split-init #9
|
@ -13,6 +13,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
* status output (number of # in headers)
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
## [22.04] - 2022-04-28
|
## [22.04] - 2022-04-28
|
||||||
|
|
14
README.md
14
README.md
|
@ -8,9 +8,13 @@ See https://gitea.evolix.org/evolix/minifirewall
|
||||||
## Install
|
## Install
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
install --mode 0700 minifirewall /etc/init.d/minifirewall
|
install --mode 0700 minifirewall /usr/local/sbin/
|
||||||
|
install --mode 0700 init.sh /etc/init.d/minifirewall
|
||||||
install --mode 0600 minifirewall.conf /etc/default/minifirewall
|
install --mode 0600 minifirewall.conf /etc/default/minifirewall
|
||||||
mkdir --mode 0700 /etc/minifirewall.d
|
mkdir --mode 0700 /etc/minifirewall.d
|
||||||
|
|
||||||
|
install --mode 0644 minifirewall.service /etc/systemd/system/minifirewall.service
|
||||||
|
systemctl daemon-reload
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
## Config
|
## Config
|
||||||
|
@ -37,11 +41,17 @@ you need to use the port used by the container (ie: 8080) in the public/semi-pub
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
|
~~~
|
||||||
|
systemctl start/stop/restart minifirewall
|
||||||
|
minifirewall status
|
||||||
|
~~~
|
||||||
|
|
||||||
|
Formerly :
|
||||||
~~~
|
~~~
|
||||||
/etc/init.d/minifirewall start/stop/restart
|
/etc/init.d/minifirewall start/stop/restart
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
If you want to add minifirewall in boot sequence, add the start command to `/usr/share/scripts/alert5`.
|
If you want to add minifirewall in SysV Init boot sequence, add the start command to `/usr/share/scripts/alert5`.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
|
|
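--- a/init.sh
+++ b/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: minifirewall
+# Required-Start:
+# Required-Stop:
+# Should-Start: $network $syslog $named
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the firewall
+# Description: Firewall designed for standalone server
+### END INIT INFO
+
+minifirewall_bin=/usr/local/sbin/minifirewall
+
+if [ -z "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not found"
+elif [ ! -x "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not executable"
+fi
+
+case "$1" in
+start)
+systemctl start minifirewall
+;;
+stop)
+systemctl stop minifirewall
+;;
+status)
+systemctl status minifirewall
+;;
+restart|reload|condrestart)
+systemctl restart minifirewall
+;;
+reset)
+${minifirewall_bin} reset
+;;
+*)
+echo "Usage: $0 {start|stop|restart|status|reset}"
+exit 1
+esac
+
+exit 0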
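Review bot: The sanity check on `minifirewall_bin` can never trigger and does not stop the script: `[ -z "${minifirewall_bin}" ]` tests a hard-coded, non-empty string for emptiness instead of testing that the path exists, and neither branch exits, so after printing a diagnostic the script still falls through to the `case` and, for `reset`, tries to execute the missing binary. The diagnostics also go to stdout rather than stderr. Testing the file with `-e`, sending the message to `>&2` and exiting (LSB reserves status 5 for "program is not installed" if you want to follow that convention) makes the guard effective. Separately, the usage line in the `*)` arm omits the `reload` and `condrestart` aliases the `case` accepts: `echo "Usage: $0 {start|stop|restart|reload|condrestart|status|reset}" >&2`.
```shell
minifirewall_bin=/usr/local/sbin/minifirewall

if [ ! -e "${minifirewall_bin}" ]; then
  echo "${minifirewall_bin}: not found" >&2
  exit 1
elif [ ! -x "${minifirewall_bin}" ]; then
  echo "${minifirewall_bin}: not executable" >&2
  exit 1
fi
# … unchanged: case "$1" in … esac, exit 0 …
```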
332
minifirewall
332
minifirewall
|
@ -1,159 +1,51 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# shellcheck disable=SC2059
|
# shellcheck disable=SC2059
|
||||||
|
|
||||||
# minifirewall is a shell script for easy firewalling on a standalone server
|
PROGNAME="minifirewall"
|
||||||
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
|
||||||
# See https://gitea.evolix.org/evolix/minifirewall
|
|
||||||
|
|
||||||
# Copyright (c) 2007-2022 Evolix
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation; either version 3
|
|
||||||
# of the License.
|
|
||||||
|
|
||||||
# Description
|
|
||||||
# script for standalone server
|
|
||||||
|
|
||||||
# Start or stop minifirewall
|
|
||||||
#
|
|
||||||
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: minifirewall
|
|
||||||
# Required-Start:
|
|
||||||
# Required-Stop:
|
|
||||||
# Should-Start: $network $syslog $named
|
|
||||||
# Should-Stop: $syslog
|
|
||||||
# Default-Start: 2 3 4 5
|
|
||||||
# Default-Stop: 0 1 6
|
|
||||||
# Short-Description: start and stop the firewall
|
|
||||||
# Description: Firewall designed for standalone server
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
VERSION="22.04"
|
|
||||||
|
|
||||||
NAME="minifirewall"
|
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
DESC="Firewall designed for standalone server"
|
REPOSITORY="https://gitea.evolix.org/evolix/minifirewall"
|
||||||
|
|
||||||
|
VERSION="22.04.3"
|
||||||
|
readonly VERSION
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
# Variables configuration
|
show_version() {
|
||||||
#########################
|
cat <<END
|
||||||
|
${PROGNAME} version ${VERSION}
|
||||||
|
|
||||||
config_file="/etc/default/minifirewall"
|
Copyright 2007-2022 Evolix <info@evolix.fr>.
|
||||||
includes_dir="/etc/minifirewall.d"
|
|
||||||
|
|
||||||
# iptables paths
|
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
|
||||||
IPT=$(command -v iptables)
|
This program is free software; you can redistribute it and/or
|
||||||
if [ -z "${IPT}" ]; then
|
modify it under the terms of the GNU General Public License
|
||||||
echo "Unable to find 'iptables\` command in PATH." >&2
|
as published by the Free Software Foundation; either version 3
|
||||||
exit 1
|
of the License.
|
||||||
fi
|
END
|
||||||
IPT6=$(command -v ip6tables)
|
}
|
||||||
if [ -z "${IPT6}" ]; then
|
show_help() {
|
||||||
echo "Unable to find 'ip6tables\` command in PATH." >&2
|
cat <<END
|
||||||
exit 1
|
minifirewall is wrapper around netfilter/iptables for easy local firewalling on Linux.
|
||||||
fi
|
|
||||||
|
|
||||||
# TCP/IP variables
|
Usage: systemctl start minifirewall
|
||||||
LOOPBACK='127.0.0.0/8'
|
or systemctl stop minifirewall
|
||||||
CLASSA='10.0.0.0/8'
|
or systemctl restart minifirewall
|
||||||
CLASSB='172.16.0.0/12'
|
or systemctl status minifirewall
|
||||||
CLASSC='192.168.0.0/16'
|
or minifirewall status
|
||||||
CLASSD='224.0.0.0/4'
|
or minifirewall reset
|
||||||
CLASSE='240.0.0.0/5'
|
or minifirewall {version|--version|-V}
|
||||||
ALL='0.0.0.0'
|
or minifirewall {help|--help|-h|-?}
|
||||||
BROAD='255.255.255.255'
|
END
|
||||||
PORTSROOT='0:1023'
|
}
|
||||||
PORTSUSER='1024:65535'
|
|
||||||
|
|
||||||
# Configuration
|
|
||||||
|
|
||||||
INT=''
|
|
||||||
IPV6=''
|
|
||||||
DOCKER=''
|
|
||||||
INTLAN=''
|
|
||||||
TRUSTEDIPS=''
|
|
||||||
PRIVILEGIEDIPS=''
|
|
||||||
SERVICESTCP1p=''
|
|
||||||
SERVICESUDP1p=''
|
|
||||||
SERVICESTCP1=''
|
|
||||||
SERVICESUDP1=''
|
|
||||||
SERVICESTCP2=''
|
|
||||||
SERVICESUDP2=''
|
|
||||||
SERVICESTCP3=''
|
|
||||||
SERVICESUDP3=''
|
|
||||||
DNSSERVEURS=''
|
|
||||||
HTTPSITES=''
|
|
||||||
HTTPSSITES=''
|
|
||||||
FTPSITES=''
|
|
||||||
SSHOK=''
|
|
||||||
SMTPOK=''
|
|
||||||
SMTPSECUREOK=''
|
|
||||||
NTPOK=''
|
|
||||||
PROXY=''
|
|
||||||
PROXYBYPASS=''
|
|
||||||
PROXYPORT=''
|
|
||||||
BACKUPSERVERS=''
|
|
||||||
|
|
||||||
LEGACY_CONFIG='off'
|
|
||||||
|
|
||||||
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
|
|
||||||
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
|
|
||||||
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
|
||||||
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
|
||||||
|
|
||||||
LOGGER_BIN=$(command -v logger)
|
|
||||||
|
|
||||||
# No colors by default
|
|
||||||
RED=''
|
|
||||||
GREEN=''
|
|
||||||
YELLOW=''
|
|
||||||
BLUE=''
|
|
||||||
MAGENTA=''
|
|
||||||
CYAN=''
|
|
||||||
WHITE=''
|
|
||||||
BOLD=''
|
|
||||||
RESET=''
|
|
||||||
# check if stdout is a terminal...
|
|
||||||
if [ -t 1 ]; then
|
|
||||||
|
|
||||||
# see if it supports colors...
|
|
||||||
ncolors=$(tput colors)
|
|
||||||
|
|
||||||
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
|
|
||||||
RED=$(tput setaf 1)
|
|
||||||
GREEN=$(tput setaf 2)
|
|
||||||
YELLOW=$(tput setaf 3)
|
|
||||||
BLUE=$(tput setaf 4)
|
|
||||||
MAGENTA=$(tput setaf 5)
|
|
||||||
CYAN=$(tput setaf 6)
|
|
||||||
WHITE=$(tput setaf 7)
|
|
||||||
BOLD=$(tput bold)
|
|
||||||
RESET='\e[m'
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
## pseudo dry-run :
|
|
||||||
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
|
||||||
# IPT="fake_iptables"
|
|
||||||
# IPT6="fake_ip6tables"
|
|
||||||
# fake_iptables() {
|
|
||||||
# printf "DRY-RUN iptables %s\n" "$*"
|
|
||||||
# }
|
|
||||||
# fake_ip6tables() {
|
|
||||||
# printf "DRY-RUN ip6tables %s\n" "$*"
|
|
||||||
# }
|
|
||||||
## Beware that commands executed from included files are not modified by this trick.
|
|
||||||
|
|
||||||
syslog_info() {
|
syslog_info() {
|
||||||
if [ -x "${LOGGER_BIN}" ]; then
|
if [ -x "${LOGGER_BIN}" ]; then
|
||||||
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
|
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
syslog_error() {
|
syslog_error() {
|
||||||
if [ -x "${LOGGER_BIN}" ]; then
|
if [ -x "${LOGGER_BIN}" ]; then
|
||||||
${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1"
|
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
sort_values() {
|
sort_values() {
|
||||||
|
@ -258,6 +150,13 @@ source_includes() {
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
exit_if_not_systemd() {
|
||||||
|
if [ $PPID -ne 1 ]; then
|
||||||
|
echo "Error: Please use minifirewall systemd service instead of direct call." 1>&2
|
||||||
|
show_help
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
check_unpersisted_state() {
|
check_unpersisted_state() {
|
||||||
cmp_bin=$(command -v cmp)
|
cmp_bin=$(command -v cmp)
|
||||||
diff_bin=$(command -v diff)
|
diff_bin=$(command -v diff)
|
||||||
|
@ -335,11 +234,11 @@ report_state_changes() {
|
||||||
|
|
||||||
start() {
|
start() {
|
||||||
syslog_info "starting"
|
syslog_info "starting"
|
||||||
printf "${BOLD}${NAME} starting${RESET}\n"
|
printf "${BOLD}${PROGNAME} starting${RESET}\n"
|
||||||
|
|
||||||
# Stop and warn if error!
|
# Stop and warn if error!
|
||||||
set -e
|
set -e
|
||||||
trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
||||||
|
|
||||||
# sysctl network security settings
|
# sysctl network security settings
|
||||||
##################################
|
##################################
|
||||||
|
@ -890,7 +789,7 @@ start() {
|
||||||
trap - INT TERM EXIT
|
trap - INT TERM EXIT
|
||||||
|
|
||||||
syslog_info "started"
|
syslog_info "started"
|
||||||
printf "${GREEN}${BOLD}${NAME} started${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
|
||||||
|
|
||||||
# No need to exit on error anymore
|
# No need to exit on error anymore
|
||||||
set +e
|
set +e
|
||||||
|
@ -900,7 +799,7 @@ start() {
|
||||||
|
|
||||||
stop() {
|
stop() {
|
||||||
syslog_info "stopping"
|
syslog_info "stopping"
|
||||||
printf "${BOLD}${NAME} stopping${RESET}\n"
|
printf "${BOLD}${PROGNAME} stopping${RESET}\n"
|
||||||
|
|
||||||
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
||||||
|
|
||||||
|
@ -983,13 +882,13 @@ stop() {
|
||||||
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
|
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
|
||||||
|
|
||||||
syslog_info "stopped"
|
syslog_info "stopped"
|
||||||
printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
status() {
|
status() {
|
||||||
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
|
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
|
||||||
${IPT} --list --numeric --verbose --line-numbers
|
${IPT} --list --numeric --verbose --line-numbers
|
||||||
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
|
printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
|
||||||
${IPT} --table nat --list --numeric --verbose --line-numbers
|
${IPT} --table nat --list --numeric --verbose --line-numbers
|
||||||
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
|
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
|
||||||
${IPT} --table mangle --list --numeric --verbose --line-numbers
|
${IPT} --table mangle --list --numeric --verbose --line-numbers
|
||||||
|
@ -1004,7 +903,7 @@ status() {
|
||||||
status_without_numbers() {
|
status_without_numbers() {
|
||||||
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
|
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
|
||||||
${IPT} --list --numeric
|
${IPT} --list --numeric
|
||||||
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
|
printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
|
||||||
${IPT} --table nat --list --numeric
|
${IPT} --table nat --list --numeric
|
||||||
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
|
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
|
||||||
${IPT} --table mangle --list --numeric
|
${IPT} --table mangle --list --numeric
|
||||||
|
@ -1018,7 +917,7 @@ status_without_numbers() {
|
||||||
|
|
||||||
reset() {
|
reset() {
|
||||||
syslog_info "resetting"
|
syslog_info "resetting"
|
||||||
printf "${BOLD}${NAME} resetting${RESET}\n"
|
printf "${BOLD}${PROGNAME} resetting${RESET}\n"
|
||||||
|
|
||||||
${IPT} -Z
|
${IPT} -Z
|
||||||
if is_ipv6_enabled; then
|
if is_ipv6_enabled; then
|
||||||
|
@ -1033,24 +932,13 @@ reset() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
syslog_info "reset"
|
syslog_info "reset"
|
||||||
printf "${GREEN}${BOLD}${NAME} reset${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
|
||||||
}
|
|
||||||
show_version() {
|
|
||||||
cat <<END
|
|
||||||
${NAME} version ${VERSION}
|
|
||||||
|
|
||||||
Copyright 2007-2022 Evolix <info@evolix.fr>.
|
|
||||||
|
|
||||||
${NAME} comes with ABSOLUTELY NO WARRANTY.
|
|
||||||
This program is free software; you can redistribute it and/or
|
|
||||||
modify it under the terms of the GNU General Public License
|
|
||||||
as published by the Free Software Foundation; either version 3
|
|
||||||
of the License.
|
|
||||||
END
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
main() {
|
||||||
case "${1:-''}" in
|
case "${1:-''}" in
|
||||||
start)
|
start)
|
||||||
|
exit_if_not_systemd
|
||||||
source_configuration
|
source_configuration
|
||||||
check_unpersisted_state
|
check_unpersisted_state
|
||||||
|
|
||||||
|
@ -1058,6 +946,7 @@ case "${1:-''}" in
|
||||||
;;
|
;;
|
||||||
|
|
||||||
stop)
|
stop)
|
||||||
|
exit_if_not_systemd
|
||||||
source_configuration
|
source_configuration
|
||||||
check_unpersisted_state
|
check_unpersisted_state
|
||||||
|
|
||||||
|
@ -1079,6 +968,7 @@ case "${1:-''}" in
|
||||||
;;
|
;;
|
||||||
|
|
||||||
restart)
|
restart)
|
||||||
|
exit_if_not_systemd
|
||||||
source_configuration
|
source_configuration
|
||||||
check_unpersisted_state
|
check_unpersisted_state
|
||||||
|
|
||||||
|
@ -1086,14 +976,128 @@ case "${1:-''}" in
|
||||||
start
|
start
|
||||||
;;
|
;;
|
||||||
|
|
||||||
version)
|
version|--version|-V)
|
||||||
show_version
|
show_version
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
|
||||||
|
help|-h|-\?|--help)
|
||||||
|
show_help
|
||||||
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
|
||||||
*)
|
*)
|
||||||
echo "Usage: $0 {start|stop|restart|status|reset|version}"
|
show_help
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
exit 0
|
config_file="/etc/default/minifirewall"
|
||||||
|
includes_dir="/etc/minifirewall.d"
|
||||||
|
|
||||||
|
# iptables paths
|
||||||
|
IPT=$(command -v iptables)
|
||||||
|
if [ -z "${IPT}" ]; then
|
||||||
|
echo "Unable to find 'iptables\` command in PATH." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
IPT6=$(command -v ip6tables)
|
||||||
|
if [ -z "${IPT6}" ]; then
|
||||||
|
echo "Unable to find 'ip6tables\` command in PATH." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
## pseudo dry-run :
|
||||||
|
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
||||||
|
# IPT="fake_iptables"
|
||||||
|
# IPT6="fake_ip6tables"
|
||||||
|
# fake_iptables() {
|
||||||
|
# printf "DRY-RUN iptables %s\n" "$*"
|
||||||
|
# }
|
||||||
|
# fake_ip6tables() {
|
||||||
|
# printf "DRY-RUN ip6tables %s\n" "$*"
|
||||||
|
# }
|
||||||
|
## Beware that commands executed from included files are not modified by this trick.
|
||||||
|
|
||||||
|
# TCP/IP variables
|
||||||
|
LOOPBACK='127.0.0.0/8'
|
||||||
|
CLASSA='10.0.0.0/8'
|
||||||
|
CLASSB='172.16.0.0/12'
|
||||||
|
CLASSC='192.168.0.0/16'
|
||||||
|
CLASSD='224.0.0.0/4'
|
||||||
|
CLASSE='240.0.0.0/5'
|
||||||
|
ALL='0.0.0.0'
|
||||||
|
BROAD='255.255.255.255'
|
||||||
|
PORTSROOT='0:1023'
|
||||||
|
PORTSUSER='1024:65535'
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
|
||||||
|
INT=''
|
||||||
|
IPV6=''
|
||||||
|
DOCKER=''
|
||||||
|
INTLAN=''
|
||||||
|
TRUSTEDIPS=''
|
||||||
|
PRIVILEGIEDIPS=''
|
||||||
|
SERVICESTCP1p=''
|
||||||
|
SERVICESUDP1p=''
|
||||||
|
SERVICESTCP1=''
|
||||||
|
SERVICESUDP1=''
|
||||||
|
SERVICESTCP2=''
|
||||||
|
SERVICESUDP2=''
|
||||||
|
SERVICESTCP3=''
|
||||||
|
SERVICESUDP3=''
|
||||||
|
DNSSERVEURS=''
|
||||||
|
HTTPSITES=''
|
||||||
|
HTTPSSITES=''
|
||||||
|
FTPSITES=''
|
||||||
|
SSHOK=''
|
||||||
|
SMTPOK=''
|
||||||
|
SMTPSECUREOK=''
|
||||||
|
NTPOK=''
|
||||||
|
PROXY=''
|
||||||
|
PROXYBYPASS=''
|
||||||
|
PROXYPORT=''
|
||||||
|
BACKUPSERVERS=''
|
||||||
|
|
||||||
|
LEGACY_CONFIG='off'
|
||||||
|
|
||||||
|
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
|
||||||
|
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
|
||||||
|
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
||||||
|
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
||||||
|
|
||||||
|
LOGGER_BIN=$(command -v logger)
|
||||||
|
|
||||||
|
# No colors by default
|
||||||
|
RED=''
|
||||||
|
GREEN=''
|
||||||
|
YELLOW=''
|
||||||
|
BLUE=''
|
||||||
|
MAGENTA=''
|
||||||
|
CYAN=''
|
||||||
|
WHITE=''
|
||||||
|
BOLD=''
|
||||||
|
RESET=''
|
||||||
|
# check if stdout is a terminal...
|
||||||
|
if [ -t 1 ]; then
|
||||||
|
|
||||||
|
# see if it supports colors...
|
||||||
|
ncolors=$(tput colors)
|
||||||
|
|
||||||
|
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
|
||||||
|
RED=$(tput setaf 1)
|
||||||
|
GREEN=$(tput setaf 2)
|
||||||
|
YELLOW=$(tput setaf 3)
|
||||||
|
BLUE=$(tput setaf 4)
|
||||||
|
MAGENTA=$(tput setaf 5)
|
||||||
|
CYAN=$(tput setaf 6)
|
||||||
|
WHITE=$(tput setaf 7)
|
||||||
|
BOLD=$(tput bold)
|
||||||
|
RESET='\e[m'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
main $@
|
||||||
|
|
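Review bot: The `exit_if_not_systemd` guard added in the `@ -258,6 +150,13 @@` hunk tests `$PPID -ne 1`, which establishes "my parent is PID 1", not "I was started by the systemd unit": any process reparented to PID 1 (a backgrounded `minifirewall start` whose shell has exited, a `setsid`/`nohup` invocation, some cron setups) passes the check, while on a SysV host PID 1 is not systemd at all and the error text is misleading. systemd exports `INVOCATION_ID` into every service process, so `if [ -z "${INVOCATION_ID:-}" ]; then` matches the intent more closely, and the `:-` keeps it safe under the script's `set -u`. Either way this is a usability guard that keeps the unit's state in sync with the actual ruleset, not a security boundary (anyone who can run the script as root can set that variable), which is worth stating in a comment above the function. In the last hunk, `main $@` with SC2086 disabled word-splits arguments; `main "$@"` is safe under `set -u` in current dash and bash, and if the unquoted form is deliberate a comment saying why would help.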
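--- a/minifirewall.service
+++ b/minifirewall.service
@@ -0,0 +1,18 @@
+# /etc/systemd/system/minifirewall.service
+
+[Unit]
+Description=Control the firewall
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Restart=no
+TimeoutSec=5min
+IgnoreSIGPIPE=no
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/minifirewall start
+ExecStop=/usr/local/sbin/minifirewall stop
+
+[Install]
+WantedBy=default.target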
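Review bot: `After=network-online.target` together with `Wants=network-online.target` orders the firewall after the network is fully up, so interfaces are configured and reachable for a window before any rule is loaded; systemd provides `network-pre.target` precisely as the hook for firewall setup, i.e. `Before=network-pre.target` plus `Wants=network-pre.target`. That ordering is only correct if `minifirewall start` needs nothing from the network; the init-info block's `Should-Start: $named` and the hostname-style configuration variables suggest the start path may resolve names, in which case the current ordering could be intentional and deserves a comment in the unit explaining the trade-off. `RemainAfterExit=yes` is needed for `ExecStop` to run on `systemctl stop` and is correctly present; `Restart=no` is already the default for `Type=oneshot` and could be dropped or commented.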