diff --git a/README.md b/README.md index ed0b614..c43c801 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Update a firewall rule that relies on dynamic DNS names -## What +# What * This script assumes exclusive ownership of the `firewalld` direct rules file `/etc/firewalld/direct.xml` or whereever configured @@ -18,8 +18,16 @@ Update a firewall rule that relies on dynamic DNS names * added in order * related, established? needed? * section names as comments? +* Comment max 256 chars -## Config structure +# Prep + +Python dependencies aside make sure that your OS has headers and static libraries for D-Bus GLib bindings installed as well as generic D-Bus development files. On a Rocky Linux 8 installation for example these come via: +``` +dnf -y install dbus-glib-devel dbus-devel +``` + +# Config structure Package configuration happens via a `config.ini` file that follows INI-style syntax. Copy [examples/config.ini.example](examples/config.ini.example) to `config.ini` to get started: @@ -76,15 +84,13 @@ do_ipv6 = true ``` -### Layout +# Layout A config file can have an optional `[DEFAULT]` section and must have at least one `[section]` other than `[DEFAULT]`. Any `[DEFAULT]` option that's undefined retains its default value. Feel free to delete the entire `[DEFAULT]` section from your file. A setting changed in `[DEFAULT]` section affects all sections. A setting changed only in a custom `[section]` overwrites it for only the section. Custom sections such as `[maybe-a-webserver]` in above example file are treated as organizational helper constructs. You can but don't have to group IP address rules by sections. Technically nothing's stopping you from adding all IP allow list entries into a single section. -### Example explanation - -With `config_check_after_change` +# Example explanation Setting `restart_firewalld_after_change` controls if you want the `firewalld` systemd unit to be restarted 
@@ -102,9 +108,9 @@ do_ipv6 = true ``` If a packet has traversed rules this far without being accepted it will be dropped. Note that if any of your custom `[sections]` use `do_ipv6 = true` your final `DROP` rule should do the same. Otherwise you'll just get `DROP` rule in `iptables` but not in `ip6tables`. -## Options +# Options -### Globals +## Globals In `[DEFAULT]` section the following settings are called globals. They're only valid in `[DEFAULT]` context. Adding them to a custom `[section]` (see [Locals](#locals) below) won't do anything, in a custom `[section]` the following settings are ignored. @@ -112,7 +118,7 @@ In `[DEFAULT]` section the following settings are called globals. They're only v * `restart_firewalld_after_change`, __*optional*__, defaults to `true`: After putting a new `/etc/firewalld/direct.xml` file in place restart the `firewalld` systemd service unit. -### Locals +## Locals A custom `[section]` has the following options. We're calling them locals most of which are optional.
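Review bot: In the `@@ -18,8 +18,16 @@` hunk, the added bullet `* Comment max 256 chars` does not say which comment it limits or what the script does when the limit is exceeded (truncate, reject the section, or pass it through). State the behaviour, or phrase it as an open question like the neighbouring bullets (`related, established? needed?`). In the new `# Prep` paragraph of the same hunk, add a comma after "Python dependencies aside", and consider naming the Python package that needs the D-Bus GLib headers so readers on other distributions can find the equivalent of `dbus-glib-devel dbus-devel`.
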
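Review bot: In the `@@ -76,15 +84,13 @@` hunk, promoting `### Layout` and `### Example explanation` to `#` puts them at the same level as `# Config structure`, although both describe the config file, while the later hunks keep `## Globals` and `## Locals` nested under `# Options`. Suggest `## Layout` and `## Example explanation` so the hierarchy is consistent across the README. The removed fragment "With `config_check_after_change`" is also the only mention of that setting in the visible lines. If the option exists, replace the fragment with a full sentence describing it, next to the `restart_firewalld_after_change` paragraph, instead of dropping it.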