reachableceo
2b422cf62c
Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
72 lines
2.3 KiB
Bash
Executable File
72 lines
2.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# Dynamic firewall setup hook - PRD FR-004
|
|
# Default deny with WireGuard VPN allow, DNS via VPN, DHCP on LAN
|
|
set -euo pipefail
|
|
|
|
echo "Setting up firewall configuration..."
|
|
|
|
cat >/etc/nftables.conf <<'EOF'
|
|
#!/usr/sbin/nft -f
|
|
# KNEL-Football Secure Firewall - PRD FR-004
|
|
# Default deny, WireGuard VPN outbound only, DNS through VPN tunnel
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop
|
|
|
|
# Accept loopback
|
|
iif lo accept comment "Accept loopback"
|
|
|
|
# Accept established/related connections
|
|
ct state established,related accept comment "Accept established/related"
|
|
|
|
# Accept DHCP (client requests)
|
|
udp sport 67 udp dport 68 accept comment "Accept DHCP offers"
|
|
udp sport 68 udp dport 67 accept comment "Accept DHCP requests"
|
|
|
|
# Accept essential ICMP only
|
|
icmp type destination-unreachable accept comment "Accept dest unreachable"
|
|
icmp type time-exceeded accept comment "Accept time exceeded"
|
|
|
|
# Drop invalid
|
|
ct state invalid drop comment "Drop invalid packets"
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy drop
|
|
|
|
# Accept loopback
|
|
oif lo accept comment "Accept loopback"
|
|
|
|
# Accept established/related connections (return traffic)
|
|
ct state established,related accept comment "Accept established/related"
|
|
|
|
# Accept DHCP client requests (broadcast to find DHCP server)
|
|
udp dport 67 accept comment "Allow DHCP client requests"
|
|
|
|
# Accept WireGuard UDP (any endpoint - dynamic config determines actual peer)
|
|
# Once WireGuard is configured, firewall-setup.sh locks to specific endpoint
|
|
udp dport 51820 accept comment "Allow WireGuard VPN"
|
|
|
|
# Accept DNS over WireGuard tunnel interface
|
|
oifname "wg*" accept comment "Accept all traffic via VPN tunnel"
|
|
|
|
# Accept ICMP
|
|
icmp type echo-request accept comment "Allow ping"
|
|
icmp type destination-unreachable accept comment "Allow dest unreachable"
|
|
|
|
# Drop invalid
|
|
ct state invalid drop comment "Drop invalid packets"
|
|
}
|
|
}
|
|
EOF
|
|
|
|
systemctl enable nftables
|
|
|
|
echo "Firewall setup hook completed."
|