Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#!/bin/sh
#
# bastille-firewall Load/unload ipchains rulesets
#
# do not rename this file unless you edit /sbin/bastille-firewall-reset
#
# chkconfig: 2345 5 98
# description: A firewall/packet-filter script for Linux systems \
# that allows the machine to be used as a gateway system
#
# $Id: bastille-firewall,v 1.6 2002/02/24 17:19:14 peterw Exp $
# Copyright (c) 1999-2002 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
#
# This script is designed to be used as a SysV-style init script.
#
# It should be run with a "start" argument
# 1) as an rc?.d "S" script, _before_ the "network" script
# [copy this to /etc/rc.d/init.d/bastille-firewall (or your equivalent of
# /etc/rc.d/init.d) and run 'chkconfig -add bastille-firewall' ]
# 2) any time an interface is brought up or changed, e.g.
# establishing a PPP conection or renewing a DHCP lease
# [copy 'bastille-firewall-reset', 'bastille-firewall-schedule'
# and 'ifup-local' to /sbin/]
#
# Normally you Do Not _Ever_ Want to run this with a "stop" argument!
#
# Note that running this with "stop" will disable the firewall and open
# your system to all network traffic; if you make changes to these rules,
# apply them by running the script again with a "start" argument.
#
# ** As of 0.99-beta1, this script merely kicks off the real script,
# either /sbin/bastille-ipchains or /sbin/bastille-netfilter
# Default is to use the 'ipchains' script, which will load the
# ipchains compatibility module if you're using a 2.4 kernel
REALSCRIPT=/sbin/bastille-ipchains
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# exit function to be called in place of regular Bourne exit
clean_exit()
{
rmdir /var/lock/bastille-firewall 2>/dev/null
exit $1
}
[ ! -d /var/lock ] && mkdir -m 0755 /var/lock
mkdir -m 0700 /var/lock/bastille-firewall 2>/dev/null
if [ $? -ne 0 ]; then
if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi
echo "ERROR: bastille-firewall currently being reset or lock is stuck."
echo "To un-stick, remove the directory /var/lock/bastille-firewall"
exit 1
fi
if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
# We are using Linux 2.3 or newer; use the netfilter script if available
if [ -x /sbin/bastille-netfilter ]; then
REALSCRIPT=/sbin/bastille-netfilter
fi
fi
if [ ! -x ${REALSCRIPT} ]; then
echo "ERROR: \"${REALSCRIPT}\" not available!"
clean_exit 1
fi
${REALSCRIPT} "$1"
bretval=$?
# Use "subsys" locks to indicate our status
case "$1" in
start|restart|reload)
if [ $bretval -eq 0 ]; then touch /var/lock/subsys/bastille-firewall; fi
;;
stop)
rm -f /var/lock/subsys/bastille-firewall
;;
esac
clean_exit $bretval