#!/bin/bash
#
# functions - This file contains the functions for the firewall
#
# Curt Rebelein, Junior
# fw@rebby.com
#

###############################
### informational functions ###
###############################

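displayhelp() {
   # Print the short usage text for rFW to stdout.
   # Globals: VERSION (read), ECHO (read; falls back to the shell's echo when
   #          unset so the help is still printable before the config is loaded)
   # Returns: status of the last $ECHO call
   local echo_cmd=${ECHO:-echo}
   $echo_cmd -e "rFW v$VERSION\nUsage: rFW [OPTION]"
   $echo_cmd "Simple script for counting packets/bytes of data."
   $echo_cmd "   -help         display this help"
   $echo_cmd "   -version      display version information"
   $echo_cmd "   -status       display the firewall status"
   $echo_cmd "   -start        start the firewall"
   $echo_cmd "   -stop         flush the rules, policies, & counters"
   $echo_cmd -e "   -restart      restart the firewall\n"
   $echo_cmd -e "Report bugs to <fw@rebby.com>."
} # end displayhelp()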

displayversion() {
   # Print the rFW banner (name + $VERSION) and the bug-report address.
   # Globals: VERSION (read), ECHO (read; must understand -e for the \n)
   local banner="rFW v$VERSION"
   $ECHO -e "${banner}\nReport bugs to <fw@rebby.com>."
} # end displayversion()

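status() {
   # Show the version banner, then list the live filter-table rules.
   # Globals: IPT (read) - iptables command
   #          IPT_OPTS (read) - single-letter iptables flags to prepend, e.g.
   #          "nv"; when empty no flag is passed at all (a bare "-" is not a
   #          valid iptables option and would make the listing fail)
   # Returns: status of the iptables call
   displayversion
   $IPT ${IPT_OPTS:+"-$IPT_OPTS"} -L
} # end status()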

#######################################
### functions that control the flow ###
#######################################

stopfw() {
   # "Stop" the firewall: default policies go to ACCEPT first so the flush
   # cannot cut off a remote admin session, then every chain is flushed and
   # its counters are reset.  Note that the resulting state is fully open
   # (ACCEPT on every built-in chain), not a closed host.
   local step
   for step in openpolicy flushchains zerochains; do
      "$step"
   done
} # end stopfw()

restart() {
   # Restart the firewall: open the default policies so the flush inside
   # start() cannot lock out the current session, then run the normal start
   # sequence.  Nothing in this file sets the policies back to DROP/REJECT
   # afterwards, so they remain ACCEPT after a restart (see openpolicy()).
   openpolicy   # policies -> ACCEPT before any chain is touched
   start        # flush, /proc settings, user chains, rules
} # end restart()

start() {
   # Bring the rule set up, in this fixed order:
   #   flushchains     - empty and delete existing chains
   #   procrules       - kernel settings under /proc (ip_forward)
   #   buildusertables - create the FWD-IN / FWD-OUT user chains
   #   setuprules      - populate them from $NETWORKS
   # Default policies are not changed here; see openpolicy().
   local step
   for step in flushchains procrules buildusertables setuprules; do
      "$step"
   done
} # end start()

##############################
### functions for flushing ###
##############################

flushchains() {
   # Empty every chain (-F) and then remove the user-defined ones (-X), first
   # in the default (filter) table, then in the nat table.  -F runs before -X
   # because iptables only deletes a user chain once it is empty.
   # Globals: IPT (read)
   local op
   for op in -F -X; do
      $IPT $op
      $IPT -t nat $op
   done
} # end flushchains()

zerochains() {
   # Reset packet/byte counters: all filter-table chains at once, then the
   # three built-in nat chains one by one.  Nothing is deleted here.
   # Globals: IPT (read)
   local chain
   $IPT -Z
   for chain in PREROUTING POSTROUTING OUTPUT; do
      $IPT -t nat -Z "$chain"
   done
} # end zerochains()

#########################
### set up the policy ###
#########################

openpolicy() {
   # Set the default policy of every built-in filter chain to ACCEPT.
   # This is the only function in this file that sets a policy, and the
   # rules added by setuprules() are all ACCEPT as well, so after stopfw()
   # or restart() the host accepts and forwards everything unless rules
   # from somewhere else restrict it.
   # Globals: IPT (read)
   local chain
   for chain in INPUT OUTPUT FORWARD; do
      $IPT -P "$chain" ACCEPT
   done
} # end openpolicy()

###################
### set up proc ###
###################

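procrules() {
   # Kernel-side settings that accompany the rules.
   #
   # Arguments: $1 - (optional) path of the ip_forward sysctl file; defaults
   #                 to /proc/sys/net/ipv4/ip_forward.  Mainly for testing.
   # Outputs:   diagnostics on stderr (stdout stays clean for status output)
   # Returns:   0 when forwarding was enabled, 1 when the sysctl file is
   #            missing or could not be written (e.g. not running as root)
   #
   # The source-address verification (rp_filter) and SYN-cookie settings
   # below are still commented out, i.e. this function does NOT enable them;
   # they are kept as the author left them.
   #for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   #   echo 1 > $f
   #done
   #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

   local fwd=${1:-/proc/sys/net/ipv4/ip_forward}

   # Enable IPv4 forwarding.  This is unconditional: there is no check of
   # whether forwarding is actually needed, so the host becomes a router
   # whenever the sysctl exists and is writable.
   if [ ! -e "$fwd" ]; then
      printf '\n%s does not exist!\n' "$fwd" >&2
      return 1
   fi
   if ! echo 1 > "$fwd"; then
      printf 'procrules: could not write to %s\n' "$fwd" >&2
      return 1
   fi
   return 0
} # end procrules()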

####################
### set up rules ###
####################

buildusertables() {
   # Create the two user chains that FORWARD traffic is dispatched to in
   # setuprules(): FWD-IN (matched on source) and FWD-OUT (matched on
   # destination), both in the filter table.  flushchains() removes any
   # previous instances beforehand; set -e is not in effect, so a failed
   # -N is reported by iptables but does not abort the script.
   # Globals: IPT (read)
   local chain
   for chain in FWD-IN FWD-OUT; do
      $IPT -t filter -N "$chain"
   done
} # end buildusertables()

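setuprules() {
   # Hook the user chains into FORWARD and accept traffic to/from every
   # network listed in $NETWORKS.
   # Globals: IPT (read)
   #          NETWORKS (read) - whitespace-separated list of networks; an
   #          empty list only installs the two FORWARD jumps
   # Returns: status of the last iptables call
   #
   # NOTE(review): every rule here is -j ACCEPT and openpolicy() sets ACCEPT
   # defaults, so this file alone never rejects any traffic; any deny rules
   # must come from elsewhere (not visible in this file).
   $IPT -A FORWARD -j FWD-IN
   $IPT -A FORWARD -j FWD-OUT

   local net
   # word-splitting of $NETWORKS is intended (it is a list, not a path)
   # shellcheck disable=SC2086
   for net in $NETWORKS; do
      $IPT -A FWD-OUT -d "$net" -j ACCEPT
      $IPT -A FWD-IN -s "$net" -j ACCEPT
   done
} # end setuprules()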

# we're done!!! :-)
