# You should not edit this file.  Instead, create a file with the same
# name as this one, but with a .rul extension instead of .def.  The
# .rul file will override this one.
#
# However, any changes you make to this file will be preserved.

# Packet filter firewall script for ipmasq (GPL)
#                   By Osamu Aoki <osamu@aokiconsulting.com>
#
# Firewall rules are set for the external network connection ports listed in $EXTERNAL.
# Little consideration is taken for shared ports.
#
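echo "# Firewall for outgoing packets"
###############################################################################
# QUIET ADDRESS (REJECT for internal request) RULES
#
# For each external interface in $EXTERNAL and each address in $QADDR, append
# a rule that REJECTs packets leaving that interface for that destination.
# REJECT answers the local sender with an error (the DENY/DROP rules further
# down discard silently), so a local request for one of these addresses fails
# at once instead of hanging until it times out.
#
# An $EXTERNAL entry is "iface" or "iface:<something>"; ${i%%:*} keeps the text
# before the first ':' as the interface name.  ipnm_cache is not defined in
# this file (it comes from the sourcing ipmasq script); nothing it sets is read
# in this section -- presumably it caches the per-interface IPOFIF/NMOFIF
# values that later sections use.
#
# Rule operands ("$i", "${i%%:*}", "$j") are double-quoted so a value is never
# subject to pathname expansion (an unquoted "*" would be replaced by file
# names).  $IPFWADM, $IPCHAINS and $IPTABLES stay unquoted on purpose: they may
# carry a command together with options.
if [ -n "$EXTERNAL" ]; then
  for i in $EXTERNAL; do
    ipnm_cache "$i"
    for j in $QADDR; do
      case $MASQMETHOD in
      ipfwadm)
        $IPFWADM -O -a reject -W "${i%%:*}" -D "$j"
        ;;
      ipchains)
        $IPCHAINS --no-warnings -A output -j REJECT -i "${i%%:*}" -d "$j"
        ;;
      netfilter)
        $IPTABLES -A OUTPUT -j REJECT -o "${i%%:*}" -d "$j"
        ;;
      esac
    done
  done
fi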

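###############################################################################
# ALLOW OUTPUT TCP RULES
#
# For each external interface and each TCP port (or port range) in $ATCPSVR,
# accept outgoing packets whose SOURCE address lies in $IPOFIF/$NMOFIF and
# whose SOURCE port is that entry -- i.e. traffic sent by a local service that
# listens on the port.  IPOFIF and NMOFIF are not assigned in this file; they
# are presumably filled in by ipnm_cache for the current interface (confirm
# against the sourcing ipmasq script).
#
# ipfwadm/ipchains take the port right after the -S/-s address; netfilter
# needs an explicit --source-port.  Rules are appended, so these ACCEPTs sit
# behind the $QADDR REJECTs and ahead of the QUIET/DENY rules below.
#
# Operands are double-quoted so no value can undergo pathname expansion;
# $IPFWADM/$IPCHAINS/$IPTABLES stay unquoted because they may hold options.
if [ -n "$EXTERNAL" ]; then
  for i in $EXTERNAL; do
    ipnm_cache "$i"
    for j in $ATCPSVR; do
      case $MASQMETHOD in
      ipfwadm)
        $IPFWADM -O -a accept -W "${i%%:*}" -S "$IPOFIF/$NMOFIF" "$j" -P tcp
        ;;
      ipchains)
        $IPCHAINS -A output -j ACCEPT -i "${i%%:*}" -s "$IPOFIF/$NMOFIF" "$j" -p tcp
        ;;
      netfilter)
        $IPTABLES -A OUTPUT -j ACCEPT -o "${i%%:*}" -s "$IPOFIF/$NMOFIF" -p tcp --source-port "$j"
        ;;
      esac
    done
  done
fi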

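# ALLOW OUTPUT UDP RULES
#
# UDP twin of the TCP section above: for each external interface and each UDP
# port (or range) in $AUDPSVR, accept outgoing packets sourced from
# $IPOFIF/$NMOFIF with that SOURCE port -- replies from a local UDP service.
# IPOFIF/NMOFIF are presumably set by ipnm_cache for the current interface
# (they are not assigned in this file).
#
# Operands are double-quoted so no value can undergo pathname expansion;
# $IPFWADM/$IPCHAINS/$IPTABLES stay unquoted because they may hold options.
if [ -n "$EXTERNAL" ]; then
  for i in $EXTERNAL; do
    ipnm_cache "$i"
    for j in $AUDPSVR; do
      case $MASQMETHOD in
      ipfwadm)
        $IPFWADM -O -a accept -W "${i%%:*}" -S "$IPOFIF/$NMOFIF" "$j" -P udp
        ;;
      ipchains)
        $IPCHAINS -A output -j ACCEPT -i "${i%%:*}" -s "$IPOFIF/$NMOFIF" "$j" -p udp
        ;;
      netfilter)
        $IPTABLES -A OUTPUT -j ACCEPT -o "${i%%:*}" -s "$IPOFIF/$NMOFIF" -p udp --source-port "$j"
        ;;
      esac
    done
  done
fi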

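###############################################################################
# QUIET OUTPUT TCP RULES
#
# For each external interface and each TCP port (or range) in $QTCPSVR,
# silently discard outgoing packets from ANY source address (0.0.0.0/0) whose
# SOURCE port is that entry: DENY (ipfwadm/ipchains) / DROP (netfilter), no
# logging.  Because rules are appended, packets from $IPOFIF/$NMOFIF on a port
# that is also listed in $ATCPSVR were already accepted by the section above
# and never reach these rules.
#
# Operands are double-quoted so no value can undergo pathname expansion;
# $IPFWADM/$IPCHAINS/$IPTABLES stay unquoted because they may hold options.
if [ -n "$EXTERNAL" ]; then
  for i in $EXTERNAL; do
    ipnm_cache "$i"
    for j in $QTCPSVR; do
      case $MASQMETHOD in
      ipfwadm)
        $IPFWADM -O -a deny -W "${i%%:*}" -S 0.0.0.0/0 "$j" -P tcp
        ;;
      ipchains)
        $IPCHAINS --no-warnings -A output -j DENY -i "${i%%:*}" -s 0.0.0.0/0 "$j" -p tcp
        ;;
      netfilter)
        $IPTABLES -A OUTPUT -j DROP -o "${i%%:*}" -s 0.0.0.0/0 -p tcp --source-port "$j"
        ;;
      esac
    done
  done
fi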

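# QUIET OUTPUT UDP RULES
#
# UDP twin of the TCP section above: for each external interface and each UDP
# port (or range) in $QUDPSVR, silently discard outgoing packets from ANY
# source address (0.0.0.0/0) whose SOURCE port is that entry -- DENY for
# ipfwadm/ipchains, DROP for netfilter, no logging.
#
# Operands are double-quoted so no value can undergo pathname expansion;
# $IPFWADM/$IPCHAINS/$IPTABLES stay unquoted because they may hold options.
if [ -n "$EXTERNAL" ]; then
  for i in $EXTERNAL; do
    ipnm_cache "$i"
    for j in $QUDPSVR; do
      case $MASQMETHOD in
      ipfwadm)
        $IPFWADM -O -a deny -W "${i%%:*}" -S 0.0.0.0/0 "$j" -P udp
        ;;
      ipchains)
        $IPCHAINS --no-warnings -A output -j DENY -i "${i%%:*}" -s 0.0.0.0/0 "$j" -p udp
        ;;
      netfilter)
        $IPTABLES -A OUTPUT -j DROP -o "${i%%:*}" -s 0.0.0.0/0 -p udp --source-port "$j"
        ;;
      esac
    done
  done
fi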

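###############################################################################
# DENY OUTPUT TCP RULES
#
# Same match as the QUIET TCP rules (any source address, SOURCE port in
# $DTCPSVR) but logged: ipfwadm -o and ipchains -l switch on kernel logging
# for the matching rule, while netfilter needs a separate LOG rule ahead of
# the DROP because LOG is a non-terminating target.
# NOTE(review): the LOG rule is not rate-limited, so a burst of matching
# packets goes straight to the kernel log; add "-m limit" in front of -j LOG
# if log volume matters on this host.
#
# Operands are double-quoted so no value can undergo pathname expansion;
# $IPFWADM/$IPCHAINS/$IPTABLES stay unquoted because they may hold options.
if [ -n "$EXTERNAL" ]; then
  for i in $EXTERNAL; do
    ipnm_cache "$i"
    for j in $DTCPSVR; do
      case $MASQMETHOD in
      ipfwadm)
        $IPFWADM -O -a deny -W "${i%%:*}" -S 0.0.0.0/0 "$j" -P tcp -o
        ;;
      ipchains)
        $IPCHAINS --no-warnings -A output -j DENY -i "${i%%:*}" -s 0.0.0.0/0 "$j" -p tcp -l
        ;;
      netfilter)
        $IPTABLES -A OUTPUT -j LOG -o "${i%%:*}" -s 0.0.0.0/0 -p tcp --source-port "$j"
        $IPTABLES -A OUTPUT -j DROP -o "${i%%:*}" -s 0.0.0.0/0 -p tcp --source-port "$j"
        ;;
      esac
    done
  done
fi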

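# DENY OUTPUT UDP RULES
#
# UDP twin of the DENY TCP section: for each external interface and each UDP
# port (or range) in $DUDPSVR, discard outgoing packets from ANY source
# address with that SOURCE port and log them (ipfwadm -o, ipchains -l; a LOG
# rule ahead of the DROP for netfilter).
# NOTE(review): the netfilter LOG rule carries no "-m limit", so matching
# traffic is logged without a cap.
#
# Operands are double-quoted so no value can undergo pathname expansion;
# $IPFWADM/$IPCHAINS/$IPTABLES stay unquoted because they may hold options.
if [ -n "$EXTERNAL" ]; then
  for i in $EXTERNAL; do
    ipnm_cache "$i"
    for j in $DUDPSVR; do
      case $MASQMETHOD in
      ipfwadm)
        $IPFWADM -O -a deny -W "${i%%:*}" -S 0.0.0.0/0 "$j" -P udp -o
        ;;
      ipchains)
        $IPCHAINS --no-warnings -A output -j DENY -i "${i%%:*}" -s 0.0.0.0/0 "$j" -p udp -l
        ;;
      netfilter)
        $IPTABLES -A OUTPUT -j LOG -o "${i%%:*}" -s 0.0.0.0/0 -p udp --source-port "$j"
        $IPTABLES -A OUTPUT -j DROP -o "${i%%:*}" -s 0.0.0.0/0 -p udp --source-port "$j"
        ;;
      esac
    done
  done
fi
# Closes the "# Firewall for outgoing packets" marker printed at the top of
# this file (presumably consumed by ipmasq's rule listing output).
echo "#"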