projects / people / teissler / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 3a1019f6 MT |
1 | #!/bin/sh |
| 2 | ||
| 3 | eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) | |
| 4 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) | |
| fe0cd647 | 5 | eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) |
| 3a1019f6 MT |
6 | IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` |
| 7 | ||
| 8 | if [ -f /var/ipfire/red/device ]; then | |
| 9 | DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` | |
| 10 | fi | |
| 11 | ||
| 12 | iptables_init() { | |
| 13 | # Flush all rules and delete all custom chains | |
| 14 | /sbin/iptables -F | |
| 15 | /sbin/iptables -t nat -F | |
| 16 | /sbin/iptables -t mangle -F | |
| 17 | /sbin/iptables -X | |
| 18 | /sbin/iptables -t nat -X | |
| 19 | /sbin/iptables -t mangle -X | |
| 20 | ||
| 21 | # Set up policies | |
| 22 | /sbin/iptables -P INPUT DROP | |
| 23 | /sbin/iptables -P FORWARD DROP | |
| 24 | /sbin/iptables -P OUTPUT ACCEPT | |
| 25 | ||
| 26 | # Empty LOG_DROP and LOG_REJECT chains | |
| 27 | /sbin/iptables -N LOG_DROP | |
| 28 | /sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG | |
| 29 | /sbin/iptables -A LOG_DROP -j DROP | |
| 30 | /sbin/iptables -N LOG_REJECT | |
| 31 | /sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG | |
| 32 | /sbin/iptables -A LOG_REJECT -j REJECT | |
| 33 | ||
| 34 | # This chain will log, then DROPs packets with certain bad combinations | |
| 35 | # of flags might indicate a port-scan attempt (xmas, null, etc) | |
| 36 | /sbin/iptables -N PSCAN | |
| 5595bc03 | 37 | if [ "$DROPPORTSCAN" == "on" ]; then |
| 97fe1741 | 38 | /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" |
| fe0cd647 | 39 | /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" |
| 97fe1741 CS |
40 | /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" |
| 41 | /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" | |
| 5595bc03 | 42 | fi |
| 97fe1741 | 43 | /sbin/iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan" |
| 3a1019f6 MT |
44 | |
| 45 | # New tcp packets without SYN set - could well be an obscure type of port scan | |
| 46 | # that's not covered above, may just be a broken windows machine | |
| 47 | /sbin/iptables -N NEWNOTSYN | |
| 5595bc03 | 48 | if [ "$DROPNEWNOTSYN" == "on" ]; then |
| 97fe1741 | 49 | /sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN " |
| 5595bc03 | 50 | fi |
| 97fe1741 | 51 | /sbin/iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" |
| 3a1019f6 MT |
52 | |
| 53 | # Chain to contain all the rules relating to bad TCP flags | |
| 54 | /sbin/iptables -N BADTCP | |
| 55 | ||
| d8158ca6 | 56 | #Don't check loopback |
| a56df4ee | 57 | /sbin/iptables -A BADTCP -i lo -j RETURN |
| d8158ca6 | 58 | |
| 3a1019f6 MT |
59 | # Disallow packets frequently used by port-scanners |
| 60 | # nmap xmas | |
| 61 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN | |
| 62 | # Null | |
| 63 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN | |
| 64 | # FIN | |
| 65 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN | |
| 66 | # SYN/RST (also catches xmas variants that set SYN+RST+...) | |
| 67 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN | |
| 68 | # SYN/FIN (QueSO or nmap OS probe) | |
| 69 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN | |
| 70 | # NEW TCP without SYN | |
| 71 | /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN | |
| 72 | ||
| 73 | /sbin/iptables -A INPUT -j BADTCP | |
| 74 | /sbin/iptables -A FORWARD -j BADTCP | |
| 75 | ||
| 76 | } | |
| 77 | ||
| 78 | iptables_red() { | |
| 79 | /sbin/iptables -F REDINPUT | |
| 80 | /sbin/iptables -F REDFORWARD | |
| 81 | /sbin/iptables -t nat -F REDNAT | |
| 82 | ||
| 83 | # PPPoE / PPTP Device | |
| 84 | if [ "$IFACE" != "" ]; then | |
| 85 | # PPPoE / PPTP | |
