# -*-sh-*-
#
# KERNEL stuff, turn on/off some kernel features
#
# $Id: KERNEL,v 1.2 2001/07/29 21:23:35 scip Exp $


#
# see docs in:
# /usr/src/linux/Documentation/filesystems/proc.txt
# /usr/src/linux/Documentation/networking/ip-sysctl.txt




#
# The name of this chain(in fact it's not a chain, but follow the rules...)
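CHAIN=KERNEL


#
# get the type of mode we are running under
# will be one of: start | startlog | print | stop
MODE=$1


#
# get the base path (the scipfire installation prefix)
PREFIX=$2


#
# source the config.  It is executed as shell code with this script's
# privileges (writing /proc/sys needs root), so the file and its directory
# must be root-owned and not group/world-writable.  Without the guard an
# empty PREFIX would silently source /conf/scipfire.cfg instead.  A missing
# config is reported but not fatal: the kernel hardening below does not
# depend on it, only the module list ($MODULES) does.
SCIPFIRE_CFG="${PREFIX:+$PREFIX/conf/scipfire.cfg}"
if [ -n "$SCIPFIRE_CFG" ] && [ -r "$SCIPFIRE_CFG" ]; then
    . "$SCIPFIRE_CFG"
else
    printf '%s: config "%s" not readable (PREFIX="%s"); MODULES will be empty\n' \
        "$CHAIN" "${SCIPFIRE_CFG:-<none>}" "$PREFIX" >&2
fi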





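#
# Normalise the mode.  "print" and "startlog" both run the start branch;
# in print mode every privileged command below is prefixed with $echo so
# it is shown instead of executed.  An unknown mode used to be a silent
# no-op; it is now reported on stderr (MODE is left as is, so nothing runs).
case $MODE in
    "print")
	    echo=/bin/echo
	    MODE=start
	    ;;
    "startlog")
	    MODE=start
	    ;;
    "start"|"stop")
	    ;;
    *)
	    printf '%s: unknown mode "%s" (expected start|startlog|print|stop)\n' \
	        "$CHAIN" "$MODE" >&2
	    ;;
esac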
	


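#
# now $MODE is only start or stop!
#
# set_sysctl VALUE FILE
#   Write VALUE into the /proc/sys file FILE.  Files that do not exist
#   (feature not compiled into this kernel, or an unmatched glob) are
#   skipped silently, like the "-f" guards this replaces.  In print mode
#   ($echo is set) the line that would be run is printed instead.  A
#   redirection cannot be neutralised by prefixing the command with $echo:
#   the former "$echo echo 0 > $file" wrote the literal text "echo 0" into
#   /proc in print mode (rejected by the kernel with EINVAL) and printed
#   nothing.
set_sysctl() {
    [ -f "$2" ] || return 0
    if [ -n "$echo" ]; then
        $echo "echo $1 > $2"
    else
        echo "$1" > "$2"
    fi
}

case $MODE in
  "start")
    echo "  Setting custom $CHAIN parameters"

    #
    # Disable source routing of packets on every interface
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        set_sysctl 0 "$f"
    done

    #
    # Enable rp_filter (reverse-path check: drop packets whose source
    # address is not routed via the interface they arrived on)
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        set_sysctl 1 "$f"
    done

    #
    # Ignore ICMP echo requests sent to broadcast addresses (smurf
    # amplification)
    set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    #
    # Logging of packets with impossible addresses ("martians") is left
    # DISABLED (0) as in the original; the former comment claimed the
    # opposite.  Set to 1 to get rp_filter drops in the kernel log --
    # check the log volume is acceptable before enabling.
    set_sysctl 0 /proc/sys/net/ipv4/conf/all/log_martians

    #
    # Don't accept ICMP redirects.  Set on every interface, not only
    # "all": per ip-sysctl.txt the effective value combines conf/all and
    # conf/<if>, and with forwarding disabled a single enabled interface
    # would keep accepting them.
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        set_sysctl 0 "$f"
    done

    #
    # Drop the ECN flag in tcp-packets
    set_sysctl 0 /proc/sys/net/ipv4/tcp_ecn

    #
    # Increase maximum limit of ip_conntrack (value kept from the original;
    # 16376 looks like a typo for 16384 but is harmless either way)
    set_sysctl 16376 /proc/sys/net/ipv4/ip_conntrack_max

    #
    # Avoid SYN-flooding attacks with TCP SYN cookies (was written twice)
    set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies

    #
    # Enable IP FORWARDING -- deliberately last, after the anti-spoofing
    # settings above are in place
    set_sysctl 1 /proc/sys/net/ipv4/ip_forward

    #
    # load several kernel modules (whitespace-separated list from the config)
    for module in $MODULES; do
        $echo /sbin/insmod "$module"
    done
    ;;
  "stop")
    echo "  Restoring default $CHAIN parameters"
    #
    # Nothing is restored here: the start branch does not save the previous
    # values.  NOTE(review): ip_forward in particular stays enabled after
    # "stop"; if the other chain files flush the filter rules at the same
    # time, the box keeps routing unfiltered -- confirm this is intended.
    ;;
esac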
