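#!/bin/sh
#
# modwall   Starts and stops a modwall firewall.
#
#
# chkconfig: 2345 18 92
# description: modwall is a modular firewall based on iptables.
# Version 0.4.1
#
# Environment (optional):
#   MODWALLCONF  path of the configuration file to source
#                (default /etc/modwall/modwall.conf).  When the file is
#                absent the script exits 0 without touching the firewall.
#
# The configuration file may define ModwallStart and ModwallStop itself;
# the default definitions further down are installed only when it does not.

# Debian flags for runlevels - similar to RH's chkconfig.
# Not referenced elsewhere in this script.
FLAGS="defaults 19"

# Source function library (Red Hat style), when present.
if [ -f /etc/rc.d/init.d/functions ]; then
  . /etc/rc.d/init.d/functions
fi

MODWALLCONF=${MODWALLCONF:-"/etc/modwall/modwall.conf"}
# No configuration file means modwall is not set up on this host: nothing
# to do, and not an error.
[ -f "$MODWALLCONF" ] || exit 0
# The file is sourced, i.e. executed with this script's privileges (normally
# root), and its path can be chosen through the environment.  It should be
# root-owned and not writable by anyone else, and only trusted callers
# should be able to run this script with MODWALLCONF set.  Quoted so a path
# containing spaces stays a single word.
. "$MODWALLCONF"

#MODWALLLIB=${MODWALLLIB:-"/usr/lib/modwall/modwalllib"}
#if [ -f $MODWALLLIB ]; then
#  . $MODWALLLIB
#else
#  echo Missing $MODWALLLIB library file. Please get a complete copy of Modwall from >&2
#  echo http://www.stearns.org/modwall/ . Exiting. >&2
#  exit
#fi

# Default start sequence, used when the configuration file did not define
# ModwallStart.  Each line runs one modwall "brick" found on the PATH; where
# a brick is given arguments they are passed through unchanged (the
# "scrutinizesrc banfor30 DROP" style arguments look like the actions the
# brick should chain to, but that is the bricks' contract, not this script's).
# NOTE(review): the one-brick-per-line layout below was reconstructed from
# a copy of this script whose line breaks had been lost; confirm the
# grouping of arguments against the packaged script.
if ! type ModwallStart >/dev/null 2>&1; then
  #Place the bricks to be called when "/etc/init.d/modwall start" is run
  ModwallStart () {
    # Bricks are resolved by name through PATH, so the modwall directory is
    # put first for the rest of this shell.  Anything not found there falls
    # through to the inherited PATH, which should hold only trusted
    # directories.
    export PATH="/usr/lib/modwall/:$PATH"
    lockdown
    kernel start
    banfor30
    scrutinizedst
    scrutinizesrc
    #histogram
    autoreject
    macchk
    inputsrcaddrtype
    outputdstaddrtype
    fwdsrcaddrtype
    fwddstaddrtype
    address
    bogons
    icmpchk
    icmpfwdchk scrutinizesrc banfor30 DROP
    ipopts scrutinizesrc banfor30 DROP
    plength
    tcpchk scrutinizesrc banfor30 DROP
    udpchk scrutinizesrc banfor30 DROP
    catchmapper scrutinizesrc DROP
    catchmapreply scrutinizedst DROP
    syncapture
    mapssh
    pasvmap
    scrutinize
    established
    checkbans
    shunsrc
    shundst
    punishmapper
    blockfwdports
    identreject
    local-forward-accept
    local-input-accept
    local-output-accept
    canarydst
    logremainder
    policy
    # "lockdown" opens the sequence and "lockdown stop" closes it; presumably
    # traffic is held while the ruleset is assembled -- confirm in the brick.
    lockdown stop
  }
fi

# Default stop sequence, used when the configuration file did not define
# ModwallStop.  Note that it is a single "lockdown" with no "stop": the
# firewall is left in the locked-down state rather than opened.
if ! type ModwallStop >/dev/null 2>&1; then
  #Place the bricks to be called when "/etc/init.d/modwall stop" is run
  ModwallStop () {
    export PATH="/usr/lib/modwall/:$PATH"
    lockdown
  }
fi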
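# See how we were called.
# Progress prefixes use printf rather than "echo -n": under #!/bin/sh the
# -n flag is not portable (dash's echo prints it literally).
# NOTE(review): the exit status is always 0; failures inside ModwallStart or
# ModwallStop are not checked or reported here.
case "$1" in
  start)
    printf 'Starting Modwall firewall: '
    ModwallStart
    # Red Hat convention: the subsys lock file marks the service as running.
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/modwall
    fi
    echo
    ;;
  stop)
    printf 'Shutting down Modwall firewall: '
    ModwallStop
    if [ -d /var/lock/subsys ]; then
      rm -f /var/lock/subsys/modwall
    fi
    echo
    ;;
  #status)
  #  status syslogd
  #  status klogd
  #  ;;
  restart|force-reload)
    # Both actions are a full stop followed by start; the ruleset is not
    # reloaded in place.
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac
exit 0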