# -*-sh-*-
#
# IN_ICMP chain for scipfire
#
# $Id: IN_ICMP,v 1.2 2001/07/29 21:23:35 scip Exp $



#
# The name of this chain
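CHAIN=IN_ICMP


#
# Operating mode, passed by the caller as the first argument.
# Will be one of: start | startlog | print | stop
MODE=$1


#
# Base path of the installation, passed as the second argument.
PREFIX=$2


#
# Source the shared configuration.
#
# The path is quoted so that a PREFIX containing whitespace or glob
# characters still names exactly one file; unquoted, the shell would
# split it and source a different path with the remainder as arguments.
#
# The file is sourced, i.e. every line in it is executed as shell code
# in this process with this script's privileges. PREFIX must therefore
# come from a trusted caller, and the config file and its directory
# should be writable only by the firewall administrator.
#
# NOTE(review): the variables used further down ($echo, $iptables, $log,
# $fw, $DENY, $EX_ME, $ICMP_LIMIT) are not set in this file; presumably
# they are defined by this config -- confirm. If sourcing fails they are
# empty and no rule of this chain gets installed.
. "$PREFIX/conf/scipfire.cfg"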




#
# now $MODE is only start or stop!
# Dispatch on the mode. Only "start" and "stop" are handled here; any
# other value matches no arm and the script silently does nothing.
# NOTE(review): the header lists startlog and print as possible modes as
# well; presumably scipfire.cfg maps them onto start/stop and onto the
# $echo / $log prefixes -- confirm.
#
# $echo, $iptables, $log, $fw and $DENY are deliberately left unquoted:
# they presumably expand to multi-word command prefixes or targets, so
# quoting them would change what gets executed. Verify against
# scipfire.cfg before tightening the quoting.
case "$MODE" in
  stop)
    echo "  Deleting $CHAIN"
    # Flush first, then delete: -X only removes an empty chain.
    # NOTE(review): -X also fails while another chain still jumps to
    # this one; the unlinking is presumably done by the caller.
    # Unlike the start arm, these two calls are not prefixed with $echo.
    $iptables -F $CHAIN
    $iptables -X $CHAIN
    ;;
  start)
    echo "  Initialize $CHAIN"
    # Create the chain, then flush it so that a restart or reload does
    # not stack new rules on top of rules left from a previous run.
    $echo $iptables -N $CHAIN
    $echo $iptables -F $CHAIN

    # Refuse three specific ICMP request types (not every request type):
    # timestamp and address-mask requests, and echo requests (ping).
    # The $log rule is issued before the $DENY rule of the same type;
    # assuming $DENY is a terminating target, the packet would otherwise
    # never reach the logging rule.
    for icmp_type in timestamp-request address-mask-request echo-request; do
      $log -p icmp --icmp-type "$icmp_type"
      $fw  -p icmp --icmp-type "$icmp_type" -j $DENY
    done

    # Accept, rate-limited to $ICMP_LIMIT, ICMP that is not addressed to
    # $EX_ME (intended for replies travelling back into the LAN).
    # NOTE(review): as written on this line the rule names no
    # --icmp-type and no connection state, so unless $fw adds further
    # matches it accepts every ICMP type not denied above, not only
    # replies. Packets over the limit do not match and leave this chain
    # without a verdict; their fate is decided by the calling chain or
    # policy, which is not visible here.
    $fw  -p icmp ! -d $EX_ME -m limit --limit $ICMP_LIMIT -j ACCEPT
    ;;
esac
