
Systemd will not allow new connections after stop

Laurent HUBERT 10 месяцев назад
Сommit
1887e45eeb
2 измененных файлов с 46 добавлено и 20 удалено
  1. 45 19
      scripts/lfirewall
  2. 1 1
      systemd/lfirewall.service

+ 45 - 19
scripts/lfirewall

@@ -246,7 +246,29 @@ do_not_log_action () {
 do_log=do_not_log_action
 
 ##########################
-# Start the Firewall rules
+# Drops INPUT
+##########################
+
+fw_exec_basic_input_rules(){
+	local do_action
+	do_action=$1
+
+	### Blocks any incoming
+	$do_action $IPTABLES_SET_POLICY $IT_INPUT DROP
+
+	### Keep existing connections
+	$do_action $IPTABLES_ADD $IT_INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+	# Remote testing
+	### Allows PING
+	$do_action $IPTABLES_ADD $IT_INPUT -p icmp -j ACCEPT
+
+	### Allows LOOPBACK
+	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT
+}
+
+##########################
+# Executes the Firewall rules
 ##########################
 
 fw_execute () {
@@ -255,9 +277,8 @@ fw_execute () {
 	#**************************************************************************#
 	# Input traffic:
 	#**************************************************************************#
+	fw_exec_basic_input_rules $do_action
 
-	### Keep existing connections
-	$do_action $IPTABLES_ADD $IT_INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 	# Services
 	if [ -n "$TCP_SERVICES" ] ; then
 		for PORT in $TCP_SERVICES; do
@@ -292,14 +313,6 @@ fw_execute () {
 	$do_action $IPTABLES_ADD $IT_INPUT -i lo -s localhost -d localhost -j ACCEPT
 	$do_action $IPTABLES_ADD $IT_OUTPUT -o lo -s localhost -d localhost -j ACCEPT
 
-	# Remote testing
-	### Allows PING
-	$do_action $IPTABLES_ADD $IT_INPUT -p icmp -j ACCEPT
-
-	### Allows LOOPBACK
-	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT
-
-	$do_action $IPTABLES_SET_POLICY $IT_INPUT DROP
 
 	#**************************************************************************#
 	# Output:
@@ -457,16 +470,17 @@ fw_stop () {
 
 
 ##########################
-# Drop all connections
+# Drop any incoming
+# but keep existing ones
 ##########################
 
 fw_dropall(){
-		do_this $IP_TABLES -F
-        do_this $IP_TABLES -t nat -F
-        do_this $IP_TABLES -t mangle -F
-        do_this $IP_TABLES -P $IT_INPUT DROP
-        do_this $IP_TABLES -P FORWARD DROP
-        do_this $IP_TABLES -P $IT_OUTPUT ACCEPT
+	do_this $IP_TABLES -F
+	do_this $IP_TABLES -t nat -F
+	do_this $IP_TABLES -t mangle -F
+	fw_exec_basic_input_rules do_exec
+	do_this $IP_TABLES -P FORWARD ACCEPT
+	do_this $IP_TABLES -P OUTPUT ACCEPT
 }
 
 ##########################
@@ -560,9 +574,21 @@ case "$1" in
 		echo "done."
 	;;
 	dropall)
-		echo -n "Droping all connections !!!"
+		echo "Droping all connections !!!"
 		fw_dropall
 		echo "done."
+		echo "###############################################################"
+		echo "#                   IMPORTANT WARNING !!!                     #"
+		echo "#                                                             #"
+		echo "# From now any new SSH session or INPUT                       #"
+		echo "#                                                             #"
+		echo "#                      WILL BE REFUSED                        #"
+		echo "#                                                             #"
+		echo "# If you NEED to continue working remotely,                   #"
+		echo "# run one of the 'lfirewall clear', 'lfirewall stop'          #"
+		echo "# 'lfirewall start' commands                                  #"
+		echo "#                           NOW !!!                           #"
+		echo "###############################################################"
 	;;
 	test)
 		echo "Test Firewall rules..."
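Review bot: In the fw_dropall hunk the FORWARD policy is now set to ACCEPT where the removed line set it to DROP, so after `lfirewall dropall` (and, with the unit change, after `systemctl stop lfirewall`) the host accepts transit traffic while the comment above the function says it drops any incoming; if the intent is only to keep established sessions alive, keep `do_this $IP_TABLES -P FORWARD DROP`. The next line writes the literal chain name `OUTPUT` while the removed line and the rest of the script go through `$IT_OUTPUT`, so `do_this $IP_TABLES -P $IT_OUTPUT ACCEPT` keeps the indirection consistent. The new call `fw_exec_basic_input_rules do_exec` passes a different action helper than the `do_this` used on the surrounding lines; both helpers are defined outside the hunk, so whether `do_exec` exists and only differs in logging cannot be confirmed here. Note also that the three `-F` flushes run before the new INPUT rules are installed, so for that window the INPUT chain carries whatever policy was in force before with no state rule at all; setting the DROP policy before the flush would close that gap.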

+ 1 - 1
systemd/lfirewall.service

@@ -8,7 +8,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 ExecStart=/sbin/lfirewall start
-ExecStop=/sbin/lfirewall stop
+ExecStop=/sbin/lfirewall dropall
 ExecStartPost=/sbin/lfirewall status
 RemainAfterExit=yes
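Review bot: ExecStop now runs `dropall`, which means `systemctl stop lfirewall` leaves the INPUT policy at DROP with only established sessions surviving, and nothing in the unit file says so; a comment above the line such as `# stop keeps INPUT DROP (existing sessions only); run 'lfirewall clear' to open the host` would spare an operator from reading the script before stopping the service remotely. The same dropall path flushes the nat and mangle tables, so any rules another component installs there are lost on stop, which is worth stating in that comment. The warning banner the `dropall` case prints goes to the unit's stdout, which under systemd presumably ends up in the journal rather than on the terminal of whoever issued the stop, so the unit comment is the only place that notice is likely to be seen.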