Command line argument 'panic' does not call the system's iptables script

but blocks all traffic by itself, since many systems do not have the 'panic' argument.
2024-06-28 18:02:33 +00:00 · 2003-03-14 20:59:07 +00:00 · 2003-03-14 20:59:07 +00:00 · 9335770dca
commit 9335770dca
parent e0b1570dd2
2 changed files with 34 additions and 9 deletions
--- a/doc/invoking.html
+++ b/doc/invoking.html
@ -47,7 +47,13 @@ FireHOL has been designed to be a startup service. As such, FireHOL accepts all
 	</td>
 	</tr>
 <tr>	<td><b>panic</td>
-	<td>	Executes <b>/etc/init.d/iptables panic</b>
+	<td>	It removes all rules from the running firewall and then it DROPs all
+	traffic on all iptables tables (mangle, nat, filter) and pre-defined chains
+	(PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING), thus blocking all IP
+	communication. DROPing is not done by changing the default policy to DROP, but
+	by adding just one rule per table/chain to drop all traffic, because the default
+	iptables scripts supplied by many systems (including RedHat 8) do not reset
+	all the chains to ACCEPT when starting (FireHOL resets them correctly).
 	</td>
 	</tr>
 <tr>	<td bgcolor="#EEEEEE"><b>save</td>
@ -183,7 +189,7 @@ its line number in the original configuration file.
 <tr><td align=center valign=middle>
 	<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
 </td><td align=center valign=middle>
-	<small>$Id: invoking.html,v 1.8 2003/02/26 22:26:20 ktsaou Exp $</small>
+	<small>$Id: invoking.html,v 1.9 2003/03/14 20:59:09 ktsaou Exp $</small>
 	<p>
 	<b>FireHOL</b>, a firewall for humans...<br>
 	&copy; Copyright 2002
--- a/firehol.sh
+++ b/firehol.sh
@ -10,7 +10,7 @@
 #
 # config: /etc/firehol.conf
 #
-# $Id: firehol.sh,v 1.110 2003/03/14 20:36:52 ktsaou Exp $
+# $Id: firehol.sh,v 1.111 2003/03/14 20:59:07 ktsaou Exp $
 #
 FIREHOL_FILE="${0}"

@ -3148,8 +3148,27 @@ case "${arg}" in
 		;;
 	
 	panic)
-		/etc/init.d/iptables panic
-		exit $?
+		echo -n $"FireHOL: Blocking all communications:"
+		/sbin/modprobe ip_tables >/dev/null 2>&1
+		tables=`cat /proc/net/ip_tables_names`
+		for t in ${tables}
+		do
+			/sbin/iptables -t "${t}" -F
+			/sbin/iptables -t "${t}" -X
+			/sbin/iptables -t "${t}" -Z
+			
+			# Find all default chains in this table.
+			chains=`/sbin/iptables -t "${t}" -nL | grep "^Chain " | cut -d ' ' -f 2`
+			for c in ${chains}
+			do
+				/sbin/iptables -t "${t}" -P "${c}" ACCEPT
+				/sbin/iptables -t "${t}" -A "${c}" -j DROP
+			done
+		done
+		success $"FireHOL: Blocking all communications:"
+		echo
+		
+		exit 0
 		;;
 	
 	save)
@ -3193,7 +3212,7 @@ case "${arg}" in
 		else
 		
 		cat <<"EOF"
-$Id: firehol.sh,v 1.110 2003/03/14 20:36:52 ktsaou Exp $
+$Id: firehol.sh,v 1.111 2003/03/14 20:59:07 ktsaou Exp $
 (C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
 FireHOL is distributed under GPL.

@ -3376,7 +3395,7 @@ then
 	
 	cat <<"EOF"

-$Id: firehol.sh,v 1.110 2003/03/14 20:36:52 ktsaou Exp $
+$Id: firehol.sh,v 1.111 2003/03/14 20:59:07 ktsaou Exp $
 (C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
 FireHOL is distributed under GPL.
 Home Page: http://firehol.sourceforge.net
@ -3584,7 +3603,7 @@ then
 	
 	cat >&2 <<"EOF"

-$Id: firehol.sh,v 1.110 2003/03/14 20:36:52 ktsaou Exp $
+$Id: firehol.sh,v 1.111 2003/03/14 20:59:07 ktsaou Exp $
 (C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
 FireHOL is distributed under GPL.
 Home Page: http://firehol.sourceforge.net
@ -3677,7 +3696,7 @@ EOF
 	echo "# "

 	cat <<"EOF"
-# $Id: firehol.sh,v 1.110 2003/03/14 20:36:52 ktsaou Exp $
+# $Id: firehol.sh,v 1.111 2003/03/14 20:59:07 ktsaou Exp $
 # (C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
 # FireHOL is distributed under GPL.
 # Home Page: http://firehol.sourceforge.net