Package: ferm
Version: 1.2.1-1
My sample ferm.conf looks like:
#!/usr/bin/ferm
# port list defined once and referenced from two chains
def $PORTS = (80 443);
table filter {
    chain INPUT {
        proto tcp mod multiport destination-ports $PORTS ACCEPT;
    }
    chain OUTPUT {
        proto tcp mod multiport destination-ports $PORTS ACCEPT;
    }
}
Running "ferm --lines --noexec" on the above produces:
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t filter -A INPUT -m multiport -p tcp -m tcp --destination-ports 80,443 -j ACCEPT
The rule for the filter/OUTPUT chain is missing. If I put the OUTPUT chain
stanza above the INPUT chain stanza in the conf file then ferm will omit the
rule for the INPUT chain. Also, I've only seen this happen when using
variables in the rules. For example, if I replace $PORTS with (80 443) in
the rule for the OUTPUT chain in the sample conf file then ferm would create
its corresponding iptables rule.
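A dry-run check for the symptom described in this report, added here as an example (it is not part of the report and not code from the ferm project): it scans the output of "ferm --lines --noexec" and reports any expected chain that did not receive its multiport ACCEPT rule, so a silently dropped rule is caught before the ruleset is loaded. The function name check_rules, the port string format "80,443" and the two sample outputs are assumptions made for the demonstration; the first sample reproduces the filter-table lines quoted above, the second is what a correct run of the same ferm.conf should print.

```shell
#!/bin/sh
# Added example, not part of the bug report or of ferm itself.
# Regression check for the behaviour described above: run ferm in dry-run
# mode and confirm that every chain we expect got its multiport ACCEPT rule.

# check_rules FILE PORTS CHAIN...
# FILE holds the output of "ferm --lines --noexec"; PORTS is the comma-joined
# port list that iptables prints (e.g. 80,443). Prints the chains whose rule is
# absent from the filter table and returns 1 if any is missing, else 0.
check_rules() {
    file=$1; ports=$2; shift 2
    missing=""
    for chain in "$@"; do
        grep -q -e "-t filter -A $chain .*-p tcp .*--destination-ports $ports -j ACCEPT" "$file" \
            || missing="$missing $chain"
    done
    [ -z "$missing" ] && return 0
    echo "no multiport rule for chain(s):$missing" >&2
    return 1
}

# Sample inputs, constructed here for the demo (assumption: one iptables
# command per line, as ferm prints them). BUGGY reproduces the filter-table
# lines quoted in the report (filter/OUTPUT rule absent); GOOD is what a
# correct run should print for the same ferm.conf.
BUGGY=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$BUGGY" "$GOOD"' EXIT
cat > "$BUGGY" <<'EOF'
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t filter -A INPUT -m multiport -p tcp -m tcp --destination-ports 80,443 -j ACCEPT
EOF
cat > "$GOOD" <<'EOF'
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t filter -A INPUT -m multiport -p tcp -m tcp --destination-ports 80,443 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -m multiport -p tcp -m tcp --destination-ports 80,443 -j ACCEPT
EOF

# Real use: ferm --lines --noexec /etc/ferm/ferm.conf > rules.txt
#           check_rules rules.txt 80,443 INPUT OUTPUT
if check_rules "$BUGGY" 80,443 INPUT OUTPUT; then
    echo "buggy sample unexpectedly passed"
else
    echo "bug reproduced in dry-run output"
fi
check_rules "$GOOD" 80,443 INPUT OUTPUT && echo "corrected sample passes"
```

The pattern is deliberately anchored on "-t filter -A CHAIN" and the exact port string, so it will also flag a rule that ended up in the wrong table or with a different port list, not only a rule that is absent.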