#!/bin/sh
#
# Main file for firewall rules, using ipchains.
# Written by Tom Karlsson 1999-10-14.
#
# Parameters to fwrules are:
#
# refresh = Initialize or reinitialize the complete set of rules (default).
#           This will clear all statistics.
# purge   = Delete the rules declared in the fwrules files,
#           but leave all manually added rules.
# delete  = Delete all rules.
#

source /filter/fw.conf

if [ ${1:-none} = "none" ]; then
    ACTION="refresh"
    ipchains -F
    ipchains -X
else
    if [ $1 != "refresh" -a $1 != "purge" -a $1 != "delete" ]; then
	echo
	echo "Usage:   $0 <refresh|purge|delete>"
	echo "Example: $0 refresh    (default)"
	echo
	exit
    fi
fi

case $1 in ( refresh ) ACTION=refresh; ipchains -F; ipchains -X;;
	   ( purge )   ACTION=purge;;
	   ( delete )  ACTION=delete; ipchains -F; ipchains -X; exit;;
esac

ipchains --version
echo
echo "$0"

#------------------
# Set default policy
#
ipchains -P input REJECT
ipchains -P forward ACCEPT
ipchains -P output ACCEPT

#------------------
# Create new sub chains.
# Inserted in reverse traffic order.
#
if [ $ACTION = "refresh" ]; then
    ipchains -N log 2> /dev/null
    ipchains -I input -j log

    ipchains -N snmp 2> /dev/null
    ipchains -I input -j snmp

    ipchains -N printers 2> /dev/null
    ipchains -I input -j printers

    ipchains -N ntp 2> /dev/null
    ipchains -I input -j ntp

    ipchains -N misc 2> /dev/null
    ipchains -I input -j misc

    ipchains -N lyskom 2> /dev/null
    ipchains -I input -j lyskom

    ipchains -N dns 2> /dev/null
    ipchains -I input -j dns

    ipchains -N http 2> /dev/null
    ipchains -I input -j http

    ipchains -N login 2> /dev/null
    ipchains -I input -j login

    ipchains -N icmp 2> /dev/null
    ipchains -I input -j icmp
    ipchains -N ficmp 2> /dev/null
    ipchains -I forward -j ficmp

    ipchains -N out 2> /dev/null
    ipchains -I input -j out

    ipchains -N rate 2> /dev/null
    ipchains -I output -j rate
fi

#------------------
# lock
#
ipchains -I input 1 -j DENY

#------------------
# Call the other modules
#
/filter/fwrules.log $ACTION
/filter/fwrules.snmp $ACTION
/filter/fwrules.printers $ACTION
/filter/fwrules.ntp $ACTION
/filter/fwrules.misc $ACTION
/filter/fwrules.lyskom $ACTION
/filter/fwrules.dns $ACTION
/filter/fwrules.http $ACTION
/filter/fwrules.login $ACTION
/filter/fwrules.icmp $ACTION
/filter/fwrules.out $ACTION
/filter/fwrules.rate $ACTION

#------------------
# Remove lock
#
ipchains -D input 1