disable firewall logging by default

f62d6b5b · ale · 5ae77a7d · f62d6b5b · f62d6b5b
Commit f62d6b5b authored 9 years ago by ale
--- a/files/etc/systemd/system/firewall.service
+++ b/files/etc/systemd/system/firewall.service
@@ -6,6 +6,7 @@ Before=sysinit.target

 [Service]
 Type=oneshot
+EnvironmentFile=-/etc/default/firewall
 ExecStart=/usr/local/bin/firewall start
 ExecReload=/usr/local/bin/firewall reload
 #ExecStop=/etc/iptables/flush-iptables.sh

--- a/files/usr/local/bin/firewall
+++ b/files/usr/local/bin/firewall
@@ -7,7 +7,8 @@
 # environment.  Useful in combination with /etc/default or some
 # equivalent mechanism.
 FW_DIR="${FW_DIR:-/etc/firewall}"
-DO_LOG="${DO_LOG:-1}"
+ENABLE_LOG="${ENABLE_LOG:-0}"
+ENABLE_IPV6="${ENABLE_IPV6:-1}"
 LOG_RATE="${LOG_RATE:-5/min}"

 TABLES="filter nat mangle"
@@ -214,7 +215,7 @@ generate_filter() {
    add_rule -A INPUT -j user-input

    # Logging.
-    if [ "${DO_LOG}" -eq 1 ]; then
+    if [ "${ENABLE_LOG}" -eq 1 ]; then
        create_chain log-deny
        add_rule -A log-deny -j LOG --log-prefix 'deny: '
        add_rule -A INPUT -j log-deny -m limit --limit "${LOG_RATE}" --limit-burst 5
@@ -252,8 +253,10 @@ load() {
        cat ${v6rules}
    else
        /sbin/iptables-restore <${v4rules}
+        if [ "${ENABLE_IPV6}" -eq 1 ]; then
            /sbin/ip6tables-restore <${v6rules}
        fi
+    fi
 }

 dry_run=0