===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.24
retrieving revision 2.25
diff -u -p -r2.24 -r2.25
--- scripts/shell/firewall/fw-universal.sh 2005/04/18 22:49:30 2.24
+++ scripts/shell/firewall/fw-universal.sh 2005/06/29 15:24:04 2.25
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.23 2005/04/15 22:07:18 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.24 2005/04/18 22:49:30 rajo Exp $
 #
 # Changelog:
 # 2003-10-24 - created
@@ -18,11 +18,11 @@ DESC="firewall"
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DEFAULT_CONFIG="${DEFAULT_CONFIG:=/etc/default/firewall}"
+DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}"
-if [ -f "$DEFAULT_CONFIG" ]; then
- echo "Reading config file $DEFAULT_CONFIG"
- . $DEFAULT_CONFIG
+if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then
+ echo "Reading config file $DEFAULT_FIREWALL_CONFIG"
+ . $DEFAULT_FIREWALL_CONFIG
 fi
 #
@@ -38,6 +38,11 @@ LOG_LIMIT="${LOG_LIMIT:=-m limit --limit
 # Paths:
 #IPTABLES=":" # for testing only - does nothing
 IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}"
+if [ "x$LOGGING" = "xoff" ]; then
+ IPTABLES_LOG=": log turned off"
+else
+ IPTABLES_LOG="${IPTABLES_LOG:=$DEBUG/sbin/iptables}"
+fi
 IFCONFIG="${IFCONFIG:=/sbin/ifconfig}"
 DEPMOD="${DEPMOD:=/sbin/depmod}"
 MODPROBE="${MODPROBE:=/sbin/modprobe}"
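Review bot: The renamed config path is still sourced unquoted on the new `. $DEFAULT_FIREWALL_CONFIG` line, and because `${DEFAULT_FIREWALL_CONFIG:=...}` takes any value already present in the environment, whatever file that variable names is executed with the script's privileges (root, given it drives iptables). Quote the expansion, `. "$DEFAULT_FIREWALL_CONFIG"`, and consider refusing a config that is not root-owned or is group/world-writable before sourcing it, since a sourced file is code rather than data. The `echo` on the line above already quotes the same variable, so the unquoted `.` reads as an oversight rather than a choice.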
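Review bot: `IPTABLES_LOG=": log turned off"` only works because every `$IPTABLES_LOG …` use is an unquoted expansion that word-splits into the `:` builtin plus ignored arguments; the first caller that writes `"$IPTABLES_LOG"` will try to execute a program literally named `: log turned off`. Keeping the sentinel to the bare builtin, `IPTABLES_LOG=":"  # ':' ignores its arguments, so LOG rules become no-ops when LOGGING=off`, removes that trap and matches the existing `#IPTABLES=":"` testing idiom two lines above. Separately, the `else` branch defaults to `$DEBUG/sbin/iptables` rather than to `$IPTABLES`, so an operator who overrides IPTABLES through the environment gets the LOG rules installed by a different binary than the DROP rules; `IPTABLES_LOG="${IPTABLES_LOG:=$IPTABLES}"` keeps the two in step.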
@@ -152,24 +157,24 @@ nmap_scan_filter()
 for chain in INPUT FORWARD; do
 # Nie je nastaveny ziaden bit
- $IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: "
+ $IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: "
 echo -en "."
- $IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP
+ $IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP
 echo -en "."
 # dva odporujuuce si flagy su nastavene:
 for flags in SYN,FIN SYN,RST FIN,RST ; do
- $IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: "
+ $IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: "
 echo -en "."
- $IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP
+ $IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP
 echo -en "."
 done
 # je nastavene len $flags bez predpokladaneho ACK
 for flags in FIN PSH URG ; do
- $IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: "
+ $IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: "
 echo -en "."
- $IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP
+ $IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP
 echo -en "."
 done
 done
@@ -184,9 +189,9 @@ invalid_packet_filter()
 echo -en "Turning on INVALID packet filter "
 for chain in INPUT OUTPUT FORWARD; do
- $IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: "
+ $IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: "
 echo -en "."
- $IPTABLES -A $chain -m state --state INVALID -j DROP
+ $IPTABLES -A $chain -m state --state INVALID -j DROP
 echo -en "."
 done
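Review bot: In nmap_scan_filter every `-j DROP` line is shown removed and re-added with no visible difference (the same happens in invalid_packet_filter below), which looks like whitespace-only churn on lines the change does not otherwise touch and buries the actual substitution, `$IPTABLES` to `$IPTABLES_LOG` on the LOG rules only; if the only difference is indentation, reverting those lines keeps the hunk to its intent. The split between the two variables also deserves one comment at the top of the loop so the next reader does not "fix" the DROP lines to match, e.g. `# LOG rules go through $IPTABLES_LOG so LOGGING=off silences them; the DROP rules must always be installed`. Both functions open before their hunk, and nmap_scan_filter's body continues past the end of this one.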
@@ -221,19 +226,19 @@ anti_spoof_filter()
 $IPTABLES -N spoof
 # Ochrana proti Spoogingu zo spatnej slucky
- $IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src"
- $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
- $IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest"
- $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
+ $IPTABLES_LOG -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src"
+ $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
+ $IPTABLES_LOG -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest"
+ $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
 # Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete
- $IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src"
- $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918
- $IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src"
- $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918
- $IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src"
- $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN
- $IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src"
- $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA
+ $IPTABLES_LOG -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src"
+ $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918
+ $IPTABLES_LOG -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src"
+ $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918
+ $IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src"
+ $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN
+ $IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src"
+ $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA
 for iface in $ANTISPOOF_IFACE; do
 echo -en " $iface"
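Review bot: The `96.0.0.0/4 … # IANA` LOG/DROP pair carried onto the new side treats an unallocated ("bogon") range as if it were permanently reserved, unlike the loopback and RFC1918 entries above it; address space of that kind gets assigned over time, so without a dated note the rule will eventually drop legitimate sources while still tagging them `RESERVED:` in the log. A comment on the DROP line such as `# unallocated by IANA when written (2005) - re-check before reuse`, or moving bogon entries into the sourced config so they can be refreshed without editing the script, keeps the rules that never go stale apart from the one that does. anti_spoof_filter opens before this hunk and its `for iface in $ANTISPOOF_IFACE` loop continues after it.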
@@ -355,7 +360,7 @@ masquerade()
 echo -en " $type"
 $IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT
 done
-#$IPTABLES -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: "
+#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: "
 echo " done."
 # Port forwarding to local machines
@@ -384,9 +389,9 @@ log_new_connections()
 if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then
 if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then
 echo -en "Logging new connections:"
- $IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: "
- $IPTABLES -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: "
- $IPTABLES -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: "
+ $IPTABLES_LOG -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: "
+ $IPTABLES_LOG -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: "
+ $IPTABLES_LOG -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: "
 echo " done."
 fi
 fi
@@ -566,8 +571,8 @@ allow_icmp()
 $IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT
 done
 done
-#$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: "
-#$IPTABLES -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: "
+#$IPTABLES_LOG -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: "
+#$IPTABLES_LOG -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: "
 echo " done."
 } # }}}
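Review bot: The three new `$IPTABLES_LOG … --state NEW -j LOG --log-prefix` rules in log_new_connections are the only active LOG rules in this change that bypass `$LOG_LIMIT`, so every new connection on INPUT, OUTPUT and FORWARD reaches the kernel log unthrottled; on a NAT gateway that is a self-inflicted log flood that can also crowd out the rate-limited scan and spoof entries added elsewhere in this commit. If `LOG_LIMIT` ends in `-j LOG --log-prefix`, as its other uses such as `$LOG_LIMIT "INVALID $chain: "` suggest, the lines can be brought into line as `$IPTABLES_LOG -A INPUT -m state --state NEW $LOG_LIMIT "IN connection: "` and likewise for OUTPUT and FORWARD. The surrounding `if` pair is visible, but the function's opening and closing lines lie outside the hunk.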
@@ -575,27 +580,33 @@ allow_icmp()
 log_input_drop()
 { # {{{
- prefix="input drop: "
- echo "Input drop is logged with prefix '$prefix'"
- $IPTABLES -A INPUT $LOG_LIMIT "$prefix"
+ if [ ! "x$LOGGING" = "xoff" ]; then
+ prefix="input drop: "
+ echo "Input drop is logged with prefix '$prefix'"
+ $IPTABLES_LOG -A INPUT $LOG_LIMIT "$prefix"
+ fi
 } # }}}
 log_output_drop()
 { # {{{
- prefix="output drop: "
- echo "Output drop is logged with prefix '$prefix'"
- $IPTABLES -A OUTPUT $LOG_LIMIT "$prefix"
+ if [ ! "x$LOGGING" = "xoff" ]; then
+ prefix="output drop: "
+ echo "Output drop is logged with prefix '$prefix'"
+ $IPTABLES_LOG -A OUTPUT $LOG_LIMIT "$prefix"
+ fi
 } # }}}
 log_forward_drop()
 { # {{{
- prefix="forward drop: "
- echo "Forward drop is logged with prefix '$prefix'"
- $IPTABLES -A FORWARD $LOG_LIMIT "$prefix"
+ if [ ! "x$LOGGING" = "xoff" ]; then
+ prefix="forward drop: "
+ echo "Forward drop is logged with prefix '$prefix'"
+ $IPTABLES_LOG -A FORWARD $LOG_LIMIT "$prefix"
+ fi
 } # }}}
@@ -788,7 +799,7 @@ case "$1" in
 ;;
 *)
- echo "Usage: $0 {start|stop|stop}" >&2
+ echo "Usage: $0 {start|stop|status}" >&2
 exit 1
 ;;
 esac
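Review bot: log_input_drop, log_output_drop and log_forward_drop now carry three copies of the same `if [ ! "x$LOGGING" = "xoff" ]` guard around bodies that differ only in chain name and prefix, and the guard duplicates what `IPTABLES_LOG` already does when LOGGING=off (the rule line would expand to a no-op anyway), so its only real effect is suppressing the progress message — worth a comment if it stays. One helper taking the chain and the prefix removes the triplication, gives a single place for the test (`[ "x$LOGGING" != "xoff" ]` reads better than the negated form), and lets `prefix` become `local` instead of the global each new body leaves behind; `local` is safe here since the script already relies on bash via `${!ip}` in allow_icmp. The progress message then names the chain as iptables spells it, which is a small wording change to accept or adjust.
```shell
# Append a rate-limited LOG rule for traffic about to be dropped on chain $1,
# tagged with log prefix $2.  Does nothing when LOGGING=off.
log_drop()
{ # {{{
	local chain="$1" prefix="$2"
	if [ "x$LOGGING" != "xoff" ]; then
		echo "$chain drop is logged with prefix '$prefix'"
		$IPTABLES_LOG -A "$chain" $LOG_LIMIT "$prefix"
	fi
} # }}}

log_input_drop()   { log_drop INPUT   "input drop: "; }
log_output_drop()  { log_drop OUTPUT  "output drop: "; }
log_forward_drop() { log_drop FORWARD "forward drop: "; }
```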