RELATED is not needed and could be a security problem : https://gist.github.com/azlux/6a70bd38bb7c525ab26efe7e3a7ea8ac

These commands will run a background safety check to stop the firewall if a safety lock is removed in 30 seconds.
This will reduce the risk to get locked out because of a bad configuration.

CHANGELOG.md

@@ -0,0 +1,76 @@
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project **does not adhere to [Semantic Versioning](http://semver.org/spec/v2.0.0.html)**.
+
+## [Unreleased]
+
+### Added
+
+* safe-start and safe-restart
+* Chain MINIFW-DOCKER-INPUT-MANUAL for more granular/manual filtering of incoming traffic to services inside docker
+
+### Changed
+
+### Deprecated
+
+### Removed
+
+### Fixed
+
+* fix interactive mode detection
+
+### Security
+
+## [23.07] - 2023-07-04
+
+### Added
+
+* new "check-active-config" command to check if the active configuration is th e same as the one persisted to disk
+
+### Changed
+
+* capture cmp(1) error output
+* early error if script is not run as root
+* extract "include_files" function
+* print help/usage with list of possible commands
+
+## [23.02] - 2023-02-01
+
+* Export status without colors (to keep clean diffs)
+
+## [22.06] - 2022-06-06
+
+### Changed
+
+* Configure sysctl values to IPv6 when applicable
+
+### Fixed
+
+* status output (number of # in headers)
+
+## [22.05] - 2022-05-10
+
+#### Fixed
+
+* status output (number of # in headers)
+
+## [22.04] - 2022-04-28
+
+### Added
+
+* markers for each section of status output
+* store and compare state between restart
+* colorize output if terminal supports colors
+* simple syslog logging
+* "version" action
+
+### Changed
+
+* use long options in some places
+* output is normalized
+* source legacy config after macros but before DROP policy
+* source configuration only for valid actions
+* improve legacy config parsing
+
+### Fixed
+
+* force remove temporary files

Vagrantfile

@@ -1,8 +1,6 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
 
-Vagrant::DEFAULT_SERVER_URL.replace('https://vagrantcloud.com')
-
 # Load ~/.VagrantFile if exist, permit local config provider
 vagrantfile = File.join("#{Dir.home}", '.VagrantFile')
 load File.expand_path(vagrantfile) if File.exists?(vagrantfile)
@@ -11,16 +9,26 @@ Vagrant.configure('2') do |config|
   config.vm.synced_folder "./", "/vagrant", type: "rsync", rsync__exclude: [ '.vagrant', '.git' ]
   config.ssh.shell="/bin/sh"
 
-  $install = <<SCRIPT
-DEBIAN_FRONTEND=noninteractive apt-get -yq install iptables
+  deps = <<SCRIPT
+  DEBIAN_FRONTEND=noninteractive apt-get -yq install iptables
+SCRIPT
+
+  install = <<SCRIPT
 ln -fs /vagrant/minifirewall /etc/init.d/minifirewall
 ln -fs /vagrant/minifirewall.conf /etc/default/minifirewall
+mkdir -p /etc/minifirewall.d
+SCRIPT
+
+  post = <<SCRIPT
+sed -i "s|^TRUSTEDIPS='|TRUSTEDIPS='192.168.121.0/24 |" /etc/default/minifirewall
 SCRIPT
 
   config.vm.define "minifirewall" do |node|
     node.vm.hostname = "minifirewall"
-    node.vm.box = "debian/stretch64"
-    config.vm.provision "install", type: "shell", :inline => $install
+    node.vm.box = "debian/bookworm64"
+    config.vm.provision "deps", type: "shell", inline: deps
+    config.vm.provision "install", type: "shell", inline: install
+    config.vm.provision "post", type: "shell", inline: post
   end
 
 end

minifirewall

@@ -1,10 +1,11 @@
 #!/bin/sh
+# shellcheck disable=SC2059
 
-# minifirewall is shellscripts for easy firewalling on a standalone server
-# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
+# minifirewall is a shell script for easy firewalling on a standalone server
+# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
 # See https://gitea.evolix.org/evolix/minifirewall
 
-# Copyright (c) 2007-2021 Evolix
+# Copyright (c) 2007-2023 Evolix
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 3
@@ -17,7 +18,7 @@
 #
 
 ### BEGIN INIT INFO
-# Provides:          minfirewall
+# Provides:          minifirewall
 # Required-Start:
 # Required-Stop:
 # Should-Start:      $network $syslog $named
@@ -28,13 +29,19 @@
 # Description:       Firewall designed for standalone server
 ### END INIT INFO
 
-VERSION="21.12"
+VERSION="23.07"
 
-DESC="minifirewall"
-NAME="minifirewall"
+PROGNAME="minifirewall"
+# shellcheck disable=SC2034
+DESC="Firewall designed for standalone server"
 
 set -u
 
+if [ "$(id -u)" -ne "0" ] ; then
+    echo "${PROGNAME} must be run as root." >&2
+    exit 1
+fi
+
 # Variables configuration
 #########################
 
