authorMarco Mariani <marco@crowdsec.net>2022-02-21 20:25:17 +0000
committerFlorian Smeets <flo@FreeBSD.org>2022-02-21 20:27:44 +0000
commit286b8544474d3cf3d457cf42e0e70183f12c8850 (patch)
tree4f6eee6d9c4766a6523a1d7461d643f299f7f958 /security/crowdsec-firewall-bouncer
parenteec9ee622163d81127dd0841113c7c55e3cc0a85 (diff)
security/crowdsec-firewall-bouncer: Update to 0.0.23.r2
- updated the executable to upstream v0.0.23-rc2 - reverted the configuration to manual editing of pf.conf (optionally within an anchor) - removed newsyslog log rotation (rotation is now implemented natively by the executable) - removed the dependency on the crowdsec package (the Local API can run on an external host)
Diffstat (limited to 'security/crowdsec-firewall-bouncer')
-rw-r--r--security/crowdsec-firewall-bouncer/Makefile20
-rw-r--r--security/crowdsec-firewall-bouncer/distinfo6
-rw-r--r--security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog2
-rwxr-xr-xsecurity/crowdsec-firewall-bouncer/files/crowdsec_firewall.in21
-rw-r--r--security/crowdsec-firewall-bouncer/files/patch-Makefile24
-rwxr-xr-x[-rw-r--r--]security/crowdsec-firewall-bouncer/files/pkg-deinstall.in0
-rwxr-xr-x[-rw-r--r--]security/crowdsec-firewall-bouncer/files/pkg-install.in0
-rw-r--r--security/crowdsec-firewall-bouncer/files/pkg-message.in28
-rw-r--r--security/crowdsec-firewall-bouncer/pkg-plist3
9 files changed, 47 insertions, 57 deletions
diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile
index a52441bcfc53..db4d992dcf88 100644
--- a/security/crowdsec-firewall-bouncer/Makefile
+++ b/security/crowdsec-firewall-bouncer/Makefile
@@ -1,5 +1,5 @@
PORTNAME= crowdsec-firewall-bouncer
-PORTVERSION= 0.0.20 # NOTE: change BUILD_VERSION and BUILD_TAG as well
+PORTVERSION= 0.0.23.r2 # NOTE: change BUILD_VERSION and BUILD_TAG as well
DISTVERSIONPREFIX= v
CATEGORIES= security
@@ -14,24 +14,20 @@ BUILD_DEPENDS= git:devel/git@lite \
USES= gmake
-RUN_DEPENDS= crowdsec>0:security/crowdsec
-
USE_GITHUB= yes
GH_ACCOUNT= crowdsecurity
GH_PROJECT= cs-firewall-bouncer
-GH_TAGNAME= v0.0.20-freebsd
+GH_TAGNAME= v0.0.23.r2-freebsd
#GH_TAGNAME is automatically set from DISTVERSION
USE_RC_SUBR= crowdsec_firewall
-SUB_FILES= pkg-message \
- pkg-install \
- pkg-deinstall
+SUB_FILES= pkg-deinstall pkg-install pkg-message
# BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
# BUILD_TAG=$(git rev-parse HEAD)
-MAKE_ENV= BUILD_VERSION="v0.0.20" \
- BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310"
+MAKE_ENV= BUILD_TAG="bc4bb1d531d47ad94ead2dce3a11f6391b1e8619" \
+ BUILD_VERSION="v0.0.23-rc2"
ETCDIR= ${PREFIX}/etc/crowdsec/bouncers
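Review bot: The updated `GH_TAGNAME= v0.0.23.r2-freebsd` sits directly above a comment claiming `#GH_TAGNAME is automatically set from DISTVERSION`, which is not what happens here: the derived value would be `v0.0.23.r2`, and the explicit assignment is what selects the `-freebsd` branch tag. Replace that comment with `# GH_TAGNAME must be set by hand: the FreeBSD branch tag carries a -freebsd suffix that DISTVERSION does not`, so the next bump does not drop the line on the strength of the old comment. The hardcoded `BUILD_TAG` hash is only explained by the shell snippet above it; a note that it is presumably the commit `v0.0.23.r2-freebsd` resolves to, and that the distinfo SHA256 (not this hash) is what actually pins the distfile, would help the next updater. The Makefile continues past the end of the hunk.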
@@ -55,10 +51,4 @@ do-install:
${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \
${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample
- #
- # Log rotation
- #
-
- ${INSTALL_DATA} ${FILESDIR}/crowdsec-firewall-bouncer.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample
-
.include <bsd.port.mk>
diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo
index 1548b93d6c60..0cdb9bb30d8c 100644
--- a/security/crowdsec-firewall-bouncer/distinfo
+++ b/security/crowdsec-firewall-bouncer/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1640213523
-SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171
-SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717
+TIMESTAMP = 1645218461
+SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = efb34044e8a648c1ec505fef64de3e4901ac760e732b647650f8e46547c7fe87
+SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = 3053462
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
deleted file mode 100644
index b26fae25b5ce..000000000000
--- a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
+++ /dev/null
@@ -1,2 +0,0 @@
-# logfilename [owner:group] mode count size(kb) when flags [/pid_file] [sig_num]
-/var/log/crowdsec-firewall-bouncer.log root:wheel 644 10 5120 * JC /var/run/crowdsec_firewall.pid
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
index 6a0f96f26f8f..9ae41cef717b 100755
--- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
+++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
@@ -1,7 +1,7 @@
#!/bin/sh
#
# PROVIDE: crowdsec_firewall
-# REQUIRE: LOGIN DAEMON NETWORKING crowdsec
+# REQUIRE: LOGIN DAEMON NETWORKING
# KEYWORD: shutdown
#
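Review bot: Dropping `crowdsec` from `# REQUIRE:` also removes the start ordering for the case where crowdsec and the bouncer share a host, which is still the case the precmd assumes whenever it finds `cscli`. On such a host the bouncer may now be started before the local API is listening; whether that is harmless depends on the executable retrying its first LAPI connection, which nothing in the hunk shows. If rcorder only warns about an absent provider on hosts without the crowdsec package (which is my understanding, but worth confirming), keeping `# REQUIRE: LOGIN DAEMON NETWORKING crowdsec` is the simpler way to preserve ordering; otherwise record the trade-off in the header, e.g. `# NOTE: no REQUIRE on crowdsec: the LAPI may be on another host, so start ordering is not guaranteed on a local install`.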
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
@@ -9,6 +9,10 @@
#
# crowdsec_firewall_enable (bool): Set it to YES to enable crowdsec firewall.
# Default is "NO"
+# crowdsec_firewall_config (str): Set the bouncer config path.
+# Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml"
+# crowdsec_firewall_flags (str): extra flags to run bouncer.
+# Default is ""
. /etc/rc.subr
@@ -20,6 +24,7 @@ load_rc_config $name
: "${crowdsec_firewall_enable:=NO}"
: "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
+: "${crowdsec_firewall_flags:=}"
pidfile=/var/run/${name}.pid
required_files="$crowdsec_firewall_config"
@@ -30,10 +35,13 @@ start_precmd="${name}_precmd"
crowdsec_firewall_precmd() {
CSCLI=%%PREFIX%%/bin/cscli
orig_line="api_key: \${API_KEY}"
+ # IF the bouncer is not configured
if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then
SUFFIX=$(LC_CTYPE=C tr -dc A-Za-z0-9 </dev/urandom | head -c 8)
BOUNCER="cs-firewall-bouncer-${SUFFIX}"
+ # AND crowdsec is installed..
if command -v "$CSCLI" >/dev/null; then
+ # THEN, register it to the local API
API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw)
if [ -n "$API_KEY" ]; then
sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_firewall_config}"
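Review bot: The new IF/AND/THEN comments describe the happy path, but the case this commit newly enables, a remote LAPI with no local `cscli`, falls through silently: the placeholder `api_key: ${API_KEY}` stays in the file, `required_files` is satisfied, and the daemon is started with a key it cannot use, so the failure only surfaces in the bouncer's own log, if at all. An `else` branch on the `command -v "$CSCLI"` test, `warn "cscli not found; set api_key in ${crowdsec_firewall_config} by hand (run 'cscli bouncers add <name>' on the LAPI host)"`, tells the admin what to do at `service crowdsec_firewall start` time. The same silent fall-through happens when `cscli bouncers add` returns an empty key, since the `-n "$API_KEY"` test has no else either. crowdsec_firewall_precmd continues past the end of the hunk.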
@@ -41,20 +49,11 @@ crowdsec_firewall_precmd() {
fi
fi
fi
-
- # needs real tabs
- cat <<-EOT | /sbin/pfctl -f /dev/fd/0
- table <crowdsec-blacklists> persist
- table <crowdsec6-blacklists> persist
- block drop in quick from <crowdsec-blacklists> to any
- block drop in quick from <crowdsec6-blacklists> to any
- EOT
-
}
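Review bot: With the table creation removed from the precmd, nothing in the rc script checks that `<crowdsec-blacklists>` and `<crowdsec6-blacklists>` exist before the daemon is started; an admin who enables the service without editing pf.conf (that step now lives only in pkg-message) gets a bouncer whose decisions land in tables no `block` rule references, which fails open. A cheap guard at the end of crowdsec_firewall_precmd (the function starts before this hunk) is `for t in crowdsec-blacklists crowdsec6-blacklists; do /sbin/pfctl -t "$t" -T show >/dev/null 2>&1 || warn "pf table <$t> is not defined; add it and its block rule to /etc/pf.conf"; done`, assuming `pfctl -T show` exits non-zero for an undefined table as it does in my experience. Whether the executable creates missing tables itself is not visible here; if it does, the check still matters, because a table created outside pf.conf has no rule consulting it.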
crowdsec_firewall_start() {
/usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
- ${command} -c "${crowdsec_firewall_config}"
+ ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags}
}
run_rc_command "$1"
diff --git a/security/crowdsec-firewall-bouncer/files/patch-Makefile b/security/crowdsec-firewall-bouncer/files/patch-Makefile
index df450e5e1b27..d8f1e8f79f4e 100644
--- a/security/crowdsec-firewall-bouncer/files/patch-Makefile
+++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile
@@ -1,11 +1,15 @@
---- Makefile.orig 2021-12-22 22:57:23 UTC
+--- Makefile.orig 2022-02-11 13:22:37 UTC
+++ Makefile
-@@ -11,7 +11,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l
- BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')"
- BUILD_TIMESTAMP=$(shell date +%F"_"%T)
- BUILD_TAG?="$(shell git rev-parse HEAD)"
--export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
-+export LD_OPTS=-mod vendor -modcacherw --ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.GoVersion=$(BUILD_GOVERSION)"
+@@ -54,10 +54,10 @@ lint:
+ golangci-lint run
+
+ static: goversion clean
+- $(GOBUILD) -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo
++ $(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo
+
+ build: goversion clean
+- $(GOBUILD) -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v
++ $(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v
+
+ test:
+ @$(GOTEST) -ldflags "$(LDFLAGS_DYNAMIC)" -v ./...
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
index 8167b3f0167f..8167b3f0167f 100644..100755
--- a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-install.in b/security/crowdsec-firewall-bouncer/files/pkg-install.in
index f75e58ce4685..f75e58ce4685 100644..100755
--- a/security/crowdsec-firewall-bouncer/files/pkg-install.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-install.in
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in
index 8bcdc8d1d9d6..489267594020 100644
--- a/security/crowdsec-firewall-bouncer/files/pkg-message.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in
@@ -4,8 +4,8 @@
crowdsec-firewall-bouncer is installed.
-The bouncer should register itself but you may want to check the
-configuration file, which is now in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml
+The bouncer should register itself with the Local API but you may want to check the
+configuration file, which has been moved to %%ETCDIR%%/crowdsec-firewall-bouncer.yaml
(for consistency with the other platforms).
In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need
@@ -21,23 +21,25 @@ pf_enable: NO -> YES
Enabling pf.
----------
-Then activate the bouncer via sysrc:
+Add the following in /etc/pf.conf to create the firewall tables and rules:
----------
-# sysrc crowdsec_firewall_enable="YES"
-crowdsec_firewall_enable: NO -> YES
-# service crowdsec_firewall start
+table <crowdsec-blacklists> persist
+table <crowdsec6-blacklists> persist
+block drop in quick from <crowdsec-blacklists> to any
+block drop in quick from <crowdsec6-blacklists> to any
----------
-After a few seconds, the bouncer should have created the tables and rules:
+To apply the file:
+
+# pfctl -f /etc/pf.conf
+
+Then activate the bouncer via sysrc and run it:
----------
-# pfctl -s Tables
-crowdsec-blacklists
-crowdsec6-blacklists
-# pfctl -s Tables -s rules
-block drop in quick from <crowdsec-blacklists> to any
-block drop in quick from <crowdsec6-blacklists> to any
+# sysrc crowdsec_firewall_enable="YES"
+crowdsec_firewall_enable: NO -> YES
+# service crowdsec_firewall start
----------
EOM
diff --git a/security/crowdsec-firewall-bouncer/pkg-plist b/security/crowdsec-firewall-bouncer/pkg-plist
index ecbf8e901981..6a41287c1e57 100644
--- a/security/crowdsec-firewall-bouncer/pkg-plist
+++ b/security/crowdsec-firewall-bouncer/pkg-plist
@@ -1,7 +1,4 @@
@mode 0755
bin/crowdsec-firewall-bouncer
-@dir etc/newsyslog.conf.d
@mode 0600
@sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample
-@mode 0644
-@sample etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample