Package: shorewall6
Version: 5.2.3.2-1
Followup-For: Bug #932473

This seems to work okay with these two settings:
SRWL='/sbin/shorewall'
SRWL_OPTS="-6 -tvv"

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.44-2-pve (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages shorewall6 depends on:
ii debconf [debconf-2.0] 1.5.71
ii iproute2 4.20.0-2
ii iptables 1.8.2-4
ii libio-socket-inet6-perl 2.72-2
ii lsb-base 10.2019051400
ii shorewall 5.2.3.2-1

shorewall6 recommends no packages.

shorewall6 suggests no packages.

-- Configuration Files:
/etc/default/shorewall6 changed:
startup=1
OPTIONS=""
STARTOPTIONS=""
RESTARTOPTIONS=""
RELOADOPTIONS=""
STOPOPTIONS=""
INITLOG=/dev/null
SAFESTOP=0

/etc/init.d/shorewall6 changed:
# sysvinit script for the "Shorewall6 firewall", listed by the report as changed
# from the packaged version. The '#' comments in this listing are review
# annotations; they are not part of the installed file.

# Pull in the LSB init helper functions.
. /lib/lsb/init-functions

# Command and base options used for every action below; these are the two
# settings quoted at the top of the report.
# NOTE(review): -6 presumably selects IPv6 operation of the shorewall command —
# confirm against shorewall(8).
SRWL='/sbin/shorewall'
SRWL_OPTS="-6 -tvv"
# Helper run by wait_for_pppd before a start.
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
# Give INITLOG a default when it is unset or empty (the := expansion assigns
# it); the result of the test itself is not used.
test -n ${INITLOG:=/var/log/shorewall6-init.log}

# NOTE(review): both checks exit 0 without a message when the file is missing or
# not executable, so a wrong SRWL path means no firewall command is run while
# the init system still sees success.
test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0
# NOTE(review): INITLOG was defaulted just above and ${SYSCONFDIR}/shorewall6 is
# only sourced further down, so this check does not cover a value assigned there.
test -n "$INITLOG" || { echo "INITLOG cannot be empty, please configure $0" ; exit 1; }

# Every action, including status, is refused for non-root callers.
if [ "$(id -u)" != "0" ]
then
  echo "You must be root to start, stop or restart \"Shorewall6 firewall\"."
  exit 1
fi

# Report a failed action and exit the whole script with status 1. The message
# points at $INITLOG unless that is /dev/null.
echo_notdone () {
  if [ "$INITLOG" = "/dev/null" ] ; then
    echo "not done."
  else
    echo "not done (check $INITLOG)."
  fi
  exit 1
}

# Print the "not configured" warning and exit the script with status 0.
# NOTE(review): both call sites below pass no argument, so "$1" is empty inside
# this function and the README hint is printed for every action, stop included.
# NOTE(review): because the exit status is 0, a host whose firewall was skipped
# as unconfigured still reports success to the caller.
not_configured () {
  echo "#### WARNING ####"
  echo "The firewall won't be started/stopped unless it is configured"
  if [ "$1" != "stop" ]
  then
    echo ""
    echo "Please read about Debian specific customization in"
    echo "/usr/share/doc/shorewall6/README.Debian.gz."
  fi
  echo "#################"
  exit 0
}

# presumably defines SYSCONFDIR, which is used below — the file is not shown in
# this report.
. /usr/share/shorewall/shorewallrc

# Load the local defaults file and refuse to act unless it sets startup=1; a
# missing file is treated the same way. OPTIONS from that file is appended to
# the base options.
# NOTE(review): the file is executed as shell code by root, so its ownership and
# permissions matter as much as those of this script.
if [ -f "${SYSCONFDIR}/shorewall6" ]
then
  . ${SYSCONFDIR}/shorewall6
  SRWL_OPTS="$SRWL_OPTS $OPTIONS"
  if [ "$startup" != "1" ]
  then
    not_configured
  fi
else
  not_configured
fi

# Export SHOREWALL_INIT_SCRIPT=1 when INITLOG is /dev/null and 0 otherwise.
# NOTE(review): presumably read by the shorewall command itself — confirm.
[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
export SHOREWALL_INIT_SCRIPT

# Run $WAIT_FOR_IFUP once per word of $wait_interface (the expansion is left
# unquoted, so the value is split into words), with 90 as the second argument.
# NOTE(review): 90 is presumably a timeout in seconds — confirm against wait4ifup.
wait_for_pppd () {
  if [ "$wait_interface" != "" ]
  then
    for i in $wait_interface
    do
      $WAIT_FOR_IFUP $i 90
    done
  fi
}

# Wait for the listed interfaces, then run the start action with stdout and
# stderr appended to $INITLOG. On failure echo_notdone exits the script with
# status 1, so "return 0" is reached only after a successful start.
# NOTE(review): when INITLOG is /dev/null (the value in the /etc/default/shorewall6
# dump above) the command's output is discarded here, so the reason for a failed
# start is not recorded by this script.
shorewall6_start () {
  printf "Starting \"Shorewall6 firewall\": "
  wait_for_pppd
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
}

# With SAFESTOP=1 run the stop action; otherwise run the clear action, which
# this script announces as clearing all firewall rules.
# NOTE(review): the /etc/default/shorewall6 dump above has SAFESTOP=0, so
# "/etc/init.d/shorewall6 stop" takes the clear branch — presumably leaving the
# host without its rule set until the next start; confirm this is intended.
shorewall6_stop () {
  if [ "$SAFESTOP" = 1 ]; then
    printf "Stopping \"Shorewall6 firewall\": "
    $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
    printf "Clearing all \"Shorewall6 firewall\" rules: "
    $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
}

# Run the restart action with $RESTARTOPTIONS; logging and failure handling are
# the same as in shorewall6_start.
shorewall6_restart () {
  printf "Restarting \"Shorewall6 firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
}

# Run the refresh action; logging and failure handling are the same as in
# shorewall6_start.
shorewall6_refresh () {
  printf "Refreshing \"Shorewall6 firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
}

# Run the status action with its output left on the terminal and exit the
# script with that command's exit status.
shorewall6_status () {
  $SRWL $SRWL_OPTS status && exit 0 || exit $?
}

# Dispatch on the action given as the first argument; anything else prints the
# usage line and exits 1.
case "$1" in
  start)
    shorewall6_start
    ;;
  stop)
    shorewall6_stop
    ;;
  refresh)
    shorewall6_refresh
    ;;
  force-reload|restart)
    shorewall6_restart
    ;;
  status)
    shorewall6_status
    ;;
  *)
    echo "Usage: /etc/init.d/shorewall6 {start|stop|refresh|restart|force-reload|status}"
    exit 1
esac
exit 0

/etc/shorewall6/shorewall6.conf changed:
STARTUP_ENABLED=Yes VERBOSITY=1 PAGER= FIREWALL= LOG_LEVEL="info" BLACKLIST_LOG_LEVEL= INVALID_LOG_LEVEL= LOG_BACKEND= LOG_VERBOSITY=2 LOG_ZONE=Both LOGALLNEW= LOGFILE=/var/log/messages LOGFORMAT="%s %s " LOGLIMIT="s:1/sec:10" LOGTAGONLY=No MACLIST_LOG_LEVEL="$LOG_LEVEL" RELATED_LOG_LEVEL= RPFILTER_LOG_LEVEL="$LOG_LEVEL" SFILTER_LOG_LEVEL="$LOG_LEVEL" SMURF_LOG_LEVEL="$LOG_LEVEL" STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" UNTRACKED_LOG_LEVEL= CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall" GEOIPDIR=/usr/share/xt_geoip/LE IP6TABLES= IP= IPSET= LOCKFILE= MODULESDIR= NFACCT= PERL=/usr/bin/perl PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" RESTOREFILE=restore SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" TC= ACCEPT_DEFAULT="none" BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RSH_COMMAND='ssh ${root}@${system} ${command}' ACCOUNTING=Yes ACCOUNTING_TABLE=filter ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=Yes BALANCE_PROVIDERS=No BASIC_FILTERS=No BLACKLIST="ALL" CLAMPMSS=No CLEAR_TC=No COMPLETE=No DEFER_DNS_RESOLUTION=Yes DELETE_THEN_ADD=Yes DONT_LOAD= DYNAMIC_BLACKLIST="ipset" EXPAND_POLICIES=Yes EXPORTMODULES=Yes FASTACCEPT=No FORWARD_CLEAR_MARK=Yes HELPERS= IGNOREUNKNOWNVARIABLES=No IMPLICIT_CONTINUE=No IPSET_WARNINGS=Yes IP_FORWARDING=Keep
KEEP_RT_TABLES=Yes MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes MARK_IN_FORWARD_CHAIN=No MINIUPNPD=No MUTEX_TIMEOUT=60 OPTIMIZE=All OPTIMIZE_ACCOUNTING=No PERL_HASH_SEED=0 REJECT_ACTION= RENAME_COMBINED=Yes REQUIRE_INTERFACE=No RESTART=restart RESTORE_DEFAULT_ROUTE=Yes RESTORE_ROUTEMARKS=Yes SAVE_IPSETS=Yes TC_ENABLED=Shared TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=Yes TRACK_RULES=No USE_DEFAULT_RT=Yes USE_NFLOG_SIZE=No USE_PHYSICAL_NAMES=No USE_RT_NAMES=No VERBOSE_MESSAGES=Yes WARNOLDCAPVERSION=Yes WORKAROUNDS=No ZERO_MARKS=No ZONE2ZONE=- BLACKLIST_DISPOSITION=DROP INVALID_DISPOSITION=CONTINUE MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP UNTRACKED_DISPOSITION=CONTINUE TC_BITS= PROVIDER_BITS= PROVIDER_OFFSET= MASK_BITS= ZONE_BITS=0 -- debconf information excluded