@@ -96,6 +103,86 @@ BACKUPSERVERS=''
 
 LEGACY_CONFIG='off'
 
+STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
+STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
+STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
+STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
+
+ACTIVE_CONFIG='/var/run/minifirewall_active_config'
+ACTIVE_CONFIG_DIFF="${ACTIVE_CONFIG}.diff"
+
+SAFETY_LOCK='/var/run/minifirewall_safety.lock'
+SAFETY_OUTPUT='/var/run/minifirewall_safety.out'
+SAFETY_TIMER=30
+
+LOGGER_BIN=$(command -v logger)
+
+# No colors by default
+RED=''
+GREEN=''
+YELLOW=''
+BLUE=''
+MAGENTA=''
+CYAN=''
+WHITE=''
+BOLD=''
+RESET=''
+
+# check if stdout is a terminal...
+if [ -t 1 ]; then
+    INTERACTIVE=1
+
+    # see if it supports colors...
+    ncolors=$(tput colors)
+
+    # shellcheck disable=SC2086
+    if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
+        RED=$(tput setaf 1)
+        GREEN=$(tput setaf 2)
+        YELLOW=$(tput setaf 3)
+        BLUE=$(tput setaf 4)
+        MAGENTA=$(tput setaf 5)
+        CYAN=$(tput setaf 6)
+        WHITE=$(tput setaf 7)
+        BOLD=$(tput bold)
+        RESET='\e[m'
+    fi
+else
+    INTERACTIVE=0
+fi
+readonly INTERACTIVE
+
+## pseudo dry-run :
+## Uncomment and call these functions instead of the real iptables and ip6tables commands
+# IPT="fake_iptables"
+# IPT6="fake_ip6tables"
+# fake_iptables() {
+#     printf "DRY-RUN iptables %s\n" "$*"
+# }
+# fake_ip6tables() {
+#     printf "DRY-RUN ip6tables %s\n" "$*"
+# }
+## Beware that commands executed from included files are not modified by this trick.
+
+is_interactive() {
+    test "${INTERACTIVE}" = "1"
+}
+remove_colors() {
+    sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g'
+}
+syslog_info() {
+    if [ -x "${LOGGER_BIN}" ]; then
+        ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
+    fi
+}
+syslog_error() {
+    if [ -x "${LOGGER_BIN}" ]; then
+        ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
+    fi
+}
+sort_values() {
+    echo "$*" | tr ' ' '\n' | sort -h
+}
 is_ipv6_enabled() {
     test "${IPV6}" != "off"
 }
@@ -115,43 +202,48 @@ chain_exists() {
     chain_name="$1"
     if [ $# -ge 2 ]; then
         intable="--table $2"
+    else
+        intable=""
     fi
     # shellcheck disable=SC2086
     iptables ${intable} -nL "${chain_name}" >/dev/null 2>&1
 }
 source_file_or_error() {
     file=$1
-    echo "...sourcing '${file}\`"
+    syslog_info "sourcing \`${file}'"
+    printf "${BLUE}sourcing \`%s'${RESET}\n" "${file}"
 
     tmpfile=$(mktemp --tmpdir=/tmp minifirewall.XXX)
     . "${file}" 2>"${tmpfile}" >&2
 
     if [ -s "${tmpfile}" ]; then
-            echo "${file} returns standard or error output (see below). Stopping." >&2
+            syslog_error "Error while sourcing ${file}"
+            printf "${RED}%s returns standard or error output (see below). Stopping.${RESET}\n" ${file} >&2
             cat "${tmpfile}"
             exit 1
     fi
-    rm "${tmpfile}"
+    rm -f "${tmpfile}"
 }
 source_configuration() {
     if ! test -f ${config_file}; then
-        echo "${config_file} does not exist" >&2
+        printf "${RED}%s does not exist${RESET}\n" "${config_file}" >&2
 
         ## We still want to deal with this really old configuration file
         ## even if it has been deprecated since Debian 8
         old_config_file="/etc/firewall.rc"
         if test -f ${old_config_file}; then
-            echo "${old_config_file} is deprecated. Rename it to ${config_file}" >&2
+            printf "${YELLOW}%s is deprecated and ignored. Rename it to %s${RESET}\n" "${old_config_file}" "${config_file}" >&2
         fi
 
         exit 1
     fi
 
-    if grep -e "iptables" -e "ip6tables" "${config_file}" | grep -qvE "^#"; then
+    # If we find something other than a blank line, a comment or a variable assignment
+    if grep --quiet --extended-regexp --invert-match "^\s*(#|$|\w+=)" "${config_file}"; then
         # Backward compatible mode
         ###########################
 
-        echo "Legacy config detected"
+        printf "${YELLOW}legacy config detected${RESET}\n"
         LEGACY_CONFIG='on'
 
         # Non-backward compatible mode
@@ -173,77 +265,238 @@ source_configuration() {
         # and not interfere with the configuration step.
 
         tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX)
-        grep -E "^\s*[_a-zA-Z0-9]+=" "${config_file}" > "${tmp_config_file}"
+        # get only variable assignments
+        grep -E "^\s*\w+=" "${config_file}" > "${tmp_config_file}"
 
         source_file_or_error "${tmp_config_file}"
-        rm "${tmp_config_file}"
+        rm -f "${tmp_config_file}"
     else
         source_file_or_error "${config_file}"
     fi
 }
+include_files() {
+    if [ -d "${includes_dir}" ]; then
+        find ${includes_dir} -type f -readable -not -name '*.*' | sort -h
+    else
+        echo ""
+    fi
+}
 source_includes() {
     if [ -d "${includes_dir}" ]; then
-        include_files=$(find ${includes_dir} -type f -readable -not -name '*.*' | sort -h)
-        for include_file in ${include_files}; do
+        for include_file in $(include_files); do
             source_file_or_error "${include_file}"
         done
     fi
 }
+filter_config_file() {
+    # Remove lines with:
+    # * empty or only whitespaces
+    # * comments
+    grep --extended-regexp --invert-match -e "^(\s*#)" -e "^\s*$" "${1}"
+}
+save_active_configuration() {
+    dest_file=${1}
+    rm -f "${dest_file}"
+
+    echo "# ${config_file}" >> "${dest_file}"
+    filter_config_file "${config_file}" >> "${dest_file}"
+
+    found_include_files=$(include_files)
+    if [ -n "${found_include_files}" ]; then
+        for include_file in ${found_include_files}; do
+            echo "# ${include_file}" >> "${dest_file}"
+            filter_config_file "${include_file}" >> "${dest_file}"
+        done
+    fi
+}
+check_active_configuration() {
+    # NRPE-compatible return codes
+    # 0: OK
+    # 1: WARNING
+    # 2: CRITICAL
+    # 3: UNKNOWN 
+    rc=0
+
+    if [ -f "${ACTIVE_CONFIG}" ]; then
+        cmp_bin=$(command -v cmp)
+        diff_bin=$(command -v diff)
+
+        if [ -z "${cmp_bin}" ]; then
+            printf "${YELLOW}WARNING: Skipped active configuration check (Can't find cmp(1) command)${RESET}\n"
+            rc=1
+        elif [ -z "${diff_bin}" ]; then
+            printf "${YELLOW}WARNING: Skipped active configuration check (Can't find diff(1) command)${RESET}\n"
+            rc=1
+        else
+            rm -f "${ACTIVE_CONFIG_DIFF}"
+
+            tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX)
+            save_active_configuration "${tmp_config_file}"
+
+            cmp_result=$(cmp "${ACTIVE_CONFIG}" "${tmp_config_file}" 2>&1)
+            cmp_rc=$?
+
+            if [ ${cmp_rc} -eq 0 ]; then
+                # echo "   config has not changed since latest start"
+                printf "${GREEN}OK: Active configuration is up-to-date.${RESET}\n"
+                rc=0
+            elif [ ${cmp_rc} -eq 1 ]; then
+                diff -u "${ACTIVE_CONFIG}" "${tmp_config_file}" > "${ACTIVE_CONFIG_DIFF}"
+
+                printf "${RED}CRITICAL: Active configuration is not up-to-date (minifirewall not restarted after config change?), check %s${RESET}\n" "${ACTIVE_CONFIG_DIFF}"
+                rc=2
+            else
+                printf "${RED}CRITICAL: Error while comparing rules:${RESET}\n"
+                printf "${cmp_result}\n"
+                rc=2
+            fi
+
+            rm -f "${tmp_config_file}"
+        fi
+    else
+        printf "${YELLOW}WARNING: Skipped active configuration check (missing file ${ACTIVE_CONFIG})${RESET}\n"
+        rc=1
+    fi
+    exit ${rc}
+}
+check_unpersisted_state() {
+    cmp_bin=$(command -v cmp)
+    diff_bin=$(command -v diff)
+
+    if [ -z "${cmp_bin}" ]; then
+        printf "${YELLOW}skip state comparison (Can't find cmp command)${RESET}\n" >&2
+    elif [ -z "${diff_bin}" ]; then
+        printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2
+    else
+        # store current state (without colors)
+        mkdir -p "$(dirname "${STATE_FILE_CURRENT}")"
+        status_without_numbers | remove_colors > "${STATE_FILE_CURRENT}"
+
+        # clean previous diff file
+        rm -f "${STATE_FILE_DIFF}"
+
+        if [ -f "${STATE_FILE_LATEST}" ]; then
+            cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" 2>&1)
+            cmp_rc=$?
+
+            if [ ${cmp_rc} -eq 0 ]; then
+                # echo "   rules have not changed since latest start"
+                :
+            elif [ ${cmp_rc} -eq 1 ]; then
+                diff -u "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" > "${STATE_FILE_DIFF}"
+                printf "${YELLOW}WARNING: current state is different than persisted state, check %s${RESET}\n" "${STATE_FILE_DIFF}" >&2
+            else
+                printf "${RED}ERROR comparing rules:${RESET}\n" >&2
+                echo "${cmp_result}" >&2
+            fi
+        fi
+        # cleanup
+        rm -f "${STATE_FILE_CURRENT}"
+    fi
+}
+report_state_changes() {
+    cmp_bin=$(command -v cmp)
+    diff_bin=$(command -v diff)
+
+    if [ -z "${cmp_bin}" ]; then
+        printf "${YELLOW}skip state comparison (Can't find cmp command)${RESET}\n" >&2
+        return
+    elif [ -z "${diff_bin}" ]; then
+        printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2
+    else
+        # If there is a known state
+        # let's compare it with the current state
+        if [ -f "${STATE_FILE_LATEST}" ]; then
+            check_unpersisted_state
+        fi
+
+        # Then reset the known state (without colors)
+        mkdir -p "$(dirname "${STATE_FILE_LATEST}")"
+        status_without_numbers | remove_colors > "${STATE_FILE_LATEST}"
+
+        # But if there is a previous known state
+        # let's compare with the new known state
+        if [ -f "${STATE_FILE_PREVIOUS}" ]; then
+            cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}" 2>&1)
+            cmp_rc=$?
+
+            if [ ${cmp_rc} -eq 0 ]; then
+                # echo "Rules have not changed since previous start"
+                :
+            elif [ ${cmp_rc} -eq 1 ]; then
+                diff -u "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}" > "${STATE_FILE_DIFF}"
+                printf "${YELLOW}INFO: rules have changed since latest start, check %s${RESET}\n" "${STATE_FILE_DIFF}" >&2
+            else
+                printf "${RED}ERROR comparing rules:${RESET}\n" >&2
+                echo "${cmp_result}" >&2
+            fi
+        fi
+    fi
+}
 
