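#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks module "snort-porn": installs the Snort "kickass-porn" string
# signatures as iptables string matches on TCP traffic from source port 80.
#
# This script is driven by the firebricks framework. The following come from
# firebrickslib and the config files sourced below, not from this file:
#   $Tasks       space-separated list of actions to run (link, create, ...)
#   $IptablesBin path to the iptables binary
#   $Ipt, $Tail  rule-adding wrapper and per-rule tail (may be multi-word)
#   $AppIn       insert/append flag used when linking (-A or -I)
#   $LogAs       tag read by the $Ipt wrapper; set per rule below
#   FlushOrNewChain, DestroyChain, DefaultHelp
#ZZZZ Check Me and MyVersion
Me='snort-porn'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then the per-module config, then the shared library.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# $Tasks is deliberately unquoted: it is a whitespace-separated action list.
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    $IptablesBin -N "$Me" >/dev/null 2>&1
    #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
    # Every rule in the create action is "-p tcp --sport 80", so the jumps could
    # carry the same criteria; that is deferred because unlink/replacelinks must
    # use exactly the criteria of whatever jumps are already installed.
    # $AppIn is left unquoted on purpose: it may hold more than one word.
    $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
    $IptablesBin $AppIn FORWARD -j "$Me"
    $IptablesBin $AppIn OUTPUT -j "$Me"
    ;;
  unlink)
    #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
    $IptablesBin -D INPUT -i \! lo -j "$Me"
    $IptablesBin -D FORWARD -j "$Me"
    $IptablesBin -D OUTPUT -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # One iptables string match per Snort rule. LogAs="SIDnnnn" is a prefix
    # assignment seen by the $Ipt wrapper; the trailing comment keeps the
    # original Snort msg, classtype and sid. Snort's "nocase" has no iptables
    # equivalent here, so these matches are case-sensitive (see "nocase-ignored").
    # NOTE(review): each --string value carries the surrounding double quotes
    # from the Snort content: field, so the kernel match looks for those quote
    # bytes too; confirm the string match in use expects them, otherwise the
    # rules only fire on payloads containing a literal '"'. Also confirm how
    # the match treats two --string options on one rule (sid:1782) — TODO.
    LogAs="SID1836" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"alt.binaries.pictures.erotica"' $Tail # '"PORN alt.binaries.pictures.erotica"' nocase-ignored classtype:kickass-porn sid:1836
    LogAs="SID1837" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"alt.binaries.pictures.tinygirls"' $Tail # '"PORN alt.binaries.pictures.tinygirls"' nocase-ignored classtype:kickass-porn sid:1837
    LogAs="SID1310" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"FREE XXX"' $Tail # '"PORN free XXX"' nocase-ignored classtype:kickass-porn sid:1310
    LogAs="SID1311" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"hardcore anal"' $Tail # '"PORN hardcore anal"' nocase-ignored classtype:kickass-porn sid:1311
    LogAs="SID1312" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"nude cheerleader"' $Tail # '"PORN nude cheerleader"' nocase-ignored classtype:kickass-porn sid:1312
    LogAs="SID1313" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"up skirt"' $Tail # '"PORN up skirt"' nocase-ignored classtype:kickass-porn sid:1313
    LogAs="SID1315" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"hot young sex"' $Tail # '"PORN hot young sex"' nocase-ignored classtype:kickass-porn sid:1315
    LogAs="SID1316" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"fuck fuck fuck"' $Tail # '"PORN fuck fuck fuck"' nocase-ignored classtype:kickass-porn sid:1316
    LogAs="SID1317" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"anal sex"' $Tail # '"PORN anal sex"' nocase-ignored classtype:kickass-porn sid:1317
    LogAs="SID1318" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"hardcore rape"' $Tail # '"PORN hardcore rape"' nocase-ignored classtype:kickass-porn sid:1318
    LogAs="SID1319" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"real snuff"' $Tail # '"PORN real snuff"' nocase-ignored classtype:kickass-porn sid:1319
    LogAs="SID1320" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"fuck movies"' $Tail # '"PORN fuck movies"' nocase-ignored classtype:kickass-porn sid:1320
    LogAs="SID1781" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"dildo"' $Tail # '"PORN dildo"' nocase-ignored classtype:kickass-porn sid:1781
    LogAs="SID1782" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"nipple"' --string '"clamp"' $Tail # '"PORN nipple clamp"' nocase-ignored nocase-ignored classtype:kickass-porn sid:1782
    LogAs="SID1783" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"oral sex"' $Tail # '"PORN oral sex"' nocase-ignored classtype:kickass-porn sid:1783
    LogAs="SID1784" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"nude celeb"' $Tail # '"PORN nude celeb"' nocase-ignored classtype:kickass-porn sid:1784
    LogAs="SID1786" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"raw sex"' $Tail # '"PORN raw sex"' nocase-ignored classtype:kickass-porn sid:1786
    LogAs="SID1794" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"masturbat"' $Tail # '"PORN masturbation"' nocase-ignored classtype:kickass-porn sid:1794
    LogAs="SID1795" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"ejaculat"' $Tail # '"PORN ejaculation"' nocase-ignored classtype:kickass-porn sid:1795
    LogAs="SID1797" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"BDSM"' $Tail # '"PORN BDSM"' nocase-ignored classtype:kickass-porn sid:1797
    LogAs="SID1833" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"naked lesbians"' $Tail # '"PORN naked lesbians"' nocase-ignored classtype:kickass-porn sid:1833
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Park the live chain under a random name so a fresh $Me can be created
    # and then swapped in by replacelinks within the same run.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    # Refuse to touch the built-in chains unless exactly one jump to the
    # parked chain exists in each of INPUT, FORWARD and OUTPUT; -R needs an
    # unambiguous rule number.
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$($IptablesBin -L INPUT -n --line-numbers | grep -c -F -- "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$($IptablesBin -L FORWARD -n --line-numbers | grep -c -F -- "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$($IptablesBin -L OUTPUT -n --line-numbers | grep -c -F -- "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
      #ZZZZ Criteria should go just in front of "-j $Me"
      $IptablesBin -R INPUT "$($IptablesBin -L INPUT -n --line-numbers | grep -F -- "$TempChain" | awk '{print $1}')" -i \! lo -j "$Me"
      $IptablesBin -R FORWARD "$($IptablesBin -L FORWARD -n --line-numbers | grep -F -- "$TempChain" | awk '{print $1}')" -j "$Me"
      $IptablesBin -R OUTPUT "$($IptablesBin -L OUTPUT -n --line-numbers | grep -F -- "$TempChain" | awk '{print $1}')" -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    DefaultHelp
    # Module-specific help (the template text from another module was replaced).
    cat <<EOTEXT >&2
The $Me module inspects TCP traffic from source port 80 (HTTP responses)
for the plain-text strings of the Snort "kickass-porn" rules listed in the
create action and hands each match to the firebrickslib Tail action, tagged
with the matching Snort SID. Matching is per packet, case-sensitive (Snort's
nocase is not applied) and sees cleartext only; legitimate pages can trigger
it, so treat hits as indicators rather than proof. Every HTTP response packet
gets a string search, so enable this only where content monitoring of web
browsing is wanted.
EOTEXT
    ;;
  *)
    # The loop variable is $OneTask; the old message printed an unset $Action.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done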