| 86 | if [ "$DEVICE" != "" ]; then | |
| 87 | /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT | |
| 88 | fi | |
| 89 | if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then | |
| 90 | if [ "$RED_DEV" != "" ]; then | |
| 91 | /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT | |
| 92 | fi | |
| 93 | fi | |
| 94 | fi | |
| 95 | ||
| 96 | # PPTP over DHCP | |
| 97 | if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then | |
| 98 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
| 99 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
| 100 | fi | |
| 101 | ||
| 102 | # Orange pinholes | |
| 103 | if [ "$ORANGE_DEV" != "" ]; then | |
| 104 | # This rule enables a host on ORANGE network to connect to the outside | |
| 105 | # (only if we have a red connection) | |
| 106 | if [ "$IFACE" != "" ]; then | |
| 139a9b4f | 107 | /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT |
| 3a1019f6 MT |
108 | fi |
| 109 | fi | |
| 110 | ||
| 111 | if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then | |
| 112 | # DHCP | |
| 113 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
| 114 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 115 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 116 | fi | |
| 117 | if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then | |
| 118 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 119 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 120 | fi | |
| 121 | ||
| db073a10 AF |
122 | # Outgoing masquerading (don't masqerade IPSEC (mark 50)) |
| 123 | /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN | |
| 3a1019f6 MT |
124 | /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE |
| 125 | ||
| 126 | fi | |
| 127 | } | |
| 128 | ||
| 129 | # See how we were called. | |
| 130 | case "$1" in | |
| 131 | start) | |
| 132 | iptables_init | |
| 133 | ||
| 134 | # Limit Packets- helps reduce dos/syn attacks | |
| 135 | # original do nothing line | |
| 136 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec | |
| 137 | # the correct one, but the negative '!' do nothing... | |
| 9efdd899 | 138 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP |
| 3a1019f6 MT |
139 | |
| 140 | # Fix for braindead ISP's | |
| 141 | /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
| 142 | ||
| 143 | # CUSTOM chains, can be used by the users themselves | |
| 144 | /sbin/iptables -N CUSTOMINPUT | |
| 145 | /sbin/iptables -A INPUT -j CUSTOMINPUT | |
| 057249ba CS |
146 | /sbin/iptables -N GUARDIAN |
| 147 | /sbin/iptables -A INPUT -j GUARDIAN | |
| 148 | /sbin/iptables -A FORWARD -j GUARDIAN | |
| 3a1019f6 MT |
149 | /sbin/iptables -N CUSTOMFORWARD |
| 150 | /sbin/iptables -A FORWARD -j CUSTOMFORWARD | |
| 151 | /sbin/iptables -N CUSTOMOUTPUT | |
| 152 | /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT | |
| 4cb74dce | 153 | /sbin/iptables -N OUTGOINGFW |
| d9716b06 | 154 | /sbin/iptables -N OUTGOINGFWMAC |
| 4cb74dce | 155 | /sbin/iptables -A OUTPUT -j OUTGOINGFW |
| 3a1019f6 MT |
156 | /sbin/iptables -t nat -N CUSTOMPREROUTING |
| 157 | /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING | |
| 158 | /sbin/iptables -t nat -N CUSTOMPOSTROUTING | |
| 159 | /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
| 160 | ||
| daa1ceba AF |
161 | # IPTV chains for IGMPPROXY |
| 162 | /sbin/iptables -N IPTVINPUT | |
| 163 | /sbin/iptables -A INPUT -j IPTVINPUT | |
| 164 | /sbin/iptables -N IPTVFORWARD | |
| 165 | /sbin/iptables -A FORWARD -j IPTVFORWARD | |
| 166 | ||
| 3a1019f6 MT |
167 | # filtering from GUI |
| 168 | /sbin/iptables -N GUIINPUT | |
| 169 | /sbin/iptables -A INPUT -j GUIINPUT | |
| 905fbf3e | 170 | /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT |
| 3a1019f6 MT |
171 | |
| 172 | # Accept everything connected | |
| 173 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| 174 | /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| 5fd30232 MT |
