File: bastille-ipchains

package info (click to toggle)
bastille 1%3A1.3.0-2.1
links: PTS
area: main
in suites: woody
size: 1,576 kB
ctags: 397
sloc: perl: 8,407; sh: 1,879; ansic: 638; makefile: 203; csh: 17
file content (654 lines) | stat: -rw-r--r-- 21,995 bytes
#!/bin/sh
#
# /sbin/bastille-ipchains		Load/unload ipchains rulesets
#
# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-ipchains,v $ 
# Modified by: $Author: peterw $
# $Date: 2001/08/18 15:38:31 $
# $Revision: 1.18 $
#
# Copyright (C) 1999-2001 Peter Watkins 
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
#
# This script is designed to be called BY a SysV-style init script.
#
# It should be run with a "start" argument
#	1) BY an rc?.d "S" script, _before_ the "network" script
#	   (normally via the "bastille-firewall" init script; 
#	    as of 2001/02/14, the only purpose of bastille-firewall
#	    is to start this script)
#	2) any time an interface is brought up or changed, e.g.
#	   establishing a PPP conection or renewing a DHCP lease
# [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and
#  'ifup-local' to /sbin/ (in addition to the bastille-firewall init script]
#
#   Normally you Do Not _Ever_ Want to run this with a "stop" argument!
#
# Note that running this with "stop" will disable the firewall and open
# your system to all network traffic; if you make changes to these rules,
# apply them by running the script again with a "start" argument.

PATH=/bin:/sbin:/usr/bin:/usr/sbin
IPCHAINS=/sbin/ipchains
CONFIG=/etc/Bastille/bastille-firewall.cfg

if [ ! -f ${CONFIG} ]; then
	echo "ERROR: unable to read configuration file \"${CONFIG}\""
	exit 1
fi

# source the configuration file, which will set environment variables
. ${CONFIG}

if [ -z "${TRUSTED_IFACES}" ]; then
        echo "ERROR: no trusted interfaces specified! Exiting!"
        exit 1
fi

#
# Computed values
# 
# These things should be queried/computed at run time
#
# LOCAL_ADDRESSES
#
# LOCAL_ADDRESSES lists all IP addresses for this server 
#  (for the INTERNAL_SERVICES rules); if you have virtual 
#  network devices, you may want to hand-code this, e.g.
# LOCAL_ADDRESSES="127.0.0.0/8"
#
# The following makes a list of all current IP addresses
LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: `
#
#
# INTERNAL_NETWORKS
#
# INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES
# e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0"
# The following makes a list of all current internal IP addresses _with netmasks_
for i in ${INTERNAL_IFACES} ; do
	INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} 2>/dev/null| grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`"
done
#
#
# DNS_SERVERS
#
# Derive this from /etc/resolv.conf if it's not set already
# Note we only take the first three as most systems' resolvers
# can only use three nameservers; see MAXNS in resolv.h for details
MAXNS=3
if [ -z "${DNS_SERVERS}" ]; then
	DNS_SERVERS=`grep nameserver /etc/resolv.conf | awk -F\# '{print $1}' | grep '^nameserver' | awk '{print $2"/32"}' | head -${MAXNS}`
fi
#
#
# LOG_FLAG
# 
# Flag to add to ${REJECT_METHOD} rules to force logging
if [ "${LOG_FAILURES}" = "Y" ]; then
	LOG_FLAG="-l"
else
	LOG_FLAG=""
fi
#
#
# CALLED_METHOD
#
# Variable to hold $1, for use in functions (which have their own $1 vars)
CALLED_METHOD="$1"
#
#
# REJECT_METHOD
# Convert netfilter/DROP to ipchains/DENY
if [ "${REJECT_METHOD}" = "DROP" ]; then
        REJECT_METHOD="DENY"
fi
#
#
# NTP_SERVERS
#
# Do hostname lookups for any names in NTP_SERVERS
#
ntp_server_addrs=""
for n in ${NTP_SERVERS}; do
	ip=`echo ${n} | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'`
	if [ -n "${ip}" ]; then
		# looks like an IP address, use it as-is
		ntp_server_addrs="${ntp_server_addrs} ${ip}"
	else
		# use 'host' t resolve address
		ip=`host ${n} 2>/dev/null| awk '/ has address / { print $4 }' | head -1`
		ntp_server_addrs="${ntp_server_addrs} ${ip}"
	fi
done


