conffile /etc/bash_completion.d/ufw 0.34-1\~ ufw -- "$@"
|
|
# End automatically added section
|
|
# Automatically added by dh_installinit/13.14.1ubuntu5
|
|
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
|
|
if [ -x "/etc/init.d/ufw" ]; then
|
|
update-rc.d ufw defaults >/dev/null || exit 1
|
|
fi
|
|
fi
|
|
# End automatically added section
|
|
# Automatically added by dh_installsystemd/13.14.1ubuntu5
|
|
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
|
|
# The following line should be removed in trixie or trixie+1
|
|
deb-systemd-helper unmask 'ufw.service' >/dev/null || true
|
|
|
|
# was-enabled defaults to true, so new installations run enable.
|
|
if deb-systemd-helper --quiet was-enabled 'ufw.service'; then
|
|
# Enables the unit on first installation, creates new
|
|
# symlinks on upgrades if the unit file has changed.
|
|
deb-systemd-helper enable 'ufw.service' >/dev/null || true
|
|
else
|
|
# Update the statefile to add new symlinks (if any), which need to be
|
|
# cleaned up on purge. Also remove old symlinks.
|
|
deb-systemd-helper update-state 'ufw.service' >/dev/null || true
|
|
fi
|
|
fi
|
|
# End automatically added section
|
|
|