From e205fe0e6df30e10ee8c65ab9aaf0c618b3ec680 Mon Sep 17 00:00:00 2001
From: Marc Haber
Date: Fri, 13 Oct 2017 15:45:22 +0200
Subject: [PATCH] modularize default config
---
 debian/ferm.conf | 42 --------------------------------------
 debian/ferm.d/10-policy | 18 ++++++++++++++++
 debian/ferm.d/20-conntrack | 24 ++++++++++++++++++++++
 debian/ferm.d/30-local | 12 +++++++++++
 debian/ferm.d/40-ping | 12 +++++++++++
 debian/ferm.d/50-ipsec | 17 +++++++++++++++
 debian/ferm.d/60-ssh | 12 +++++++++++
 debian/ferm.install | 1 +
 8 files changed, 96 insertions(+), 42 deletions(-)
 create mode 100644 debian/ferm.d/10-policy
 create mode 100644 debian/ferm.d/20-conntrack
 create mode 100644 debian/ferm.d/30-local
 create mode 100644 debian/ferm.d/40-ping
 create mode 100644 debian/ferm.d/50-ipsec
 create mode 100644 debian/ferm.d/60-ssh
diff --git a/debian/ferm.conf b/debian/ferm.conf
index 227c565..599ec3e 100644
--- a/debian/ferm.conf
+++ b/debian/ferm.conf
@@ -2,47 +2,5 @@
 #
 # Configuration file for ferm(1).
 #
-domain (ip ip6) {
- table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local packet
- interface lo ACCEPT;
-
- # respond to ping
- proto icmp ACCEPT;
-
- # allow IPsec
- proto udp dport 500 ACCEPT;
- @if @eq($DOMAIN, ip) {
- proto (esp ah) ACCEPT;
- } @else {
- proto (esp) ACCEPT;
- }
-
- # allow SSH connections
- proto tcp dport ssh ACCEPT;
- }
- chain OUTPUT {
- policy ACCEPT;
-
- # connection tracking
- #mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- }
- chain FORWARD {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- }
- }
-}
 @include ferm.d/;
diff --git a/debian/ferm.d/10-policy b/debian/ferm.d/10-policy
new file mode 100644
index 0000000..df5b7c2
--- /dev/null
+++ b/debian/ferm.d/10-policy
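Review bot: With every rule removed from ferm.conf, the INPUT/FORWARD `policy DROP` now only takes effect if `ferm.d/10-policy` is actually present next to the `@include ferm.d/;` context line and the directory include loads files in the order the 10-/20-/…-prefixes assume; if the directory is empty or that file is missing, the built-in chains are presumably left at the kernel's ACCEPT default, i.e. the configuration fails open rather than closed. A comment above the include would make that dependency visible to an administrator editing /etc/ferm, e.g. `# All rules live in ferm.d/; 10-policy sets the default DROP policies and must not be removed.` adjusted to how ferm orders the directory's files. Note that the hunk header counts five new-side lines but only four survived the rendering, so one blank context line around the include is not recoverable here.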
@@ -0,0 +1,18 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ policy DROP;
+ }
+ chain OUTPUT {
+ policy ACCEPT;
+ }
+ chain FORWARD {
+ policy DROP;
+ }
+ }
+}
+
diff --git a/debian/ferm.d/20-conntrack b/debian/ferm.d/20-conntrack
new file mode 100644
index 0000000..529b675
--- /dev/null
+++ b/debian/ferm.d/20-conntrack
@@ -0,0 +1,24 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+ chain OUTPUT {
+ # connection tracking
+ #mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+ chain FORWARD {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+ }
+}
+
diff --git a/debian/ferm.d/30-local b/debian/ferm.d/30-local
new file mode 100644
index 0000000..e097c2f
--- /dev/null
+++ b/debian/ferm.d/30-local
@@ -0,0 +1,12 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # allow local packet
+ interface lo ACCEPT;
+ }
+ }
+}
diff --git a/debian/ferm.d/40-ping b/debian/ferm.d/40-ping
new file mode 100644
index 0000000..bceb6ef
--- /dev/null
+++ b/debian/ferm.d/40-ping
@@ -0,0 +1,12 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # respond to ping
+ proto icmp ACCEPT;
+ }
+ }
+}
diff --git a/debian/ferm.d/50-ipsec b/debian/ferm.d/50-ipsec
new file mode 100644
index 0000000..70c1281
--- /dev/null
+++ b/debian/ferm.d/50-ipsec
@@ -0,0 +1,17 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # allow IPsec
+ proto udp dport 500 ACCEPT;
+ @if @eq($DOMAIN, ip) {
+ proto (esp ah) ACCEPT;
+ } @else {
+ proto (esp) ACCEPT;
+ }
+ }
+ }
+}
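Review bot: In the new 20-conntrack file the OUTPUT chain carries `#mod state state INVALID DROP;` as a commented-out rule with no explanation, so a reader of this now standalone file cannot tell whether dropping INVALID on OUTPUT is deliberately disabled or simply forgotten, while INPUT and FORWARD do drop it. Replace the dead line with a comment that states the intent, e.g. `# INVALID is deliberately not dropped on OUTPUT` followed by the actual reason, or remove it if it is merely a leftover; commented-out rules in a file that is loaded on its own tend to get "re-enabled" by the next person touching it.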
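Review bot: The new 50-ipsec file accepts `ah` only in the `ip` branch of `@if @eq($DOMAIN, ip)` and omits it for ip6 without saying why, and it admits IKE on `udp dport 500` only, so peers using UDP encapsulation on port 4500 (NAT traversal) are presumably not covered; both look intentional but are undocumented now that the block lives in its own file. A short comment above the `@if`, along the lines of `# AH is only accepted for IPv4; UDP-encapsulated IPsec (udp/4500) is intentionally not opened` with the real rationale filled in, would keep a later maintainer from silently widening or "fixing" either choice.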
diff --git a/debian/ferm.d/60-ssh b/debian/ferm.d/60-ssh
new file mode 100644
index 0000000..e448608
--- /dev/null
+++ b/debian/ferm.d/60-ssh
@@ -0,0 +1,12 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # allow SSH connections
+ proto tcp dport ssh ACCEPT;
+ }
+ }
+}
diff --git a/debian/ferm.install b/debian/ferm.install
index 007c33a..7c07e1e 100644
--- a/debian/ferm.install
+++ b/debian/ferm.install
@@ -1,4 +1,5 @@
 debian/ferm.conf etc/ferm
+debian/ferm.d etc/ferm
 examples usr/share/doc/ferm
 src/ferm usr/sbin
 src/import-ferm usr/sbin
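Review bot: `debian/ferm.d etc/ferm` ships the six new files as conffiles under /etc/ferm/ferm.d, and because ferm.conf includes the whole directory, anything dpkg leaves beside them on a later upgrade — a `.dpkg-dist` or `.dpkg-old` sibling of a locally edited file, or a file this package stops shipping in a future version, which dpkg does not remove unless the maintainer scripts ask for it — is presumably loaded as firewall rules too, unless ferm filters such names when reading a directory. This is inferred from the install line rather than visible in the hunk, but it is worth stating in the package documentation which file names ferm.d picks up, and planning the conffile removal handling now, before the first rename of one of these files.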