# -*-sh-*-
#
# INPUT_EXTERN chain for scipfire
#
# $Id: INPUT_EXTERN,v 1.3 2001/07/29 21:23:35 scip Exp $



#
# Name of the chain this file manages.
CHAIN="INPUT_EXTERN"

#
# Invocation mode, one of: start | startlog | print | stop.
# The config sourced further down is expected to fold startlog and
# print into start (setting $log / $echo as it does so), which is why
# the dispatch at the end of this file only knows start and stop.
MODE="${1}"

#
# Installation prefix of scipfire; the config is looked up under it.
PREFIX="${2}"


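#
# Source the config.  It supplies everything the rules below depend on
# ($iptables, $fw, $log, $echo, $DENY, $EX_BROADCAST, $IN_NET, ...) and
# is expected to normalise $MODE to start or stop.
#
# Fail closed.  Without the config every rule line below degrades into a
# "command not found" error and nothing is installed, which is exactly
# what a firewall script must not do quietly.  Not every sh aborts on a
# failed "." (bash does not), so the check is explicit and the status is
# non-zero so the caller can notice.  The path is quoted so a PREFIX
# containing whitespace or glob characters cannot be split into several
# arguments or expand to some other file.
if [ -r "$PREFIX/conf/scipfire.cfg" ]; then
  . "$PREFIX/conf/scipfire.cfg"
else
  echo "$CHAIN: cannot read $PREFIX/conf/scipfire.cfg - aborting" >&2
  exit 1
fi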


    
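#
# Build this chain ("start") or tear it down ("stop").  By the time we
# get here scipfire.cfg is expected to have normalised $MODE to one of
# those two values (startlog/print set $log/$echo and become start).
#
# Everything below reads variables supplied by scipfire.cfg:
#   $iptables      the iptables command
#   $echo          empty, or "echo" in print mode so that the start
#                  rules are printed instead of installed
#   $fw            rule prefix - presumably "$iptables -A $CHAIN ..."
#                  restricted to the external interface; confirm in
#                  scipfire.cfg
#   $log           prefix for the logging rule that precedes each deny
#                  (what it does is decided per mode by the config)
#   $DENY          target for rejected traffic (presumably DROP or
#                  REJECT, possibly with options)
#   $EX_BROADCAST  broadcast address of the external network
#   $IN_NET        the internal network
# $fw, $log, $echo, $iptables and $DENY are deliberately left unquoted:
# they are command/argument prefixes that may carry several words.
#
# Rule ORDER is the policy - iptables walks a chain top to bottom and
# the first terminal match wins - so do not reorder.  Note also that the
# chain has no final rule of its own: anything not decided here returns
# to whatever chain jumped to INPUT_EXTERN, which then has the last word.

#
# "start": create/flush the chain and install the rules.
# Aborts (exit 1) if the config did not provide the variables the rules
# need; with those empty the rule lines would only produce
# "command not found" errors and install nothing.
inputextern_start() {
  echo "  Initialize $CHAIN"
  if [ -z "$iptables" ] || [ -z "$fw" ] || [ -z "$DENY" ]; then
    echo "$CHAIN: scipfire.cfg did not set iptables/fw/DENY - refusing to build rules" >&2
    exit 1
  fi

  #
  # Create the chain, then flush it: on a restart/reload the chain is
  # already there (-N then complains, harmlessly) and -F clears the old
  # rules so they are not duplicated by the ones added below.
  $echo $iptables -N "$CHAIN"
  $echo $iptables -F "$CHAIN"

  #
  # Sources the RFC chain is responsible for (per the original author:
  # they are denied there).  Verify that chain really terminates, since
  # anything it returns carries on through the rules below.
  $fw -j RFC

  #
  # Broadcasts: the external network's own broadcast address and the
  # limited broadcast 255.255.255.255 (Windows client chatter).
  # Logged, then denied.
  $log -d "$EX_BROADCAST"
  $fw  -d "$EX_BROADCAST" -j $DENY
  $log -d 255.255.255.255
  $fw  -d 255.255.255.255 -j $DENY

  #
  # DNS is handed to IN_DNS.  CAUTION: there is no connection-state
  # match here, and the source port is chosen by the sender - any host
  # on the Internet can send UDP from port 53.  Such packets reach
  # IN_DNS ahead of the "deny other udp" rule below, so IN_DNS is the
  # only thing standing between them and the host: make sure it
  # restricts the match (e.g. to ESTABLISHED traffic or to the
  # configured resolvers) rather than accepting outright.
  $fw -p udp --sport 53 -j IN_DNS
  $fw -p udp --dport 53 -j IN_DNS

  #
  # All remaining UDP is logged and denied.  This is stateless, so
  # replies to outbound non-DNS UDP (NTP, traceroute, ...) are denied
  # here as well unless an earlier chain already accepted them.
  $log -p udp
  $fw  -p udp -j $DENY

  #
  # No inbound TCP connection attempts: NEW (a packet opening a
  # connection) and INVALID (not attributable to any tracked
  # connection) are logged and denied.  As far as conntrack is
  # concerned, only ESTABLISHED or RELATED TCP gets past this point.
  $log -p tcp -m state --state INVALID,NEW
  $fw  -p tcp -m state --state INVALID,NEW -j $DENY

  #
  # RELATED TCP towards the internal network (e.g. an active-mode FTP
  # data connection expected by the conntrack FTP helper) is accepted.
  # Original note: NEEDS TO BE INVESTIGATED.  Such expectations are
  # only as trustworthy as the helper that created them, so load only
  # the helpers for protocols actually in use.
  $fw -p tcp -m state --state RELATED -d "$IN_NET" -j ACCEPT

  #
  # Dispatch the rest to the per-service chains by remote (source)
  # port.  Because NEW was denied above these rules only ever see
  # traffic belonging to connections opened from this side (plus
  # RELATED traffic not aimed at $IN_NET); the port merely picks the
  # chain, it is not an access decision in itself.  (--sport 20: an
  # inbound active-FTP data connection arrives as NEW or RELATED and is
  # therefore decided above, not here.)
  for svc in 22:IN_SSH 80:IN_WWW 443:IN_WWW 20:IN_FTP 21:IN_FTP; do
    $fw -p tcp --sport "${svc%%:*}" -j "${svc#*:}"
  done
  $fw -p icmp -j IN_ICMP
}

#
# "stop": flush and delete the chain.  Not prefixed with $echo - stop
# always acts for real.  Aborts (exit 1) if $iptables is unset.
inputextern_stop() {
  echo "  Deleting $CHAIN"
  if [ -z "$iptables" ]; then
    echo "$CHAIN: scipfire.cfg did not set iptables - refusing to continue" >&2
    exit 1
  fi
  #
  # -X only succeeds once the chain is empty and no other chain still
  # jumps to it, so references have to be torn down by the caller first.
  $iptables -F "$CHAIN"
  $iptables -X "$CHAIN"
}

case "$MODE" in
  start) inputextern_start ;;
  stop)  inputextern_stop ;;
  *)
    # scipfire.cfg is expected to have mapped every mode onto start or
    # stop; anything else means that did not happen.  Say so instead of
    # silently doing nothing.
    echo "$CHAIN: unexpected mode '$MODE' (expected start or stop)" >&2
    ;;
esac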
