2016-07-03 17:13:34 +02:00
|
|
|
#!/bin/bash
|
|
|
|
|
#
|
|
|
|
|
# .---. . .
|
|
|
|
|
# | | |
|
|
|
|
|
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
|
|
|
|
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
|
|
|
|
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
|
|
|
|
#
|
|
|
|
|
# Freedom in the Cloud
|
|
|
|
|
#
|
|
|
|
|
# Firewall functions
|
|
|
|
|
#
|
|
|
|
|
# License
|
|
|
|
|
# =======
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2014-2016 Bob Mottram <bob@robotics.uk.to>
|
|
|
|
|
#
|
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU Affero General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
function save_firewall_settings {
|
2016-07-12 09:27:11 +02:00
|
|
|
iptables-save > /etc/firewall.conf
|
|
|
|
|
ip6tables-save > /etc/firewall6.conf
|
|
|
|
|
printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
|
|
|
|
|
printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
|
|
|
|
|
printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
|
|
|
|
|
chmod +x /etc/network/if-up.d/iptables
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
2016-08-10 23:16:34 +02:00
|
|
|
function global_rate_limit {
|
|
|
|
|
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
|
|
|
|
|
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
|
|
|
|
|
else
|
|
|
|
|
sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
|
|
|
|
|
fi
|
2016-09-29 13:41:26 +02:00
|
|
|
sysctl -p 2> /dev/null
|
2016-08-10 23:16:34 +02:00
|
|
|
}
|
|
|
|
|
|
2016-07-03 17:13:34 +02:00
|
|
|
function enable_ipv6 {
|
2016-07-12 09:27:11 +02:00
|
|
|
# endure that ipv6 is enabled and can route
|
|
|
|
|
sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
|
|
|
|
|
#sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
|
|
|
|
|
#sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
|
|
|
|
|
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall {
|
2016-08-10 23:16:34 +02:00
|
|
|
if [ $INSTALLING_MESH ]; then
|
|
|
|
|
mesh_firewall
|
|
|
|
|
return
|
|
|
|
|
fi
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -q "RELATED" /etc/firewall.conf; then
|
|
|
|
|
# recreate the firewall to remove RELATED
|
|
|
|
|
sed -i "/firewall/d" $COMPLETION_FILE
|
|
|
|
|
fi
|
|
|
|
|
if grep -Fxq "configure_firewall" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
|
|
|
|
|
# docker does its own firewalling
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -P INPUT ACCEPT
|
|
|
|
|
ip6tables -P INPUT ACCEPT
|
|
|
|
|
iptables -F
|
|
|
|
|
ip6tables -F
|
|
|
|
|
iptables -t nat -F
|
|
|
|
|
ip6tables -t nat -F
|
|
|
|
|
iptables -X
|
|
|
|
|
ip6tables -X
|
|
|
|
|
iptables -P INPUT DROP
|
|
|
|
|
ip6tables -P INPUT DROP
|
|
|
|
|
iptables -A INPUT -i lo -j ACCEPT
|
|
|
|
|
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
|
|
|
|
|
|
|
# Make sure incoming tcp connections are SYN packets
|
|
|
|
|
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
|
|
|
|
|
|
|
|
|
# Drop packets with incoming fragments
|
|
|
|
|
iptables -A INPUT -f -j DROP
|
|
|
|
|
|
|
|
|
|
# Drop bogons
|
|
|
|
|
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
|
|
|
|
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
|
|
|
|
|
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
|
|
|
|
|
|
|
|
|
# Incoming malformed NULL packets:
|
|
|
|
|
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
|
|
|
|
|
|
|
|
|
echo 'configure_firewall' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall_ping {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
# Only allow ping for mesh installs
|
|
|
|
|
if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
|
|
|
|
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
|
|
|
|
function_check save_firewall_settings
|
|
|
|
|
save_firewall_settings
|
|
|
|
|
echo 'configure_firewall_ping' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall_for_avahi {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -A INPUT -p tcp --dport 548 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p udp --dport 548 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p udp --dport 5354 -j ACCEPT
|
|
|
|
|
function_check save_firewall_settings
|
|
|
|
|
save_firewall_settings
|
|
|
|
|
echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall_for_dns {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