#
# Shell functions
#
# include_supplemental
# source supplemental (plug-in) firewall scripts
include_supplemental()
{
        # args: $1 = nickname for the supplemental phase
        nickname="$1"
        if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then
                cd /etc/Bastille/firewall.d && . ./${nickname}.sh
        fi
        if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then
                for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do
                        cd /etc/Bastille/firewall.d/${nickname}.d && \
                        . ${s}
                done
        fi
}
#
# do_masq_mods
# Function to load/unload "ip_masq_*" kernel modules
do_masq_mods()
{
	# args: $1 = "load" or "unload"
	#
	# find the currently loaded modules
	masq_mods=`lsmod | awk '{print $1}' | grep '^ip_masq_'`
	#
	# Step 1: unload unwanted modules
	for m in ${masq_mods} ; do
		UNLOAD_THIS_MOD=Y
		for normal_mod in ${IP_MASQ_MODULES} ; do
			if [ "ip_masq_${normal_mod}" = $m ]; then
				# this module is _supposed_ to be loaded
				UNLOAD_THIS_MOD=N
			fi
		done
		if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then
			# we're either disabling the firewall or we've disabled masquerading,
			# so we should unload _all_ masq modules
			UNLOAD_THIS_MOD=Y
		fi
		if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then
			rmmod $m || echo "Error unloading ${m} module"
		fi
	done
	# Step 2: load wanted modules that are not already loaded
	if [ $1 = "load" ]; then
		for normal_mod in ${IP_MASQ_MODULES} ; do
			MOD_LOADED=N
			for m in ${masq_mods} ; do
				if [ "ip_masq_${normal_mod}" = ${m} ]; then
					MOD_LOADED=Y
				fi
			done
			if [ $MOD_LOADED = "N" ]; then
				insmod "ip_masq_${normal_mod}" || echo "Error loading ip_masq_${normal_mod} module"
			fi
		done
	fi
}

# See how we were called.
case "$1" in
  start|reload|restart)
	#
        # anything to do before resetting?
        include_supplemental pre-reset
	#
	# For Red Hat users, let's ensure that its firewalls are disabled
	rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on`
	rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on`
	bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on`
	if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then
		echo
		echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'"
		echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls."
		[ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off
		[ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off
		echo
	fi
	# load the IPCHAINS compatibilty module if we're using a 2.4 kernel
	if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
		echo "Loading ipchains compatibility module"
		modprobe ipchains 
	fi
	#
	# we set defaults to DENY now to minimize possible interruptions
	# if this script is re-run to reset rules
	#
	# set default policy to disallow forwarding
	${IPCHAINS} -P forward DENY
	# flush rules
	${IPCHAINS} -F forward
	# default is to disallow incoming traffic	
	${IPCHAINS} -P input DENY
	# flush rules 
	${IPCHAINS} -F input
	# disallow outbound until we set up the explicit outbound rules
	${IPCHAINS} -P output DENY
	# flush rules 
	${IPCHAINS} -F output

	# Run our "early" custom script if it exists
	[ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh

        # any new-style "early" plugins?
        include_supplemental early

	# always allow MTU discovery packets
	${IPCHAINS} -A input -p icmp --icmp-type fragmentation-needed -j ACCEPT
	${IPCHAINS} -A output -p icmp --icmp-type fragmentation-needed -j ACCEPT

        include_supplemental pre-local-block

	# Block any non-local attempts to get localhost addresses
	# per woody@thebunker.net's bugtraq post
	${IPCHAINS} -A input -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} ${LOG_FLAG}

	# Fragments
	if [ "${ALLOW_FRAGMENTS}" = "N" ]; then
		${IPCHAINS} -A input -f -j ${REJECT_METHOD}
	fi 

	# from the ipchains HOWTO, I think
	if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then
		if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        		echo -n "Setting up IP spoofing protection..."
		        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            		echo 1 > $f
        		done
        		echo " done."
		else
        		echo "WARNING: errors encountered while trying to enable IP spoofing protection!"
		fi
	fi

	include_supplemental pre-trusted

	# Allow all traffic from trusted interfaces
	echo -n "Allowing traffic from trusted interfaces..."
	for t_iface in ${TRUSTED_IFACES} ; do	
		${IPCHAINS} -A input -i ${t_iface} -d 0.0.0.0/0 -j ACCEPT
	done
	echo " done. "

	# If you have networks that route traffic to each other through this
	# server, you may want to add some forwarding rules, here, e.g.
	# one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0"
	#${IPCHAINS} -A forward -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT	
	# the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1"
	#${IPCHAINS} -A forward -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT	

	include_supplemental pre-mcast-block

	# No packets with multicast source addresses (Joshua K, RFC 1122)
	${IPCHAINS} -A input -s 224.0.0.0/4 -j ${REJECT_METHOD} ${LOG_FLAG}

