/usr/share/fwbuilder-5.1.0.3599/configlets/linux24/block_action is in fwbuilder-common 5.1.0-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | ## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/sveasoft/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
## This configlet defines commands executed when iptables script is ran
## with command line argument "block". By default it resets iptables
## tables and chains using function reset_all and optionally adds backup
## ssh access rules.
block_action() {
reset_all
## it helps to add backup ssh access rule as early as possible so that
## ssh session opened from the management station won't break after
## all chains are flushed. The installation process may stall if
## stdout buffer gets filled with diagnostic or progress output from
## this script printed after chains are flushed but before a rule
## permitting ssh is installed. This may happen if script debugging is
## on or there are many NAT rules (so it prints a lot of "Rule NN
## (NAT)" lines).
{{if mgmt_access}}
# backup ssh access
$IPTABLES -A INPUT -p tcp -m tcp -s {{$ssh_management_address}} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp -d {{$ssh_management_address}} --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
{{endif}}
}
|