In this part we will cover the topics listed below:
I use git to keep track of changes to the firewall script.
First of all, you need a git repository server. Ideally this should not be the same host as the firewall, for obvious reasons: the history should survive even if the firewall host is lost or compromised.
In this case I will create the repo on the LAN PC.
user@lan01:~ $ sudo apt install git
user@lan01:~ $ sudo useradd -m -s /bin/bash git
user@lan01:~ $ sudo passwd git
user@lan01:~ $ sudo su - git
As user 'git', create an empty repository in the home directory
git@lan01:~ $ mkdir repos
git@lan01:~ $ cd repos
git@lan01:~ $ git init --bare firewall.git
You should now have this structure in the new repo:
git@lan01:~ $ ll repos/firewall.git
total 40
drwxrwxr-x 7 git git 4096 Mai 12 10:15 ./
drwxrwxr-x 3 git git 4096 Mai 12 10:15 ../
drwxrwxr-x 2 git git 4096 Mai 12 10:15 branches/
-rw-rw-r-- 1 git git   66 Mai 12 10:15 config
-rw-rw-r-- 1 git git   73 Mai 12 10:15 description
-rw-rw-r-- 1 git git   23 Mai 12 10:15 HEAD
drwxrwxr-x 2 git git 4096 Mai 12 10:15 hooks/
drwxrwxr-x 2 git git 4096 Mai 12 10:15 info/
drwxrwxr-x 4 git git 4096 Mai 12 10:15 objects/
drwxrwxr-x 4 git git 4096 Mai 12 10:15 refs/
user@fw01:~ $ sudo apt install git
Change to the directory where you stored the scripts, in my case /home/user/scripts/firewall:
user@fw01:~ $ cd scripts/firewall
user@fw01:~/scripts/firewall $ ls -la
total 16
drwxrwxr-x 2 user user 4096 Mai 12 10:31 .
drwxrwxr-x 3 user user 4096 Mai 12 10:30 ..
-rwxr-xr-x 1 user user 2488 Mai 12 10:31 firewall.sh
-rwxr-xr-x 1 user user  394 Mai 12 10:31 fwstop.sh
To initialize the current directory as a git repo you simply need this command:
user@fw01:~/scripts/firewall $ git init
Initialized empty Git repository in /home/striep/scripts/firewall/.git/
user@fw01:~/scripts/firewall $ ls -la
total 20
drwxrwxr-x 3 striep striep 4096 Mai 13 10:11 .
drwxrwxr-x 3 striep striep 4096 Mai 12 10:30 ..
-rwxr-xr-x 1 striep striep 2488 Mai 12 10:31 firewall.sh
-rwxr-xr-x 1 striep striep  394 Mai 12 10:31 fwstop.sh
drwxrwxr-x 7 striep striep 4096 Mai 13 10:11 .git
There should be a new directory called .git.
Now we should set an email address and username for git, to avoid getting messages when committing changes:
user@fw01:~/scripts/firewall $ git config --global user.name "John Doe"
user@fw01:~/scripts/firewall $ git config --global user.email john.doe@example.com
To check that the changes are stored, simply list the config:
user@fw01:~/scripts/firewall $ git config -l
user.name=John Doe
user.email=john.doe@example.com
...
user@fw01:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:vZwPgSsVlG0n4VE686fCMBFVBPpzizOjUy+3N6H1JYM user@fw01
The key's randomart image is:
+---[RSA 3072]----+
|      o+=*+      |
|     ..++o.      |
|      +.=o       |
|       * +       |
|      S = o..    |
|     . *.BE+= .  |
|      . ..%.oo =.|
|       ....B+ o .|
|        .. ooo . |
+----[SHA256]-----+
As this is just a test installation for demonstration, I didn't set a passphrase for the key. This is not recommended: you should always set a passphrase!
user@fw01:~$ ssh-copy-id git@lan01
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"
The authenticity of host 'lan01 (192.168.38.2)' can't be established.
ED25519 key fingerprint is SHA256:oJRs3yYRlawZqkHCFv0b2qbV+zGv/ygtczRMsj7USYg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
git@lan01's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'git@lan01'"
and check to make sure that only the key(s) you wanted were added.
Now test connectivity as recommended:
user@fw01:~$ ssh 'git@lan01'
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-27-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

14 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Last login: Thu May 12 10:28:03 2022 from 127.0.0.1
Everything looks ok so far.
First we need to check which files are already tracked, so we invoke this command:
user@fw01:~/scripts/firewall$ git status
On branch master

No commits yet

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	firewall.sh
	fwstop.sh

nothing added to commit but untracked files present (use "git add" to track)
We see two untracked files. We need to add them so they are tracked; the simplest way is to add the whole current directory:
user@fw01:~/scripts/firewall$ git add .
user@fw01:~/scripts/firewall$ git status
On branch master

No commits yet

Changes to be committed:
  (use "git rm --cached <file>..." to unstage)
	new file:   firewall.sh
	new file:   fwstop.sh

The files are tracked now.
To get the changes transferred to the repository, we first need to commit them:
user@fw01:~/scripts/firewall$ git commit -a -m "Initial commit"
[master (root-commit) 90775f0] Initial commit
 2 files changed, 78 insertions(+)
 create mode 100755 firewall.sh
 create mode 100755 fwstop.sh
Tell git where the remote repository is, so changes can be pushed to it:
user@fw01:~/scripts/firewall$ git remote add master ssh://git@localhost:/home/git/repos/firewall
Check that the command was successful:
user@fw01:~/scripts/firewall$ git remote -v
master	ssh://git@localhost:/home/git/repos/firewall (fetch)
master	ssh://git@localhost:/home/git/repos/firewall (push)
user@fw01:~/scripts/firewall $ git push master
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 1.17 KiB | 400.00 KiB/s, done.
Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
To ssh://lan01:/home/git/repos/firewall
 * [new branch]      master -> master
user@fw01:~/scripts/firewall $ git log
commit 90775f09fdce37417cb090c21c48e0bb6df8d107 (HEAD -> master, master/master)
Author: John Doe <john.doe@example.com>
Date:   Fri May 13 11:22:57 2022 +0200

    Initial commit
To automatically commit and push a revision, I created a small script that creates a revision label, commits the changes and pushes them to the remote repo.
#!/usr/bin/bash
# Revision label: date and time, e.g. 2022-05-13-11:55
NOW=$(date '+%F-%R')
echo "Adding untracked files"
git add .
echo "Commit new revision"
# Quote the message so the label is passed as a single argument
git commit -a -m "Revision: ${NOW}"
echo "Push new revision to git repo"
git push master
Save the script in the same folder and give it execution permissions:
user@fw01:~/scripts/firewall $ chmod +x push-rev.sh
Now test the script:
user@fw01:~/scripts/firewall $ ./push-rev.sh
Adding untracked files
Commit new revision
[master 9bfb401] Revision: 2022-05-13-11:55
 1 file changed, 12 insertions(+)
 create mode 100755 push-rev.sh
Push new revision to git repo
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 466 bytes | 466.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
To ssh://lan01:/home/git/repos/firewall
   90775f0..9bfb401  master -> master
If you now have a look at the git log, you will see the new commit with the revision label:
user@fw01:~/scripts/firewall $ git log
commit 9bfb4018b54d6e8005b3adc0cbb89c28f170f092 (HEAD -> master, master/master)
Author: John Doe <john.doe@example.com>
Date:   Fri May 13 11:55:26 2022 +0200

    Revision: 2022-05-13-11:55

commit 90775f09fdce37417cb090c21c48e0bb6df8d107
Author: John Doe <john.doe@example.com>
Date:   Fri May 13 11:22:57 2022 +0200

    Initial commit
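The push-rev.sh above records whatever is in the directory, including a firewall script that no longer parses, and it tries to push even when the commit failed. As an added example (my own code, not the script from the original post), here is a variant with two extra checks: every *.sh file in the directory must pass a bash parse-only check before anything is committed, and nothing is committed or pushed when there are no changes. It assumes the scripts live in the current directory and that the remote is named "master" as on this page; the file name push-rev-checked.sh and the function names are my own.

```shell
#!/usr/bin/bash
# push-rev-checked.sh: commit and push the firewall scripts only after a
# syntax check passes. Added example, not the original push-rev.sh.
# Assumptions (not from the original page): the scripts live in the current
# directory, the remote is called "master" as on the page, and bash is
# available for the `bash -n` parse-only check.

# Revision label in the same format the page uses: e.g. 2022-05-13-11:55
revision_label() {
    date '+%F-%R'
}

# Return 0 if every *.sh file in the given directory passes `bash -n`
# (parse without executing), 1 otherwise. A firewall script with a syntax
# error would abort half-way when run, so refuse to record such a revision.
syntax_check() {
    dir=${1:-.}
    rc=0
    for f in "$dir"/*.sh; do
        [ -e "$f" ] || continue
        if ! bash -n "$f" 2>/dev/null; then
            echo "syntax error in $f, not committing" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the working tree has staged, unstaged or untracked changes.
has_changes() {
    [ -n "$(git status --porcelain)" ]
}

# Stage everything, commit with a revision label and push, stopping at the
# first step that fails so a broken commit is never pushed.
push_revision() {
    syntax_check . || return 1
    git add .
    if ! has_changes; then
        echo "Nothing to commit"
        return 0
    fi
    git commit -m "Revision: $(revision_label)" || return 1
    git push master
}

# Run the workflow only when this file is executed as push-rev-checked.sh,
# so the functions can also be sourced and tested on their own.
case "$0" in
    */push-rev-checked.sh|push-rev-checked.sh) push_revision ;;
esac
```

Save it next to firewall.sh, make it executable with chmod +x as for push-rev.sh, and run ./push-rev-checked.sh; a typo that breaks firewall.sh now stops the commit with a message instead of ending up in the repository.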