	# Forwarding

	include_supplemental pre-nat

	# IP Masquerading/forwarding
	#
	# Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list)
	do_masq_mods unload
	#
	if [ -n "${IP_MASQ_NETWORK}" ]; then
		echo -n "Setting up masquerading rules..."	
		# since we've set the default forwarding policy to
		# reject, we can enable forwarding now
		echo 1 > /proc/sys/net/ipv4/ip_forward
		# set up rules for masqueraded networks
		for net in ${IP_MASQ_NETWORK} ; do
			if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then
				# NetBIOS
				${IPCHAINS} -A forward -p tcp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG}
				${IPCHAINS} -A forward -p udp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG}
			fi
			for pub in ${PUBLIC_IFACES} ; do
				# NAT should be one-way, deny traffic from public
				# interfaces that is addresses to masq'ed networks
				${IPCHAINS} -A input -d ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
				# spoofed addreses from outside
				${IPCHAINS} -A input -s ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
				# enable forwarding
				${IPCHAINS} -A forward -s ${net} -i ${pub} -j MASQ
			done
		done
		echo " done."
		echo -n "Loading masquerading modules..."	
		do_masq_mods load
		echo " done."
	fi
	
	echo -n "Setting up chains for public/internal interface traffic..."	

	# make a public input chain
	${IPCHAINS} -N PUB_IN 2> /dev/null
	${IPCHAINS} -F PUB_IN
	# as close to setting policy as we can get
	${IPCHAINS} -A PUB_IN -j DENY
	# make a public output chain
	${IPCHAINS} -N PUB_OUT 2> /dev/null
	${IPCHAINS} -F PUB_OUT
	# as close to setting policy as we can get
	${IPCHAINS} -A PUB_OUT -j DENY

	# make an "INTERNAL" input chain
	${IPCHAINS} -N INT_IN 2> /dev/null
	${IPCHAINS} -F INT_IN
	# as close to setting policy as we can get
	${IPCHAINS} -A INT_IN -j DENY
	# make an "INTERNAL" output chain
	${IPCHAINS} -N INT_OUT 2> /dev/null
	${IPCHAINS} -F INT_OUT
	# as close to setting policy as we can get
	${IPCHAINS} -A INT_OUT -j DENY

	include_supplemental pre-chain-split

	# direct packets to the INTERNAL_* chains
	for iface in ${INTERNAL_IFACES} ; do
		${IPCHAINS} -A input -i ${iface} -j INT_IN
		${IPCHAINS} -A output -i ${iface} -j INT_OUT
		NON_LOOPBACK_SEEN=N
		for net in ${LOCAL_ADDRESSES} ; do
			if [ ${net} != "127.0.0.1/8" ]; then
				NON_LOOPBACK_SEEN=Y
			fi
		done	
		# complain if no local addresses
		if [ ${NON_LOOPBACK_SEEN} = "N" ]; then
			echo "WARNING: no non-loopback local addresses; protection from INTERNAL_IFACES not enabled!"
		fi
	done

	# Direct PUBLIC interface traffic to the proper chain
	for iface in ${PUBLIC_IFACES} ; do
		${IPCHAINS} -A input -i ${iface} -j PUB_IN
		${IPCHAINS} -A output -i ${iface} -j PUB_OUT
	done

	include_supplemental pre-audit

	# Auditing must be set up before these packets are blocked!
	#
	for service in ${TCP_AUDIT_SERVICES} ; do
		${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${service} -y  -l
	done   
	for service in ${UDP_AUDIT_SERVICES} ; do
		${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${service} -l
	done   
	for type in ${ICMP_AUDIT_TYPES} ; do
		${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -l 
	done

	# disallow any attempts to get to internal interfaces from outside
	# not good if this is supposed to route between normal networks
	for int in ${INTERNAL_NETWORKS} ; do
		# deny traffic from public
		# interfaces that is addressed to internal networks
		${IPCHAINS} -A PUB_IN -d ${int} -j ${REJECT_METHOD} ${LOG_FLAG}
		# spoofed addreses from outside
		${IPCHAINS} -A PUB_IN -s ${int} -j ${REJECT_METHOD} ${LOG_FLAG}
	done
	
	echo " done. "
		
	echo -n "Setting up general rules..."	

