Alan Orth
5b1530fa91
Use firehol instead of all the others. AbuseIPDB.com can't be updated automatically, Abuse.ch is no longer maintained, and Spamhaus is already in firehol.
[Unit]
Description=Update FireHOL lists
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target
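Review bot: The lock file in `ExecStart` is a relative path, so it resolves under `WorkingDirectory=/var/tmp`, and with `PrivateTmp=true` that directory is a per-invocation private mount; the flock therefore only serialises processes inside this one unit run, and a run of the script started outside systemd would presumably not see the lock at all — an absolute path under `/run` (or a `RuntimeDirectory=`) would make the intent explicit. The `[Service]` section also sets no `Type=`, so the unit is the implicit `simple`; for an update job that runs to completion, `Type=oneshot` is the better fit, since the unit then counts as started only after the script has finished, which is what a timer-triggered run and anything ordered `After=` it expect. Given the hardening comment already in the section, `NoNewPrivileges=true` is a low-risk addition for a root-run updater that, per its description, fetches remote list data and writes rules into `/etc/nftables`.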