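#!/bin/bash
#This is a sample set of calls for the firebricks modules.
#Written by William Stearns <wstearns@pobox.com>
#
#Every non-comment line below runs one brick: an external command located via
#PATH.  The bricks are called in the numbered order of the section comments
#because later bricks use chains that earlier bricks create.

#Where to find the bricks themselves.  This is only used for this script
export PATH="/usr/lib/firebricks/:$PATH"

#Fail closed.  If any brick exits non-zero, abort right here instead of
#falling through to the "lockdown stop" at the bottom, which would open the
#firewall on a half-built ruleset.  Every brick call below is a plain
#statement (not inside an if/&&/||), so -e catches each failure.  The ERR
#trap names the offending line before the shell exits.
set -euo pipefail
trap 'printf "firebricks: brick failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

#00
#This, and the corresponding "lockdown stop" at the end are _optional_.
#They improve security by blocking all traffic until the firewall is 
#completely set up.  Not a good call on a running machine already
#handling lots of packets.
#Note: if the script aborts on a failed brick, this lockdown stays in
#effect; without the lockdown pair an abort leaves a partial ruleset live.
lockdown

#01-09 Setup
kernel start
#Need iptables module load brick
#Make sure ulogd running

#Set up the optional target chains.  These are just set up, not actually
#called from anywhere.  These need to be ready before they are used as
#targets of any of the following bricks.
banfor30
scrutinizedst
scrutinizesrc
#histogram
autoreject

#11-19 NAT/Mangle
#Need NAT/Mangle brick with sample NAT/Mangle lines.

#21-29 Mustblock (get rid of packets with invalid characteristics)
#Where a brick takes arguments, they are the chains created above
#(scrutinizesrc/scrutinizedst/banfor30) followed by the final action
#(DROP here) that the brick should use for matching packets.
macchk
inputsrcaddrtype
outputdstaddrtype
fwdsrcaddrtype
fwddstaddrtype
address
bogons
icmpchk
icmpfwdchk	scrutinizesrc banfor30 DROP
ipopts		scrutinizesrc banfor30 DROP
plength
tcpchk		scrutinizesrc banfor30 DROP
udpchk		scrutinizesrc banfor30 DROP
catchmapper	scrutinizesrc DROP
catchmapreply	scrutinizedst DROP


#31-39 Learn (must be before established)
mapssh
pasvmap

#Rules that actually allow traffic should be below this point.

#41-49 Mustallow
#Need OUTPUT DNS brick
#Need admin brick for incoming ssh, outgoing syslog perhaps

#51-59 Punish/recent (must follow rules that might refresh the recent tables)
scrutinize
checkbans
shunsrc
shundst
punishmapper

#61-69 Established, related (Everything after this can only refer to NEW rules)
established
#Need invalid brick (default LOG)

#71-79 Block (local policy)
blockfwdports
identreject

#81-89 Allow (local policy)
local-forward-accept
local-input-accept
local-output-accept

#91-94 Log
logremainder

#95-98 Policy
policy

#99
#Only reached when every brick above succeeded (see set -e at the top).
lockdown stop


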