added helper ipuntrap, to undo what iptrap does; keyword "except" does not accept negative expressions - added check in rule(); workaround for a bash bug that did not show all commands in explain mode; added some color and option -nc to disable colors; added some more info in various points for debug mode; debug mode was not generating comments - fixed it

Costa Tsaousis (ktsaou) 2015-02-07 17:28:43 +02:00
parent daf7981da0
commit 3b8505f73d
2 changed files with 184 additions and 85 deletions

@ -8,44 +8,56 @@ firehol-iptrap - dynamically put IP addresses in an ipset
# SYNOPSIS
{ iptrap | iptrap4 | iptrap6 } *type* *ipset* *timeout* [*rule-params*]...
{ iptrap | iptrap4 | iptrap6 } *type* *ipset* *timeout* [*rule-params*] [ except [*rule-params*] ]...
{ ipuntrap | ipuntrap4 | ipuntrap6 } *type* *ipset* [*rule-params*] [ except [*rule-params*] ]...
# DESCRIPTION
The `trap` puts the IP addresses of the matching packets to `ipset`. It does
not affect the flow of traffic. It does not `ACCEPT`, `REJECT`, `DROP`
packets or affect the firewall in any way.
`iptrap` adds the IP addresses of the matching packets to `ipset`.
Type selects which of the IP addresses of the matching packets will be saved
in the `ipset`. Type can be `src`, `dst`, `src,dst`, `dst,src`.
`ipuntrap` deletes the IP adresses of the matching packets from `ipset`.
iptrap will create the `ipset` specified, if that ipset is not already
Both helpers do not affect the flow of traffic. They does not `ACCEPT`,
`REJECT`, `DROP` packets or affect the firewall in any way.
`type` selects which of the IP addresses of the matching packets will be used
(added or removed from the ipset). `type` can be `src`, `dst`, `src,dst`,
`dst,src`.
Both helpers will create the `ipset` specified, if that ipset is not already
created by other statements. When the ipset is created by the `iptrap` helper,
the ipset will not be reset (emptied) when the firewall is restarted.
`timeout` is the duration in seconds of the lifetime of each IP
address in the ipset. Every matching packet will refresh this duration
for the IP address in the ipset. The Linux kernel will automatically remove
the IP from the ipset when this time expires. The user may monitor the
remaining time for each IP, by running `ipset list NAME` (where `NAME` is
the `ipset` parameter given in the `iptrap` command).
`timeout` is required by `iptrap` and gives the duration in seconds of the
lifetime of each IP address that is added to `ipset`. Every matching packet
will refresh this duration for the IP address in the ipset.
The Linux kernel will automatically remove the IP from the ipset when this
time expires. The user may monitor the remaining time for each IP, by running
`ipset list NAME` (where `NAME` is the `ipset` parameter given in the `iptrap`
command).
The *rule-params* define a set of rule parameters to restrict
the traffic that is matched to this service. See
the traffic that is matched to this helper. See
[firehol-params(5)][] for more details.
`iptrap` is hooked on PREROUTING so it is only useful for incoming traffic.
`except` *rule-params* are used to exclude traffic, i.e. traffic that normally
is matched by the first set of *rule-params*, will be excluded if matched by
the second.
`iptrap` cannot setup both IPv4 and IPv6 traps with one call. The reason
is that the `ipset` can either be IPv4 or IPv6.
`iptrap` and `ipuntrap` are hooked on PREROUTING so it is only useful for
incoming traffic.
`iptrap` and `ipuntrap` cannot setup both IPv4 and IPv6 traps with one call.
The reason is that the `ipset` can either be IPv4 or IPv6.
# EXAMPLES
~~~~
iptrap4 src trap 3600 inface eth0 proto tcp dport 80 log "TRAPPED HTTP"
ipuntrap4 src trap inface eth0 src ipset:trap proto tcp dport 80 log "UNTRAPPED HTTP"
~~~~
# SEE ALSO

@ -93,6 +93,37 @@ FIREHOL_DEFAULT_WORKING_DIRECTORY="${PWD}"
# Make sure we don't get localized results
export LC_ALL=C
if [ "z$1" = "z-nc" ]
then
shift
else
# Enable colors
if [ $[$(tput colors 2>/dev/null)] -ge 8 ]
then
COLOR_RESET="\e[0m"
COLOR_BLACK="\e[30m"
COLOR_RED="\e[31m"
COLOR_GREEN="\e[32m"
COLOR_YELLOW="\e[33m"
COLOR_BLUE="\e[34m"
COLOR_PURPLE="\e[35m"
COLOR_CYAN="\e[36m"
COLOR_WHITE="\e[37m"
COLOR_BGBLACK="\e[40m"
COLOR_BGRED="\e[41m"
COLOR_BGGREEN="\e[42m"
COLOR_BGYELLOW="\e[43m"
COLOR_BGBLUE="\e[44m"
COLOR_BGPURPLE="\e[45m"
COLOR_BGCYAN="\e[46m"
COLOR_BGWHITE="\e[47m"
COLOR_BOLD="\e[1m"
COLOR_DIM="\e[2m"
COLOR_UNDERLINED="\e[4m"
COLOR_BLINK="\e[5m"
COLOR_INVERTED="\e[7m"
fi
fi
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@ -1080,36 +1111,9 @@ syslog() {
return 0
}
# Enable colors
if [ $[$(tput colors 2>/dev/null)] -ge 8 ]
then
COLOR_RESET="\e[0m"
COLOR_BLACK="\e[30m"
COLOR_RED="\e[31m"
COLOR_GREEN="\e[32m"
COLOR_YELLOW="\e[33m"
COLOR_BLUE="\e[34m"
COLOR_PURPLE="\e[35m"
COLOR_CYAN="\e[36m"
COLOR_WHITE="\e[37m"
COLOR_BGBLACK="\e[40m"
COLOR_BGRED="\e[41m"
COLOR_BGGREEN="\e[42m"
COLOR_BGYELLOW="\e[43m"
COLOR_BGBLUE="\e[44m"
COLOR_BGPURPLE="\e[45m"
COLOR_BGCYAN="\e[46m"
COLOR_BGWHITE="\e[47m"
COLOR_BOLD="\e[1m"
COLOR_DIM="\e[2m"
COLOR_UNDERLINED="\e[4m"
COLOR_BLINK="\e[5m"
COLOR_INVERTED="\e[7m"
fi
declare -a FIREHOL_PROGRESS_MESSAGES=()
progress() {
printf >&2 "FireHOL: ${*}... "
printf >&2 "${COLOR_GREEN}FireHOL:${COLOR_RESET} ${*}... "
FIREHOL_PROGRESS_MESSAGES=("${*}" "${FIREHOL_PROGRESS_MESSAGES[@]}")
syslog info "${*} started"
}
@ -1117,10 +1121,10 @@ progress() {
success() {
if [ ! -z "${1}" ]
then
echo >&2 " OK (${*})"
echo >&2 -e "${COLOR_RESET}${COLOR_BGGREEN}${COLOR_BLACK}${COLOR_BOLD} OK ${COLOR_RESET} (${*})"
syslog info "${FIREHOL_PROGRESS_MESSAGES[0]} succeeded with message: ${*}"
else
echo >&2 " OK"
echo >&2 -e "${COLOR_RESET}${COLOR_BGGREEN}${COLOR_BLACK}${COLOR_BOLD} OK ${COLOR_RESET}"
syslog info "${FIREHOL_PROGRESS_MESSAGES[0]} succeeded"
fi
unset FIREHOL_PROGRESS_MESSAGES[0]
@ -1130,10 +1134,10 @@ success() {
failure() {
if [ ! -z "${1}" ]
then
echo >&2 " FAILED (${*})"
echo >&2 -e "${COLOR_RESET}${COLOR_BGRED}${COLOR_WHITE}${COLOR_BOLD}${COLOR_BLINK} FAILED ${COLOR_RESET} (${*})"
syslog err "${FIREHOL_PROGRESS_MESSAGES[0]} failed with message: ${*}"
else
echo >&2 " FAILED"
echo >&2 -e "${COLOR_RESET}${COLOR_BGRED}${COLOR_WHITE}${COLOR_BOLD}${COLOR_BLINK} FAILED ${COLOR_RESET}"
syslog err "${FIREHOL_PROGRESS_MESSAGES[0]} failed"
fi
unset FIREHOL_PROGRESS_MESSAGES[0]
@ -3649,6 +3653,10 @@ blacklist() {
while [ ! -z "${1}" ]
do
case "${1}" in
src|SRC)
shift
;;
except|EXCEPT)
shift
break
@ -3693,7 +3701,7 @@ blacklist() {
iptables_both -t mangle -N "${chain}.in"
# add the excepted rules
test ! -z "${1}" && ( rule table mangle chain "${chain}.in" in action RETURN "${@}" || return 1 )
test ! -z "${1}" && ( rule nonot table mangle chain "${chain}.in" in action RETURN "${@}" || return 1 )
# add the accounting rules
test ! -z "${accounting}" && ( iptables_both -t mangle -A "${chain}.in" -m nfacct --nfacct-name "${accounting}" || return 1 )
@ -3760,6 +3768,12 @@ blacklist() {
}
FIREHOL_IPTRAP_COUNTER=0
ipuntrap4() { ipv4 iptrap undo "${@}"; }
ipuntrap6() { ipv6 iptrap undo "${@}"; }
ipuntrap46() { both iptrap undo "${@}"; }
ipuntrap() { iptrap undo "${@}"; }
iptrap4() { ipv4 iptrap "${@}"; }
iptrap6() { ipv6 iptrap "${@}"; }
iptrap46() { both iptrap "${@}"; }
@ -3771,8 +3785,22 @@ iptrap() {
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
running_both && error "${FUNCNAME} cannot be used in both IPv4 and IPv6. Please give use either iptrap4 or iptrap6." && return 1
local type="${1}" ipset="${2}" timeout="${3}" chain=
local -a args=() logopts_arg=(log "TRAP")
local undo=0 type= ipset= timeout= chain=
local -a args=() logopts_arg=()
if [ "$1" = "undo" ]
then
undo=1
type="${2}"
ipset="${3}"
logopts_arg=(log "UNTRAP")
else
undo=0
type="${1}"
ipset="${2}"
timeout="${3}"
logopts_arg=(log "TRAP")
fi
shift 3
if [ ${ENABLE_IPSET} -ne 1 ]
@ -3823,10 +3851,17 @@ iptrap() {
iptables_both -t mangle -N "${chain}"
# add the excepted rules
test ! -z "${1}" && ( rule table mangle chain "${chain}" in action RETURN "${@}" || return 1 )
test ! -z "${1}" && ( rule nonot table mangle chain "${chain}" in action RETURN "${@}" || return 1 )
# do the job
iptables_both -t mangle -A "${chain}" -j SET --add-set ${ipset} ${type} --exist --timeout ${timeout}
if [ ${undo} -eq 1 ]
then
# remove the ip
iptables_both -t mangle -A "${chain}" -j SET --del-set ${ipset} ${type}
else
# add the ip
iptables_both -t mangle -A "${chain}" -j SET --add-set ${ipset} ${type} --exist --timeout ${timeout}
fi
# log and return
rule table mangle chain "${chain}" in "${logopts_arg[@]}" action RETURN
@ -4635,8 +4670,15 @@ postprocess() {
esac
done
test "${FIREHOL_MODE}" = "DEBUG" && check="debug"
test "${FIREHOL_MODE}" = "EXPLAIN" && check="debug"
if [ "${FIREHOL_MODE}" = "EXPLAIN" ]
then
printf "%q " "${@}"
printf "\n"
return 0
elif [ "${FIREHOL_MODE}" = "DEBUG" ]
then
check="debug"
fi
printf "%q " "${@}" >&21
case "${check}" in
@ -4655,14 +4697,6 @@ postprocess() {
;;
esac
if [ "${FIREHOL_MODE}" = "EXPLAIN" ]
then
file close 21
${CAT_CMD} "${FIREHOL_OUTPUT}"
${RM_CMD} "${FIREHOL_OUTPUT}"
file open 21 "${FIREHOL_OUTPUT}" w || exit 1
fi
test $save -eq 1 && save_for_restore ${check} "${@}"
return 0
@ -5342,6 +5376,8 @@ close_interface() {
set_work_function "Finilizing interface '${work_name}'"
set_work_function "Accepting all RELATED sockets in interface '${work_name}'"
# Accept all related traffic to the established connections
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
@ -5350,6 +5386,7 @@ close_interface() {
test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
case "${work_policy}" in
return|RETURN)
set_work_function "Nothing to be done for policy RETURN of interface '${work_name}'"
return 0
;;
@ -5359,6 +5396,8 @@ close_interface() {
*)
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
then
set_work_function "Silently droping TCP ACK+FIN packets of interface '${work_name}' (option: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN)"
# Silently drop orphan TCP/ACK FIN packets
rule chain "in_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
rule reverse chain "out_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
@ -5369,6 +5408,8 @@ close_interface() {
;;
esac
set_work_function "Applying default policy of ${work_policy} on interface '${work_name}'"
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
@ -5388,6 +5429,8 @@ close_router() {
set_work_function "Finilizing router '${work_name}'"
set_work_function "Accepting all RELATED sockets in router '${work_name}'"
# Accept all related traffic to the established connections
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
@ -5396,6 +5439,7 @@ close_router() {
test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
case "${work_policy}" in
return|RETURN)
set_work_function "Nothing to be done for policy RETURN of router '${work_name}'"
return 0
;;
@ -5405,6 +5449,8 @@ close_router() {
*)
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
then
set_work_function "Silently droping TCP ACK+FIN packets of router '${work_name}' (option: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN)"
# Silently drop orphan TCP/ACK FIN packets
rule chain "in_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
rule reverse chain "out_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
@ -5415,6 +5461,8 @@ close_router() {
;;
esac
set_work_function "Applying default policy of ${work_policy} on router '${work_name}'"
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
@ -5433,10 +5481,14 @@ close_master() {
if [ ! "${MARKS_SAVERESTORE_STATEFUL_MASK}" = "0x00000000" ]
then
set_work_function "Restoring stateful permanent marks"
# copy CONNMARK to MARK at the top of mangle, on entry points
iptables_both -t mangle -I OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
iptables_both -t mangle -I PREROUTING 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
set_work_function "Saving stateful permanent marks"
# save MARK to CONNMARK at the end of mangle, on exit points
iptables_both -t mangle -A INPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
iptables_both -t mangle -A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
@ -5444,15 +5496,21 @@ close_master() {
if [ ! "${MARKS_SAVERESTORE_STATELESS_MASK}" = "0x00000000" ]
then
set_work_function "Restoring stateless permanent marks"
# copy CONNMARK to MARK at the top of mangle, on entry points
iptables_both -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
iptables_both -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
set_work_function "Saving stateless permanent marks"
# save MARK to CONNMARK at the end of mangle, on exit points
iptables_both -t mangle -A INPUT -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
iptables_both -t mangle -A POSTROUTING -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
fi
set_work_function "Accepting all RELATED traffic to the ESTABLISHED connections"
# Accept all related traffic to the established connections
rule chain INPUT state RELATED action ACCEPT || return 1
rule chain OUTPUT state RELATED action ACCEPT || return 1
@ -5460,12 +5518,16 @@ close_master() {
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
then
set_work_function "Silently droping TCP ACK+FIN packets (option: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN)"
# Silently drop orphan TCP/ACK FIN packets
rule chain INPUT proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
rule chain OUTPUT proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
rule chain FORWARD proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
fi
set_work_function "Setting default unmatched policy (options: UNMATCHED_INPUT_POLICY UNMATCHED_OUTPUT_POLICY UNMATCHED_ROUTER_POLICY)"
rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1
rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1
rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1
@ -5569,6 +5631,8 @@ close_all_groups() {
FIREHOL_ACCEPT_CHAIN_COUNT=0
rule_action_param() {
# echo >&2 " >>> ${FUNCNAME}: ${*}"
local iptables_cmd="${1}" \
action="${2}" \
protocol="${3}" \
@ -5792,7 +5856,7 @@ rule_action_param() {
}
rule() {
#echo >&2 "${FUNCNAME}: ${*}"
# echo >&2 " >>> ${FUNCNAME}: ${*}"
# defining these local variables together speeds FireHOL up by 4%
local failed=0 \
@ -5832,6 +5896,9 @@ rule() {
# if set to 1, log and loglimit are ignored.
local nolog=0
# if set to 1, negative expressions will give an error
local nonot=0
# if set to 1, detection algorithm about overwriting optional rule
# parameters will take place.
local softwarnings=1
@ -5842,6 +5909,11 @@ rule() {
while [ ! -z "${1}" ]
do
case "${1}" in
nonot|NONOT)
nonot=1
shift
;;
reverse|REVERSE)
reverse=1
shift
@ -7084,6 +7156,12 @@ rule() {
# ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
then
if [ ${nonot} -eq 1 ]
then
error "Negative expressions are not allowed at this point."
return 1
fi
if [ ${action_is_chain} -eq 1 ]
then
# if the action is a chain name, then just add the negative
@ -7354,8 +7432,8 @@ rule() {
do
iptables_both ${table} -A "${negative_chain}" -m dscp --dscp${dscptype} "${tdscp}" -j RETURN
done
dscp=any
dscpnot=
dscp=any
fi
@ -7746,7 +7824,7 @@ rule() {
warning() {
echo >&2
echo >&2 "WARNING: " "${@}"
echo >&2 -e "${COLOR_YELLOW}WARNING${COLOR_RESET}: " "${@}"
echo >&2
return 0
@ -7754,13 +7832,13 @@ warning() {
softwarning() {
echo >&2
echo >&2 "--------------------------------------------------------------------------------"
echo >&2 "WARNING"
echo >&2 "WHEN : ${work_function}"
echo >&2 "WHY :" "${@}"
printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
echo >&2 "MODE :" "${FIREHOL_NS_CURR}"
echo >&2 "SOURCE : $(config_line)"
echo >&2 -e "--------------------------------------------------------------------------------"
echo >&2 -e "${COLOR_BOLD}${COLOR_YELLOW}WARNING${COLOR_RESET}"
echo >&2 -e "WHEN : ${work_function}"
echo >&2 -e "WHY : ${COLOR_BOLD}${COLOR_YELLOW}${@}${COLOR_RESET}"
printf >&2 "COMMAND: ${COLOR_YELLOW}"; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
echo >&2 -e "${COLOR_RESET}MODE :" "${FIREHOL_NS_CURR}"
echo >&2 -e "SOURCE : $(config_line)"
echo >&2
return 0
@ -7778,13 +7856,13 @@ error() {
work_error=$[work_error + 1]
echo >&2
echo >&2 "--------------------------------------------------------------------------------"
echo >&2 "ERROR #: ${work_error}"
echo >&2 "WHEN : ${work_function}"
echo >&2 "WHY :" "${@}"
printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
echo >&2 "MODE :" "${FIREHOL_NS_CURR}"
echo >&2 "SOURCE : $(config_line)"
echo >&2 -e "--------------------------------------------------------------------------------"
echo >&2 -e "${COLOR_BOLD}${COLOR_BGRED}${COLOR_WHITE} ERROR ${COLOR_RESET}: # ${work_error}"
echo >&2 -e "WHEN : ${work_function}"
echo >&2 -e "WHY : ${COLOR_BGRED}${COLOR_WHITE} ${@} ${COLOR_RESET}"
printf >&2 "COMMAND: ${COLOR_YELLOW}"; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
echo >&2 -e "${COLOR_RESET}MODE :" "${FIREHOL_NS_CURR}"
echo >&2 -e "SOURCE : $(config_line)"
echo >&2
return 0
@ -8356,7 +8434,6 @@ case "${arg}" in
firewall_policy6_applied=1
FIREHOL_FAST_ACTIVATION=0
FIREHOL_MODE="EXPLAIN"
FIREHOL_CONF_SHOW=1
;;
helpme|wizard)
@ -8570,7 +8647,6 @@ case "${arg}" in
debug)
test ! -z "${1}" && test ${1} != "--" && softwarning "Arguments after parameter '${arg}' are ignored."
FIREHOL_MODE="DEBUG"
FIREHOL_CONF_SHOW=1
;;
ipset_update_from_file)
@ -8912,6 +8988,8 @@ then
fi
fi
test "${FIREHOL_MODE}" = "DEBUG" && FIREHOL_CONF_SHOW=1
[ ${FIREHOL_FAST_ACTIVATION} -eq 0 ] && FIREHOL_LOG_ESCAPE=
# ------------------------------------------------------------------------------
@ -8947,9 +9025,10 @@ EOF
while [ 1 = 1 ]
do
read -p "# FireHOL [${work_cmd}:${work_name}] > " -e -r
echo -en "${COLOR_RESET}#${COLOR_GREEN} FireHOL ${COLOR_RESET}[${COLOR_BOLD}${COLOR_BLUE}${work_cmd}${COLOR_RESET}:${COLOR_CYAN}${work_name}${COLOR_RESET}]"
read -p " > " -e -r
test -z "${REPLY}" && continue
set_work_function -ne "Executing user input"
while [ 1 = 1 ]
@ -9907,6 +9986,8 @@ firewall_policy_applied=0
firewall_policy() {
firewall_policy_applied=1
set_work_function "Applying IPv4 firewall activation policy (options: FIREHOL_INPUT_ACTIVATION_POLICY FIREHOL_OUTPUT_ACTIVATION_POLICY FIREHOL_FORWARD_ACTIVATION_POLICY)"
iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
@ -9914,6 +9995,7 @@ firewall_policy() {
# Accept everything in/out the loopback device.
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
then
set_work_function "Trusting IPv4 lo (option: FIREHOL_TRUST_LOOPBACK)"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
fi
@ -9922,6 +10004,7 @@ firewall_policy() {
# Netfilter HOWTO suggests to DROP all INVALID packets.
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
then
set_work_function "Droping IPv4 connection tracker INVALID packets (option: FIREHOL_DROP_INVALID)"
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
@ -9932,6 +10015,8 @@ firewall_policy6_applied=0
firewall_policy6() {
firewall_policy6_applied=1
set_work_function "Applying IPv6 firewall activation policy (options: FIREHOL_INPUT_ACTIVATION_POLICY FIREHOL_OUTPUT_ACTIVATION_POLICY FIREHOL_FORWARD_ACTIVATION_POLICY)"
ip6tables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
ip6tables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
ip6tables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
@ -9939,6 +10024,7 @@ firewall_policy6() {
# Accept everything in/out the loopback device.
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
then
set_work_function "Trusting IPv4 lo (option: FIREHOL_TRUST_LOOPBACK)"
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
fi
@ -9947,6 +10033,7 @@ firewall_policy6() {
# Netfilter HOWTO suggests to DROP all INVALID packets.
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
then
set_work_function "Droping IPv4 connection tracker INVALID packets (option: FIREHOL_DROP_INVALID)"
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
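Review bot: The color setup added at the top of the script (the `tput colors` test in the `-nc` hunk) turns escape sequences on whenever TERM advertises colours, but never checks that stderr is actually a terminal, so runs driven from init scripts, cron, or `firehol ... 2>logfile` end up with raw `\e[..m` sequences in their logs unless every caller remembers to pass `-nc` as the very first argument. Guarding on the descriptor fixes that without changing the interactive case: `if [ -t 2 ] && [ $[$(tput colors 2>/dev/null)] -ge 8 ]`. The `-nc` test itself only recognises the option when it is `$1`, which is worth stating in the usage text if that is intentional. Separately, the two new `set_work_function` messages in `firewall_policy6()` (`Trusting IPv4 lo ...` and `Droping IPv4 connection tracker ...`, whose function body continues outside this hunk) were copied from `firewall_policy()` and should read IPv6 (and `Dropping`), otherwise debug output attributes the ip6tables rules to the wrong family.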