 start() {
-    echo "Start IPTables rules..."
+    syslog_info "starting"
+    printf "${BOLD}${PROGNAME} starting${RESET}\n"
 
     # Stop and warn if error!
     set -e
-    trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
+    trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
 
     # sysctl network security settings
     ##################################
 
     # Set 1 to ignore broadcast pings (default)
-    : "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS:='1'}"
+    : "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS:=1}"
     # Set 1 to ignore bogus ICMP responses (default)
-    : "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES:='1'}"
+    : "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES:=1}"
     # Set 0 to disable source routing (default)
-    : "${SYSCTL_ACCEPT_SOURCE_ROUTE:='0'}"
+    : "${SYSCTL_ACCEPT_SOURCE_ROUTE:=0}"
     # Set 1 to enable TCP SYN cookies (default)
     # cf http://cr.yp.to/syncookies.html
-    : "${SYSCTL_TCP_SYNCOOKIES:='1'}"
+    : "${SYSCTL_TCP_SYNCOOKIES:=1}"
     # Set 0 to disable ICMP redirects (default)
-    : "${SYSCTL_ICMP_REDIRECTS:='0'}"
+    : "${SYSCTL_ICMP_REDIRECTS:=0}"
     # Set 1 to enable Reverse Path filtering (default)
     # Set 0 if VRRP is used
-    : "${SYSCTL_RP_FILTER:='1'}"
+    : "${SYSCTL_RP_FILTER:=1}"
     # Set 1 to log packets with inconsistent address (default)
-    : "${SYSCTL_LOG_MARTIANS:='1'}"
+    : "${SYSCTL_LOG_MARTIANS:=1}"
 
     if [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "1" ] || [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "0" ]; then
         echo "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+        # Apparently not applicable to IPv6
     else
-        echo "Invalid SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS value '${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}', must be '0' or '1'." >&2
+        printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS" "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" >&2
         exit 1
     fi
 
     if [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "1" ] || [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "0" ]; then
         echo "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+        # Apparently not applicable to IPv6
     else
-        echo "Invalid SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES value '${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}', must be '0' or '1'." >&2
+        printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES" "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" >&2
         exit 1
     fi
 
     if [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "1" ] || [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "0" ]; then
         for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
-            echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = > "${proc_sys_file}"
+            echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}"
         done
+        if is_ipv6_enabled; then
+            for proc_sys_file in /proc/sys/net/ipv6/conf/*/accept_source_route; do
+                echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}"
+            done
+        fi
     else
-        echo "Invalid SYSCTL_ACCEPT_SOURCE_ROUTE value '${SYSCTL_ACCEPT_SOURCE_ROUTE}', must be '0' or '1'." >&2
+        printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ACCEPT_SOURCE_ROUTE" "${SYSCTL_ACCEPT_SOURCE_ROUTE}" >&2
         exit 1
     fi
 
     if [ "${SYSCTL_TCP_SYNCOOKIES}" = "1" ] || [ "${SYSCTL_TCP_SYNCOOKIES}" = "0" ]; then
         echo "${SYSCTL_TCP_SYNCOOKIES}" > /proc/sys/net/ipv4/tcp_syncookies
+        # Apparently not applicable to IPv6
     else
-        echo "Invalid SYSCTL_TCP_SYNCOOKIES value '${SYSCTL_TCP_SYNCOOKIES}', must be '0' or '1'." >&2
+        printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_TCP_SYNCOOKIES" "${SYSCTL_TCP_SYNCOOKIES}" >&2
         exit 1
     fi
 
