
Source code changes of the file "bin/arno-iptables-firewall" between
aif-2.1.0.tar.gz and aif-2.1.1.tar.gz

About: Arno’s iptables firewall is a stateful firewall script for both single and multi-homed machines with DSL/ADSL support.

arno-iptables-firewall  (aif-2.1.0):arno-iptables-firewall  (aif-2.1.1)
#!/bin/sh #!/bin/sh
MY_VERSION="2.1.0" MY_VERSION="2.1.1"
# Location of the main configuration file for the firewall # Location of the main configuration file for the firewall
########################################################## ##########################################################
CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) =- # -= Arno's Iptables Firewall(AIF) =-
# Single- & multi-homed firewall script with DSL/ADSL support # Single- & multi-homed firewall script with DSL/ADSL support
# #
# ~ In memory of my dear father ~ # ~ In memory of my dear father ~
# #
# (C) Copyright 2001-2020 by Arno van Amersfoort & Lonnie Abelbeck # (C) Copyright 2001-2020 by Arno van Amersfoort & Lonnie Abelbeck
# Homepage : https://rocky.eld.leidenuniv.nl/ # Homepage : https://rocky.eld.leidenuniv.nl/
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the . # (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!) # at the proper locations!)
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License # modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation. # version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
skipping to change at line 40 skipping to change at line 40
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
printf "\033[40m\033[1;32mArno's Iptables Firewall(AIF) v$MY_VERSION\033[0m\n" printf "\033[40m\033[1;32mArno's Iptables Firewall(AIF) v$MY_VERSION\033[0m\n"
echo "-------------------------------------------------------------------------- -----" echo "-------------------------------------------------------------------------- -----"
# Check if the main config file exists and if so load it # Check if the main config file exists and if so load it
######################################################## ########################################################
if [ -e "$CONFIG_FILE" ]; then if [ -f "$CONFIG_FILE" ]; then
. "$CONFIG_FILE" . "$CONFIG_FILE"
else else
printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FIL E!\033[0m\n" >&2 printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FIL E!\033[0m\n" >&2
printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n\n" >&2 printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n\n" >&2
exit 2 exit 2
fi fi
# Check if the environment file exists and if so, load it # Check if the environment file exists and if so, load it
######################################################### #########################################################
if [ -z "$ENV_FILE" ]; then
if [ -f /usr/local/share/arno-iptables-firewall/environment ]; then # Autodetect according to standard paths
ENV_FILE="/usr/local/share/arno-iptables-firewall/environment" ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
else if [ ! -f "$ENV_FILE" ]; then
if [ -f /usr/share/arno-iptables-firewall/environment ]; then ENV_FILE="/usr/share/arno-iptables-firewall/environment"
ENV_FILE="/usr/share/arno-iptables-firewall/environment" if [ ! -f "$ENV_FILE" ]; then
else printf "\033[40m\033[1;31mERROR: Unable to locate environment file in /usr/(
printf "\033[40m\033[1;31mERROR: The environment file (ENV_FILE) has not b local/)/share/arno-iptables-firewall/\033[0m\n" >&2
een specified\033[0m\n" >&2 printf "\033[40m\033[1;31m Please, check the file's location and (root
printf "\033[40m\033[1;31m in the configuration file. Try upgrading ) rights.\033[0m\n\n" >&2
your config-file!\033[0m\n\n" >&2 exit 2
exit 2
fi
fi fi
fi fi
if [ -e "$ENV_FILE" ]; then # Source environment file
. "$ENV_FILE" . "$ENV_FILE"
else
printf "\033[40m\033[1;31mERROR: Could not read environment file \"$ENV_FILE\"
!\033[0m\n" >&2
printf "\033[40m\033[1;31m Please, check the file's location and (root)
rights.\033[0m\n\n" >&2
exit 2
fi
sanity_check() sanity_check()
{ {
local ip4t_ver ip6t_ver local ip4t_ver ip6t_ver
# Show uname & iptables information # Show uname & iptables information
echo "Platform: $(uname -s -r -m)" echo "Platform: $(uname -s -r -m)"
ip4t_ver="$($IP4TABLES --version)" ip4t_ver="$($IP4TABLES --version)"
ip4t_ver="${ip4t_ver#* v}" ip4t_ver="${ip4t_ver#* v}"
ip4t_ver="${ip4t_ver%% *}" ip4t_ver="${ip4t_ver%% *}"
skipping to change at line 305 skipping to change at line 298
# Required; all IPv4 modules depend on this one # Required; all IPv4 modules depend on this one
modprobe ip_tables modprobe ip_tables
if [ "$IPV6_SUPPORT" = "1" ]; then if [ "$IPV6_SUPPORT" = "1" ]; then
modprobe ip6_tables modprobe ip6_tables
fi fi
# Allows connection tracking state match, which allows you to # Allows connection tracking state match, which allows you to
# write rules matching the state of a connection # write rules matching the state of a connection
modprobe_multi nf_conntrack ip_conntrack modprobe_multi nf_conntrack ip_conntrack
if [ "$IPV6_SUPPORT" = "1" ]; then if [ "$IPV6_SUPPORT" = "1" ]; then
modprobe nf_conntrack_ipv6 ## kernel >= 4.19 merged nf_conntrack_ipv{4,6} into nf_conntrack
if ! kernel_ver_chk 4 19 0; then
modprobe nf_conntrack_ipv6
fi
fi fi
# Allows tracking for various protocols, placing entries in the conntrack tabl e etc. # Allows tracking for various protocols, placing entries in the conntrack tabl e etc.
if [ "$IPV6_SUPPORT" = "1" ]; then if [ "$IPV6_SUPPORT" = "1" ]; then
modprobe_multi xt_conntrack "ipt_conntrack,ip6t_conntrack" modprobe_multi xt_conntrack "ipt_conntrack,ip6t_conntrack"
else else
modprobe_multi xt_conntrack ipt_conntrack modprobe_multi xt_conntrack ipt_conntrack
fi fi
# Allows log limits # Allows log limits
skipping to change at line 598 skipping to change at line 594
echo " Disabling reduction of the DoS'ing ability" echo " Disabling reduction of the DoS'ing ability"
# Defaults: # Defaults:
sysctl -w net.ipv4.tcp_fin_timeout=60 sysctl -w net.ipv4.tcp_fin_timeout=60
sysctl -w net.ipv4.tcp_keepalive_time=7200 sysctl -w net.ipv4.tcp_keepalive_time=7200
sysctl -w net.ipv4.tcp_syn_retries=5 sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.tcp_synack_retries=5 sysctl -w net.ipv4.tcp_synack_retries=5
sysctl -w net.ipv4.tcp_rfc1337=0 sysctl -w net.ipv4.tcp_rfc1337=0
fi fi
# Set out local port range. Kernel default = "1024 4999" # Set our local port range. Kernel default = "32768 60999"
######################################################## ##########################################################
if [ -z "$LOCAL_PORT_RANGE" ]; then if [ -z "$LOCAL_PORT_RANGE" ]; then
LOCAL_PORT_RANGE="32768 61000" LOCAL_PORT_RANGE="32768 60999"
fi fi
sysctl -w net.ipv4.ip_local_port_range="$LOCAL_PORT_RANGE" sysctl -w net.ipv4.ip_local_port_range="$LOCAL_PORT_RANGE"
# Now we change the LOCAL_PORT_RANGE for further use by iptables (replace spac e with :) # Now we change the LOCAL_PORT_RANGE for further use by iptables (replace spac e with :)
LOCAL_PORT_RANGE="$(echo "$LOCAL_PORT_RANGE" |tr ' ' ':')" LOCAL_PORT_RANGE="$(echo "$LOCAL_PORT_RANGE" |tr ' ' ':')"
# Add synflood protection? # Add synflood protection?
########################## ##########################
if [ "$SYN_PROT" != "0" ]; then if [ "$SYN_PROT" != "0" ]; then
echo " Enabling SYN-flood protection via SYN-cookies" echo " Enabling SYN-flood protection via SYN-cookies"
skipping to change at line 4376 skipping to change at line 4372
if [ "$IPV6_SUPPORT" = "1" ]; then if [ "$IPV6_SUPPORT" = "1" ]; then
ipset create -exist aif_blocklistv6 hash:net family inet6 hashsize $hashsi ze maxelem $maxelem ipset create -exist aif_blocklistv6 hash:net family inet6 hashsize $hashsi ze maxelem $maxelem
ip6tables -A HOST_BLOCK_SRC -m set --match-set aif_blocklistv6 src -j HOST _BLOCK_SRC_DROP ip6tables -A HOST_BLOCK_SRC -m set --match-set aif_blocklistv6 src -j HOST _BLOCK_SRC_DROP
if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
ip6tables -A HOST_BLOCK_DST -m set --match-set aif_blocklistv6 dst -j HO ST_BLOCK_DST_DROP ip6tables -A HOST_BLOCK_DST -m set --match-set aif_blocklistv6 dst -j HO ST_BLOCK_DST_DROP
fi fi
fi fi
fi fi
if [ -n "$BLOCK_NETSET_DIR" ] && [ -d "$BLOCK_NETSET_DIR" ] && ls "$BLOCK_NETS ET_DIR"/*.netset >/dev/null 2>&1; then if [ -d "$BLOCK_NETSET_DIR" ] && ls "$BLOCK_NETSET_DIR"/*.netset >/dev/null 2> &1; then
setup_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem setup_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem
## Optimization, add ipsets to iptables (above) first, then apply ipset cont ents (below) which takes time ## Optimization, add ipsets to iptables (above) first, then apply ipset cont ents (below) which takes time
apply_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem apply_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem
fi fi
if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" ]; then if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" ]; then
return return
fi fi
skipping to change at line 4432 skipping to change at line 4428
fi fi
;; ;;
esac esac
done done
done done
echo "" echo ""
fi fi
# Setup the blocked hosts from our file # Setup the blocked hosts from our file
if [ -n "$BLOCK_HOSTS_FILE" ]; then if [ -n "$BLOCK_HOSTS_FILE" ]; then
if [ -e "$BLOCK_HOSTS_FILE" ]; then if [ -f "$BLOCK_HOSTS_FILE" ]; then
local cur_cnt=0 total_cnt local cur_cnt=0 total_cnt
total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) )) total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) ))
: > "$IP4TABLES_BATCH_FILE" : > "$IP4TABLES_BATCH_FILE"
if [ "$IPV6_SUPPORT" = "1" ]; then if [ "$IPV6_SUPPORT" = "1" ]; then
: > "$IP6TABLES_BATCH_FILE" : > "$IP6TABLES_BATCH_FILE"
fi fi
echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..." echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..."
if [ $total_cnt -gt 0 ]; then if [ $total_cnt -gt 0 ]; then
skipping to change at line 4556 skipping to change at line 4552
fi fi
;; ;;
esac esac
done done
done done
echo "" echo ""
fi fi
# Setup the blocked hosts from our file # Setup the blocked hosts from our file
if [ -n "$BLOCK_HOSTS_FILE" ]; then if [ -n "$BLOCK_HOSTS_FILE" ]; then
if [ -e "$BLOCK_HOSTS_FILE" ]; then if [ -f "$BLOCK_HOSTS_FILE" ]; then
local cur_cnt=0 total_cnt local cur_cnt=0 total_cnt
total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) )) total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) ))
echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..." echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..."
if [ $total_cnt -gt 0 ]; then if [ $total_cnt -gt 0 ]; then
progress_bar $cur_cnt $total_cnt progress_bar $cur_cnt $total_cnt
# Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FIL E file # Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FIL E file
unset IFS unset IFS
cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wh ile read hosts; do cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wh ile read hosts; do
skipping to change at line 4738 skipping to change at line 4734
PLUGIN_ERRORS=0 PLUGIN_ERRORS=0
# Check for plugins in our plugins binary path: # Check for plugins in our plugins binary path:
if ls "$PLUGIN_BIN_PATH"/*.plugin >/dev/null 2>&1; then if ls "$PLUGIN_BIN_PATH"/*.plugin >/dev/null 2>&1; then
echo "" echo ""
unset IFS unset IFS
for plugin in "$PLUGIN_BIN_PATH"/*.plugin; do for plugin in "$PLUGIN_BIN_PATH"/*.plugin; do
PLUGIN_CMD=start PLUGIN_CMD=start
if [ -e "$PLUGIN_LOAD_FILE_RESTART" ]; then if [ -f "$PLUGIN_LOAD_FILE_RESTART" ]; then
IFS=$EOL IFS=$EOL
for plugin_restart in `cat "$PLUGIN_LOAD_FILE_RESTART"`; do for plugin_restart in `cat "$PLUGIN_LOAD_FILE_RESTART"`; do
if [ "$plugin_restart" = "$plugin" ]; then if [ "$plugin_restart" = "$plugin" ]; then
if grep -q "^plugin_restart\(\)" "$plugin"; then if grep -q "^plugin_restart\(\)" "$plugin"; then
PLUGIN_CMD=restart PLUGIN_CMD=restart
fi fi
break break
fi fi
done done
fi fi
skipping to change at line 4799 skipping to change at line 4795
plugins_stop() plugins_stop()
{ {
local restart="$1" local restart="$1"
local plugin_count=0 local plugin_count=0
# Remove any stale plugin restart file # Remove any stale plugin restart file
rm -f "$PLUGIN_LOAD_FILE_RESTART" rm -f "$PLUGIN_LOAD_FILE_RESTART"
PLUGIN_ERRORS=0 PLUGIN_ERRORS=0
if [ -e "$PLUGIN_LOAD_FILE" ]; then if [ -f "$PLUGIN_LOAD_FILE" ]; then
echo "Stopping (user) plugins..." echo "Stopping (user) plugins..."
IFS=$EOL IFS=$EOL
for plugin in `cat "$PLUGIN_LOAD_FILE"`; do for plugin in `cat "$PLUGIN_LOAD_FILE"`; do
plugin_name="$(basename "$plugin" |sed 's/^[0-9]*//')" plugin_name="$(basename "$plugin" |sed 's/^[0-9]*//')"
if [ -e "$plugin" ]; then if [ -f "$plugin" ]; then
plugin_file="$plugin" plugin_file="$plugin"
else else
# If we can't find it, ignore the priority number in front of the plugin -filename # If we can't find it, ignore the priority number in front of the plugin -filename
plugin_file="$(ls "$PLUGIN_BIN_PATH"/*.plugin |grep "[0-9]*$plugin_name$ " |head -n1)" plugin_file="$(ls "$PLUGIN_BIN_PATH"/*.plugin |grep "[0-9]*$plugin_name$ " |head -n1)"
fi fi
if [ -e "$plugin_file" ]; then if [ -f "$plugin_file" ]; then
# Only issue the stop command for plugins that support it: # Only issue the stop command for plugins that support it:
if grep -q "^plugin_stop\(\)" "$plugin_file"; then if grep -q "^plugin_stop\(\)" "$plugin_file"; then
# Preset ENABLED=0 to make sure the plugin only # Preset ENABLED=0 to make sure the plugin only
# gets loaded if the config has an explicit ENABLED=1: # gets loaded if the config has an explicit ENABLED=1:
ENABLED=0 ENABLED=0
# Preinit to 0, just in case # Preinit to 0, just in case
PLUGIN_RET_VAL=0 PLUGIN_RET_VAL=0
# Store current amount of iptables rule warnings # Store current amount of iptables rule warnings
skipping to change at line 4864 skipping to change at line 4860
rm -f "$PLUGIN_LOAD_FILE" rm -f "$PLUGIN_LOAD_FILE"
fi fi
} }
plugins_status() plugins_status()
{ {
local match="$1" local match="$1"
# Load/insert user plugins # Load/insert user plugins
if [ -e "$PLUGIN_LOAD_FILE" ]; then if [ -f "$PLUGIN_LOAD_FILE" ]; then
printf "\nShowing status of (user) plugins:${match:+ $match}\n" printf "\nShowing status of (user) plugins:${match:+ $match}\n"
echo "---------------------------------" echo "---------------------------------"
IFS=$EOL IFS=$EOL
for plugin in `cat "$PLUGIN_LOAD_FILE"`; do for plugin in `cat "$PLUGIN_LOAD_FILE"`; do
# Only issue the status command for plugins that support the PLUGIN_CMD-va riable: # Only issue the status command for plugins that support the PLUGIN_CMD-va riable:
if grep -q "^plugin_status\(\)" "$plugin"; then if grep -q "^plugin_status\(\)" "$plugin"; then
if [ "${plugin%$match.plugin}" != "${plugin}" ]; then if [ "${plugin%$match.plugin}" != "${plugin}" ]; then
# Preset ENABLED=0 to make sure the plugin only # Preset ENABLED=0 to make sure the plugin only
# gets loaded if the config has an explicit ENABLED=1: # gets loaded if the config has an explicit ENABLED=1:
skipping to change at line 4916 skipping to change at line 4912
} }
# Add (background) job # Add (background) job
# $1 = Job name # $1 = Job name
# $2 = Time in minutes between executes # $2 = Time in minutes between executes
# $3 = Path to script/binary # $3 = Path to script/binary
job_add() job_add()
{ {
local SCRIPT_NAME SCRIPT_TIME SCRIPT_PATH local SCRIPT_NAME SCRIPT_TIME SCRIPT_PATH
if [ -z "$JOBS_FILE" ]; then
echo "** ERROR: Unable to add job since JOBS_FILE is not defined" >&2
return 1
fi
SCRIPT_NAME="$1" SCRIPT_NAME="$1"
shift shift
SCRIPT_TIME="$1" SCRIPT_TIME="$1"
shift shift
SCRIPT_PATH="$*" SCRIPT_PATH="$*"
# First remove job (if one exists) # First remove job (if one exists)
job_remove "$SCRIPT_NAME" >/dev/null job_remove "$SCRIPT_NAME" >/dev/null
echo "${INDENT}Adding background job \"$SCRIPT_NAME\"" echo "${INDENT}Adding background job \"$SCRIPT_NAME\""
skipping to change at line 4942 skipping to change at line 4943
return 0 return 0
} }
# Run job once (in foreground) # Run job once (in foreground)
# $1 = Path to job helper # $1 = Path to job helper
job_run_once() job_run_once()
{ {
local SCRIPT_NAME="$1" local SCRIPT_NAME="$1"
if [ -z "$JOB_EXECUTER" ]; then
echo "** ERROR: Unable to execute job \"$SCRIPT_NAME\" since JOB_EXECUTER is
not defined" >&2
return 1
fi
echo "${INDENT}Foreground running job helper script \"$SCRIPT_NAME\"" echo "${INDENT}Foreground running job helper script \"$SCRIPT_NAME\""
# Source script # Source script
if ! "$JOB_EXECUTER" --indent="${INDENT} " "$SCRIPT_NAME"; then if ! "$JOB_EXECUTER" --indent="${INDENT} " "$SCRIPT_NAME"; then
return 1 return 1
fi fi
return 0 return 0
} }
# Check if job process is running # Check if job process is running
job_process_is_running() job_process_is_running()
{ {
if [ -z "$JOB_PROCESSOR" ]; then
return 1
fi
if ! pgrep -f "$JOB_PROCESSOR" >/dev/null 2>&1; then if ! pgrep -f "$JOB_PROCESSOR" >/dev/null 2>&1; then
return 1 return 1
fi fi
return 0 return 0
} }
# Check whether the jobs process is terminated, if not wait 10 seconds for it # Check whether the jobs process is terminated, if not wait 10 seconds for it
# else (hard) pkill it. This function assumes jobs_process_stop() was previously called # else (hard) pkill it. This function assumes jobs_process_stop() was previously called
jobs_process_terminate_check() jobs_process_terminate_check()
skipping to change at line 5003 skipping to change at line 5013
# Remove possible leftover jobs file (unlikely) # Remove possible leftover jobs file (unlikely)
rm -f "$JOBS_FILE" rm -f "$JOBS_FILE"
return return
} }
# Start jobs processor # Start jobs processor
jobs_process_start() jobs_process_start()
{ {
if [ -n "$JOBS_FILE" -a -e "$JOBS_FILE" ]; then if [ -f "$JOBS_FILE" ]; then
if [ -z "$JOB_PROCESSOR" ]; then
echo "** ERROR: Unable to start jobs processor since JOB_PROCESSOR is not
defined" >&2
return
fi
echo "Starting background jobs processor" echo "Starting background jobs processor"
# Run script for background process # Run script for background process
if check_command start-stop-daemon; then if check_command start-stop-daemon; then
start-stop-daemon -S -b -x "$JOB_PROCESSOR" start-stop-daemon -S -b -x "$JOB_PROCESSOR"
else else
# Fallback: # Fallback:
"$JOB_PROCESSOR" & "$JOB_PROCESSOR" &
fi fi
skipping to change at line 5027 skipping to change at line 5042
# Check if job process is running # Check if job process is running
if ! job_process_is_running; then if ! job_process_is_running; then
echo "** ERROR: Starting jobs processor \"$JOB_PROCESSOR\" failed!" >&2 echo "** ERROR: Starting jobs processor \"$JOB_PROCESSOR\" failed!" >&2
fi fi
fi fi
} }
# Stop jobs processor # Stop jobs processor
jobs_process_stop() jobs_process_stop()
{ {
if [ -n "$JOBS_FILE" -a -e "$JOBS_FILE" ]; then if [ -f "$JOBS_FILE" ]; then
echo "Stopping background jobs processor" echo "Stopping background jobs processor"
# Enter critical section (ignore whether we actually can obtain the lock) # Enter critical section (ignore whether we actually can obtain the lock)
lock_enter "$JOBS_LOCK_NAME" lock_enter "$JOBS_LOCK_NAME"
# Remove jobs file (also kills background process (if any)) # Remove jobs file (also kills background process (if any))
rm -f "$JOBS_FILE" rm -f "$JOBS_FILE"
# Leave critical section (ignore whether we actually can release the lock) # Leave critical section (ignore whether we actually can release the lock)
lock_leave "$JOBS_LOCK_NAME" lock_leave "$JOBS_LOCK_NAME"
skipping to change at line 5113 skipping to change at line 5128
# Setup rules for input/output logging # Setup rules for input/output logging
###################################### ######################################
setup_input_log setup_input_log
setup_output_log setup_output_log
# Explicit unset IFS, just in case # Explicit unset IFS, just in case
unset IFS unset IFS
# Insert the custom rules # Insert the custom rules
######################### #########################
if [ -e "$CUSTOM_RULES" ]; then if [ -f "$CUSTOM_RULES" ]; then
echo "Reading custom rules from $CUSTOM_RULES" echo "Reading custom rules from $CUSTOM_RULES"
. $CUSTOM_RULES . $CUSTOM_RULES
fi fi
# Start (user) plugins # Start (user) plugins
###################### ######################
plugins_start plugins_start
# Fragmented packets handling # Fragmented packets handling
# NOTE: Fragmentation cannot happen with IPv6 (and probably even not with ipta bles/IPv4) # NOTE: Fragmentation cannot happen with IPv6 (and probably even not with ipta bles/IPv4)
skipping to change at line 5927 skipping to change at line 5942
fi fi
# Show plugin status # Show plugin status
plugins_status plugins_status
else else
#iptables -nvL $2 $3 $4 $5 #iptables -nvL $2 $3 $4 $5
iptables -xnvL $@ iptables -xnvL $@
fi fi
# Show IP->hostname mappings from our host-cache # Show IP->hostname mappings from our host-cache
if [ -e "$HOST_CACHE_FILE" ]; then if [ -f "$HOST_CACHE_FILE" ]; then
echo "" echo ""
echo "Showing hostname->IP mapping" echo "Showing hostname->IP mapping"
echo "----------------------------" echo "----------------------------"
cat "$HOST_CACHE_FILE" cat "$HOST_CACHE_FILE"
fi fi
} }
show_start() show_start()
{ {
DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
echo "$DATE ** Starting Arno's Iptables Firewall(AIF) v$MY_VERSION **" >> $FIR
EWALL_LOG
echo "** Starting Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg echo "** Starting Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg
} }
show_restart() show_restart()
{ {
DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
echo "$DATE ** Restarting Arno's Iptables Firewall(AIF) v$MY_VERSION **" >> $F
IREWALL_LOG
echo "** Restarting Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg echo "** Restarting Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg
} }
show_failed() show_failed()
{ {
DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
echo "$DATE ** ERROR: Firewall failed to start! **" >> $FIREWALL_LOG
echo "** ERROR: Firewall failed to start! **" |log_msg echo "** ERROR: Firewall failed to start! **" |log_msg
} }
show_stop() show_stop()
{ {
DATE=`LC_ALL=C date +'%b %d %H:%M:%S'` DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
printf "$DATE \033[40m\033[1;32mStopping Arno's Iptables Firewall(AIF) v$MY_VE RSION\033[0m\n" printf "$DATE \033[40m\033[1;32mStopping Arno's Iptables Firewall(AIF) v$MY_VE RSION\033[0m\n"
echo "$DATE ** Stopping Arno's Iptables Firewall(AIF) v$MY_VERSION **" >> $FIR EWALL_LOG
echo "** Stopping Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg echo "** Stopping Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg
} }
show_stop_blocked() show_stop_blocked()
{ {
DATE=`LC_ALL=C date +'%b %d %H:%M:%S'` DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
printf "$DATE \033[40m\033[1;31mFIREWALL DISABLED & BLOCKING ALL INTERNET TRAF FIC!\033[0m\n" printf "$DATE \033[40m\033[1;31mFIREWALL DISABLED & BLOCKING ALL INTERNET TRAF FIC!\033[0m\n"
echo "** FIREWALL DISABLED & BLOCKING ALL INTERNET TRAFFIC! **" |log_msg echo "** FIREWALL DISABLED & BLOCKING ALL INTERNET TRAFFIC! **" |log_msg
} }
# Now show the final message # Now show the final message
show_applied() show_applied()
{ {
echo "" echo ""
DATE=`LC_ALL=C date +'%b %d %H:%M:%S'` DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
if [ $RULE_WARNING -ne 0 ]; then if [ $RULE_WARNING -ne 0 ]; then
printf "$DATE \033[40m\033[1;31mWARNING: $RULE_WARNING firewall rules failed to apply!\n\033[0m" >&2 printf "$DATE \033[40m\033[1;31mWARNING: $RULE_WARNING firewall rules failed to apply!\n\033[0m" >&2
echo "$DATE ** WARNING: $RULE_WARNING firewall rules failed to apply! **" >> $FIREWALL_LOG
echo "** WARNING: $RULE_WARNING firewall rules failed to apply! **" |log_msg echo "** WARNING: $RULE_WARNING firewall rules failed to apply! **" |log_msg
else else
printf "$DATE \033[40m\033[1;32mAll firewall rules applied.\033[0m\n" printf "$DATE \033[40m\033[1;32mAll firewall rules applied.\033[0m\n"
echo "$DATE ** All firewall rules applied **" >> $FIREWALL_LOG
echo "** All firewall rules applied **" |log_msg echo "** All firewall rules applied **" |log_msg
fi fi
echo "" echo ""
} }
show_disabled() show_disabled()
{ {
DATE=`LC_ALL=C date +'%b %d %H:%M:%S'` DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
printf "$DATE \033[40m\033[1;31mFIREWALL DISABLED!\033[0m\n" printf "$DATE \033[40m\033[1;31mFIREWALL DISABLED!\033[0m\n"
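Review bot: The environment-file block near the top of the script (right after firewall.conf is sourced) now assigns `ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"` unconditionally, whereas the old code only probed the standard paths inside `if [ -z "$ENV_FILE" ]`; a value set in the configuration file is therefore silently replaced. If ignoring a config-supplied ENV_FILE is the intent (it does mean only the two fixed paths are ever sourced here), the comment should say so for people upgrading with an older firewall.conf, e.g. `# Autodetect according to standard paths (ENV_FILE from the config file is ignored)`. If it is not the intent, the old `-z` guard should be reinstated around the probe so a configured, existing path is still honoured. The new error text only mentions the two standard directories, which suggests the former, but that should be confirmed.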
 End of changes. 29 change blocks. 
52 lines changed or deleted 56 lines changed or added
