Packaging ufw

Packaging ufw

[swedebugia]

Hi

I like this firewall, has anybody started packaging it?

If not I'm going to try.

-- 
Cheers
Swedebugia

Re: Packaging ufw

[swedebugia]

On 2018-11-10 17:01, swedebugia wrote:
> Hi
>
> I like this firewall, has anybody started packaging it?
>
> If not I'm going to try.
>
Where should it be? In networking.scm or python.scm?

We have no other firewall packages judging from my emacs-guix regex search.

-- 
Cheers
Swedebugia

Re: Packaging ufw

[Brett Gilio]

swedebugia writes:

> On 2018-11-10 17:01, swedebugia wrote:
>> Hi
>>
>> I like this firewall, has anybody started packaging it?
>>
>> If not I'm going to try.
>>
> Where should it be? In networking.scm or python.scm?
>
> We have no other firewall packages judging from my emacs-guix regex search.

Since it is not a python library, I think it would make more sense for
it to be located in the networking module.

Re: Packaging ufw

[swedebugia]

[-- Attachment #1: Type: text/plain, Size: 1371 bytes --]

Hi

On 2018-11-10 19:24, Brett Gilio wrote:
> swedebugia writes:
>
>> On 2018-11-10 17:01, swedebugia wrote:
>>> Hi
>>>
>>> I like this firewall, has anybody started packaging it?
>>>
>>> If not I'm going to try.
>>>
>> Where should it be? In networking.scm or python.scm?
>>
>> We have no other firewall packages judging from my emacs-guix regex search.
> Since it is not a python library, I think it would make more sense for
> it to be located in the networking module.

Ok.

I need help.

It fails with

starting phase `install'
running "python setup.py" with command "install" and parameters 
("--prefix=/gnu/store/v8kzgqs1jdfg7wzqr9c02719ada6x8bm-ufw-0.35" 
"--single-version-externally-managed" "--root=/" "--root=/")
Found 
'/gnu/store/8assqq8vmmvn09cysg5nm3kf2075hvxd-iptables-1.6.2/sbin/iptables' 
version '1.6.2\n''
usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
    or: -c --help [cmd1 cmd2 ...]
    or: -c --help-commands
    or: -c cmd --help

error: option --single-version-externally-managed not recognized

This option comes from the python-build-system.

Replacing the install phase seems necessary. But I don't know how to do 
that and did not find good examples in python.scm.

Logs and patch attached...

(also the tests fail see comment in the patch)

-- 
Cheers
Swedebugia


[-- Attachment #2: 46z1sp5bnh0j8dli9g2ppinkss6km9-ufw-0.35.drv.bz2 --]
[-- Type: application/x-bzip, Size: 5338 bytes --]

[-- Attachment #3: 0001-gnu-Add-ufw.patch --]
[-- Type: text/x-patch, Size: 2592 bytes --]

From fda52be7de905c3f73f301ac1b218fdd026deece Mon Sep 17 00:00:00 2001
From: swedebugia <swedebugia@riseup.net>
Date: Sat, 10 Nov 2018 21:39:04 +0100
Subject: [PATCH] gnu: Add ufw

