==> debian/init <==
#! /bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $remote_fs
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: Initialize iptables firewall via pyroman
# Description:       Initialize iptables firewall via pyroman
### END INIT INFO

# Author: Erich Schubert

PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="Pyroman firewall"
NAME=pyroman
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS="-i"
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# quit when pyroman is not enabled
[ "$PYROMAN_ENABLED" = "y" ] || exit 0

#
# Function that starts the daemon/service
#
do_start()
{
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	$DAEMON $DAEMON_ARGS || return 2
	return 0
}

#
# Function that stops the daemon/service
#
do_stop()
{
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	# There is no "stop" defined, this is not a daemon: "stop" is a
	# no-op and leaves the currently loaded ruleset in place.
	return 1
}

. /lib/lsb/init-functions

case "$1" in
  start)
	log_daemon_msg "Starting $DESC"
	do_start
	case "$?" in
		0|1) log_end_msg 0 ;;
		2) log_end_msg 1 ;;
	esac
	;;
  stop)
	log_daemon_msg "Stopping $DESC" "$NAME"
	do_stop
	case "$?" in
		0|1) log_end_msg 0 ;;
		2) log_end_msg 1 ;;
	esac
	;;
  restart|force-reload)
	#
	# If the "reload" option is implemented then remove the
	# 'force-reload' alias
	#
	log_daemon_msg "Restarting $DESC"
	do_stop
	case "$?" in
	  0|1)
		do_start
		case "$?"
		in
			0) log_end_msg 0 ;;
			1) log_end_msg 1 ;; # Old process is still running
			*) log_end_msg 1 ;; # Failed to start
		esac
		;;
	  *)
		# Failed to stop
		log_end_msg 1
		;;
	esac
	;;
  *)
	echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
	exit 3
	;;
esac

:

==> debian/source/format <==
3.0 (quilt)

==> debian/rules <==
#!/usr/bin/make -f
# Default Debhelper 7 mostly
%:
	dh $@ --with=python2,systemd

==> debian/install <==
bin/pyroman /usr/sbin
pyroman/*.py /usr/share/pyshared/pyroman
examples/base/* /etc/pyroman
examples/base/* /usr/share/doc/pyroman/examples/base
examples/example1/* /usr/share/doc/pyroman/examples/example1
examples/xml/* /usr/share/doc/pyroman/examples/xml
examples/personal-firewall/* /usr/share/doc/pyroman/examples/personal-firewall
debian/pyroman.service /lib/systemd/system

==> debian/changelog <==
pyroman (0.5.0~beta1-1) unstable; urgency=low

  * Let's call this a beta release. No negative feedback on the alpha for a
    year, but as this includes new functionality (IPSec) I want to give this
    version some extra time.
  * Merge patch to support IPSec by Wil Tan (Closes: #719054)
  * Skip "ah" protocol for IPv6. You would need to use the header match!
  * Use dh-systemd for better systemd support (Closes: #715248)
  * Drop patch hotfix-nat.patch, included in new SVN checkout.
  * Some minor packaging cleanups (empty dir)
  * Update to standards 3.9.4
  * Use machine-readable copyright information format

 -- Erich Schubert  Mon, 12 Aug 2013 21:52:56 +0200

pyroman (0.5.0~alpha1-3) unstable; urgency=low

  * Upload to unstable, to get more feedback on IPv6 support
  * Add systemd service file.
    Enable pyroman via: systemctl enable pyroman

 -- Erich Schubert  Tue, 12 Jun 2012 22:56:48 +0200

pyroman (0.5.0~alpha1-2) experimental; urgency=low

  * Fix NAT support, discovered by trying to regenerate the 1300+ lines
    iptables of a four-if hot-standby firewall.

 -- Erich Schubert  Thu, 18 Aug 2011 01:28:12 +0200

pyroman (0.5.0~alpha1-1) experimental; urgency=low

  * New pre-release with experimental IPv6 support.
  * Please help me test and debug!

 -- Erich Schubert  Wed, 17 Aug 2011 20:49:27 +0200

pyroman (0.4.6-5) unstable; urgency=low

  * Switch to quilt source format
  * Use debhelper 7 instead of CDBS
  * Use dh_python2
  * Update to policy 3.9.2.0 (no changes)
  * Yes, this project is still alive. It just does all I currently need.

 -- Erich Schubert  Mon, 25 Jul 2011 20:36:39 +0200

pyroman (0.4.6-4) unstable; urgency=low

  * Try to ensure python-support has run before we run the init script.

 -- Erich Schubert  Wed, 09 Jun 2010 02:50:38 +0200

pyroman (0.4.6-3) unstable; urgency=low

  * Fix init script missing dependency on $remote_fs
  * Increase debhelper level to 7
  * Also update to latest policy 3.8.4.0 (no changes)

 -- Erich Schubert  Thu, 03 Jun 2010 18:45:37 +0200

pyroman (0.4.6-2) unstable; urgency=low

  * Call dh_pysupport in binary-install instead of install target to make
    it build with python-support from experimental (Closes: #516903)
  * Resolve lintian warnings
  * Remove prerm, postinst scripts that cleaned up early (pre-lenny)
    versions.

 -- Erich Schubert  Sat, 28 Feb 2009 13:57:27 +0100

pyroman (0.4.6-1) unstable; urgency=low

  * New upstream version
  * Clean up handling of input/output/forward and accept/reject/drop chain
    names, they are now all configured in the example rules files, and
    default to the kernel values otherwise. They are also configurable via
    XML now.
  * Bounce policy version to 3.8.0.0 (no changes)

 -- Erich Schubert  Sat, 02 Aug 2008 01:46:21 +0200

pyroman (0.4.5-1) unstable; urgency=low

  * New upstream version
  * Add external verification command (e.g.
    try an ssh-out-ssh-in command to verify network functionality)
  * Use subprocess module (thus requiring python 2.4 or later)
    Add debian/pyversions accordingly.

 -- Erich Schubert  Fri, 01 Aug 2008 15:13:52 +0200

pyroman (0.4.4-2) unstable; urgency=low

  * The 'lenny is freezing, time to prepare for release' upload.
  * Remove /etc/pyroman/000_README on install and purge, that file was
    renamed to just README. Check md5sum. (Closes: #454400)
  * Fix lintian warnings:
    * Remove empty directory /usr/share/pyroman/ from package
    * Improve copyright notice
    * Spelling of Python in description (uppercase)
    * Current dpkg-source should strip .svn directories from diff
  * Update policy to 3.7.3 (no changes)
  * Improve package description

 -- Erich Schubert  Tue, 15 Apr 2008 00:09:27 +0200

pyroman (0.4.4-1) unstable; urgency=low

  * New upstream version
  * Some restructuring of the python code, not many user-visible changes
  * iptables-save re-parsing (to keep traffic information) not yet added.
  * Remove XS-Python-Version. Thanks Josselin. (Closes: #445408)
  * Move Homepage into Homepage field in control
  * Add Vcs-Svn and Vcs-Browser fields

 -- Erich Schubert  Tue, 16 Oct 2007 05:27:19 +0200

pyroman (0.4.3-1) unstable; urgency=low

  * New upstream version
  * New XML syntax as alternative to python syntax (see examples/xml).
  * Error reporting was improved.
  * Less verbose init script thanks to new --init option.
  * Add support to disable generation of forward chains (for sharing the
    firewall configuration files over non-forwarding hosts more cleanly)

 -- Erich Schubert  Fri, 04 May 2007 20:18:41 +0200

pyroman (0.4.2-1) unstable; urgency=low

  * New upstream release:
  * Add example configuration files for a single host setup ("personal
    firewall"). Also adding support for interface wildcards.
  * cp /usr/share/doc/pyroman/examples/personal-firewall/*.py /etc/pyroman
    and then running pyroman (use /etc/default/pyroman to enable on boot)
    should give you a working firewall for a single host setup.
  * Update to policy 3.7.2 (no changes)

 -- Erich Schubert  Thu, 1 Mar 2007 15:10:52 +0100

pyroman (0.4-3) unstable; urgency=low

  * Fix init script sequence with small hack in CDBS.

 -- Erich Schubert  Mon, 11 Sep 2006 13:46:18 +0200

pyroman (0.4-2) unstable; urgency=low

  * Fix python packaging brokenness.

 -- Erich Schubert  Mon, 11 Sep 2006 12:43:12 +0200

pyroman (0.4-1) unstable; urgency=low

  * New upstream version.
    * has --print and --print-verbose options (Closes: #377398)
    * has --rules=dir option (Closes: #377397)
    * has explicit drop for state=INVALID (Closes: #377396)
    * has --no-act option
    * has --timeout=seconds option for different timeouts
    * removed duplicate rule (Closes: #377393)
  * Try to do the python transition... (Closes: #380917)

 -- Erich Schubert  Thu, 10 Aug 2006 03:42:49 +0200

pyroman (0.3-2) unstable; urgency=low

  * Gnah. Really add python build-dep (Closes: #363311, #358402)

 -- Erich Schubert  Tue, 18 Apr 2006 14:42:19 +0200

pyroman (0.3-1) unstable; urgency=low

  * New upstream version
  * The package now installs the base example as config files
  * Enhanced examples (with bittorrent filter)

 -- Erich Schubert  Sun, 16 Apr 2006 18:31:06 +0200

pyroman (0.2-4) unstable; urgency=low

  * Add build-dependency on python (Closes: #358402)

 -- Erich Schubert  Sun, 16 Apr 2006 15:42:20 +0200

pyroman (0.2-3) unstable; urgency=low

  * The "yes, I'm in a work frenzy, so I can avoid preparing for my final
    exams" release
  * Try to follow Debian Python Policy literally, although 3.1.1 seems not
    well suited here (why not prevent .pyc generation altogether?)
  * Move example rules to /usr/share/doc/pyroman/examples

 -- Erich Schubert  Fri, 17 Feb 2006 00:30:03 +0100

pyroman (0.2-2) unstable; urgency=low

  * Source lsb init functions in init script (was missing from skeleton
    provided by init-scripts...)
  * Don't create /etc/defaults directory, that is /etc/default and the
    installation is done by debhelper anyway.
  * Document two more commands of pyroman, from SVN.
 -- Erich Schubert  Thu, 16 Feb 2006 22:09:11 +0100

pyroman (0.2-1) unstable; urgency=low

  * Initial release.

 -- Erich Schubert  Thu, 16 Feb 2006 20:07:56 +0100

==> debian/pyroman.service <==
#
# Pyroman Firewall
#
[Unit]
Description=Pyroman firewall
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
StandardOutput=syslog
ExecStart=/usr/sbin/pyroman --init

[Install]
WantedBy=multi-user.target

==> debian/copyright <==
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Pyroman
Upstream-Contact: Erich Schubert
Source: http://pyroman.alioth.debian.org/

Files: *
Copyright: 2006-2013 Erich Schubert
License: Expat

License: Expat
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
==> debian/dirs <==
etc/pyroman
usr/sbin
usr/share/doc/pyroman/examples
usr/share/doc/pyroman/examples/example1
usr/share/doc/pyroman/examples/personal-firewall
usr/share/doc/pyroman/examples/xml

==> debian/control <==
Source: pyroman
Section: admin
Priority: optional
Maintainer: Erich Schubert
Build-Depends: debhelper (>= 7), python (>= 2.6.6-3~), quilt (>= 0.40), dh-systemd (>= 1.4)
Standards-Version: 3.9.4
Vcs-Svn: svn://anonscm.debian.org/pyroman/debian/trunk
Vcs-Browser: http://anonscm.debian.org/viewvc/pyroman/debian/trunk
Homepage: http://pyroman.alioth.debian.org/
X-Python-Version: >= 2.4

Package: pyroman
Architecture: all
Depends: iptables, ${python:Depends}, ${misc:Depends}
Description: Very fast firewall configuration tool
 Pyroman is a firewall tool written in Python for complex networks, but it
 can of course also handle simple single-host-single-link setups.
 .
 Interesting features:
  * Fast, due to use of iptables-restore for mass setting of rules
  * Rollback to previous firewall configuration on errors
  * Safety options to prevent mistakes in configuration (success
    confirmation prompt and/or scripted external verification)
  * Detailed error reporting
  * Lots of verification checks done before execution
  * Powerful yet clean configuration files (in Python and/or XML)
  * Designed for multiple hosts, firewalls, networks
  * Consistent firewalls for IPv4 and IPv6
 .
 Pyroman is inspired by Shorewall and FireHOL, but tries to improve upon
 them with respect to performance and ease of configuration.
 .
 Pyroman currently only configures iptables/netfilter firewalls, it does
 not include configuration utilities for setting up VPN or traffic shaping.
==> debian/compat <==
7

==> debian/patches/01pyroman-system-install.patch <==
Index: pyroman-0.4.6/bin/pyroman
===================================================================
--- pyroman-0.4.6.orig/bin/pyroman	2011-07-25 20:33:21.000000000 +0200
+++ pyroman-0.4.6/bin/pyroman	2011-07-25 20:34:23.000000000 +0200
@@ -1,9 +1,7 @@
 #!/usr/bin/python
 """ Pyroman, an iptables firewall configuration tool """
-# where the pyroman libraries are found - e.g. /usr/share/pyroman
-library_path = "./"
 # where the rules are located - e.g. /etc/pyroman
-default_rules_path = "./examples/base"
+default_rules_path = "/etc/pyroman"
 # timeout for the "safe" mode invocation
 safe_timeout_default = 30
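Review bot: in the first hunk (@@ -1,9 +1,7 @@) the surviving comment `# where the rules are located - e.g. /etc/pyroman` now gives as an "e.g." exactly the literal default set one line below; reword it to say what the value is and how it is overridden, e.g. `# default rules directory; override with --rules=dir` (the option exists per the changelog). The patch also carries no DEP-3 header: add `Description:` and `Author:` lines at the top stating that Debian installs the rules to /etc/pyroman and the library to /usr/share/pyshared/pyroman (per debian/install), so the removal of `library_path` is explained for the next packager.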
@@ -28,9 +26,6 @@
 #SOFTWARE.
 import sys, glob, os, getopt
-# path to the main pyroman code
-sys.path.insert(0, library_path)
-
 # usercommands, the Firewall class and the firewall object
 # should be available to user rules
 from pyroman import *

==> debian/patches/series <==
01pyroman-system-install.patch

==> debian/README.Debian <==
pyroman for Debian
------------------

When you have configured pyroman, edit /etc/default/pyroman and set the
variable there to "y" to have it set up the firewall at boot time.
(For systemd, use "systemctl enable pyroman.service". The shipped unit
does not read /etc/default/pyroman, so PYROMAN_ENABLED only gates the
sysvinit script.)

To test new firewall configurations, I recommend using

  $ pyroman safe

which will roll back the firewall changes if you fail to acknowledge them
within 30 seconds, in case you've locked yourself out. (You could of course
set up an at job to do the same, but this is easier.)

It is perfectly acceptable (and a planned feature) to use pyroman primarily
to pre-generate an iptables script, and load this directly via
iptables-restore at boot time.

 -- Erich Schubert, Tue, 12 Jun 2012 22:53:19 +0200

==> debian/default <==
# Set to "y" once you have configured pyroman
PYROMAN_ENABLED="n"

==> debian/rules.README <==
You can find example rules in /usr/share/doc/pyroman/examples

==> debian/manpages <==
doc/pyroman.8
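Review bot: for the second hunk of 01pyroman-system-install.patch (@@ -28,9 +26,6 @@), removing `sys.path.insert(0, library_path)` is more than a packaging tidy-up and deserves a sentence in the patch header: with `library_path = "./"` the script put the current working directory first on the import path, so a root invocation of /usr/sbin/pyroman from any writable directory would have imported a `pyroman` package planted there ahead of the installed one. The hunk adds no replacement for the lookup, so `from pyroman import *` now depends entirely on dh_python2 (debian/rules, `${python:Depends}` in debian/control) making the modules from /usr/share/pyshared/pyroman importable; state that dependency in the DEP-3 description so the patch is not silently broken if the Python helper is changed again.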
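The `pyroman safe` workflow from README.Debian above (load, wait for an acknowledgement, roll back on timeout) and the last paragraph's "pre-generate a ruleset and load it with iptables-restore" approach, written out together as an added example. This is not pyroman's code and does not call pyroman; it assumes iptables-save/iptables-restore are in PATH, that it runs as root when used on a live host, and the hook variables IPT_SAVE, IPT_RESTORE, CONFIRM and SAFE_TIMEOUT are this example's own names (they exist so the rollback logic can be exercised against fake commands without root).

```shell
#!/bin/bash
# Added example (not pyroman's own code): the "safe" rollback pattern from
# README.Debian done with plain iptables-save / iptables-restore, so that a
# pre-generated ruleset file can be loaded with the same protection against
# locking yourself out.
#
# Assumptions (not from the page): iptables-save/iptables-restore in PATH, root
# when used for real.  The hooks below are overridable via environment
# variables so the logic can be tested without touching a live firewall.
IPT_SAVE="${IPT_SAVE:-iptables-save}"          # dumps the live ruleset to stdout
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}" # loads a ruleset from stdin
CONFIRM="${CONFIRM:-confirm_interactive}"      # must return 0 to keep new rules
SAFE_TIMEOUT="${SAFE_TIMEOUT:-30}"             # seconds, same default as pyroman

# Ask the operator on the terminal.  Anything but "yes" within the timeout,
# or no usable stdin at all (the session that ran this is dead), means roll
# back: read fails on EOF and on timeout alike.
confirm_interactive() {
    local answer
    printf 'New ruleset loaded. Type "yes" within %ss to keep it: ' "$1"
    read -r -t "$1" answer && [ "$answer" = "yes" ]
}

# safe_apply RULES_FILE
#   snapshot live rules -> load RULES_FILE -> wait for confirmation
#   -> on "no", timeout or load error, restore the snapshot.
# Returns 0 if the new rules were kept, 1 if the snapshot was restored,
# 2 if no snapshot could be taken (nothing is changed in that case).
safe_apply() {
    local rules="$1" backup
    backup=$(mktemp) || return 2
    if ! "$IPT_SAVE" > "$backup"; then
        rm -f "$backup"
        return 2
    fi
    # iptables-restore commits table by table, so a parse error in a later
    # table can leave earlier tables already replaced: roll back on load
    # failure as well, not only on a missing acknowledgement.
    if "$IPT_RESTORE" < "$rules" && "$CONFIRM" "$SAFE_TIMEOUT"; then
        rm -f "$backup"
        return 0
    fi
    "$IPT_RESTORE" < "$backup"
    rm -f "$backup"
    return 1
}

# Usage when run directly:  ./safe_apply.sh /etc/pyroman/rules.v4
if [ $# -eq 1 ]; then
    safe_apply "$1"
    exit $?
fi
```

Run it as root with the ruleset file as the only argument. An IPv6 ruleset needs the same treatment with the ip6tables-save/ip6tables-restore pair, which is what the IPT_SAVE/IPT_RESTORE hooks are for; the snapshot is taken with counters present, which iptables-restore accepts and ignores.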