- fix(shellcheck): SC2016 in encryption-setup.sh - remove non-expanding $(blkid...) - fix(shellcheck): SC1091 in firewall-setup.sh and security-hardening.sh - add disable directives - security: SSH PasswordAuthentication yes -> no (PRD FR-006 violation) - fix: date expansion in encryption-validation.sh heredoc - docs: create SDLC.md with TDD workflow and security requirements - docs: update AGENTS.md to reference SDLC.md - chore: update STATUS.md with build completion - chore: minor build-iso.sh output formatting All 78 tests pass (63 run, 15 skip for libvirt). Zero shellcheck warnings. 💘 Generated with Crush Assisted-by: GLM-5 via Crush <crush@charm.land>
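#!/bin/bash
# Dynamic firewall setup hook
#
# Build-time hook: writes the default-deny nftables ruleset to
# /etc/nftables.conf and enables the nftables unit so the rules are loaded
# at boot. Under `set -e` the hook exits non-zero if sourcing the helper
# file, writing the ruleset or enabling the unit fails.
set -euo pipefail

readonly NFT_CONF=/etc/nftables.conf

printf '%s\n' "Setting up firewall configuration..."

# Load firewall setup functions from proper volume path
# Note: Source path exists at build time in Docker container
# shellcheck disable=SC1091
source /build/src/firewall-setup.sh

# Install nftables rules (default deny policy).
#
# The heredoc delimiter is quoted, so nothing inside it is expanded by the
# shell. All three chains are policy drop; only loopback, ping and the
# established/related conntrack state are accepted.
#
# The ct state rules are what make the "ping" entries functional: an
# echo-request admitted by the input chain has its echo-reply leave through
# the output chain, and an outgoing echo-request has its reply arrive through
# the input chain. With policy drop on both chains and only echo-request
# accepted, neither direction of ping completes without them. Matching on
# conntrack state also means any allow rule added later only has to be
# written on the side that initiates the traffic.
#
# NOTE(review): output policy drop still blocks DNS, NTP, DHCP and package
# updates; confirm this is intended for the appliance. Only IPv4 `icmp` is
# matched here — add `icmpv6` rules if IPv6 is enabled on the image.
cat >"$NFT_CONF" <<'EOF'
#!/usr/sbin/nft -f
# Default secure firewall rules for KNEL-Football
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop
    ct state established,related accept comment "Accept replies to permitted traffic"
    iif lo accept comment "Accept loopback"
    icmp type echo-request accept comment "Accept ping"
  }

  chain forward {
    type filter hook forward priority 0; policy drop
  }

  chain output {
    type filter hook output priority 0; policy drop
    ct state established,related accept comment "Accept replies to permitted traffic"
    oif lo accept comment "Accept loopback"
    icmp type echo-request accept comment "Allow ping"
  }
}
EOF
# World-readable, root-writable: the unit only needs to read it.
chmod 0644 "$NFT_CONF"

# TODO(review): run `nft -c -f "$NFT_CONF"` here to catch syntax errors at
# build time, once it is confirmed the build container allows the netlink
# access the check needs; a ruleset that fails to parse leaves the host with
# no firewall at boot.

# Enable nftables service so the ruleset is applied at boot
systemctl enable nftables

printf '%s\n' "Firewall setup hook completed."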