Firewalld lockdown mode

Signed-off-by: Tommy <contact@tommytran.io>
2024-09-16 12:44:42 -04:00 · 2023-12-12 07:40:17 -07:00 · 2023-12-12 07:40:17 -07:00 · 1a4336a20f
commit 1a4336a20f
parent fdb0e8aac1
6 changed files with 46 additions and 1 deletions
--- a/Docker-Compose.ign
+++ b/Docker-Compose.ign
@ -201,6 +201,11 @@
        "enabled": true,
        "name": "postinst.service"
      },
+      {
+        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
+        "enabled": true,
+        "name": "postinst2.service"
+      },
      {
        "contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@ -66,6 +66,23 @@ systemd:
        ExecStart=/usr/bin/touch /var/lib/%N.stamp
        ExecStart=/usr/bin/systemctl --no-block reboot

+        [Install]
+        WantedBy=multi-user.target
+    - name: postinst2.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=Initial System Setup Part 2
+        # We run this after the packages have been overlayed
+        After=network-online.target
+        ConditionPathExists=!/var/lib/%N.stamp
+        ConditionPathExists=/var/lib/postinst.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=/usr/bin/firewall-cmd --lockdown-on
+
        [Install]
        WantedBy=multi-user.target
    - name: setsebool.service
--- a/Generic.ign
+++ b/Generic.ign
@ -195,7 +195,7 @@
        "name": "postinst.service"
      },
      {
-        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
+        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
        "name": "postinst2.service"
      },
--- a/Generic.yml
+++ b/Generic.yml
@ -81,6 +81,7 @@ systemd:
        [Service]
        Type=oneshot
        RemainAfterExit=yes
+        ExecStart=/usr/bin/firewall-cmd --lockdown-on
        ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 15 0 * * 0"
        ExecStart=/bin/touch /var/lib/%N.stamp

--- a/UTM.ign
+++ b/UTM.ign
@ -180,6 +180,11 @@
        "enabled": true,
        "name": "postinst.service"
      },
+      {
+        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
+        "enabled": true,
+        "name": "postinst2.service"
+      },
      {
        "contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
--- a/UTM.yml
+++ b/UTM.yml
@ -67,6 +67,23 @@ systemd:
        ExecStart=/usr/bin/touch /var/lib/%N.stamp
        ExecStart=/usr/bin/systemctl --no-block reboot

+        [Install]
+        WantedBy=multi-user.target
+    - name: postinst2.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=Initial System Setup Part 2
+        # We run this after the packages have been overlayed
+        After=network-online.target
+        ConditionPathExists=!/var/lib/%N.stamp
+        ConditionPathExists=/var/lib/postinst.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=/usr/bin/firewall-cmd --lockdown-on
+
        [Install]
        WantedBy=multi-user.target
    - name: setsebool.service