From 610f6c5312a2654b94eaae2138808487bb6f0195 Mon Sep 17 00:00:00 2001 From: Martin Zobel-Helas Date: Mon, 20 May 2013 14:18:20 +0200 Subject: [PATCH] ferm: save a checksum of just applied rules The idea behind this is to have a nagios check to compare the sha256sum of it's output with this file. If they differ, someone changed the local firewall rules without using ferm. This should result in a nagios warning. Signed-off-by: Martin Zobel-Helas --- modules/ferm/files/ferm.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf index 5b38e34c..c2eda8a7 100644 --- a/modules/ferm/files/ferm.conf +++ b/modules/ferm/files/ferm.conf @@ -63,4 +63,6 @@ domain (ip ip6) { jump log_or_drop; } } + +@hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum" # vim:set et: -- 2.39.2
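Review bot: The new `@hook post` line only hashes `iptables-save` output, but the surrounding config is `domain (ip ip6)`, so rules changed through ip6tables without ferm would not alter the checksum and the nagios check described in the commit message would stay green; consider hashing both tables in one stream, e.g. `@hook post "umask 0177; { iptables-save; ip6tables-save; } | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum"`. Two smaller points on the same line: the sed filter (which strips the `[pkts:bytes]` counters and the timestamped `# Generated by`/`# Completed on` comment lines) must be applied byte-for-byte identically on the nagios side or every comparison will differ, so it is worth moving the pipeline into a small shared script rather than duplicating it in ferm.conf and the check; and because the shell pipeline has no `pipefail`, a failing `iptables-save` still writes a valid-looking checksum of empty input, so the check should treat a mismatch against an empty or missing file as an error rather than silently assuming tampering.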