|
|
|
|
|
# docker does its own firewalling
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
|
|
|
|
|
function_check save_firewall_settings
|
|
|
|
|
save_firewall_settings
|
|
|
|
|
echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall_for_web_access {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
|
|
|
|
|
# docker does its own firewalling
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $ONION_ONLY != "no" ]]; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
|
|
|
|
|
function_check save_firewall_settings
|
|
|
|
|
save_firewall_settings
|
|
|
|
|
|
|
|
|
|
echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall_for_web_server {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
|
|
|
|
|
# docker does its own firewalling
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $ONION_ONLY != "no" ]]; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
|
|
|
|
|
function_check save_firewall_settings
|
|
|
|
|
save_firewall_settings
|
|
|
|
|
|
|
|
|
|
OPEN_PORTS+=('HTTP 80')
|
|
|
|
|
OPEN_PORTS+=('HTTPS 443')
|
|
|
|
|
echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall_for_ssh {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
|
|
|
|
|
# docker does its own firewalling
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
|
|
|
|
|
function_check save_firewall_settings
|
|
|
|
|
save_firewall_settings
|
|
|
|
|
|
|
|
|
|
OPEN_PORTS+=("SSH $SSH_PORT")
|
|
|
|
|
echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_firewall_for_git {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
|
|
|
|
|
# docker does its own firewalling
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $ONION_ONLY != "no" ]]; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
iptables -A INPUT -p tcp --dport 9418 -j ACCEPT
|
|
|
|
|
function_check save_firewall_settings
|
|
|
|
|
save_firewall_settings
|
|
|
|
|
|
|
|
|
|
OPEN_PORTS+=("Git 9418")
|
|
|
|
|
echo 'configure_firewall_for_git' >> $COMPLETION_FILE
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function configure_internet_protocol {
|
2016-07-12 09:27:11 +02:00
|
|
|
if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
|
|
|
|
|
sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
|
|
|
|
|
if ! grep -q "ignore pings" /etc/sysctl.conf; then
|
|
|
|
|
echo '# ignore pings' >> /etc/sysctl.conf
|
|
|
|
|
echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
|
|
|
|
|
echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "disable ipv6" /etc/sysctl.conf; then
|
|
|
|
|
echo '# disable ipv6' >> /etc/sysctl.conf
|
|
|
|
|
echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
|
|
|
|
|
echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
|
|
|
|
|
echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "keepalive" /etc/sysctl.conf; then
|
|
|
|
|
echo '# keepalive' >> /etc/sysctl.conf
|
|
|
|
|
echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
|
|
|
|
|
echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
|
|
|
|
|
echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
|
|
|
|
|
fi
|
|
|
|
|
echo 'configure_internet_protocol' >> $COMPLETION_FILE
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function mesh_firewall {
|
|
|
|
|
FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
|
|
|
|
|
MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
|
|
|
|
|
|
|
|
|
|
echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo '' >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
|
|
|
|
chmod +x $MESH_FIREWALL_SCRIPT
|
|
|
|
|
|
|
|
|
|
echo '[Unit]' > $FIREWALL_FILENAME
|
|
|
|
|
echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
|
|
|
|
|
echo '' >> $FIREWALL_FILENAME
|
|
|
|
|
echo '[Service]' >> $FIREWALL_FILENAME
|
|
|
|
|
echo 'Type=oneshot' >> $FIREWALL_FILENAME
|
|
|
|
|
echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
|
|
|
|
|
echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
|
|
|
|
|
echo '' >> $FIREWALL_FILENAME
|
|
|
|
|
echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
|
|
|
|
|
echo '' >> $FIREWALL_FILENAME
|
|
|
|
|
echo '[Install]' >> $FIREWALL_FILENAME
|
|
|
|
|
echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
|
|
|
|
|
chroot "$rootdir" systemctl enable meshfirewall
|
2016-07-03 17:13:34 +02:00
|
|
|
}
|