	include_supplemental pre-dhcp

	# Allow response from DHCP servers
	for iface in ${DHCP_IFACES} ; do
		for chain in input PUB_IN INT_IN ; do
			# allow UDP responses
			${IPCHAINS} -A ${chain} -p udp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT 		
			# normally we allow TCP data returns so this is redundant
			# ${IPCHAINS} -A ${chain} -p tcp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT 		
		done
		# make link so dhcpcd runs firewall when IP changes (if no such file already)
		[ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750
		if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then
			ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe
		fi
	done

	include_supplemental pre-internal

	# internal interface rules
	for net in ${LOCAL_ADDRESSES} ; do
		# Allow accessses to TCP services on this system
		for serv in ${TCP_INTERNAL_SERVICES} ; do
			${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} -j ACCEPT 		
		done
		${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} \! -y -j ACCEPT
		# UDP services
		for serv in ${UDP_INTERNAL_SERVICES} ; do
			${IPCHAINS} -A INT_IN -p udp -d ${net} ${serv} -j ACCEPT 
		done
	done
	# ICMP
	# hopefully you don't care about hiding from internal hosts!
	${IPCHAINS} -A INT_IN -p icmp -d 0.0.0.0/0 -j ACCEPT 
	${IPCHAINS} -A INT_OUT -p icmp -d 0.0.0.0/0 -j ACCEPT 
	# ...but if you do... try this... (and see the PUB_IN rules below)
	#for type in ${ICMP_ALLOWED_TYPES} ; do
	#	${IPCHAINS} -A INT_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT 
	#done
	#for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
	#	${IPCHAINS} -A INT_OUT -p icmp --icmp-type ${type} -j REJECT
	#done
        
	# input rules
	#
	# public interfaces

	include_supplemental pre-input

	# --------------------- ICMP --------------------------
	for type in ${ICMP_ALLOWED_TYPES} ; do
		${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT 
	done

	# --------------------- TCP --------------------------
	for serv in ${TCP_PUBLIC_SERVICES} ; do
		${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${serv} -j ACCEPT 		
	done

	# if you're disallowing ICMP, you may be trying to look 
	# invisible/disable ping, so let's just drop these attempts
	${IPCHAINS} -A PUB_IN -p icmp -d 0.0.0.0/0 -j DENY ${LOG_FLAG}

	for chain in PUB_IN INT_IN ; do
		if [ ${FORCE_PASV_FTP} != "Y" ]; then
			# no point explicitly blocking TCP services unless active FTP is enabled
			# Step 1: block the high port TCP services
			for serv in ${TCP_BLOCKED_SERVICES} ; do
				# only block -y initial connects; in case the port was needlessly
				# specified, this should still enable it to be used as a source
				# port for non-FTP connecions from this host or machines using it as a gateway
				${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 ${serv} -y -j ${REJECT_METHOD} ${LOG_FLAG}
			done
			# FEATURE: check bound high TCP and complain?
			# Step 2: allow the ftp-data connections
			${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 1024: -s 0.0.0.0/0 ftp-data -j ACCEPT
		fi

		# general response to my TCP requests
		${IPCHAINS} -A ${chain} -p tcp \! -y -j ACCEPT
	
		# no TCP requests to other ports (redundant)
		# ${IPCHAINS} -A ${chain} -p tcp -j ${REJECT_METHOD} ${LOG_FLAG}
	
		# --------------------- UDP --------------------------
		for serv in ${UDP_PUBLIC_SERVICES} ; do
			${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${serv} -j ACCEPT 		
		done

		# This isn't necessary unless you have DNS_SERVERS or NTP_SERVERS
		# but who wouldn't have DNS servers configured?
		for serv in ${UDP_BLOCKED_SERVICES} ; do
			${IPCHAINS} -A ${chain} -p udp -d 0.0.0.0/0 ${serv} -j ${REJECT_METHOD} ${LOG_FLAG}
		done

		for dns_net in ${DNS_SERVERS} ; do
			${IPCHAINS} -A ${chain} -p udp -s ${dns_net} domain -d 0.0.0.0/0 1024: -j ACCEPT
		done

		for ntp_net in ${ntp_server_addrs} ; do
			# this allows unprivileged queries, e.g. 'ntpdate'
			${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 1024: -j ACCEPT
			# this allows you to run an ntp daemon to maintain 
			# system time nore gracefully than with 'ntpdate'
			${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 ntp -j ACCEPT
		done
		# Reject other UDP (redundant)
		#${IPCHAINS} -A ${chain} -p udp -j ${REJECT_METHOD} ${LOG_FLAG}
	done

	
	# end of loop through public interfaces for input rules

	if [ ${FORCE_PASV_FTP} != "Y" -a \( -n "${PUBLIC_IFACES}" -o -n "${INTERNAL_IFACES}" \) ]; then
		# warning
		echo
		echo "WARNING: allowing \"active\" FTP; any unknown TCP services running"
		echo "on high ports will be vulnerable; blocking too many high TCP ports"
		echo "may affect various TCP _clients_ running on this machine or using"
		echo "this machine as a gateway."
	fi

