===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.25
retrieving revision 2.26
diff -u -p -r2.25 -r2.26
--- scripts/shell/firewall/fw-universal.sh	2005/06/29 15:24:04	2.25
+++ scripts/shell/firewall/fw-universal.sh	2005/06/29 16:16:46	2.26
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.24 2005/04/18 22:49:30 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.25 2005/06/29 15:24:04 rajo Exp $
 #
 # Changelog:
 # 2003-10-24 - created
@@ -32,6 +32,8 @@ fi
 DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}"
 # which modules to load
 MODULES="${MODULES:=}"
+MODULES_LOADING="${MODULES_LOADING:=yes}"
+MODULES_REMOVING="${MODULES_REMOVING:=no}"
 
 LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}"
 
@@ -77,23 +79,27 @@ ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKE
 # load necessary modules from $MODULES variable
 load_modules()
 { # {{{
-	echo "# Loading modules"
-	for mod in $MODULES; do
-		echo " $MODPROBE $mod"
-		$MODPROBE $mod
-	done
+	if [ "e$MODULES_LOADING" = "eyes" ]; then
+		echo "# Loading modules"
+		for mod in $MODULES; do
+			echo " $MODPROBE $mod"
+			$MODPROBE $mod
+		done
+	fi
 } # }}}
 
 # unload necessary modules from $MODULES variable
 unload_modules()
 { # {{{
 	# reverse modules
-	echo "# Removing modules"
-	R_MODULES=`echo "$MODULES" | tr ' ' '\012' | tac | tr '\012' ' '`
-	for mod in $R_MODULES; do
-		echo " $RMMOD $mod"
-		$RMMOD $mod
-	done
+	if [ "e$MODULES_REMOVING" = "eyes" ]; then
+		echo "# Removing modules"
+		R_MODULES=`echo "$MODULES" | tr ' ' '\012' | tac | tr '\012' ' '`
+		for mod in $R_MODULES; do
+			echo " $RMMOD $mod"
+			$RMMOD $mod
+		done
+	fi
 } # }}}
 
 # print status of detected interfaces
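Review bot: The two new knobs `MODULES_LOADING` and `MODULES_REMOVING` in the -32 hunk carry no comment, unlike `MODULES` directly above them, and the `no` default changes what `unload_modules()` does: the modules listed in `$MODULES` are no longer removed unless the caller opts in. Add a comment per line, e.g. `# run $MODPROBE for each module in $MODULES when load_modules() runs (yes/no)` and `# run $RMMOD for them when unload_modules() runs; default no leaves them loaded (yes/no)`, and record the new default in the Changelog block of the header hunk so config-file users see the change.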
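Review bot: The `[ "e$MODULES_LOADING" = "eyes" ]` comparison in load_modules() (and its twin in unload_modules()) is the old workaround for empty operands; with both sides quoted, `[ "$MODULES_LOADING" = "yes" ]` is equivalent and reads better. As written only the exact lowercase string `yes` enables the branch, so `YES` or `true` in a config file silently disables module loading — either document the accepted value next to the variables or match with a `case` pattern such as `[Yy][Ee][Ss]`. The `$MODPROBE $mod` status is still ignored inside the new branch; since a module that failed to load usually surfaces only later as an iptables error, `$MODPROBE $mod || echo "modprobe $mod failed" >&2` would make the failure visible at the point it happens, though that line predates this change.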
@@ -617,7 +623,8 @@ accept_related()
 
 	for iface in $INTERFACES; do
 		ip="IP_$iface"; echo -en " ${!ip}($iface)"
-		$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+		$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+		$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 	done
 
 	echo " done."
@@ -791,6 +798,15 @@ case "$1" in
 		remove_chains
 		unload_modules
 		forward_off
+		accept_related
+		;;
+
+	really-off)
+		echo -n "Stopping $DESC: removing ALL rules, all packets are dropped !!"
+		set_default_policy
+		remove_chains
+		unload_modules
+		forward_off
 		;;
 
 	status)
@@ -799,7 +815,7 @@ case "$1" in
 		;;
 
 	*)
-		echo "Usage: $0 {start|stop|status}" >&2
+		echo "Usage: $0 {start|stop|really-off|status}" >&2
 		exit 1
 		;;
 esac
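Review bot: The new `$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` sits inside the `for iface in $INTERFACES` loop but, like the INPUT rule beside it, never references `$iface`, so the same global rule is appended once per configured interface and the per-interface list the loop prints is misleading. Either bind the rules to the interface — `$IPTABLES -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT` and `$IPTABLES -A OUTPUT -o "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT` — or append them once outside the loop. The duplicates are functionally harmless but make the ruleset harder to audit in `iptables -L` output. accept_related() begins before this hunk.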
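Review bot: The `stop)` arm now calls `accept_related` immediately after `unload_modules`, so with `MODULES_REMOVING=yes` the state-match module can be removed just before a `-m state` rule is added and has to be autoloaded again; calling `accept_related` before `unload_modules` avoids that churn. The `really-off` message promises that all packets are dropped, which only holds if `set_default_policy` installs DROP — if it honours `$DEFAULT_POLICY`, which the config hunk lets a user override, the message can be wrong, so tie the wording to the policy actually applied. The new arm also repeats four lines of `stop)`; a small shared function would keep the two in step. Since `stop` no longer leaves the host fully closed, that behaviour change deserves a Changelog line in the header.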