@@ -254,8 +507,13 @@ start() {
         for proc_sys_file in /proc/sys/net/ipv4/conf/*/send_redirects; do
             echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
         done
+        if is_ipv6_enabled; then
+            for proc_sys_file in /proc/sys/net/ipv6/conf/*/accept_redirects; do
+                echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
+            done
+        fi
     else
-        echo "Invalid SYSCTL_ICMP_REDIRECTS value '${SYSCTL_ICMP_REDIRECTS}', must be '0' or '1'." >&2
+        printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_REDIRECTS" "${SYSCTL_ICMP_REDIRECTS}" >&2
         exit 1
     fi
 
@@ -263,8 +521,9 @@ start() {
         for proc_sys_file in /proc/sys/net/ipv4/conf/*/rp_filter; do
             echo "${SYSCTL_RP_FILTER}" > "${proc_sys_file}"
         done
+        # Apparently not applicable to IPv6
     else
-        echo "Invalid SYSCTL_RP_FILTER value '${SYSCTL_RP_FILTER}', must be '0' or '1'." >&2
+        printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_RP_FILTER" "${SYSCTL_RP_FILTER}" >&2
         exit 1
     fi
 
@@ -272,8 +531,9 @@ start() {
         for proc_sys_file in /proc/sys/net/ipv4/conf/*/log_martians; do
             echo "${SYSCTL_LOG_MARTIANS}" > "${proc_sys_file}"
         done
+        # Apparently not applicable to IPv6
     else
-        echo "Invalid SYSCTL_LOG_MARTIANS value '${SYSCTL_LOG_MARTIANS}', must be '0' or '1'." >&2
+        printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_LOG_MARTIANS" "${SYSCTL_LOG_MARTIANS}" >&2
         exit 1
     fi
 
@@ -295,6 +555,40 @@ start() {
         ${IPT6} -A LOG_ACCEPT -j ACCEPT
     fi
 
+    if is_docker_enabled; then
+        ${IPT} -N MINIFW-DOCKER-INPUT-MANUAL
+    fi
+
+    # Source additional rules and commands
+    # * from legacy configuration file (/etc/default/minifirewall)
+    # * from configuration directory (/etc/minifirewall.d/*)
+    source_includes
+
+    # IP/ports lists are sorted to have consistent ordering
+    # You can disable this feature by simply commenting the following lines
+    LOOPBACK=$(sort_values ${LOOPBACK})
+    INTLAN=$(sort_values ${INTLAN})
+    TRUSTEDIPS=$(sort_values ${TRUSTEDIPS})
+    PRIVILEGIEDIPS=$(sort_values ${PRIVILEGIEDIPS})
+    SERVICESTCP1p=$(sort_values ${SERVICESTCP1p})
+    SERVICESUDP1p=$(sort_values ${SERVICESUDP1p})
+    SERVICESTCP1=$(sort_values ${SERVICESTCP1})
+    SERVICESUDP1=$(sort_values ${SERVICESUDP1})
+    SERVICESTCP2=$(sort_values ${SERVICESTCP2})
+    SERVICESUDP2=$(sort_values ${SERVICESUDP2})
+    SERVICESTCP3=$(sort_values ${SERVICESTCP3})
+    SERVICESUDP3=$(sort_values ${SERVICESUDP3})
+    DNSSERVEURS=$(sort_values ${DNSSERVEURS})
+    HTTPSITES=$(sort_values ${HTTPSITES})
+    HTTPSSITES=$(sort_values ${HTTPSSITES})
+    FTPSITES=$(sort_values ${FTPSITES})
+    SSHOK=$(sort_values ${SSHOK})
+    SMTPOK=$(sort_values ${SMTPOK})
+    SMTPSECUREOK=$(sort_values ${SMTPSECUREOK})
+    NTPOK=$(sort_values ${NTPOK})
+    PROXYBYPASS=$(sort_values ${PROXYBYPASS})
+    BACKUPSERVERS=$(sort_values ${BACKUPSERVERS})
+
     # Trusted ip addresses
     ${IPT} -N ONLYTRUSTED
     ${IPT} -A ONLYTRUSTED -j LOG_DROP
@@ -373,6 +667,10 @@ start() {
         ${IPT} -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
         ${IPT} -A MINIFW-DOCKER-PUB -j RETURN
 
