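--- /dev/null
+++ b/bastille-firewall
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# bastille-firewall Load/unload ipchains rulesets
+#
+# do not rename this file unless you edit /sbin/bastille-firewall-reset
+#
+# chkconfig: 2345 5 98
+# description: A firewall/packet-filter script for Linux systems \
+# that allows the machine to be used as a gateway system
+#
+# $Id: bastille-firewall,v 1.6 2002/02/24 17:19:14 peterw Exp $
+# Copyright (c) 1999-2002 Peter Watkins
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
+#
+# This script is designed to be used as a SysV-style init script.
+#
+# It should be run with a "start" argument
+# 1) as an rc?.d "S" script, _before_ the "network" script
+# [copy this to /etc/rc.d/init.d/bastille-firewall (or your equivalent of
+# /etc/rc.d/init.d) and run 'chkconfig -add bastille-firewall' ]
+# 2) any time an interface is brought up or changed, e.g.
+# establishing a PPP conection or renewing a DHCP lease
+# [copy 'bastille-firewall-reset', 'bastille-firewall-schedule'
+# and 'ifup-local' to /sbin/]
+#
+# Normally you Do Not _Ever_ Want to run this with a "stop" argument!
+#
+# Note that running this with "stop" will disable the firewall and open
+# your system to all network traffic; if you make changes to these rules,
+# apply them by running the script again with a "start" argument.
+#
+# ** As of 0.99-beta1, this script merely kicks off the real script,
+# either /sbin/bastille-ipchains or /sbin/bastille-netfilter
+
+# Default is to use the 'ipchains' script, which will load the
+# ipchains compatibility module if you're using a 2.4 kernel
+REALSCRIPT=/sbin/bastille-ipchains
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+# exit function to be called in place of regular Bourne exit
+clean_exit()
+{
+ rmdir /var/lock/bastille-firewall 2>/dev/null
+ exit $1
+}
+
+[ ! -d /var/lock ] && mkdir -m 0755 /var/lock
+
+mkdir -m 0700 /var/lock/bastille-firewall 2>/dev/null
+if [ $? -ne 0 ]; then
+ if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi
+ echo "ERROR: bastille-firewall currently being reset or lock is stuck."
+ echo "To un-stick, remove the directory /var/lock/bastille-firewall"
+ exit 1
+fi
+
+if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
+ # We are using Linux 2.3 or newer; use the netfilter script if available
+ if [ -x /sbin/bastille-netfilter ]; then
+ REALSCRIPT=/sbin/bastille-netfilter
+ fi
+fi
+
+if [ ! -x ${REALSCRIPT} ]; then
+ echo "ERROR: \"${REALSCRIPT}\" not available!"
+ clean_exit 1
+fi
+
+${REALSCRIPT} "$1"
+bretval=$?
+
+# Use "subsys" locks to indicate our status
+case "$1" in
+ start|restart|reload)
+ if [ $bretval -eq 0 ]; then touch /var/lock/subsys/bastille-firewall; fi
+ ;;
+ stop)
+ rm -f /var/lock/subsys/bastille-firewall
+ ;;
+esac
+
+clean_exit $bretval
+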
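Review bot: The kernel-version test `uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}'` only matches a major version of exactly 2, so on any kernel with a later major number the script silently stays on /sbin/bastille-ipchains even when /sbin/bastille-netfilter is installed and executable; `awk -F. '$1 > 2 || ($1 == 2 && $2 > 2) {print}'` keeps the intent while covering later majors. The three `echo "ERROR: ..."` diagnostics (the stuck-lock message, the un-stick hint and the "not available" message) are written to stdout, which for an init script means they are lost or mixed into captured output; send them to stderr with `>&2`. The `touch /var/lock/subsys/bastille-firewall` on a successful start assumes /var/lock/subsys already exists while the script only creates /var/lock, so the status marker can be skipped without any error being reported. On `stop` the subsys marker is removed regardless of `bretval`, so a stop that the real script failed to carry out still reports the firewall as down.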