# You should not edit this file.  Instead, create a file with the same
# name as this one, but with a .rul extension instead of .def.  The
# .rul file will override this one.
#
# However, any changes you make to this file will be preserved.

# Packet filter firewall script for ipmasq (GPL)
#                   By Osamu Aoki <osamu@aokiconsulting.com>
#
# Firewall rules are set for the external network connection ports listed in $EXTERNAL.
# Little consideration is taken for shared ports (a port listed in more than one list).
#
# Section banner emitted when the rule set is generated/applied.
printf '%s\n' "# Firewall for incoming packets"
###############################################################################
# QUIET INPUT ADDRESS (deny packets from foreign source addresses) RULES
# Silently discard anything whose source is in $QADDR and that arrives on an
# external interface.  Each $EXTERNAL entry is used two ways: passed whole to
# ipnm_cache, and as ${i%%:*} (the text before the first ':') for the
# interface option (-W for ipfwadm, -i for ipchains/iptables).  No logging
# flag is given here, hence "QUIET".  The [ -n ] guard is redundant with an
# empty-list for loop but harmless.
if [ -n "$EXTERNAL" ]; then
    for i in $EXTERNAL; do
        # ipnm_cache is not defined in this file; presumably it fills in
        # $IPOFIF/$NMOFIF for the interface -- this block does not read them.
        ipnm_cache $i
        for j in $QADDR; do
	    # One rule per (interface, source) pair.  Rules are appended
	    # (-a / -A), so this section is matched before the ALLOW rules
	    # below: a source listed in $QADDR is blocked even on open ports.
	    case $MASQMETHOD in
	    ipfwadm)
	        $IPFWADM -I -a deny -W ${i%%:*} -S $j
	        ;;
	    ipchains)
	        $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -s $j
	        ;;
	    netfilter)
	        $IPTABLES -A INPUT -j DROP -i ${i%%:*} -s $j
	        ;;
	    esac
        done
    done
fi
###############################################################################
# ALLOW INPUT TCP RULES
# Accept inbound TCP to each port in $ATCPSVR on each external interface.
# Only the destination is constrained ($IPOFIF/$NMOFIF -- presumably the
# interface's own address and mask as set by ipnm_cache; confirm); there is
# no source match, so these ports are reachable from any address not already
# dropped by the QADDR section above.  Being appended before the QUIET/DENY
# port sections, an accept here wins for a port that is also listed there.
if [ -n "$EXTERNAL" ]; then
    for i in $EXTERNAL; do
        ipnm_cache $i
        for j in $ATCPSVR; do
	    # ${i%%:*}: interface name, i.e. the part of the entry before the
	    # first ':'.  $j is passed as the destination port.
	    case $MASQMETHOD in
	    ipfwadm)
	        $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp
	        ;;
	    ipchains)
	        # NOTE(review): unlike the deny rules in this file, no
	        # --no-warnings here -- presumably deliberate; confirm.
	        $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp
	        ;;
	    netfilter)
	        $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
	        ;;
	    esac
        done
    done
fi

# ALLOW INPUT UDP RULES
# Accept inbound UDP to each port in $AUDPSVR on each external interface.
# Same shape as the TCP block above: destination-only match on
# $IPOFIF/$NMOFIF (presumably the interface address/mask from ipnm_cache;
# confirm), no source restriction, appended ahead of the QUIET/DENY sections.
if [ -n "$EXTERNAL" ]; then
    for i in $EXTERNAL; do
        ipnm_cache $i
        for j in $AUDPSVR; do
	    # ${i%%:*}: interface name (entry text before the first ':');
	    # $j: destination port.
	    case $MASQMETHOD in
	    ipfwadm)
	        $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp
	        ;;
	    ipchains)
	        $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp
	        ;;
	    netfilter)
	        $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
	        ;;
	    esac
        done
    done
fi

###############################################################################
# QUIET INPUT TCP RULES
# Drop inbound TCP to each port in $QTCPSVR on each external interface
# without logging ("QUIET").  Destination-only match on $IPOFIF/$NMOFIF, any
# source.  Appended after the ALLOW sections, so a port present in both
# $ATCPSVR and $QTCPSVR is accepted, not dropped.
if [ -n "$EXTERNAL" ]; then
    for i in $EXTERNAL; do
        ipnm_cache $i
        for j in $QTCPSVR; do
	    # deny / DENY / DROP: the packet is discarded with no reply.
	    case $MASQMETHOD in
	    ipfwadm)
	        $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp
	        ;;
	    ipchains)
	        $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp
	        ;;
	    netfilter)
	        $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
	        ;;
	    esac
        done
    done
fi

# QUIET INPUT UDP RULES
# Drop inbound UDP to each port in $QUDPSVR on each external interface
# without logging ("QUIET").  Mirrors the QUIET TCP block above; same
# ordering caveat: an earlier ALLOW for the same port takes precedence.
if [ -n "$EXTERNAL" ]; then
    for i in $EXTERNAL; do
        ipnm_cache $i
        for j in $QUDPSVR; do
	    # deny / DENY / DROP: discarded silently, no ICMP reply.
	    case $MASQMETHOD in
	    ipfwadm)
	        $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp
	        ;;
	    ipchains)
	        $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp
	        ;;
	    netfilter)
	        $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
	        ;;
	    esac
        done
    done
fi

###############################################################################
# DENY INPUT TCP RULES
# Drop AND log inbound TCP to each port in $DTCPSVR on each external
# interface.  This differs from the QUIET TCP block only in the logging:
# ipfwadm -o and ipchains -l log the matched packet; netfilter has no
# log-and-drop target, so a LOG rule is appended immediately before the
# DROP rule (LOG is non-terminating, so the DROP must follow it).
# Appended last, so ALLOW/QUIET entries for the same port win.
# NOTE(review): the LOG rule is not rate-limited; every probe to a listed
# port writes a kernel log line, which an attacker can use to flood logs.
if [ -n "$EXTERNAL" ]; then
    for i in $EXTERNAL; do
        ipnm_cache $i
        for j in $DTCPSVR; do
	    case $MASQMETHOD in
	    ipfwadm)
	        $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp -o
	        ;;
	    ipchains)
	        $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp -l
	        ;;
	    netfilter)
	        # Same match on both rules; keep them identical if either changes.
	        $IPTABLES -A INPUT -j LOG  -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
	        $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
	        ;;
	    esac
        done
    done
fi

# DENY INPUT UDP RULES
# Drop AND log inbound UDP to each port in $DUDPSVR on each external
# interface.  UDP counterpart of the DENY TCP block above: -o / -l enable
# logging for ipfwadm / ipchains, and netfilter uses a LOG rule followed by
# the DROP rule with the same match.  Same ordering and unlimited-logging
# caveats as the TCP block.
if [ -n "$EXTERNAL" ]; then
    for i in $EXTERNAL; do
        ipnm_cache $i
        for j in $DUDPSVR; do
	    case $MASQMETHOD in
	    ipfwadm)
	        $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp -o
	        ;;
	    ipchains)
	        $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp -l
	        ;;
	    netfilter)
	        # LOG is non-terminating; the DROP immediately after does the discarding.
	        $IPTABLES -A INPUT -j LOG  -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
	        $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
	        ;;
	    esac
        done
    done
fi
# Closing banner line for this section.
printf '%s\n' "#"