175 | |
| 176 | # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything | |
| 6652626c AF |
177 | /sbin/iptables -N IPSECINPUT |
| 178 | /sbin/iptables -N IPSECFORWARD | |
| 179 | /sbin/iptables -N IPSECOUTPUT | |
| 5fd30232 | 180 | /sbin/iptables -N OPENSSLVIRTUAL |
| 6652626c | 181 | /sbin/iptables -A INPUT -j IPSECINPUT |
| 5595bc03 | 182 | /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT" |
| 6652626c | 183 | /sbin/iptables -A FORWARD -j IPSECFORWARD |
| 5595bc03 | 184 | /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD" |
| 6652626c | 185 | /sbin/iptables -A OUTPUT -j IPSECOUTPUT |
| c4cd0f7b AF |
186 | /sbin/iptables -t nat -N IPSECNAT |
| 187 | /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT | |
| b68e5c14 | 188 | |
| 4cb74dce | 189 | # Outgoing Firewall |
| d9716b06 | 190 | /sbin/iptables -A FORWARD -j OUTGOINGFWMAC |
| 3a1019f6 MT |
191 | |
| 192 | # localhost and ethernet. | |
| d8158ca6 | 193 | /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT |
| 3a1019f6 MT |
194 | /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo |
| 195 | /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP | |
| cae0079c | 196 | /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT |
| 3a1019f6 MT |
197 | /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP |
| 198 | /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP | |
| dd79c399 | 199 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp |
| 3a1019f6 MT |
200 | /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT |
| 201 | ||
| 202 | # If a host on orange tries to initiate a connection to IPFire's red IP and | |
| 203 | # the connection gets DNATed back through a port forward to a server on orange | |
| 204 | # we end up with orange -> orange traffic passing through IPFire | |
| 205 | [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT | |
| 206 | ||
| 3a1019f6 MT |
207 | # allow DHCP on BLUE to be turned on/off |
| 208 | /sbin/iptables -N DHCPBLUEINPUT | |
| 209 | /sbin/iptables -A INPUT -j DHCPBLUEINPUT | |
| 210 | ||
| 5fd30232 MT |
211 | # OPenSSL |
| 212 | /sbin/iptables -N OPENSSLPHYSICAL | |
| 213 | /sbin/iptables -A INPUT -j OPENSSLPHYSICAL | |
| 3a1019f6 MT |
214 | |
| 215 | # WIRELESS chains | |
| 216 | /sbin/iptables -N WIRELESSINPUT | |
| 217 | /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT | |
| 218 | /sbin/iptables -N WIRELESSFORWARD | |
| 219 | /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD | |
| 220 | ||
| 221 | # RED chain, used for the red interface | |
| 222 | /sbin/iptables -N REDINPUT | |
| 223 | /sbin/iptables -A INPUT -j REDINPUT | |
| 224 | /sbin/iptables -N REDFORWARD | |
| 225 | /sbin/iptables -A FORWARD -j REDFORWARD | |
| 226 | /sbin/iptables -t nat -N REDNAT | |
| 227 | /sbin/iptables -t nat -A POSTROUTING -j REDNAT | |
| 228 | ||
| 229 | iptables_red | |
| 230 | ||
| 231 | # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow | |
| 232 | # ORANGE to talk to GREEN / BLUE. | |
| 233 | /sbin/iptables -N DMZHOLES | |
| 234 | if [ "$ORANGE_DEV" != "" ]; then | |
| 235 | /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES | |
| 236 | fi | |
| 237 | ||
| 238 | # XTACCESS chain, used for external access | |
| 239 | /sbin/iptables -N XTACCESS | |
| 240 | /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS | |
| 241 | ||
| 242 | # PORTFWACCESS chain, used for portforwarding | |
| 243 | /sbin/iptables -N PORTFWACCESS | |
| 244 | /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS | |
| 245 | ||
| 246 | # Custom prerouting chains (for transparent proxy and port forwarding) | |
| 247 | /sbin/iptables -t nat -N SQUID | |
| 248 | /sbin/iptables -t nat -A PREROUTING -j SQUID | |
| 249 | /sbin/iptables -t nat -N PORTFW | |
| 250 | /sbin/iptables -t nat -A PREROUTING -j PORTFW | |
| 251 | ||
