# -*-sh-*-
#
# OUTPUT chain for scipfire
#
# $Id: OUTPUT,v 1.2 2001/07/29 21:23:35 scip Exp $



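#
# The name of this chain
CHAIN=OUTPUT


#
# get the type of mode we are running under
# will be one of: start | startlog | print | stop
MODE=$1


#
# get the base path
PREFIX=$2


#
# source the config
# The path is quoted so a PREFIX with spaces or glob characters still
# resolves to the single intended file.  The config is expected to define
# $iptables, $fw, $log, $echo, $DENY, $OUT_POLICY, $EX_INT, $EX_NET, $IN_NET
# and the OUT_DNS chain.
# NOTE(review): presumably the config also maps startlog/print onto start
# and sets $echo for print mode -- confirm against scipfire.cfg.
. "$PREFIX/conf/scipfire.cfg"



#
# now $MODE is only start or stop!
# $iptables, $fw, $log and $echo are deliberately left unquoted: they hold a
# command plus its arguments and rely on word-splitting.
case "$MODE" in
  "start")
    echo "  Initialize $CHAIN"
    #
    # initialize this chain
    # Both tables are flushed: the TOS rule below lives in the mangle table,
    # and without this flush every restart|reload appended another copy of it
    # (stop already flushes mangle, start did not).
    $echo $iptables -F $CHAIN                # flush possibly existing rules(for restart|reload!)
    $echo $iptables -t mangle -F $CHAIN      # flush the mangle table chain as well
    $echo $iptables -P $CHAIN $OUT_POLICY    # define default policy

    #
    # guaranty service for ssh
    $fw -t mangle -o $EX_INT -p tcp -d 0/0 --dport 22 -j TOS --set-tos Minimize-Delay

    #
    # accept tcp traffic coming from outside/inside
    # there are no reverse rules here, because we've
    # got it still done at this point by the INPUT rules
    $fw -p tcp -d $EX_NET -j ACCEPT
    $fw -p tcp -d $IN_NET -j ACCEPT

    #
    # handle dns rules in OUT_DNS
    $fw -p udp --sport 53 -j OUT_DNS
    $fw -p udp --dport 53 -j OUT_DNS

    #
    # deny all other stuff
    # $log is expected to append the logging rule; $DENY is the terminal target
    $log
    $fw -j $DENY


    ;;
  "stop")
    echo "  Resetting $CHAIN"
    #
    # flush this chain and fall back to an open policy
    # (OUTPUT is a built-in chain, so it is flushed, not deleted)
    $iptables -F $CHAIN
    $iptables -P $CHAIN ACCEPT

    #
    # do this for the mangle table chain too
    $iptables -t mangle -F $CHAIN

    ;;
  *)
    #
    # anything else is a caller error: report it but do not touch the rules
    echo "  $CHAIN: unknown mode '$MODE' (expected start or stop)" >&2
    ;;
esac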