+        # Chain MINIFW-DOCKER-INPUT-MANUAL is created earlier, to allow usage in additionnal config/command files
+        ${IPT} -A MINIFW-DOCKER-INPUT-MANUAL -j MINIFW-DOCKER-PUB
+        ${IPT} -A MINIFW-DOCKER-INPUT-MANUAL -j RETURN
+
         # Flush DOCKER-USER if exist, create it if absent
         if chain_exists 'DOCKER-USER'; then
             ${IPT} -F DOCKER-USER
@@ -380,8 +678,8 @@ start() {
             ${IPT} -N DOCKER-USER
         fi;
 
-        # Pipe new connection through MINIFW-DOCKER-PUB
-        ${IPT} -A DOCKER-USER -i ${INT} -m state  --state NEW -j MINIFW-DOCKER-PUB
+        # Pipe new connection through MINIFW-DOCKER-INPUT-MANUAL
+        ${IPT} -A DOCKER-USER -i ${INT} -m state  --state NEW -j MINIFW-DOCKER-INPUT-MANUAL
         ${IPT} -A DOCKER-USER -j RETURN
     fi
 
@@ -476,34 +774,46 @@ start() {
         # Privileged services (accessible from privileged & trusted IPs)
         for dstport in ${SERVICESTCP2}; do
             for srcip in ${PRIVILEGIEDIPS}; do
-                ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+                if ! is_ipv6 ${srcip}; then
+                    ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+                fi
             done
 
             for srcip in ${TRUSTEDIPS}; do
-                ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+                if ! is_ipv6 ${srcip}; then
+                    ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+                fi
             done
         done
 
         for dstport in ${SERVICESUDP2}; do
             for srcip in ${PRIVILEGIEDIPS}; do
-                ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+                if ! is_ipv6 ${srcip}; then
+                    ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+                fi
             done
 
             for srcip in ${TRUSTEDIPS}; do
-                ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+                if ! is_ipv6 ${srcip}; then
+                    ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+                fi
             done
         done
 
         # Trusted services (accessible from trusted IPs)
         for dstport in ${SERVICESTCP3}; do
             for srcip in ${TRUSTEDIPS}; do
-                ${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+                if ! is_ipv6 ${srcip}; then
+                    ${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+                fi
             done
         done
 
         for dstport in ${SERVICESUDP3}; do
             for srcip in ${TRUSTEDIPS}; do
-                ${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+                if ! is_ipv6 ${srcip}; then
+                    ${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+                fi
             done
         done
     fi
@@ -516,12 +826,12 @@ start() {
         if is_ipv6 ${IP}; then
             if is_ipv6_enabled; then
                 ${IPT6} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
-                ${IPT6} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED,RELATED -j ACCEPT
+                ${IPT6} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED -j ACCEPT
                 ${IPT6} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 53 --match state --state NEW -j ACCEPT
             fi
         else 
             ${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
-            ${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED,RELATED -j ACCEPT
+            ${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED -j ACCEPT
             ${IPT} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 53 --match state --state NEW -j ACCEPT
         fi
     done
@@ -641,13 +951,13 @@ start() {
         if [ -n "${server_ip}" ] && [ -n "${server_port}" ]; then
             if is_ipv6 ${server_ip}; then
                 if is_ipv6_enabled; then
-                    ${IPT6} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED,RELATED -j ACCEPT
+                    ${IPT6} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED -j ACCEPT
                 fi
             else 
-                ${IPT} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED,RELATED -j ACCEPT
+                ${IPT} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED -j ACCEPT
             fi
         else
-            echo "Unrecognized syntax for BACKUPSERVERS '${server}\`. Use space-separated IP:PORT tuples." >&2
+            printf "${RED}ERROR: unrecognized syntax for BACKUPSERVERS '%s\`. Use space-separated IP:PORT tuples.${RESET}\n" "${server}" >&2
             exit 1
         fi
     done
@@ -658,6 +968,10 @@ start() {
         ${IPT6} -A INPUT -p icmpv6 -j ACCEPT
     fi
 
+    # source config file for remaining commands
+    if is_legacy_config; then
+        source_file_or_error "${config_file}"
+    fi
 
     # IPTables policy
     #################
@@ -684,9 +998,9 @@ start() {
         ${IPT6} -A OUTPUT -o ${INT} -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
     fi
 
-    ${IPT} -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
+    ${IPT} -A OUTPUT -p udp --match state --state ESTABLISHED -j ACCEPT
     if is_ipv6_enabled; then
-        ${IPT6} -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
+        ${IPT6} -A OUTPUT -p udp --match state --state ESTABLISHED -j ACCEPT
     fi
 
     ${IPT} -A OUTPUT -p udp -j DROP
@@ -694,20 +1008,32 @@ start() {
         ${IPT6} -A OUTPUT -p udp -j DROP
     fi
 
