Alan Orth
d7c34a30a3
This configures the recommended DROP, EDROP, and DROPv6 lists from Spamhaus as ipsets in firewalld. First we copy an empty placeholder ipset to seed firewalld, then we use a shell script to download the real lists and activate them. The same shell script is run daily as a service (update-spamhaus-lists.service) by a systemd timer. I am strictly avoiding any direct ipset commands here because I want to make sure that this works on older hosts where ipset is used as well as newer hosts that have moved to nftables such as Ubuntu 20.04. So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but eventually I need to abstract the tasks and run them on CentOS 7+ as well. See: https://www.spamhaus.org/drop/
[Unit]
|
|
Description=Update Spamhaus lists
|
|
# This service will fail if firewalld is not running so we use Requires to make
|
|
# sure that firewalld is started.
|
|
Requires=firewalld.service
|
|
# Make sure the network is up and firewalld is started
|
|
After=network-online.target firewalld.service
|
|
Wants=network-online.target update-spamhaus-lists.timer
|
|
|
|
[Service]
|
|
# https://www.ctrl.blog/entry/systemd-service-hardening.html
|
|
# Doesn't need access to /home or /root
|
|
ProtectHome=true
|
|
# Possibly only works on Ubuntu 18.04+
|
|
ProtectKernelTunables=true
|
|
ProtectSystem=full
|
|
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
|
|
ReadWriteDirectories=/etc/firewalld/ipsets
|
|
PrivateTmp=true
|
|
WorkingDirectory=/var/tmp
|
|
|
|
SyslogIdentifier=update-spamhaus-lists
|
|
ExecStart=/usr/bin/flock -x update-spamhaus-lists.lck \
|
|
/usr/local/bin/update-spamhaus-lists.sh
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
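Review bot: The flock in `ExecStart=` locks a file that lives inside the unit's private tmp namespace: `update-spamhaus-lists.lck` is resolved relative to `WorkingDirectory=/var/tmp`, and `PrivateTmp=true` mounts a private /tmp and /var/tmp for each invocation, so the lock is visible only to this one service instance and does nothing against a concurrent run of `/usr/local/bin/update-spamhaus-lists.sh` started by hand from a shell. systemd already refuses to start a second instance of the same service, so the only case the lock could guard is exactly the one it cannot see. Moving it to a shared, always-writable location that `ProtectSystem=full` leaves alone would make the serialization real: `ExecStart=/usr/bin/flock -x /run/lock/update-spamhaus-lists.lck \` followed by `/usr/local/bin/update-spamhaus-lists.sh` unchanged, and the script itself (not visible here) should take the same lock path when run interactively. Separately, for a root-run network fetcher that only needs to write /etc/firewalld/ipsets, `NoNewPrivileges=true` and `PrivateDevices=true` are supported on every systemd version the commit message says was tested and would fit next to the existing `Protect*` settings; whether the script tolerates them depends on what it executes, which is not in this diff.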