diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile
index a52441bcfc53..db4d992dcf88 100644
--- a/security/crowdsec-firewall-bouncer/Makefile
+++ b/security/crowdsec-firewall-bouncer/Makefile
@@ -1,64 +1,54 @@
 PORTNAME= crowdsec-firewall-bouncer
-PORTVERSION= 0.0.20 # NOTE: change BUILD_VERSION and BUILD_TAG as well
+PORTVERSION= 0.0.23.r2 # NOTE: change BUILD_VERSION and BUILD_TAG as well
 DISTVERSIONPREFIX= v
 CATEGORIES= security
 MAINTAINER= marco@crowdsec.net
 COMMENT= CrowdSec bouncer written in golang for firewalls
 LICENSE= MIT
 LICENSE_FILE= ${WRKSRC}/LICENSE
 BUILD_DEPENDS= git:devel/git@lite \
 go:lang/go
 USES= gmake
-RUN_DEPENDS= crowdsec>0:security/crowdsec
-
 USE_GITHUB= yes
 GH_ACCOUNT= crowdsecurity
 GH_PROJECT= cs-firewall-bouncer
-GH_TAGNAME= v0.0.20-freebsd
+GH_TAGNAME= v0.0.23.r2-freebsd
 #GH_TAGNAME is automatically set from DISTVERSION
 USE_RC_SUBR= crowdsec_firewall
-SUB_FILES= pkg-message \
- pkg-install \
- pkg-deinstall
+SUB_FILES= pkg-deinstall pkg-install pkg-message
 # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
 # BUILD_TAG=$(git rev-parse HEAD)
-MAKE_ENV= BUILD_VERSION="v0.0.20" \
- BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310"
+MAKE_ENV= BUILD_TAG="bc4bb1d531d47ad94ead2dce3a11f6391b1e8619" \
+ BUILD_VERSION="v0.0.23-rc2"
 ETCDIR= ${PREFIX}/etc/crowdsec/bouncers
 post-patch:
 ${REINPLACE_CMD} 's,$${BACKEND},pf,g' \
 ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml
 do-install:
 #
 # Binaries
 #
 ${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-firewall-bouncer \
 ${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer
 #
 # Configuration
 #
 @${MKDIR} ${STAGEDIR}${ETCDIR}
 ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \
 ${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample
- #
- # Log rotation
- #
-
- ${INSTALL_DATA} ${FILESDIR}/crowdsec-firewall-bouncer.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample
-
 .include 
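Review bot: Removing `RUN_DEPENDS= crowdsec>0:security/crowdsec` is not matched by any guard in the rc script shipped by this same commit, whose precmd still runs `%%PREFIX%%/bin/cscli bouncers add` whenever the sample `api_key: ${API_KEY}` line is untouched, so on a host without the crowdsec package that autoregistration now fails instead of being skipped. If the intent is to allow the bouncer to talk to a remote LAPI, a comment at the removal site such as `# no RUN_DEPENDS on security/crowdsec: the bouncer may use a remote LAPI; the rc script only autoregisters when cscli is present` would record it, together with the matching check in files/crowdsec_firewall.in. The newsyslog sample is also dropped without a visible replacement, so if the bouncer still logs to `/var/log/crowdsec-firewall-bouncer.log` (the path in the deleted file) that log is no longer rotated; presumably logging moved elsewhere, but it is worth stating in the commit or pkg-message. Finally, `PORTVERSION`, `GH_TAGNAME` and `BUILD_VERSION` now carry three spellings of one release (`0.0.23.r2`, `v0.0.23.r2-freebsd`, `v0.0.23-rc2`), which is exactly the manual sync the NOTE comment warns about; deriving the last one as `BUILD_VERSION="${DISTVERSIONPREFIX}${PORTVERSION:S/.r/-rc/}"` would remove one of them.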
diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo
index 1548b93d6c60..0cdb9bb30d8c 100644
--- a/security/crowdsec-firewall-bouncer/distinfo
+++ b/security/crowdsec-firewall-bouncer/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1640213523
-SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171
-SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717
+TIMESTAMP = 1645218461
+SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = efb34044e8a648c1ec505fef64de3e4901ac760e732b647650f8e46547c7fe87
+SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = 3053462
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
deleted file mode 100644
index b26fae25b5ce..000000000000
--- a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
+++ /dev/null
@@ -1,2 +0,0 @@
-# logfilename [owner:group] mode count size(kb) when flags [/pid_file] [sig_num]
-/var/log/crowdsec-firewall-bouncer.log root:wheel 644 10 5120 * JC /var/run/crowdsec_firewall.pid
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
index 6a0f96f26f8f..9ae41cef717b 100755
--- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
+++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
@@ -1,60 +1,59 @@
 #!/bin/sh
 #
 # PROVIDE: crowdsec_firewall
-# REQUIRE: LOGIN DAEMON NETWORKING crowdsec
+# REQUIRE: LOGIN DAEMON NETWORKING
 # KEYWORD: shutdown
 #
 # Add the following lines to /etc/rc.conf.local or /etc/rc.conf
 # to enable this service:
 #
 # crowdsec_firewall_enable (bool): Set it to YES to enable crowdsec firewall.
 # Default is "NO"
+# crowdsec_firewall_config (str): Set the bouncer config path.
+# Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml"
+# crowdsec_firewall_flags (str): extra flags to run bouncer.
+# Default is ""
 . /etc/rc.subr
 name=crowdsec_firewall
 desc="Crowdsec Firewall"
 rcvar=crowdsec_firewall_enable
 load_rc_config $name
 : "${crowdsec_firewall_enable:=NO}"
 : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
+: "${crowdsec_firewall_flags:=}"
 pidfile=/var/run/${name}.pid
 required_files="$crowdsec_firewall_config"
 command="%%PREFIX%%/bin/crowdsec-firewall-bouncer"
 start_cmd="${name}_start"
 start_precmd="${name}_precmd"
 crowdsec_firewall_precmd() {
 CSCLI=%%PREFIX%%/bin/cscli
 orig_line="api_key: \${API_KEY}"
+ # IF the bouncer is not configured
 if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then
 SUFFIX=$(LC_CTYPE=C tr -dc A-Za-z0-9 /dev/null; then
+ # THEN, register it to the local API
 API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw)
 if [ -n "$API_KEY" ]; then
 sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_firewall_config}"
 echo "Registered: ${BOUNCER}"
 fi
 fi
 fi
-
- # needs real tabs
- cat <<-EOT | /sbin/pfctl -f /dev/fd/0
- table persist
- table persist
- block drop in quick from to any
- block drop in quick from to any
- EOT
-
 }
 crowdsec_firewall_start() {
 /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
- ${command} -c "${crowdsec_firewall_config}"
+ ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags}
 }
 run_rc_command "$1"
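Review bot: With `REQUIRE: crowdsec` removed from the rc header (and the ports Makefile in this commit dropping the run dependency on security/crowdsec), `crowdsec_firewall_precmd` still executes `$CSCLI bouncers add` unconditionally when the sample `api_key: \${API_KEY}` line is found, so on a host that only runs the bouncer against a remote LAPI the precmd fails on a missing `%%PREFIX%%/bin/cscli` and the service never starts. A guard before the grep, `if [ ! -x "$CSCLI" ]; then warn "$CSCLI not found, set api_key in ${crowdsec_firewall_config} manually"; return 0; fi`, keeps autoregistration for the co-located case and gives the remote case a clear message instead of a command-not-found error. The removed pfctl heredoc also means nothing at start-up checks that the `crowdsec-blacklists`/`crowdsec6-blacklists` tables exist; pkg-message now tells the admin to put them in /etc/pf.conf, but a `pfctl -t crowdsec-blacklists -T show >/dev/null 2>&1 || warn "pf table crowdsec-blacklists missing, see pkg-message"` in precmd would surface the missing step at service start rather than in the bouncer log. The API key that `sed -i ""` writes into the config file relies on the 0600 mode declared in pkg-plist, and the trailing `# ${BOUNCER}` is the only record of the registered bouncer name; the new `# IF` / `# THEN` comments could say both, e.g. `# the key is stored in the 0600 config; the bouncer name is kept as a trailing comment for cscli bouncers delete`.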
diff --git a/security/crowdsec-firewall-bouncer/files/patch-Makefile b/security/crowdsec-firewall-bouncer/files/patch-Makefile
index df450e5e1b27..d8f1e8f79f4e 100644
--- a/security/crowdsec-firewall-bouncer/files/patch-Makefile
+++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile
@@ -1,11 +1,15 @@
---- Makefile.orig 2021-12-22 22:57:23 UTC
+--- Makefile.orig 2022-02-11 13:22:37 UTC
 +++ Makefile
-@@ -11,7 +11,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l
- BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')"
- BUILD_TIMESTAMP=$(shell date +%F"_"%T)
- BUILD_TAG?="$(shell git rev-parse HEAD)"
--export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
-+export LD_OPTS=-mod vendor -modcacherw --ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.GoVersion=$(BUILD_GOVERSION)"
+@@ -54,10 +54,10 @@ lint:
+ golangci-lint run
+
+ static: goversion clean
+- $(GOBUILD) -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo
++ $(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo
+
+ build: goversion clean
+- $(GOBUILD) -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v
++ $(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v
+
+ test:
+ @$(GOTEST) -ldflags "$(LDFLAGS_DYNAMIC)" -v ./...
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
old mode 100644
new mode 100755
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-install.in b/security/crowdsec-firewall-bouncer/files/pkg-install.in
old mode 100644
new mode 100755
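Review bot: The `test:` target in the same upstream Makefile is left running `$(GOTEST)` without `-mod vendor`, so after this patch the two build targets compile from the vendored tree while any future `do-test` would resolve modules over the network; for consistency the patch could also change that line to `@$(GOTEST) -mod vendor -modcacherw -ldflags "$(LDFLAGS_DYNAMIC)" -v ./...`. Moving the flags from `LD_OPTS` onto the `$(GOBUILD)` invocations is the right place for them, but the patch file carries no explanation of why the port needs them; since the ports Makefile uses `USES= gmake` with go only as a build dependency rather than `USES=go`, a one-line header above the `--- Makefile.orig` line, e.g. `# build offline from the modules vendored in the -freebsd tag (no USES=go)`, would tell the next maintainer what must stay in sync when the upstream Makefile changes again. That the `-freebsd` tag ships a vendor directory is inferred from the flag itself and should be confirmed.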
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in
index 8bcdc8d1d9d6..489267594020 100644
--- a/security/crowdsec-firewall-bouncer/files/pkg-message.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in
@@ -1,45 +1,47 @@
 [
 { type: install message: < YES
 # service pf start
 Enabling pf.
 ----------
-Then activate the bouncer via sysrc:
+Add the following in /etc/pf.conf to create the firewall tables and rules:
 ----------
-# sysrc crowdsec_firewall_enable="YES"
-crowdsec_firewall_enable: NO -> YES
-# service crowdsec_firewall start
+table persist
+table persist
+block drop in quick from to any
+block drop in quick from to any
 ----------
-After a few seconds, the bouncer should have created the tables and rules:
+To apply the file:
+
+# pfctl -f /etc/pf.conf
+
+Then activate the bouncer via sysrc and run it:
 ----------
-# pfctl -s Tables
-crowdsec-blacklists
-crowdsec6-blacklists
-# pfctl -s Tables -s rules
-block drop in quick from to any
-block drop in quick from to any
+# sysrc crowdsec_firewall_enable="YES"
+crowdsec_firewall_enable: NO -> YES
+# service crowdsec_firewall start
 ----------
 EOM
 }
 ]
diff --git a/security/crowdsec-firewall-bouncer/pkg-plist b/security/crowdsec-firewall-bouncer/pkg-plist
index ecbf8e901981..6a41287c1e57 100644
--- a/security/crowdsec-firewall-bouncer/pkg-plist
+++ b/security/crowdsec-firewall-bouncer/pkg-plist
@@ -1,7 +1,4 @@
 @mode 0755
 bin/crowdsec-firewall-bouncer
-@dir etc/newsyslog.conf.d
 @mode 0600
 @sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample
-@mode 0644
-@sample etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample