« back to all changes in this revision
Viewing changes to src/ufw-init-functions
- browse files at revision 50
- compare with another revision
- download diff
- download tarball
- view history from revision 50
- Committer: Bazaar Package Importer
- Author(s): Jamie Strandboge
- Date: 2010-01-30 09:42:05 UTC
- mfrom: (30.1.8 upstream)
- Revision ID: james.westby@ubuntu.com-20100130094205-8wsowzipc32k48yy
Tags: 0.29.3-0ubuntu1
* New upstream release. Fixes:
LP: #490366
LP: #512131
LP: #488032
LP: #513387
* debian/ufw.upstart.ubuntu: start before an interface receives traffic
* debian/postinst: don't sed or chmod a file that doesn't exist
(LP: #503039)
* debian/after*.rules.md5sum: updated for ucf (added additional sums for
people using the workaround in LP: #488032)
LP: #490366
LP: #512131
LP: #488032
LP: #513387
* debian/ufw.upstart.ubuntu: start before an interface receives traffic
* debian/postinst: don't sed or chmod a file that doesn't exist
(LP: #503039)
* debian/after*.rules.md5sum: updated for ucf (added additional sums for
people using the workaround in LP: #488032)
- files removed:
- locales/mo/ar.mo
- files modified:
- ChangeLog
added
removed
src/ufw-init-functions
2
2
#
3
3
# ufw-init-functions: functions used by ufw-init and distribution initscripts
4
4
#
5
# Copyright 2008-2009 Canonical Ltd.
5
# Copyright 2008-2010 Canonical Ltd.
6
6
#
7
7
# This program is free software: you can redistribute it and/or modify
8
8
# it under the terms of the GNU General Public License version 3,
78
78
exe="ip6tables"
79
79
fi
80
80
81
for c in ufw$type-logging-deny ufw$type-logging-allow ufw$type-not-local ufw$type-user-logging-input ufw$type-user-limit-accept ufw$type-user-limit ufw$type-reject-input ufw$type-after-logging-input ufw$type-after-input ufw$type-user-input ufw$type-before-input ufw$type-before-logging-input ufw$type-reject-forward ufw$type-after-logging-forward ufw$type-after-forward ufw$type-user-logging-forward ufw$type-user-forward ufw$type-before-forward ufw$type-before-logging-forward ufw$type-track-output ufw$type-track-input ufw$type-reject-output ufw$type-after-logging-output ufw$type-after-output ufw$type-user-logging-output ufw$type-user-output ufw$type-before-output ufw$type-before-logging-output; do
81
for c in ufw$type-logging-deny ufw$type-logging-allow ufw$type-not-local ufw$type-user-logging-input ufw$type-user-limit-accept ufw$type-user-limit ufw$type-skip-to-policy-input ufw$type-reject-input ufw$type-after-logging-input ufw$type-after-input ufw$type-user-input ufw$type-before-input ufw$type-before-logging-input ufw$type-skip-to-policy-forward ufw$type-reject-forward ufw$type-after-logging-forward ufw$type-after-forward ufw$type-user-logging-forward ufw$type-user-forward ufw$type-before-forward ufw$type-before-logging-forward ufw$type-track-output ufw$type-track-input ufw$type-skip-to-policy-output ufw$type-reject-output ufw$type-after-logging-output ufw$type-after-output ufw$type-user-logging-output ufw$type-user-output ufw$type-before-output ufw$type-before-logging-output; do