-    if is_legacy_config; then
-        source_file_or_error "${config_file}"
-    fi
-
-    # Source files present in optional directory
-    source_includes
+    # Finish
+    ########################
 
     trap - INT TERM EXIT
 
-    echo "...starting IPTables rules is now finish : OK"
+    syslog_info "started"
+    printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
+
+    # No need to exit on error anymore
+    set +e
+
+    # save active configuration
+    save_active_configuration "${ACTIVE_CONFIG}"
+
+    report_state_changes
 }
 
 stop() {
-    echo "Flush all rules and accept everything..."
+    syslog_info "stopping"
+    printf "${BOLD}${PROGNAME} stopping${RESET}\n"
+
+    printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
+
+    # Save previous state (without colors)
+    mkdir -p "$(dirname "${STATE_FILE_PREVIOUS}")"
+    status_without_numbers | remove_colors > "${STATE_FILE_PREVIOUS}"
 
     # Delete all rules
     ${IPT} -F INPUT
@@ -744,6 +1070,8 @@ stop() {
         ${IPT} -F DOCKER-USER
         ${IPT} -A DOCKER-USER -j RETURN
 
+        ${IPT} -F MINIFW-DOCKER-INPUT-MANUAL
+        ${IPT} -X MINIFW-DOCKER-INPUT-MANUAL
         ${IPT} -F MINIFW-DOCKER-PUB
         ${IPT} -X MINIFW-DOCKER-PUB
         ${IPT} -F MINIFW-DOCKER-PRIVILEGED
@@ -782,19 +1110,45 @@ stop() {
         ${IPT6} -X NEEDRESTRICT
     fi
 
-    echo "...flushing IPTables rules is now finish : OK"
+    rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" "${ACTIVE_CONFIG}"
+
+    syslog_info "stopped"
+    printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
 }
 
 status() {
-    ${IPT} -L -n -v --line-numbers
-    ${IPT} -t nat -L -n -v --line-numbers
-    ${IPT} -t mangle -L -n -v --line-numbers
-    ${IPT6} -L -n -v --line-numbers
-    ${IPT6} -t mangle -L -n -v --line-numbers
+    printf "${BLUE}#### iptables --list ###############################${RESET}\n"
+    ${IPT} --list --numeric --verbose --line-numbers
+    printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
+    ${IPT} --table nat --list --numeric --verbose --line-numbers
+    printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
+    ${IPT} --table mangle --list --numeric --verbose --line-numbers
+    if is_ipv6_enabled; then
+        printf "\n${BLUE}#### ip6tables --list ##############################${RESET}\n"
+        ${IPT6} --list --numeric --verbose --line-numbers
+        printf "\n${BLUE}#### ip6tables --table mangle --list ###############${RESET}\n"
+        ${IPT6} --table mangle --list --numeric --verbose --line-numbers
+    fi
+}
+
+status_without_numbers() {
+    printf "${BLUE}#### iptables --list ###############################${RESET}\n"
+    ${IPT} --list --numeric
+    printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
+    ${IPT} --table nat --list --numeric
+    printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
+    ${IPT} --table mangle --list --numeric
+    if is_ipv6_enabled; then
+        printf "\n${BLUE}#### ip6tables --list ##############################${RESET}\n"
+        ${IPT6} --list --numeric
+        printf "\n${BLUE}#### ip6tables --table mangle --list ###############${RESET}\n"
+        ${IPT6} --table mangle --list --numeric
+    fi
 }
 
 reset() {
-    echo "Reset all IPTables counters..."
+    syslog_info "resetting"
+    printf "${BOLD}${PROGNAME} resetting${RESET}\n"
 
     ${IPT} -Z
     if is_ipv6_enabled; then
@@ -808,37 +1162,182 @@ reset() {
         ${IPT6} -t mangle -Z
     fi
 
-    echo "...reseting IPTables counters is now finish : OK"
+    syslog_info "reset"
+    printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
 }
 
