File: uif.initscript

#! /bin/bash
### BEGIN INIT INFO
# Provides:          uif
# Required-Start:    $network $syslog $remote_fs
# Required-Stop:     $network $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Universal Internet Firewall
# Description:       Start the firewall defined in /etc/uif/uif.conf.
### END INIT INFO
#
# Version:      @(#)/etc/init.d/uif  1.1.9  August-2018 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
#

# RedHat specific settings - ignore for real systems ---------------------------
# chkconfig: - 60 95
# description: provides iptables packet filtering

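. /lib/lsb/init-functions

PATH=/usr/sbin:/sbin:$PATH
UIF=/usr/sbin/uif

# IPv6 handling is off unless /etc/default/uif sets IPV6MODE=1.
IPV6MODE=0

# Include firewall defaults if available.  The file is sourced as shell
# code; the variables this script reads (OPTIONS, MODULES, MAILTO, TIMEOUT,
# ACCOUNTPREFIX, LOGPREFIX, IPV6MODE) are typically provided there.
if [ -f /etc/default/uif ] ; then
	. /etc/default/uif
fi

#THIS IS DEFAULT ANYWAY#[ -z "$OPTIONS" ] && OPTIONS="-c /etc/uif/uif.conf"

# Binaries installed?
if [ ! -f /sbin/iptables ]; then
	log_failure_msg "uif: iptables not found - aborting"
	exit 1
fi

# Quoted so an empty/unset IPV6MODE compares false instead of raising a
# "unary operator expected" error; two tests instead of the deprecated and
# ambiguous "-a".
if [ "$IPV6MODE" = 1 ] && [ ! -f /sbin/ip6tables ] ; then
	log_failure_msg "uif: ip6tables not found - aborting"
	exit 1
fi

# uif installed? Without it this script makes no sense... Say so instead of
# exiting silently.
if [ ! -f "$UIF" ]; then
	log_failure_msg "uif: $UIF not found - aborting"
	exit 1
fi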


# As the name says. If the kernel supports modules, it'll try to load
# the ones listed in "MODULES".
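#######################################
# Load the kernel modules listed in MODULES, if the kernel supports
# modules at all.
# Globals:   MODULES (read) - whitespace-separated module names
# Outputs:   modprobe diagnostics on stderr, if any
# Returns:   0 always; a module that fails to load is skipped
#######################################
load_modules() {
	local loaded mod
	[ -f /proc/modules ] || return 0
	loaded=$(/sbin/lsmod | awk '!/Module/ {print $1}')

	# MODULES is deliberately unquoted: it is a word list.
	# shellcheck disable=SC2086
	for mod in $MODULES; do
		# Exact, fixed-string line match: the old substring regex match
		# treated e.g. "nf_conntrack_ipv4" as satisfying "nf_conntrack"
		# and then skipped the modprobe.
		printf '%s\n' "$loaded" | grep -qxF -- "$mod" \
			|| modprobe -- "$mod" || /bin/true
	done
}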


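#######################################
# Print the rule listing and, when ACCOUNTPREFIX is set, the accounting
# counters for one address family.  Shared by the IPv4 and IPv6 halves of
# the "status" action.
# Globals:   ACCOUNTPREFIX (read)
# Arguments: $1 - dump command (iptables-save or ip6tables-save)
#            $2 - filter command (iptables or ip6tables)
# Outputs:   human-readable listing on stdout
#######################################
status_family() {
	# Drop the "# ..." comment lines of the save format.
	printf '\nRule listing:\n\n'
	"$1" | sed "/^#/d"

	if [ -n "$ACCOUNTPREFIX" ]; then
		# Join each "Chain $ACCOUNTPREFIX..." header with the line that
		# follows it and print "<chain>\t<bytes> Bytes".  ACCOUNTPREFIX is
		# interpolated into a sed address, so it must not contain regex
		# metacharacters.
		printf '\n\nCurrent accounting information:\n\n'
		"$2" -vnx -L 2>&1 | sed "/pkts/d" | sed -ne "/^Chain $ACCOUNTPREFIX/N" -e "s/\n/ /p" | \
			sed "s/[ ][ ]*/ /g" | awk '{ print $2"\t"$6" Bytes"; }'
	fi
}

# Dispatch on the requested init action.  OPTIONS is left unquoted
# throughout: it is a whitespace-separated argument list for uif.
case "$1" in

start)
	log_daemon_msg "Starting uif"
	logger "Starting uif"
	[ -f /proc/modules ] && { log_progress_msg "modules"; load_modules; }

	log_progress_msg "IPv4-rules"
	# shellcheck disable=SC2086
	EMSG=$($UIF $OPTIONS 2>&1)
	RET4=$?
	if [ "$RET4" -ne 0 ]; then

		logger "Starting uif failed: $EMSG"

		# printf instead of "echo -e" so backslash sequences inside the
		# error text are not re-interpreted.  MAILTO stays unquoted on
		# purpose: it may hold several space-separated recipients.
		# shellcheck disable=SC2086
		[ -n "$MAILTO" ] && \
		printf 'Hi. This is your firewall script - which has failed to execute in a proper way.\nHere is the error message:\n\n%s\n\nPlease fix to be sure...\n' "$EMSG" \
			| mail -s "Firewall script failure" $MAILTO

		log_end_msg "$RET4"
		echo
		printf 'Error message: %s\n\n' "$EMSG"
		exit 1
	fi
	if [ "$IPV6MODE" = 1 ] ; then
		log_progress_msg "IPv6-rules"
		# shellcheck disable=SC2086
		EMSG=$($UIF -6 $OPTIONS 2>&1)
		RET6=$?
		if [ "$RET6" -ne 0 ]; then

			logger "Starting uif failed: $EMSG"

			# shellcheck disable=SC2086
			[ -n "$MAILTO" ] && \
			printf 'Hi. This is your IPv6 firewall script - which has failed to execute in a proper way.\nHere is the error message:\n\n%s\n\nPlease fix to be sure...\n' "$EMSG" \
				| mail -s "Firewall script failure" $MAILTO

			log_end_msg "$RET6"
			echo
			printf 'Error message: %s\n\n' "$EMSG"
			exit 1
		fi
	else
		RET6=0
	fi

	# Both are 0 here; any failure exited above.
	log_end_msg $((RET4+RET6))
	;;

stop)
	log_daemon_msg "Stopping uif"
	logger "Stopping uif"
	if [ "$IPV6MODE" = 1 ] ; then
		log_progress_msg "IPv4"
	fi
	# Report the real outcome of the teardown instead of an unconditional
	# success, so a firewall that could not be stopped does not go unnoticed.
	RET4=0
	$UIF -d || RET4=$?
	RET6=0
	if [ "$IPV6MODE" = 1 ] ; then
		log_progress_msg "IPv6"
		$UIF -6 -d || RET6=$?
	fi
	log_end_msg $((RET4+RET6))
	[ $((RET4+RET6)) -eq 0 ] || exit 1
	;;

print)
	echo "Printing rules based on your current configuration"
	# shellcheck disable=SC2086
	$UIF $OPTIONS -pt
	if [ "$IPV6MODE" = 1 ] ; then
		# shellcheck disable=SC2086
		$UIF -6 $OPTIONS -pt
	fi
	;;

test|test4)
	if [ "$IPV6MODE" = 1 ] ; then
		printf 'IPv4 Test: '
	fi
	printf 'Activating IPv4 ruleset for %s seconds: modules, ' "$TIMEOUT"
	trap 'echo "aborted, IPv4 rules restored"; exit 0' INT
	load_modules

	printf 'IPv4 rules - active, waiting - '
	# "-T" is what makes this a timed test run; TIMEOUT is unquoted so an
	# unset value expands to nothing rather than to an empty argument.
	# Only stdout is captured, as before.
	# shellcheck disable=SC2086
	if EMSG=$($UIF -T $TIMEOUT $OPTIONS); then
		echo ok
		exit 0
	fi
	echo failed
	printf 'Error message: %s\n\n' "$EMSG"
	# A failed test must not fall through to the final "exit 0".
	exit 1
	;;
test6)
	if [ "$IPV6MODE" = 1 ] ; then
		printf 'IPv6 Test: '
		printf 'Activating IPv6 ruleset for %s seconds: modules, ' "$TIMEOUT"
		trap 'echo "aborted, IPv6 rules restored"; exit 0' INT
		load_modules

		printf 'IPv6 rules - active, waiting - '
		# shellcheck disable=SC2086
		if EMSG=$($UIF -6 -T $TIMEOUT $OPTIONS); then
			echo ok
			exit 0
		fi
		echo failed
		printf 'Error message: %s\n\n' "$EMSG"
		exit 1
	else
		# Previously a silent no-op that exited 0; say why nothing happened.
		echo "IPv6 test skipped: IPV6MODE is not set to 1 in /etc/default/uif" >&2
		exit 1
	fi
	;;

status)
	if [ "$(id -u)" != "0" ]; then
		echo "Can't retrieve status information. You need to be root."
		exit 1
	fi
	if [ "$IPV6MODE" = 1 ] ; then
		echo "IPv4 STATUS:"
	fi
	status_family iptables-save iptables
	if [ "$IPV6MODE" = 1 ] ; then
		echo "IPv6 STATUS:"
		status_family ip6tables-save ip6tables
	fi
	# Show last 10 policy violations.  LOGPREFIX is used as a regex
	# fragment, so it must not contain metacharacters; grep's own errors
	# are discarded as before.
	if [ -n "$LOGPREFIX" ]; then
		if [ "$IPV6MODE" = 1 ] ; then
			printf '\n\nLast 10 policy violations (IPv4 & IPv6 combined):\n'
		else
			printf '\n\nLast 10 policy violations (IPv4 only):\n'
		fi
		dmesg | grep "$(hostname).* $LOGPREFIX .*:" 2> /dev/null | tail -n 10
	fi

	printf '\n\n\n'
	;;


restart|reload|force-reload)
	# No explicit stop: "start" re-applies the ruleset (presumably uif
	# replaces the existing one - verify against uif itself).  exec so the
	# exit status of "start" is the exit status of this action instead of
	# being discarded by the trailing "exit 0".
	exec "$0" start
	;;

flush)
	printf 'Flushing IPv4 packet counters: '
	if iptables -Z > /dev/null 2>&1; then
		echo ok
	else
		echo failed
	fi
	if [ "$IPV6MODE" = 1 ] ; then
		printf 'Flushing IPv6 packet counters: '
		if ip6tables -Z > /dev/null 2>&1; then
			echo ok
		else
			echo failed
		fi
	fi
	;;

*)
	# Usage now lists every action the case above accepts.
	echo "Usage: $0 {start|stop|status|restart|reload|force-reload|flush|print|test|test4|test6}"
	exit 1
	;;
esac

exit 0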