
Added: local configuration file + rewritten iptables commands

Laurent HUBERT před 10 měsíci
rodič
revize
af7e967b74
2 změnil soubory, kde provedl 29 přidání a 5 odebrání
  1. 9 0
      etc/lfirewall.conf
  2. 20 5
      scripts/lfirewall

+ 9 - 0
etc/lfirewall.conf

@@ -1,3 +1,10 @@
+###############################################################################
+# Do not edit the lfirewall.conf directly                                     #
+# Instead copy it first and edit the lfirewall.conf.local                     #
+#                                                                             #
+# cp /etc/lfirewall/lfirewall.conf /etc/lfirewall/lfirewall.conf.local        #
+###############################################################################
+
 # Firewall configuration file
 # Uncomment the services you need there
 
@@ -16,6 +23,8 @@ ALLOW_IP_FORWARDING=0
 #################################
 
 # SSH
+SSH_PORT="22"
+
 TCP_SERVICES="22"
 
 # SAMBA
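Review bot: The new header block tells the admin to copy the file to lfirewall.conf.local but does not say how the two files relate, and the script in this commit sources lfirewall.conf first and lfirewall.conf.local second, so the local copy wins only for the variables it sets; a line such as `# Both files are read by /etc/init.d-style script "lfirewall"; values in lfirewall.conf.local override lfirewall.conf` in the header would make that explicit. The second hunk adds `SSH_PORT="22"` directly above the existing `TCP_SERVICES="22"`, so port 22 is now declared twice; if the script also opens every port listed in TCP_SERVICES (that loop is not visible here), the SSH port gets two INPUT rules. Consider removing 22 from TCP_SERVICES, or stating in a comment which of the two settings is meant to govern SSH.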

+ 20 - 5
scripts/lfirewall

@@ -120,19 +120,26 @@ SSH_PORT="22"
 # Default IP_TABLES command path
 IP_TABLES="/sbin/iptables"
 
-CONFIGURATION_FILE=/etc/lfirewall/lfirewall.conf
+CONFIGURATION_DIR=/etc/lfirewall
+CONFIGURATION_FILE=${CONFIGURATION_DIR}/lfirewall.conf
+CONFIGURATION_LOCAL_FILE=${CONFIGURATION_DIR}/lfirewall.conf.local
 if [ -f $CONFIGURATION_FILE ] ; then
 	set +u
 	. $CONFIGURATION_FILE
 	set -u
 fi
+if [ -f $CONFIGURATION_LOCAL_FILE ] ; then
+	set +u
+	. $CONFIGURATION_LOCAL_FILE
+	set -u
+fi
 
 if ! [ -x $IP_TABLES ]; then
 	echo "$IP_TABLES is not executable or not present" >&2
 	exit 1
 fi
 
-if ! /usr/sbin/ifup --no-act $NETWORK_IF
+if ! /usr/sbin/ifup --no-act $NETWORK_IF > /dev/null 2>&1
 then
 	echo "Network interface '$NETWORK_IF' is not present or configured" >&2
 	exit 2
@@ -227,6 +234,16 @@ fw_start () {
 		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
 	fi
 
+	# SSH
+	if [ ! -z "${SSH_PORT:-}" ] ; then
+	    $do_action $IPTABLES_ADD $IT_OUTPUT -t filter -p tcp --dport "$SSH_PORT" -j ACCEPT
+		$do_action $IPTABLES_ADD $IT_INPUT -t filter -p tcp --dport "$SSH_PORT" -j ACCEPT
+	else
+	    $do_action $IPTABLES_ADD $IT_OUTPUT -t filter -p tcp --dport "22" -j ACCEPT
+		$do_action $IPTABLES_ADD $IT_INPUT -t filter -p tcp --dport "22" -j ACCEPT
+	fi
+
+
 	#**************************************************************************#
 	# NGINX
 	#**************************************************************************#
@@ -305,8 +322,6 @@ fw_start () {
 	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
 
-	iptables -t filter -A $IT_OUTPUT -p tcp --dport 22 -j ACCEPT
-	iptables -t filter -A $IT_INPUT -p tcp --dport 22 -j ACCEPT
 }
 
 do_this(){
@@ -404,7 +419,7 @@ case "$1" in
 	status)
 		do_action=do_check
 		global_status=0
-		if [ "$2" = "-v" ] ; then
+		if [ "${2:-}" = "-v" ] ; then
 			do_log=log_action
 		fi
 		# Start will not really start but exec the "check" action
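Review bot: The new `. $CONFIGURATION_LOCAL_FILE` block in the first hunk executes a second file as shell code with whatever privileges the firewall script runs under (it writes /proc/sys, so presumably root), with `set -u` relaxed, and the only gate is an unquoted `[ -f $CONFIGURATION_LOCAL_FILE ]`; the same applies to the pre-existing lfirewall.conf block. A minimal hardening is to quote the path and refuse a file not owned by the invoking user, e.g. `if [ -f "$CONFIGURATION_LOCAL_FILE" ] && [ -O "$CONFIGURATION_LOCAL_FILE" ] ; then`, and to note in a comment that the file is sourced, not parsed, so its permissions must be as tight as the script's. In the second hunk, the added SSH block duplicates the SSH rule already emitted a few lines above it (`$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT`, inside an `if` whose start is outside the hunk), so the INPUT chain receives the rule twice; and since both the script header (`SSH_PORT="22"` in the @@ context) and the shipped lfirewall.conf set SSH_PORT, the `else` branch hard-coding `"22"` looks unreachable and could be dropped. The new block also mixes four-space and tab indentation on consecutive lines (the OUTPUT lines use spaces, the INPUT lines tabs); the rest of fw_start uses tabs.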