82
82
if [ "$UFW_INIT_DEBUG" = "yes" ]; then
83
83
echo "$exe $flag $c" >&2
84
84
$exe $flag $c || true
96
96
# so that the primary chains don't leave the built-in chains just to come
97
97
# back later in a different place. This means that some (empty) chains will
98
98
# linger until the next boot after disabling ufw.
99
for c in ufw$type-logging-deny ufw$type-logging-allow ufw$type-not-local ufw$type-user-logging-input ufw$type-user-logging-output ufw$type-user-logging-forward ufw$type-user-limit-accept ufw$type-user-limit ufw$type-user-input ufw$type-user-forward ufw$type-user-output ; do
99
for c in ufw$type-logging-deny ufw$type-logging-allow ufw$type-not-local ufw$type-user-logging-input ufw$type-user-logging-output ufw$type-user-logging-forward ufw$type-user-limit-accept ufw$type-user-limit ufw$type-user-input ufw$type-user-forward ufw$type-user-output ufw$type-skip-to-policy-input ufw$type-skip-to-policy-output ufw$type-skip-to-policy-forward ; do
100
100
if [ "$UFW_INIT_DEBUG" = "yes" ]; then
101
101
echo "$exe $flag $c" >&2
102
102
$exe -X $c || true
137
137
# default DROP and accept all on loopback
138
138
delete_chains 6 || error="yes"
139
139
140
ip6tables -P INPUT DROP || error="yes"
141
ip6tables -P OUTPUT DROP || error="yes"
142
ip6tables -P FORWARD DROP || error="yes"
143
144
# delete these first so don't add multiple rules
145
ip6tables -D INPUT -i lo -j ACCEPT 2>/dev/null || true
146
ip6tables -D OUTPUT -o lo -j ACCEPT 2>/dev/null || true
147
148
ip6tables -A INPUT -i lo -j ACCEPT || error="yes"
149
ip6tables -A OUTPUT -o lo -j ACCEPT || error="yes"
150
140
cat <<EOM | ip6tables-restore || error="yes"
141
*filter
142
:INPUT DROP [0:0]
143
:FORWARD DROP [0:0]
144
:OUTPUT DROP [0:0]
145
-A INPUT -i lo -j ACCEPT
146
-A OUTPUT -o lo -j ACCEPT
147
COMMIT
148
EOM
151
149
if [ "$error" = "yes" ]; then
152
150
out="${out}\nProblem loading ipv6 (skipping)"
153
151
fi
164
162
AFTER_RULES="$RULES_PATH/after${type}.rules"
165
163
USER_RULES="$USER_PATH/user${type}.rules"
166
164
167
# flush the chains
168
delete_chains $type || error="yes"
169
170
# setup built-in chains' default policy
171
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
172
$exe -P INPUT DROP || error="yes"
173
else
174
$exe -P INPUT $DEFAULT_INPUT_POLICY || error="yes"
175
fi
176
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
177
$exe -P OUTPUT DROP || error="yes"
178
elif [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT_NO_TRACK" ]; then
179
$exe -P OUTPUT ACCEPT || error="yes"
180
else
181
$exe -P OUTPUT $DEFAULT_OUTPUT_POLICY || error="yes"
182
fi
183
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
184
$exe -P FORWARD DROP || error="yes"
185
else
186
$exe -P FORWARD $DEFAULT_FORWARD_POLICY || error="yes"
187
fi
188
189
# setup some other chains that can be used later
190
if [ "$type" != "6" ]; then
191
$exe -N ufw${type}-not-local || error="yes"
192
fi
193
194
# setup ufw${type}-logging-* chains
165
# set the default policy
166
input_pol="$DEFAULT_INPUT_POLICY"
167
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
168
input_pol="DROP"
169
fi
170
171
output_pol="$DEFAULT_OUTPUT_POLICY"
172
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
173
output_pol="DROP"
174
fi
175
176
forward_pol="$DEFAULT_FORWARD_POLICY"
177
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
178
forward_pol="DROP"
179
fi
180
cat <<EOM | $exe-restore -n || error="yes"
181
*filter
182
# builtin chains
183
:INPUT $input_pol [0:0]
184
:FORWARD $forward_pol [0:0]
185
:OUTPUT $output_pol [0:0]
186
COMMIT
187
EOM
188
189
# flush the chains (if they exist)
190
if $exe -L ufw${type}-before-logging-input -n >/dev/null 2>&1 ; then
191
delete_chains $type || error="yes"
192
else
193
# setup all the primary chains
194
cat <<EOM | $exe-restore -n || error="yes"
195
*filter
196
# primary chains
197
:ufw${type}-before-logging-input - [0:0]
198
:ufw${type}-before-logging-output - [0:0]
199
:ufw${type}-before-logging-forward - [0:0]
200
:ufw${type}-before-input - [0:0]
201
:ufw${type}-before-output - [0:0]
202
:ufw${type}-before-forward - [0:0]
203
:ufw${type}-after-input - [0:0]
204
:ufw${type}-after-output - [0:0]
205
:ufw${type}-after-forward - [0:0]
206
:ufw${type}-after-logging-input - [0:0]
207
:ufw${type}-after-logging-output - [0:0]
208
:ufw${type}-after-logging-forward - [0:0]
209
:ufw${type}-reject-input - [0:0]
210
:ufw${type}-reject-output - [0:0]
211
:ufw${type}-reject-forward - [0:0]
212
:ufw${type}-track-input - [0:0]
213
:ufw${type}-track-output - [0:0]
214
215
-A INPUT -j ufw${type}-before-logging-input
216
-A INPUT -j ufw${type}-before-input
217
-A INPUT -j ufw${type}-after-input
218
-A INPUT -j ufw${type}-after-logging-input
219
-A INPUT -j ufw${type}-reject-input
220
-A INPUT -j ufw${type}-track-input
221
222
-A OUTPUT -j ufw${type}-before-logging-output
223
-A OUTPUT -j ufw${type}-before-output
224
-A OUTPUT -j ufw${type}-after-output
225
-A OUTPUT -j ufw${type}-after-logging-output
226
-A OUTPUT -j ufw${type}-reject-output
227
-A OUTPUT -j ufw${type}-track-output
228
229
-A FORWARD -j ufw${type}-before-logging-forward
230
-A FORWARD -j ufw${type}-before-forward
231
-A FORWARD -j ufw${type}-after-forward
232
-A FORWARD -j ufw${type}-after-logging-forward
233
-A FORWARD -j ufw${type}-reject-forward
234
COMMIT
235
EOM
236
fi
237
238
# add reject policy
239
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
240
cat <<EOM | $exe-restore -n || error="yes"
241
*filter
242
-A ufw${type}-reject-input -j REJECT
243
COMMIT
244
EOM
245
fi
246
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
247
cat <<EOM | $exe-restore -n || error="yes"
248
*filter
249
-A ufw${type}-reject-output -j REJECT
250
COMMIT
251
EOM
252
fi
253
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
254
cat <<EOM | $exe-restore -n || error="yes"
255
*filter
256
-A ufw${type}-reject-forward -j REJECT || error="yes"
257
COMMIT
258
EOM
259
fi
260
261
# add tracking policy
262
if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
263
cat <<EOM | $exe-restore -n || error="yes"
264
*filter
265
-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT
266
-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT
267
COMMIT
268
EOM
269
fi
270
271
if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
272
cat <<EOM | $exe-restore -n || error="yes"
273
*filter
274
-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT
275
-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT
276
COMMIT
277
EOM
278
fi
279
280
# now setup the secondary 'logging-deny' chains
195
281
if ! $exe -L ufw${type}-logging-deny -n >/dev/null 2>&1 ; then
196
$exe -N ufw${type}-logging-deny || error="yes"
197
$exe -N ufw${type}-logging-allow || error="yes"
198
fi
199
200
# setup ufw${type}-user-logging-* chains
201
if ! $exe -L ufw${type}-user-logging-input -n >/dev/null 2>&1 ; then
202
$exe -N ufw${type}-user-logging-input || error="yes"
203
$exe -N ufw${type}-user-logging-output || error="yes"
204
$exe -N ufw${type}-user-logging-forward || error="yes"
205
fi
206
207
# setup ufw${type}-before-logging-* chains
208
if ! $exe -L ufw${type}-before-logging-input -n >/dev/null 2>&1 ; then
209
$exe -N ufw${type}-before-logging-input || error="yes"
210
$exe -N ufw${type}-before-logging-output || error="yes"
211
$exe -N ufw${type}-before-logging-forward || error="yes"
212
$exe -A INPUT -j ufw${type}-before-logging-input || error="yes"
213
$exe -A OUTPUT -j ufw${type}-before-logging-output || error="yes"
214
$exe -A FORWARD -j ufw${type}-before-logging-forward || error="yes"
215
fi
216
217
# setup ufw${type}-before-* chains
218
if ! $exe -L ufw${type}-before-input -n >/dev/null 2>&1 ; then
219
$exe -N ufw${type}-before-input || error="yes"
220
$exe -N ufw${type}-before-output || error="yes"
221
$exe -N ufw${type}-before-forward || error="yes"
222
$exe -A INPUT -j ufw${type}-before-input || error="yes"
223
$exe -A OUTPUT -j ufw${type}-before-output || error="yes"
224
$exe -A FORWARD -j ufw${type}-before-forward || error="yes"
225
fi
226
if [ -s "$RULES_PATH" ]; then
227
if ! $exe-restore -n < $BEFORE_RULES ; then
282
cat <<EOM | $exe-restore -n || error="yes"
283
*filter
284
:ufw${type}-logging-deny - [0:0]
285
:ufw${type}-logging-allow - [0:0]
286
COMMIT
287
EOM
288
fi
289
290
# now setup the secondary 'skip to policy' chains
291
if ! $exe -L ufw${type}-skip-to-policy-input -n >/dev/null 2>&1 ; then
292
cat <<EOM | $exe-restore -n || error="yes"
293
*filter
294
:ufw${type}-skip-to-policy-input - [0:0]
295
:ufw${type}-skip-to-policy-output - [0:0]
296
:ufw${type}-skip-to-policy-forward - [0:0]
297
-A ufw${type}-skip-to-policy-input -j "$DEFAULT_INPUT_POLICY"
298
-A ufw${type}-skip-to-policy-output -j "$DEFAULT_OUTPUT_POLICY"
299
-A ufw${type}-skip-to-policy-forward -j "$DEFAULT_FORWARD_POLICY"
300
COMMIT
301
EOM
302
fi
303
304
# now ip[6]tables-restore before*.rules. This resets the following
305
# chains:
306
# ufw-before-input
307
# ufw-before-output
308
# ufw-before-forward
309
#
310
# and sets the following:
311
# ufw-not-local
312
if [ -s "$BEFORE_RULES" ]; then
313
if ! $exe-restore -n < "$BEFORE_RULES" ; then
228
314
out="${out}\nProblem running '$BEFORE_RULES'"
229
315
error="yes"
230
316
fi
231
317
else
232
318
out="${out}\nCouldn't find '$BEFORE_RULES'"
233
fi
234
235
# setup ufw${type}-user chain
236
if [ -s "$USER_PATH" ]; then
237
$exe -N ufw${type}-user-input || error="yes"
238
$exe -N ufw${type}-user-output || error="yes"
239
$exe -N ufw${type}-user-forward || error="yes"
240
$exe -A ufw${type}-before-input -j ufw${type}-user-input || error="yes"
241
$exe -A ufw${type}-before-output -j ufw${type}-user-output || error="yes"
242
$exe -A ufw${type}-before-forward -j ufw${type}-user-forward || error="yes"
243
if ! $exe-restore -n < $USER_RULES ; then
244
out="${out}\nProblem running '$USER_RULES'"
245
error="yes"
246
fi
247
# don't include the RETURN lines here, as they will
248
# be in the USER_PATH file
249
fi
250
251
# setup ufw${type}-after-* chains
252
if ! $exe -L ufw${type}-after-input -n >/dev/null 2>&1 ; then
253
$exe -N ufw${type}-after-input || error="yes"
254
$exe -N ufw${type}-after-output || error="yes"
255
$exe -N ufw${type}-after-forward || error="yes"
256
$exe -A INPUT -j ufw${type}-after-input || error="yes"
257
$exe -A OUTPUT -j ufw${type}-after-output || error="yes"
258
$exe -A FORWARD -j ufw${type}-after-forward || error="yes"
259
fi
319
error="yes"
320
fi
321
322
# now ip[6]tables-restore after*.rules. This resets the following
323
# chains:
324
# ufw-after-input
325
# ufw-after-output
326
# ufw-after-forward
260
327
if [ -s "$AFTER_RULES" ]; then
261
if ! $exe-restore -n < $AFTER_RULES ; then
328
if ! $exe-restore -n < "$AFTER_RULES" ; then
262
329
out="${out}\nProblem running '$AFTER_RULES'"
263
330
error="yes"
264
331
fi
265
332
else
266
333
out="${out}\nCouldn't find '$AFTER_RULES'"
267
fi
268
269
# setup ufw${type}-after-logging-* chains
270
if ! $exe -L ufw${type}-after-logging-input -n >/dev/null 2>&1 ; then
271
$exe -N ufw${type}-after-logging-input || error="yes"
272
$exe -N ufw${type}-after-logging-output || error="yes"
273
$exe -N ufw${type}-after-logging-forward || error="yes"
274
$exe -A INPUT -j ufw${type}-after-logging-input || error="yes"
275
$exe -A OUTPUT -j ufw${type}-after-logging-output || error="yes"
276
$exe -A FORWARD -j ufw${type}-after-logging-forward || error="yes"
277
fi
278
279
# now setup the REJECT chains
280
if ! $exe -L ufw${type}-reject-input -n >/dev/null 2>&1 ; then
281
$exe -N ufw${type}-reject-input || error="yes"
282
$exe -N ufw${type}-reject-output || error="yes"
283
$exe -N ufw${type}-reject-forward || error="yes"
284
$exe -A INPUT -j ufw${type}-reject-input || error="yes"
285
$exe -A OUTPUT -j ufw${type}-reject-output || error="yes"
286
$exe -A FORWARD -j ufw${type}-reject-forward || error="yes"
287
fi
288
289
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
290
$exe -A ufw${type}-reject-input -j REJECT || error="yes"
291
fi
292
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
293
$exe -A ufw${type}-reject-output -j REJECT || error="yes"
294
fi
295
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
296
$exe -A ufw${type}-reject-forward -j REJECT || error="yes"
297
fi
298
299
# now setup the incoming state tracking chains
300
if ! $exe -L ufw${type}-track-input -n >/dev/null 2>&1 ; then
301
$exe -N ufw${type}-track-input || error="yes"
302
$exe -A INPUT -j ufw${type}-track-input || error="yes"
303
fi
304
305
if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
306
$exe -A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT || error="yes"
307
$exe -A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT || error="yes"
308
fi
309
310
# now setup the outgoing state tracking chains
311
if ! $exe -L ufw${type}-track-output -n >/dev/null 2>&1 ; then
312
$exe -N ufw${type}-track-output || error="yes"
313
$exe -A OUTPUT -j ufw${type}-track-output || error="yes"
314
fi
315
316
if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
317
$exe -A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT || error="yes"
318
$exe -A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT || error="yes"
334
error="yes"
335
fi
336
337
# user chains
338
if [ -s "$USER_RULES" ]; then
339
# setup the secondary 'user' chains
340
if ! $exe -L ufw${type}-user-input -n >/dev/null 2>&1 ; then
341
cat <<EOM | $exe-restore -n || error="yes"
342
*filter
343
:ufw${type}-user-input - [0:0]
344
:ufw${type}-user-output - [0:0]
345
:ufw${type}-user-forward - [0:0]
346
:ufw${type}-user-logging-input - [0:0]
347
:ufw${type}-user-logging-output - [0:0]
348
:ufw${type}-user-logging-forward - [0:0]
349
:ufw${type}-user-limit - [0:0]
350
:ufw${type}-user-limit-accept - [0:0]
351
COMMIT
352
EOM
353
fi
354
355
# now ip[6]tables-restore user*.rules. This resets the following
356
# chains:
357
# ufw-before-logging-input
358
# ufw-before-logging-output
359
# ufw-before-logging-forward
360
# ufw-after-logging-input
361
# ufw-after-logging-output
362
# ufw-after-logging-forward
363
# ufw-logging-deny
364
# ufw-logging-allow
365
# ufw-after-input
366
# ufw-after-output
367
# ufw-after-forward
368
# ufw-user-limit
369
# ufw-user-limit-accept
370
if ! $exe-restore -n < "$USER_RULES" ; then
371
out="${out}\nProblem running '$USER_RULES'"
372
error="yes"
373
fi
374
375
# now hooks these into the primary chains
376
cat <<EOM | $exe-restore -n || error="yes"
377
*filter
378
-A ufw${type}-before-input -j ufw${type}-user-input
379
-A ufw${type}-before-output -j ufw${type}-user-output
380
-A ufw${type}-before-forward -j ufw${type}-user-forward
381
COMMIT
382
EOM
383
else
384
out="${out}\nCouldn't find '$USER_RULES'"
385
error="yes"
319
386
fi
320
387
done
321
388
Loggerhead is a web-based interface for Breezy
Version: 2.0.1