	# now we can deny the attempts from the internal interfaces to this host
	for tnet in ${LOCAL_ADDRESSES} ; do
		for chain in PUB_IN INT_IN ; do
			${IPCHAINS} -A ${chain} -d ${tnet} -j ${REJECT_METHOD} ${LOG_FLAG}
		done
	done
	# now that we've blocked attempts from the internal interfaces
	# to the IP's on this server, we need to accept other connections
	# so the IP Masq / NAT will function
	for net in ${IP_MASQ_NETWORK} ; do
		for chain in PUB_IN INT_IN ; do
			${IPCHAINS} -A ${chain} -s ${net} -j ACCEPT
		done
	done

	# --------------------- catch-all --------------------------
	# Reject all other traffic (redundant if not logging)
	if [ ${LOG_FAILURES} = "Y" ]; then
		for chain in input forward PUB_IN INT_IN ; do
 			${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG}
 		done
 	fi

	#
       	echo " done."

	echo -n "Setting up outbound rules..."	

	include_supplemental pre-output

	# block outbound ICMP types (usu. to hide from traceroute)
	for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
		# ** The following will limit ICMP on public and internal interfaces:
		# for chain in PUB_OUT INT_OUT ; do
		# ** but our default is to only limit outbound ICMP on public interfaces
		for chain in PUB_OUT ; do
			${IPCHAINS} -A ${chain} -p icmp --icmp-type ${type} -j REJECT ${LOG_FLAG}
		done
	done
	# 
	# Here you might really lock things down if this is a server,
	# e.g., to keep it from doing anything but connecting to
	# SMTP servers and responding to Web requests, or whatever
	# the specific requirements are. 
	#
	# Such lockdowns are recommended if the situation affords you
	# that flexibility.
	#
	# default is to enable outbound traffic
	# (again, here, for a server you might default to ${REJECT_METHOD} )
	${IPCHAINS} -P output ACCEPT

	include_supplemental pre-policy-reset
	
	# Now that all rules are set, we can change the policies
	# to the user preference safely
	${IPCHAINS} -P forward ${REJECT_METHOD}
	${IPCHAINS} -P input ${REJECT_METHOD}
	# to set default "policies" for PUB_* and INT_* chains, add a final rule
	if [ ${LOG_FAILURES} != "Y" ]; then
		# if LOG_FAILURES were set, we would have already done this
		for chain in PUB_IN INT_IN ; do
			${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG}
		done
	fi
	for chain in PUB_OUT INT_OUT ; do
		${IPCHAINS} -A ${chain} -j ACCEPT
	done
	# rule 1 in all of these chains is a deny rule; remove it so other rules work
	for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do
		${IPCHAINS} -D ${chain} -j DENY
	done

	include_supplemental post-rule-setup
	
	echo " done."

	;;
  stop)
	include_supplemental pre-drop-rules
	echo
	echo "WARNING: reverting to default settings (dropping firewall)"
	# We should disable NAT/forwarding even if not set to restore defaults
	echo -n "disabling IP forwarding..."	
	echo 0 > /proc/sys/net/ipv4/ip_forward
	echo " done."
	echo -n "unloading masquerading modules..."	
	do_masq_mods unload
	echo " done."
	# flushing seems to leave the default input at ${REJECT_METHOD}
	echo -n "resetting default input rules to accept..."
	${IPCHAINS} -P input ACCEPT
	echo " done."
	echo -n "resetting default output rule to accept..."
	${IPCHAINS} -P output ACCEPT
	echo " done."
	#  We disabled forwarding with the /proc interface, but we
	#  reset FORWARD to ACCEPT because that;s the normal default
	echo -n "resetting default forward rule to accept..."
	${IPCHAINS} -P forward ACCEPT
	echo " done."
	for chain in input output forward ; do
		echo -n "flushing ${chain} rules..."	
		${IPCHAINS} -F ${chain}
		echo " done."
	done
	# flush and delete the user-defined chains
	echo -n "removing user-defined chains..."	
	for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do
		${IPCHAINS} -F ${chain}
		${IPCHAINS} -X ${chain}
	done
	include_supplemental post-drop-rules
	echo " done."
	;;
  status)
	${IPCHAINS} -L -v -n
	;;
  *)
	echo "Usage: $0 {start|restart|reload|stop|status}"
	exit 1
esac

exit 0