* gnu/packages/networking.scm: New variable.
---
 gnu/packages/networking.scm | 43 +++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 5504742fa..b630676db 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2262,3 +2262,46 @@ allow all other machines, without direct access to that network, to be relayed
 through the machine the Dante server is running on.  The external network will
 never see any machines other than the one Dante is running on.")
     (license (license:non-copyleft "file://LICENSE"))))
+
+(define-public ufw
+  ;; Select the branch named "release/0.35":
+  (let* ((commit "fd93d37a782d4f736201df508fb86e72641874d8"))
+    (package
+    (name "ufw")
+    (version "0.35")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://git.launchpad.net/ufw")
+                    (commit commit)))
+              (sha256
+               (base32
+                "10r2ga1w5vmg8m4z5yim01cd0g8cs6ws2h65vaj6ilg8yp8d90f9"))
+              (file-name (git-file-name name version))))
+    (build-system python-build-system)
+    (inputs `(("iptables" ,iptables)))
+    (arguments
+     ;; FIXME: All tests fail with: ModuleNotFoundError: No module named
+     ;; 'ufw'
+     '(#:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'fix-iptables-path
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "setup.py"
+               (("iptables_exe = ''")
+                (string-append "iptables_exe = '"
+                               (assoc-ref inputs "iptables")
+                               "/sbin/iptables'")))
+             (substitute* "setup.py"
+               (("iptables_dir = ''")
+                (string-append "iptables_dir = '"
+                               (assoc-ref inputs "iptables")
+                               "/sbin/'"))))))))
+    (home-page "https://launchpad.net/ufw")
+    (synopsis "Uncomplicated firewall")
+    (description "Uncomplicated Firewall (UFW) is a program for managing a
+netfilter firewall designed to be easy to use.  It uses a command-line
+interface consisting of a small number of simple commands, and uses iptables
+for configuration.")
+    (license license:gpl3))))
-- 
2.18.0

Re: Packaging ufw

[Danny Milosavljevic]

[-- Attachment #1: Type: text/plain, Size: 2269 bytes --]

Hi,

On Sat, 10 Nov 2018 21:42:38 +0100
swedebugia <swedebugia@riseup.net> wrote:

> I need help.
> 
> It fails with
> 
> starting phase `install'
> running "python setup.py" with command "install" and parameters 
> ("--prefix=/gnu/store/v8kzgqs1jdfg7wzqr9c02719ada6x8bm-ufw-0.35" 
> "--single-version-externally-managed" "--root=/" "--root=/")
> Found 
> '/gnu/store/8assqq8vmmvn09cysg5nm3kf2075hvxd-iptables-1.6.2/sbin/iptables' 
> version '1.6.2\n''
> usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
>     or: -c --help [cmd1 cmd2 ...]
>     or: -c --help-commands
>     or: -c cmd --help
> 
> error: option --single-version-externally-managed not recognized
> 
> This option comes from the python-build-system.

Yes, and it elaborates (in guix/guix/build/python-build-system.scm):

>;; Pip behaves a bit different then easy_install: it always executes
>;; "setup.py" with the option "--single-version-externally-managed" set.  This
>;; makes setuptools' "install" command run the original "install" command
>;; instead of the "easy_install" command, so no .pth file (and no site.py)
>;; will be created.  The "site-packages" directory only contains the package
>;; and the related .egg-info directory.
>;;
>;; This is exactly what we need for Guix and this is what we mimic in the
>;; install phase below.

>(define* (install #:key outputs (configure-flags '()) use-setuptools?
>                  #:allow-other-keys)
>  "Install a given Python package."
>  (let* ((out (assoc-ref outputs "out"))
>         (params (append (list (string-append "--prefix=" out))
>                         (if use-setuptools?

                              ^---- Aha!

>                             ;; distutils does not accept these flags
>
>                             (list "--single-version-externally-managed"
>                                    "--root=/")
>                             '())
>                         configure-flags)))
>    (call-setuppy "install" params use-setuptools?)
>    #t))

Try specifying

(arguments
 `(#:use-setuptools? #f))

in the package.

But if ufw doesn't use "--single-version-externally-managed", that implies
that ufw is not available on PyPI.  Weird.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: Packaging ufw

[Pierre Neidhardt]

[-- Attachment #1: Type: text/plain, Size: 113 bytes --]

Well, we have iptables, but ufw would probably not fit there :p

-- 
Pierre Neidhardt
https://ambrevar.xyz/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: Packaging ufw

[Jeremiah]

> I like this firewall, has anybody started packaging it?
No, possibly because it doesn't add much when one has iptables and a
guix configuration script for it.

> We have no other firewall packages judging from my emacs-guix regex
> search.
We have iptables and ebtables
and I suggest you consider the following iptables/ip6tables rules:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

You could easily lock it down further but one piece of software needed
on servers missing on guix is port knocking software.

-Jeremiah