#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

#Module name and version; both are reported by the "version" action below.
Me="kernel"
MyVersion="0.1.1"

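#######################################
# Write one /proc/sys (sysctl) file, recording how to undo the change.
# Arguments: $1 - path of the /proc file to write
#            $2 - value to write into it
# Outputs:   stderr: progress and skip messages, prefixed with '#'
#            stdout: a shell command that restores the previous value, so the
#                    caller can save stdout and run it later to undo this change
# Returns:   0 on success or when $1 does not exist (skipped),
#            1 if the write fails
#######################################
SetProc () {
	local ProcFile="$1"
	local NewValue="$2"
	local OldValue

	if [ ! -e "$ProcFile" ]; then
		echo "#This kernel has no $ProcFile, skipping" >&2
		return 0
	fi

	echo "#Setting $ProcFile to $NewValue" >&2

	#Capture the current value before overwriting it so it can be restored.
	if OldValue=$(sudo cat "$ProcFile"); then
		#The restore command writes through tee so the file is opened by the
		#privileged process. A plain "sudo echo X >file" performs the redirect
		#in the caller's (unprivileged) shell and fails with permission denied.
		#%q shell-quotes the value and the path for the saved script.
		printf 'echo %q | sudo tee %q >/dev/null\n' "$OldValue" "$ProcFile"
	else
		echo "#Could not read $ProcFile, no restore command emitted" >&2
		echo "#Previous value of $ProcFile could not be read; not restored."
	fi

	#Same tee pattern for the write itself, for the same reason as above.
	if ! echo "$NewValue" | sudo tee "$ProcFile" >/dev/null; then
		echo "#Failed to set $ProcFile to $NewValue" >&2
		return 1
	fi
}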

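#Dispatch on the action passed as $1. For "start", stdout is a restore
#script ('#' comment lines plus one command per setting changed) and
#stderr carries progress messages, so the two streams can be separated.
Action="$1"
case "$Action" in
start)
	echo "#Starting $Me"
	echo "#The output from this script can be saved to a file that can be"
	echo "#later run to restore the current settings."

	#Ignore ICMP echo requests sent to broadcast addresses, and enable SYN
	#cookies so a SYN flood cannot exhaust the listen backlog.
	SetProc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
	SetProc /proc/sys/net/ipv4/tcp_syncookies 1

	#Per-interface settings: refuse ICMP redirects and source-routed packets.
	#If a glob matches nothing, the literal pattern is passed through and
	#SetProc skips it because that path does not exist.
	for OneProc in \
	 /proc/sys/net/ipv4/conf/*/accept_redirects \
	 /proc/sys/net/ipv4/conf/*/accept_source_route \
	 ; do
		SetProc "$OneProc" 0
	done

#Not appropriate for asymmetric routing situations, enable everywhere else.
#	for OneProc in \
#	 /proc/sys/net/ipv4/conf/*/rp_filter \
#	 ; do
#		SetProc "$OneProc" 1
#	done

	;;
stop)
	#There is no stored state to undo here; the restore commands were written
	#to stdout by "start" and must be re-run from the file the user saved.
	echo "Stopping $Me is accomplished by running the commands that this module provided when it was first run."
	;;
version)
	#FBLibVer is not set in this file; presumably it comes from the
	#firebricks library that runs this module — confirm against the caller.
	echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
	;;
help)
	#DefaultHelp is not defined in this file; presumably provided by the
	#firebricks library that runs this module.
	DefaultHelp
	cat <<EOTEXT >&2
	The $Me module sets some standard security settings in the Linux
kernel /proc filesystem.  When run, it returns the commands needed to
return the kernel to its previous state, allowing you to save the
current settings.
	These are generally safe to use.
EOTEXT
	;;
*)
	echo "Unknown action $Action in $Me, no action taken." >&2
	;;
esac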

