#!/bin/sh
#
# /etc/init.d/firewall : SliTaz firewall daemon script
# Configuration file   : /etc/slitaz/firewall.conf
# Firewall script      : /etc/slitaz/firewall.sh
#

. /etc/init.d/rc.functions
. /etc/slitaz/firewall.conf

case "$1" in
	start)
		# Kernel security. 0 = disable, 1 = enable.
		#
		if [ "$KERNEL_SECURITY" = "yes" ] ; then
			echo -n "Setting up kernel security rules... "

			# ICMP redirects acceptance.
			for conf in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
				echo "0" > $conf
			done
			for conf in /proc/sys/net/ipv4/conf/*/secure_redirects ; do
				echo "0" > $conf
			done

			# IP source routing.
			for conf in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
				echo "0" > $conf
			done

			# Log impossible addresses.
			for conf in /proc/sys/net/ipv4/conf/*/log_martians ; do
				echo "1" > $conf
			done

			# Ip spoofing protection
			for conf in /proc/sys/net/ipv4/conf/*/rp_filter; do
				echo "1" > $conf
			done
			echo "1" > /proc/sys/net/ipv4/tcp_syncookies
			status
		else
			echo "WARNING: Kernel security rules are disabled"
		fi
		# Netfilter/IPtables rules
		if [ "$IPTABLES_RULES" = "yes" ] ; then
			echo -n "Starting IPtables firewall: /etc/slitaz/firewall.sh"
			/etc/slitaz/firewall.sh
			status
		else
			echo "WARNING: IPtables rules are disabled"
		fi ;;
	stop)
		if [ "$IPTABLES_RULES" = "yes" ] ; then
			echo -n "Stopping iptables firewall rules... "
			iptables -P INPUT ACCEPT
			iptables -P OUTPUT ACCEPT
			iptables -P FORWARD ACCEPT
			iptables -F
			iptables -X
			status
		else
			echo "Iptables rules are disabled... "
		fi ;;
	restart)
		$0 stop
		sleep 2
		$0 start ;;
	status)
		echo ""
		echo -e "\033[1m===================== SliTaz firewall statistics =====================\033[0m"
		echo ""
		if [ "$KERNEL_SECURITY" = "yes" ] ; then
			echo "Kernel security: enabled"
		else
			echo "Kernel security: disabled"
		fi
		echo -e "\nNetfilter/iptables rules:\n"
		iptables -nL
		echo "" ;;
	*)
		echo ""
		echo -e "\033[1mUsage:\033[0m $0 [start|stop|restart|status]"
		echo "" ;;
esac
