Allow group 'users' or /etc/fireall.d/phoneout.groups in default config

vaeth · Sep 12, 2017 · 453914e · 453914e
1 parent 66987aa
commit 453914e
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 15 deletions.
diff --git a/Makefile b/Makefile
@@ -31,6 +31,7 @@ install: firewall-scripted.sh
 	install -m 644 sbin/firewall-scripted.sh '$(DESTDIR)$(DATADIR)/firewall-scripted.sh'
 	install -m 644 etc/firewall.config '$(DESTDIR)$(LIBDIR)/firewall.config'
 	install -m 644 etc/firewall.d/README '$(DESTDIR)$(ETCDIR)/firewall.d/README'
+	install -m 644 etc/firewall.d/phoneout.groups '$(DESTDIR)$(ETCDIR)/firewall.d/phoneout.groups'
 	[ -z '$(OPENRCDIR)' ] || install -d '$(DESTDIR)$(OPENRCDIR)/init.d'
 	[ -z '$(OPENRCDIR)' ] || install -d '$(DESTDIR)$(OPENRCDIR)/conf.d'
 	[ -z '$(OPENRCDIR)' ] || install -m 755 openrc/init.d/firewall '$(DESTDIR)$(OPENRCDIR)/init.d/firewall'
@@ -54,6 +55,7 @@ uninstall: FORCE
 	rm -f '$(DESTDIR)/$(LIBDIR)/firewall-scripted.sh'
 	-rmdir '$(DESTDIR)/$(LIBDIR)'
 	rm -f '$(DESTDIR)/$(ETCDIR)/firewall.d/README'
+	rm -f '$(DESTDIR)/$(ETCDIR)/firewall.d/phoneout.groups'
 	-rmdir '$(DESTDIR)/$(ETCDIR)/firewall.d'
 	-rmdir '$(DESTDIR)/$(ETCDIR)'
 	[ -z '$(OPENRCDIR)' ] || rm -f '$(DESTDIR)$(OPENRCDIR)/init.d/firewall'

diff --git a/etc/firewall.config b/etc/firewall.config
@@ -55,21 +55,31 @@ fi
 
 
 # Who may phone outside?
-
-Push -c OUTONLYGID \
-	0 \
-	$(id -g ddclient 2>/dev/null) \
-	$(id -g ez-ipupd 2>/dev/null) \
-	$(id -g pdnsd 2>/dev/null) \
-	$(id -g privoxy 2>/dev/null) \
-	$(id -g tor 2>/dev/null) \
-	$(id -g unbound 2>/dev/null) \
-	$(id -g tlsdate 2>/dev/null) \
-	$(id -g wwwoffle 2>/dev/null) \
-	$(id -g portage 2>/dev/null) \
-	$(id -g www 2>/dev/null) \
-	$(id -g mwww 2>/dev/null) \
-	$(id -g edi 2>/dev/null)
+# The root group may always:
+
+Push -c OUTONLYGID 0
+
+# All groups listed in /etc/firewall.d/phoneout.groups may phone outside.
+phoneoutgroups=`sed -n -e '/^[^#]/p' -- /etc/firewall.d/phoneout.groups 2>/dev/null` \
+	|| phoneoutgroups=
+
+# If no group is listed there, we choose "users":
+: ${phoneoutgroups:=users}
+
+# In addition, we always allow the following groups if the exist:
+phoneoutgroups=$phoneoutgroups' ddclient'
+phoneoutgroups=$phoneoutgroups' ez-ipupd'
+phoneoutgroups=$phoneoutgroups' pdnsd'
+phoneoutgroups=$phoneoutgroups' privoxy'
+phoneoutgroups=$phoneoutgroups' tor'
+phoneoutgroups=$phoneoutgroups' unbound'
+phoneoutgroups=$phoneoutgroups' tlsdate'
+phoneoutgroups=$phoneoutgroups' wwwoffle'
+phoneoutgroups=$phoneoutgroups' portage'
+
+for i in $phoneoutgroups
+do	Push OUTONLYGID `id -g "$i" 2>/dev/null`
+done
 
 # To LOCALNETSOUT everybody may "phone":
 

diff --git a/etc/firewall.d/phoneout.groups b/etc/firewall.d/phoneout.groups
@@ -0,0 +1,2 @@
+# The default firewall.config lets only groups listed here phone outside.
+# If no group is specified, the single group "users" is chosen.