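#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# Firebricks module template.  The module is driven by firebrickslib, which
# sets $Tasks (the actions to run), $IptablesBin, $AppIn, $Ipt and $Tail, and
# provides FlushOrNewChain, DestroyChain and DefaultHelp.  Each word of $Tasks
# selects one arm of the case statement below (link, unlink, create, destroy,
# status, version, help).
#
#ZZZZ The only things that need your attention have "ZZZZ" next to them.
#ZZZZ Please remove the ZZZZ help lines "#ZZZZ...." when you're done.

#ZZZZ Name of the module, will be used as chain name, probably the same as this file name.
Me='ZZZZ'
#ZZZZ A version string, mostly for human reference.
MyVersion='ZZZZ0.3'

# The configuration files and the library are sourced, i.e. executed in this
# shell (normally as root): they must be root-owned and not group/world
# writable, otherwise anyone who can edit them controls the firewall rules.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib" ] && . "${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib"
# FBLibVer is set by firebrickslib; without the library none of the helpers
# used below exist, so bail out rather than run half a module.
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# $Tasks, $IptablesBin, $AppIn, $Ipt and $Tail are deliberately left unquoted:
# they hold whitespace-separated lists / command words that must split.
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    # Chain creation errors (e.g. chain already exists) are intentionally ignored.
    $IptablesBin -N "$Me" >/dev/null 2>&1
    #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
    #ZZZZ For example, if you're only inspecting flags on tcp packets, put "-p tcp" on these I/O/F rules.
    #ZZZZ You should not need to change the preceding "-N $Me" line (or the "-X $Me" in the next section).
    # "-i \! lo" is the intrapositioned-negation form ("not the loopback
    # interface"); newer iptables prefer "! -i lo" but still accept this.
    $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
    $IptablesBin $AppIn FORWARD -j "$Me"
    $IptablesBin $AppIn OUTPUT -j "$Me"
    ;;
  unlink)
    #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
    $IptablesBin -D INPUT -i \! lo -j "$Me"
    $IptablesBin -D FORWARD -j "$Me"
    $IptablesBin -D OUTPUT -j "$Me"
    # Chain deletion errors (chain missing / still referenced) are intentionally ignored.
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me"
    FlushOrNewChain "$Me"
    #ZZZZ Your actual firewall rules go here. Write one line per type of malicious traffic.
    #ZZZZ _If_ the user chooses to log this packet, the optional LogAs='...' specifies what log ID string to use.
    #ZZZZ The "$Ipt" and "$Tail" pair handle the fact that the user may wish to specify more than one
    #ZZZZ action for malicious traffic (LOG, DROP, REJECT, etc.). All you need to do is specify the characteristics
    #ZZZZ in between "-A $Me" and "$Tail".
    #ZZZZ Sample lines follow; please delete them once you've written your own.
    # $IptablesBin -A $Me -s 127.0.0.1 -j RETURN
    #LogAs='ICMP-AMQ'
    $Ipt -A "$Me" -p icmp --icmp-type address-mask-request $Tail
    ;;
  destroy)
    echo "Stopping $Me"
    DestroyChain "$Me"
    ;;
  status)
    # Listing the chain succeeds only if it exists; output is discarded, the
    # exit status is the answer.
    if $IptablesBin -L "$Me" >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    #ZZZZ Please change the text to appropriate help text for this module. You should
    #ZZZZ cover what the module does, if it's generally safe to use, and under what
    #ZZZZ conditions it should not be used. Please replace the lines between the two
    #ZZZZ EOTEXT lines with your own.
    cat <<EOTEXT >&2
The $Me module puts in some blocks for fragmented icmp packets (illegal) and address mask and timestamp requests and replies. At best, these are uncommon and are used in network mapping; these should be safe to use on any network.
EOTEXT
    DefaultHelp
    ;;
  *)
    # Report the task actually being iterated ($OneTask); the original
    # referenced $Action, which is never set in this script.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done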