git.donarmstrong.com Git - dsa-puppet.git/commitdiff
ferm: save a checksum of just applied rules
author Martin Zobel-Helas <zobel@debian.org>
Mon, 20 May 2013 12:18:20 +0000 (14:18 +0200)
committer Martin Zobel-Helas <zobel@debian.org>
Mon, 20 May 2013 12:21:31 +0000 (14:21 +0200)
The idea behind this is to have a nagios check to compare the sha256sum
of its output with this file. If they differ, someone changed the local
firewall rules without using ferm. This should result in a nagios
warning.
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
modules/ferm/files/ferm.conf

index 5b38e34c31723e0379157a63e1dad0a9e8e390e6..c2eda8a73b0ad494a4a1763e41c4ef9bb7712f44 100644
@@ -63,4 +63,6 @@ domain (ip ip6) {
                 jump log_or_drop;
         }
 }
+
+@hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum"
 # vim:set et:
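Review bot: the post hook only checksums `iptables-save`, but the enclosing block is `domain (ip ip6)`, so the IPv6 ruleset that ferm also manages is left out of the checksum and a manual change made with `ip6tables` would not be caught by the nagios check this commit message describes. Suggest feeding both tables through the same normalisation, e.g. `{ iptables-save; ip6tables-save; } | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum`, and having the check build its comparison value the same way. Two things worth documenting in the commit message or next to the hook: the `sed` expressions exist to drop the per-chain `[packets:bytes]` counters and the `# Generated by`/`# Completed on` timestamp comments so the digest stays stable between identical rulesets, and `umask 0177` makes the checksum file mode 0600, so the nagios check must run as root (or via sudo) to read it.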