-echo "${NAME} version ${VERSION}"
-source_configuration
+safety_timer() {
+    if [ "${SAFETY_TIMER}" -le "0" ] || [ "${SAFETY_TIMER}" -gt "3600" ]; then
+        syslog_info "safety timer value '${SAFETY_TIMER}' is out of range (1 < 3600), reverted to default value of '30'."
+        SAFETY_TIMER=30
+        readonly SAFETY_TIMER
+    fi
+    echo "${SAFETY_TIMER}"
+}
+
+stop_if_locked() {
+    count=0
+
+    while [ "${count}" -lt "$(safety_timer)" ] && [ -f "${SAFETY_LOCK}" ]; do
+        count=$(( count + 1 ))
+        sleep 1
+    done
+
+    if [ -f "${SAFETY_LOCK}" ]; then
+        syslog_error "safety lock is still here after $(safety_timer) seconds, we need to stop"
+
+        stop
+
+        syslog_info "remove safety lock"
+        rm -f "${SAFETY_LOCK}"
+    else
+        syslog_info "safety lock is not there anymore, life goes on"
+    fi
+}
+
+safe_start() {
+    # start the firewall
+    start
+
+    # create the lock file
+    syslog_info "add safety lock"
+    touch "${SAFETY_LOCK}"
+
+    # run the special background command
+    nohup "${0}" stop-if-locked > "${SAFETY_OUTPUT}" 2>&1 &
+
+    if is_interactive; then
+        syslog_info "safe-restart in interactive mode ; if safety lock (${SAFETY_LOCK}) is not removed in the next $(safety_timer) seconds, minifirewall will be stopped."
+        # Ask for input
+        confirm_default="I'm locked out, please stop the firewall"
+        # printf "If the restart has locked you out you might see this but you shouldn't be able to type anything.\n"
+        printf "Minifirewall will be stopped in $(safety_timer) seconds if you do nothing.\n"
+        printf "Remove \`${SAFETY_LOCK}' or type anything to keep minifirewall started: "
+
+        read -r confirm
+
+        if [ ! -f "${SAFETY_LOCK}" ]; then
+            printf "${YELLOW}Safety lock is not there anymore.\nYou've probably been rescued by the safety checks.\n${BOLD}Minifirewall is probably stopped.${RESET}\n"
+        elif [ "${confirm}" != "${confirm_default}" ]; then
+            rm -f "${SAFETY_LOCK}" && printf "${GREEN}OK. Safety lock is removed.${RESET}\n"
+        fi
+    else
+        syslog_info "safe-restart in non-interactive mode ; if safety lock (${SAFETY_LOCK}) is not removed in the next $(safety_timer) seconds, minifirewall will be stopped."
+    fi
+}
+
+show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2007-2023 Evolix <info@evolix.fr>.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 3
+of the License.
+END
+}
+show_help() {
+    cat <<END
+${PROGNAME} ${DESC}
+
+END
+    show_usage
+}
+show_usage() {
+    cat <<END
+Usage: ${PROGNAME} [COMMAND]
+
+Commands
+ start                  Start minifirewall
+ safe-start             Start minifirewall, with baground safety checks
+ stop                   Stop minifirewall
+ restart                Stop then start minifirewall
+ safe-restart           Restart minifirewall, with background safety checks
+ status                 Print minifirewall status
+ reset                  Reset iptables tables
+ check-active-config    Check if active config is up-to-date with stored config
+ version                Print version and exit
+ help                   Print this message and exit
+END
+}
 
 case "${1:-''}" in
     start)
+        source_configuration
+        check_unpersisted_state
+
         start
     ;;
 
+    safe-start)
+        source_configuration
+        check_unpersisted_state
+
+        safe_start
+    ;;
+
     stop)
+        source_configuration
+        check_unpersisted_state
+
         stop
     ;;
 
     status)
+        source_configuration
+        check_unpersisted_state
+
         status
     ;;
 
     reset)
+        source_configuration
+        check_unpersisted_state
+
         reset
     ;;
 
     restart)
+        source_configuration
+        check_unpersisted_state
+
         stop
         start
     ;;
 
+    safe-restart)
+        source_configuration
+        check_unpersisted_state
+
+        stop
+        safe_start
+    ;;
+
+    stop-if-locked)
+        source_configuration
+
+        stop_if_locked
+    ;;
+
+    check-active-config)
+        check_active_configuration
+    ;;
+
+    version)
+        show_version
+    ;;
+
+    help)
+        show_help
+    ;;
+
     *)
-        echo "Usage: $0 {start|stop|restart|status|reset}" 
-        exit 1
+        printf "%s: %s: unknown option\n" "${PROGNAME}" "${1}"
+        show_usage
+        exit 128
     ;;
 esac
 

minifirewall.conf

@@ -1,5 +1,5 @@
 # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
-# Version 22.3 — 2022-03-15
+# Version 23.07
 # shellcheck shell=sh disable=SC2034
 
 # Main interface
@@ -17,9 +17,6 @@ IPV6='on'
 # (ie: Listen on :8090 on host, but :8080 in container)
 # then you need to give the port used inside the container
 DOCKER='off'
-# WARNING : If the port mapping is different between host and container
-# (ie: Listen on :8090 on host but :8080 in container)
-# Then you need to makes the rules with the port used inside the container
 
 # Trusted local network
 # ...will be often IPv4/32 or IPv6/128 if you don't trust anything
@@ -27,7 +24,7 @@ INTLAN='192.0.2.1/32 2001:db8::1/128'
 
 # Trusted IP addresses for private and semi-public services
 # TODO: add all our IPv6 adresses
-TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 62.212.121.90 31.170.8.4 2a01:9500::fada/128 82.65.34.85 54.37.106.210 51.210.84.146'
+TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 31.170.8.4 2a01:9500::fada 82.65.34.85 2a01:e0a:571:2a10::1 54.37.106.210 51.210.84.146'
 
 # Privilegied IP addresses for semi-public services
 # (no need to add again TRUSTEDIPS)
@@ -136,4 +133,4 @@ BACKUPSERVERS=''
 # SYSCTL_RP_FILTER='1'
 
 # Set 1 to log packets with inconsistent address (default)
-# SYSCTL_LOG_MARTIANS='1'
+# SYSCTL_LOG_MARTIANS='1'