Package: shorewall6
Version: 5.2.3.2-1
Followup-For: Bug #932473

This seems to work okay with the following two settings in /etc/init.d/shorewall6:

# Binary the init script runs for every action ("$SRWL $SRWL_OPTS <command>").
SRWL=/sbin/shorewall
# -6 selects the IPv6 (shorewall6) configuration; -t and -vv presumably add
# timestamps and extra verbosity -- confirm against shorewall(8).
SRWL_OPTS='-6 -tvv'


-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.44-2-pve (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages shorewall6 depends on:
ii  debconf [debconf-2.0]    1.5.71
ii  iproute2                 4.20.0-2
ii  iptables                 1.8.2-4
ii  libio-socket-inet6-perl  2.72-2
ii  lsb-base                 10.2019051400
ii  shorewall                5.2.3.2-1

shorewall6 recommends no packages.

shorewall6 suggests no packages.

-- Configuration Files:
/etc/default/shorewall6 changed:
# Defaults read by /etc/init.d/shorewall6 (sourced there, presumably via
# ${SYSCONFDIR}/shorewall6). The file is executed as root shell code, so it
# should be writable by root only.
# Anything other than "1" makes the init script print a warning and exit 0
# without touching the firewall.
startup=1
# Appended to SRWL_OPTS, i.e. passed to every shorewall invocation.
OPTIONS=""
# Extra arguments for the start and restart actions respectively.
STARTOPTIONS=""
RESTARTOPTIONS=""
# NOTE(review): the init script shown in this report never references
# RELOADOPTIONS or STOPOPTIONS.
RELOADOPTIONS=""
STOPOPTIONS=""
# Destination for shorewall's stdout/stderr when run from the init script.
# With /dev/null a failed start/stop leaves no diagnostic from this script;
# the console only shows "not done.".
INITLOG=/dev/null
# 0: "stop" runs "shorewall clear" instead of "shorewall stop".
# NOTE(review): clear removes the installed ruleset, leaving the host
# unfiltered after a stop -- confirm this is intended.
SAFESTOP=0

/etc/init.d/shorewall6 changed:
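# Init-script preamble: load LSB helpers, set the shorewall command line and
# bail out early when the package is absent or the caller is not root.
. /lib/lsb/init-functions

# Every action below runs "$SRWL $SRWL_OPTS <command>".
# -6 selects the IPv6 (shorewall6) configuration; -t / -vv presumably add
# timestamps and verbosity -- confirm against shorewall(8).
SRWL='/sbin/shorewall'
SRWL_OPTS="-6 -tvv"
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup

# Default the init log when INITLOG is unset or empty. Quoted so that a value
# containing whitespace cannot break the expansion.
: "${INITLOG:=/var/log/shorewall6-init.log}"

# Package removed but init script still present: succeed quietly.
test -x "$SRWL" || exit 0
test -x "$WAIT_FOR_IFUP" || exit 0

# NOTE(review): this runs before the defaults file is sourced further down,
# so an empty INITLOG assigned there is not caught by this check.
test -n "$INITLOG" || {
        echo "INITLOG cannot be empty, please configure $0" ;
        exit 1;
}

# Changing the ruleset needs root; refuse early with a clear message.
if [ "$(id -u)" != "0" ]
then
  echo "You must be root to start, stop or restart \"Shorewall6 firewall\"."
  exit 1
fi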
# Report a failed action on stdout and terminate the script with status 1.
# Globals: INITLOG (read)
# When INITLOG is /dev/null the command output was discarded, so there is no
# log to point the administrator at and only the bare message is printed.
echo_notdone () {
  case "$INITLOG" in
    /dev/null)
      echo "not done."
      ;;
    *)
      echo "not done (check $INITLOG)."
      ;;
  esac
  exit 1
}
# Print the "not configured" banner and exit 0 without touching the firewall.
# Arguments: $1 - the init action; the README hint is skipped only for "stop".
# Called with no argument, $1 is empty and the hint is always printed.
# Exiting 0 means a disabled firewall is not reported as a failure, so the
# banner is the only sign that no rules were loaded.
not_configured () {
        echo "#### WARNING ####"
        echo "The firewall won't be started/stopped unless it is configured"
        case "$1" in
                stop)
                        ;;
                *)
                        echo ""
                        echo "Please read about Debian specific customization in"
                        echo "/usr/share/doc/shorewall6/README.Debian.gz."
                        ;;
        esac
        echo "#################"
        exit 0
}
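# Load installation paths, then the administrator's defaults, and decide
# whether the firewall is enabled at all.
# shorewallrc is expected to define SYSCONFDIR (it is not set in this script).
. /usr/share/shorewall/shorewallrc

# The defaults file is executed as root shell code; it should be writable by
# root only. The path is quoted so an unusual SYSCONFDIR cannot be word-split.
if [ -f "${SYSCONFDIR}/shorewall6" ]
then
        . "${SYSCONFDIR}/shorewall6"
        # OPTIONS from the defaults file is added to every shorewall call.
        SRWL_OPTS="$SRWL_OPTS $OPTIONS"
        if [ "$startup" != "1" ]
        then
                # Pass the init action through: inside the function "$1" is
                # the function's own argument, so without it the "stop" case
                # in not_configured can never match.
                not_configured "$1"
        fi
else
        not_configured "$1"
fi

# Exported for the shorewall process: 1 when init output is discarded
# (INITLOG=/dev/null), 0 when it is written to a log file.
if [ "$INITLOG" = "/dev/null" ]
then
        SHOREWALL_INIT_SCRIPT=1
else
        SHOREWALL_INIT_SCRIPT=0
fi
export SHOREWALL_INIT_SCRIPT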
# Block until each interface named in wait_interface is up.
# Globals: wait_interface (read; whitespace-separated interface names,
#          presumably set in the defaults file), WAIT_FOR_IFUP (read)
# Runs "$WAIT_FOR_IFUP <interface> 90" once per interface; the 90 is
# presumably a timeout in seconds -- confirm against wait4ifup.
wait_for_pppd () {
        # Nothing configured to wait for.
        [ -n "$wait_interface" ] || return 0

        # Left unquoted on purpose: the list is split into one word per
        # interface.
        for i in $wait_interface
        do
                $WAIT_FOR_IFUP $i 90
        done
}
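# Start the firewall: "$SRWL $SRWL_OPTS start $STARTOPTIONS".
# Globals: SRWL, SRWL_OPTS, STARTOPTIONS, INITLOG (all read)
# Outputs: progress line on stdout; command output is appended to INITLOG.
# Returns: 0 on success; on failure echo_notdone ends the script with 1.
# With INITLOG=/dev/null the reason for a failed start is discarded here.
shorewall6_start () {
  printf "Starting \"Shorewall6 firewall\": "
  wait_for_pppd
  # Option variables stay unquoted so they split into separate arguments.
  # if/else rather than "cmd && echo || echo_notdone": a failing echo (closed
  # stdout) must not be reported as a failed firewall start.
  if $SRWL $SRWL_OPTS start $STARTOPTIONS >> "$INITLOG" 2>&1
  then
    echo "done."
  else
    echo_notdone
  fi
  return 0
}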
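# Stop the firewall. SAFESTOP=1 runs "shorewall stop"; any other value runs
# "shorewall clear".
# Globals: SAFESTOP, SRWL, SRWL_OPTS, INITLOG (all read)
# Returns: 0 on success; on failure echo_notdone ends the script with 1.
# NOTE(review): per shorewall(8), clear removes the rules Shorewall installed,
# so with SAFESTOP unset or 0 a "stop" leaves the host without packet
# filtering. Confirm that is the intended stopped state.
shorewall6_stop () {
  if [ "$SAFESTOP" = 1 ]; then
      printf "Stopping \"Shorewall6 firewall\": "
      # if/else so that a failing echo is not mistaken for a failed stop.
      if $SRWL $SRWL_OPTS stop >> "$INITLOG" 2>&1; then
          echo "done."
      else
          echo_notdone
      fi
  else
      printf "Clearing all \"Shorewall6 firewall\" rules: "
      if $SRWL $SRWL_OPTS clear >> "$INITLOG" 2>&1; then
          echo "done."
      else
          echo_notdone
      fi
  fi
  return 0
}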
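# Restart the firewall: "$SRWL $SRWL_OPTS restart $RESTARTOPTIONS".
# Globals: SRWL, SRWL_OPTS, RESTARTOPTIONS, INITLOG (all read)
# Outputs: progress line on stdout; command output is appended to INITLOG.
# Returns: 0 on success; on failure echo_notdone ends the script with 1.
shorewall6_restart () {
  printf "Restarting \"Shorewall6 firewall\": "
  # Option variables stay unquoted so they split into separate arguments.
  # if/else so that a failing echo is not mistaken for a failed restart.
  if $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> "$INITLOG" 2>&1
  then
    echo "done."
  else
    echo_notdone
  fi
  return 0
}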
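# Refresh the running ruleset: "$SRWL $SRWL_OPTS refresh".
# Globals: SRWL, SRWL_OPTS, INITLOG (all read)
# Outputs: progress line on stdout; command output is appended to INITLOG.
# Returns: 0 on success; on failure echo_notdone ends the script with 1.
shorewall6_refresh () {
  printf "Refreshing \"Shorewall6 firewall\": "
  # if/else so that a failing echo is not mistaken for a failed refresh.
  if $SRWL $SRWL_OPTS refresh >> "$INITLOG" 2>&1
  then
    echo "done."
  else
    echo_notdone
  fi
  return 0
}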
# Show firewall status and end the script with shorewall's own exit code.
# Globals: SRWL, SRWL_OPTS (read)
# Output goes straight to the terminal; nothing is written to INITLOG.
shorewall6_status () {
  $SRWL $SRWL_OPTS status
  exit $?
}
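# Dispatch on the init action given as the script's first argument.
# force-reload is treated as a full restart. Unknown actions print the usage
# line and exit 1; every handled action falls through to "exit 0" unless the
# handler itself exits (failures end the script inside echo_notdone).
case "$1" in
  start)
     shorewall6_start
     ;;
  stop)
     shorewall6_stop
     ;;
  refresh)
     shorewall6_refresh
     ;;
  force-reload|restart)
     shorewall6_restart
     ;;
  status)
     shorewall6_status
     ;;
  *)
     # Usage kept on one line; the listing had it broken by line wrapping.
     echo "Usage: /etc/init.d/shorewall6 {start|stop|refresh|restart|force-reload|status}"
     exit 1
     ;;
esac
exit 0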

/etc/shorewall6/shorewall6.conf changed:
# Effective /etc/shorewall6/shorewall6.conf as reported (the report lists
# settings only). Lines starting with "# NOTE(review)" are reviewer
# annotations to verify against shorewall6.conf(5).
# Shorewall refuses to start this configuration unless this is Yes.
STARTUP_ENABLED=Yes
VERBOSITY=1
PAGER=
FIREWALL=
LOG_LEVEL="info"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
# NOTE(review): presumably the file shorewall's log commands read packet-log
# messages from; check it matches where this host's syslog writes kernel
# messages.
LOGFILE=/var/log/messages
LOGFORMAT="%s %s "
LOGLIMIT="s:1/sec:10"
LOGTAGONLY=No
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
# Shorewall's own startup log; separate from the init script's INITLOG.
STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=
CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IP6TABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
# Command templates for remote operations; both connect as ${root}@${system}
# over scp/ssh.
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
# NOTE(review): affects the stopped state; with Yes, established connections
# and traffic originated by the firewall host presumably stay allowed after
# "stop" -- verify.
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="ALL"
CLAMPMSS=No
CLEAR_TC=No
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST="ipset"
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=Yes
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
# NOTE(review): Keep presumably leaves the kernel's forwarding setting as
# found, so forwarding is governed by sysctl rather than by Shorewall.
IP_FORWARDING=Keep
KEEP_RT_TABLES=Yes
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MUTEX_TIMEOUT=60
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
SAVE_IPSETS=Yes
TC_ENABLED=Shared
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
# Dispositions per packet class.
# NOTE(review): CONTINUE for INVALID and UNTRACKED presumably means such
# packets are not dropped up front but go on to the normal rules -- verify
# that the rules and policies handle them as intended.
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0


-- debconf information excluded
