IS_MINIFW: better detection of minifirewall status

linux/CHANGELOG

@@ -4,8 +4,9 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 ## [Unreleased]
 
 ### Added
-* IS_OLDPUB: pub.evolix.net has been supersed by pub.evolix.org since Stretch
 
+* IS_MINIFW: better detection of minifirewall status
+* IS_OLDPUB: pub.evolix.net has been supersed by pub.evolix.org since Stretch
 ### Changed
 
 ### Deprecated
@@ -13,6 +14,7 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 ### Removed
 
 ### Fixed
+
 * IS_BINDCHROOT: fix /etc/default path for Debian >= 11 (renamed from bind9 to named)
 
 ### Security

linux/evocheck.sh

@@ -281,8 +281,17 @@ check_alert5minifw() {
     fi
 }
 check_minifw() {
-    /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*(all|0)\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
-        || failed "IS_MINIFW" "minifirewall seems not started"
+    {
+        if [ -f /etc/systemd/system/minifirewall.service ]; then
+            systemctl is-active minifirewall > /dev/null 2>&1
+        else
+            if test -x /usr/share/scripts/minifirewall_status; then
+                /usr/share/scripts/minifirewall_status > /dev/null 2>&1
+            else
+                /sbin/iptables -L -n 2> /dev/null | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+            fi
+        fi
+    } || failed "IS_MINIFW" "minifirewall seems not started"
 }
 check_minifw_includes() {
     if is_debian_bullseye; then