msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f8b13063a8922388463d5af1f0ad20359f30309ce788dd3ac210416e944d270c
CISS.debian.installer/func/cdi_4400_hardening/4470_hardening_ufw.sh
Marc S. Weidner 75ff61e256 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-14 13:37:54 +01:00

101 lines
4.8 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Hardening 'ufw'.
# Globals:
# TARGET
# VAR_SSH_PORT
# VAR_UFW_OUT
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_ufw() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
declare -r var_rules="${TARGET}/etc/ufw/before6.rules"
chroot_logger "${TARGET}${var_logfile}"
if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
touch "${TARGET}/var/log/ufw.log"
chmod 0640 "${TARGET}/var/log/ufw.log"
fi
chroot_script "${TARGET}" "
ufw --force reset
ufw logging medium
ufw default deny incoming
ufw default ${VAR_UFW_OUT} outgoing
ufw default deny forward
ufw allow in ${VAR_SSH_PORT}/tcp comment 'Incoming SSH'
ufw limit ${VAR_SSH_PORT}/tcp comment 'Incoming SSH'
"
### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
chroot_script "${TARGET}" "
ufw allow out 21/tcp comment 'Outgoing FTP'
ufw allow out 22/tcp comment 'Outgoing SSH'
ufw allow out 25/tcp comment 'Outgoing SMTP'
ufw allow out 53/tcp comment 'Outgoing DNS'
ufw allow out 80/tcp comment 'Outgoing HTTP'
ufw allow out 123/tcp comment 'Outgoing NTP'
ufw allow out 143/tcp comment 'Outgoing IMAP'
ufw allow out 443/tcp comment 'Outgoing HTTPS'
ufw allow out 465/tcp comment 'Outgoing SMTPS'
ufw allow out 587/tcp comment 'Outgoing SMTPS'
ufw allow out 993/tcp comment 'Outgoing IMAPS'
ufw allow out 4460/tcp comment 'Outgoing NTS'
ufw allow out ${VAR_SSH_PORT}/tcp comment 'Outgoing SSH'
ufw allow out 53/udp comment 'Outgoing DNS'
ufw allow out 123/udp comment 'Outgoing NTP'
ufw allow out 443/udp comment 'Outgoing QUIC'
ufw allow out 853/udp comment 'Outgoing DoQ'
"
fi
### Allowing ICMP IPv4 outgoing per default.
sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
### Remove previous custom blocks (idempotent).
sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
sed -i "/^# BEGIN custom MLD OUTPUT rules/,/^# END custom MLD OUTPUT rules/d" "${var_rules}"
### Inbound MLD (INPUT chain) insert before the existing echo-request rule.
### Allows MLDv1 (130/131/132) and MLDv2 (143) to link-local multicast (ff02::/16)
sed -i "/-A ufw6-before-input .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD rules\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 130 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 132 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD rules" "${var_rules}"
### Outbound MLD (OUTPUT chain) insert before echo-request.
### Useful if local daemons join multicast groups, and you want clean logs.
sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
chroot_script "${TARGET}" "echo 'y' | ufw enable 2>&1"
chroot_script "${TARGET}" "ufw status verbose >> ${var_logfile}"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink