# Required-Start: $remote_fs
# Required-Stop: $remote_fs
# Short-Description: Intelligent firewall
# Description: Automates a packet filtering firewall with iptables.
# chkconfig: 345 08 92
# description: Automates a packet filtering firewall with iptables.
# FIAIF is an Intelligent firewall
# Startup script to add firewall functionality.
# Script Author: Anders Fugmann <afu at fugmann dot net>
# FIAIF is an Intelligent firewall
# Copyright (C) 2002-2013 Anders Peter Fugmann
# This package comes with ABSOLUTELY NO WARRANTY
# Use strictly at your own risk.
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###############################################################################
###############################################################################
source /usr/share/fiaif/constants.sh
if [ -r ${CONF_FILE} ]; then
# Test configuration file
TMP_FILE=$(mktemp /tmp/fiaif-tmp.XXXXXX)
awk -f ${FIAIF_SHARED}/syntax.awk \
-f ${FIAIF_SHARED}/fiaif_rules.awk < ${CONF_FILE} > ${TMP_FILE}
if (( $? != 0 )); then
echo "Syntax errors in FIAIF configuration files detected."
source ${FIAIF_SHARED}/iptables.sh
source ${FIAIF_SHARED}/functions.sh
source ${FIAIF_SHARED}/zones.sh
source ${FIAIF_SHARED}/proc-check.sh
source ${FIAIF_SHARED}/sanity_check.sh
source ${FIAIF_SHARED}/cleanup_rules.sh
source ${FIAIF_SHARED}/aliases.sh
function fiaif_start ()
local FIAIF_SAVE_STATE=$1
if (( SAVE_STATES == 1 )); then
save_rules ${NETFILTER_STATE_FILE}
local PRE_SCRIPT_LENGTH=${#PRE_SCRIPT[*]}
if (( PRE_SCRIPT_LENGTH > 0 )); then
echo "PRE_SCRIPT variable is depricated, and should be replaced"
echo "by PRE_START_SCRIPT."
apply_script PRE_SCRIPT PRE_SCRIPT_LENGTH
apply_script PRE_START_SCRIPT ${#PRE_START_SCRIPT[*]}
# Use the state file if available.
if (( FIAIF_SAVE_STATE == 1 )) && state_valid; then
restore_rules ${FIAIF_STATE_FILE}
debug_out "Removing all existing rules, and setting default policies"
iptables_stop ${DEBUG}
# Test if rules should be saved
if (( ZONE_ERRORS == 0 && DEV_ERRORS == 0 && \
IPTABLES_ERRORS == 0 && RULE_ERRORS == 0)); then
if (( FIAIF_SAVE_STATE == 1 && TEST == 0 )); then
save_rules ${FIAIF_STATE_FILE}
print_err "*** FIAIF encountered errors ***"
print_err "${DEV_ERRORS} error(s) when testing zone configurations."
print_err "${ZONE_ERRORS} reference(s) to undefined zones."
print_err "${RULE_ERRORS} error(s) in rule specifications."
print_err "${IPTABLES_ERRORS} iptables rule generation error(s)."
if (( TEST == 0 )); then
print_err "Please issue '$0 test' and inspect /tmp/fiaif.out for descriptions."
if (( TEST == 0 )); then
if (( SAVE_STATES == 1 )); then
set_proc ${PROC_STATE_FILE}
local POST_SCRIPT_LENGTH=${#POST_SCRIPT[*]}
if (( POST_SCRIPT_LENGTH > 0 )); then
print_err "POST_SCRIPT variables is depricated, and should be replaced"
print_err "by POST_START_SCRIPT."
apply_script POST_SCRIPT POST_SCRIPT_LENGTH
apply_script POST_START_SCRIPT ${#POST_START_SCRIPT[*]}
if (( TEST == 0 ));then
if [[ -z "${NO_CLEANUP}" ]];then
# Cleanup - remove unused chains
echo -n "Cleaning up rules: "
logger -p syslog.notice -t fiaif "FIAIF started"
if (( DEBUG == 1 )); then
logger -p syslog.crit -t fiaif "DEBUG=1 in fiaif.conf."
logger -p syslog.crit -t fiaif \
"This means that your firewall is wide open"
function fiaif_stop ()
apply_script PRE_STOP_SCRIPT ${#PRE_STOP_SCRIPT[*]}
# Restore previous state.
restore_proc ${PROC_STATE_FILE}
restore_rules ${NETFILTER_STATE_FILE}
apply_script POST_STOP_SCRIPT ${#POST_STOP_SCRIPT[*]}
logger -p syslog.notice -t fiaif "FIAIF stopped"
if [[ -f ${SUBSYS_FILE} ]]; then
echo "FIAIF already started. Please stop FIAIF before starting."
fiaif_start ${SAVE_STATE} 1
if [[ ! -f ${SUBSYS_FILE} ]]; then
echo "FIAIF has not yet been started."
# Clean up state files.
rm -f ${IPTABLES_STATE_FILE} ${PROC_STATE_FILE}
if [[ ! -f ${SUBSYS_FILE} ]]; then
echo "FIAIF has not yet been started."
fiaif_start ${SAVE_STATE} 0
touch ${FIAIF_STATE_FILE}
rm -fr ${FIAIF_STATE_FILE}
fiaif_start ${SAVE_STATE} 0
if [[ -f ${SUBSYS_FILE} ]]; then
echo "FIAIF is running."
echo "FIAIF is stopped."
# Stop the firewall. Do not read the DEBUG variable.
# Determine which file to write to.
if [[ -n "$2" ]]; then
elif [[ -n "${TEST_FILE}" ]]; then
TEST_FILE=${TEST_FILE}
TEST_FILE="/tmp/fiaif.out"
# Don't use the state file
check_network_settings
echo "All rules has been written to ${TEST_FILE}"
echo "Usage: $0 {start|stop|restart|force-reload|status|panic|test}"
PATH=${BIN_PATH}:${PATH}
# Test that the user is indeed root
if (( EUID != 0 )); then
echo You must be root to run this program
if [[ ! -r ${CONF_FILE} ]]; then
echo "FIAIF configuration file '${CONF_FILE}' not found."
# Don't start if FIAIF has not been configured.
if [[ -n "${DONT_START}" ]] && (( DONT_START == 1 )); then
echo "Fiaif is not configured."
echo "Set 'DONT_START=0' in /etc/fiaif/fiaif.conf"
# Test if iptables program is available.
which iptables > /dev/null
if (( $? != 0 )); then
echo "Could not find 'iptables'. Aborting."
if [[ -n "${MODULES}" ]]; then
which modprobe > /dev/null
if (( $? != 0 )); then
echo "Could not find 'modprobe'. Aborting."
# Remove old state file if older than boot time
if [[ -f ${SUBSYS_FILE} ]]; then
BOOT_TIME=$(grep '^btime ' /proc/stat|cut -f 2 -d" ")
SUBSYS_TIME=$(date +%s -r ${SUBSYS_FILE})
if (( SUBSYS_TIME < BOOT_TIME )); then
let ${ZONE_ERRORS:=0}
let ${RULE_ERRORS:=0}
let ${IPTABLES_ERRORS:=0}
if (( DEBUG == 1 )); then
print_err "*** Warning: DEBUG=1 in fiaif.conf."
print_err "*** This means that NO packets will ever be dropped,"
print_err "*** and your firewall will accept all connections."