| 7e7495b3 MT |
252 | # upnp chain for our upnp daemon |
| 253 | /sbin/iptables -t nat -N UPNPFW | |
| 254 | /sbin/iptables -t nat -A PREROUTING -j UPNPFW | |
| 54194ba4 MT |
255 | # This chain only contains dummy rules. |
| 256 | /sbin/iptables -N UPNPFW | |
| 3a1019f6 MT |
257 | |
| 258 | # Custom mangle chain (for port fowarding) | |
| 259 | /sbin/iptables -t mangle -N PORTFWMANGLE | |
| 260 | /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE | |
| 261 | ||
| 262 | # Postrouting rules (for port forwarding) | |
| 263 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ | |
| 264 | --to-source $GREEN_ADDRESS | |
| 265 | if [ "$BLUE_DEV" != "" ]; then | |
| 266 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS | |
| 267 | fi | |
| 268 | if [ "$ORANGE_DEV" != "" ]; then | |
| 269 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS | |
| 270 | fi | |
| 271 | ||
| 3a1019f6 MT |
272 | # run local firewall configuration, if present |
| 273 | if [ -x /etc/sysconfig/firewall.local ]; then | |
| 274 | /etc/sysconfig/firewall.local start | |
| 275 | fi | |
| 276 | ||
| 277 | # last rule in input and forward chain is for logging. | |
| 5595bc03 CS |
278 | |
| 279 | if [ "$DROPINPUT" == "on" ]; then | |
| 97fe1741 | 280 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " |
| 5595bc03 | 281 | fi |
| 97fe1741 | 282 | /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" |
| 5595bc03 | 283 | if [ "$DROPOUTPUT" == "on" ]; then |
| 97fe1741 | 284 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " |
| 5595bc03 | 285 | fi |
| 97fe1741 | 286 | /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" |
| 3a1019f6 | 287 | ;; |
| 13211b21 CS |
288 | startovpn) |
| 289 | # run openvpn | |
| 290 | /usr/local/bin/openvpnctrl --create-chains-and-rules | |
| 291 | ;; | |
| 3a1019f6 MT |
292 | stop) |
| 293 | iptables_init | |
| 294 | # Accept everyting connected | |
| 295 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| 296 | ||
| 297 | # localhost and ethernet. | |
| 298 | /sbin/iptables -A INPUT -i lo -j ACCEPT | |
| 299 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT | |
| 300 | ||
| 301 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
| 302 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 303 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 304 | fi | |
| 305 | if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then | |
| 306 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 307 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 308 | fi | |
| 309 | ||
| 3a1019f6 MT |
310 | # run local firewall configuration, if present |
| 311 | if [ -x /etc/sysconfig/firewall.local ]; then | |
| 312 | /etc/sysconfig/firewall.local stop | |
| 313 | fi | |
| 314 | ||
| 5595bc03 | 315 | if [ "$DROPINPUT" == "on" ]; then |
| 97fe1741 | 316 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " |
| 5595bc03 | 317 | fi |
| 97fe1741 | 318 | /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" |
| 5595bc03 | 319 | if [ "$DROPOUTPUT" == "on" ]; then |
| 97fe1741 | 320 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " |
| 5595bc03 | 321 | fi |
| 97fe1741 | 322 | /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" |
| 3a1019f6 | 323 | ;; |
| 13211b21 CS |
324 | stopovpn) |
| 325 | # stop openvpn | |
| 326 | /usr/local/bin/openvpnctrl --delete-chains-and-rules | |
| 327 | ;; | |
| 3a1019f6 MT |
328 | reload) |
| 329 | iptables_red | |
| 330 | ||
| 331 | # run local firewall configuration, if present | |
| 332 | if [ -x /etc/sysconfig/firewall.local ]; then | |
| 333 | /etc/sysconfig/firewall.local reload | |
| 334 | fi | |
| 335 | ;; | |
| 336 | restart) | |
| 337 | $0 stop | |
| 338 | $0 start | |
| 339 | ;; | |
| 340 | *) | |
| 341 | echo "Usage: $0 {start|stop|reload|restart}" | |
| 342 | exit 1 | |
| 343 | ;; | |
| 344 | esac | |
| 345 | ||
| 346 | exit 0 |