X-Git-Url: http://git.squeep.com/?p=firewall-squeep;a=blobdiff_plain;f=firewall.sh;h=356075c424f98eb5d40a071a543455ba17a018a1;hp=34184eefcdaa2091b669dcca60a0c6e2cfda0697;hb=3943c9626bd2f4b0829c666406340852cfca66e8;hpb=0f864e054ebdb2c6606721dc49db867fe93cb61e
diff --git a/firewall.sh b/firewall.sh
index 34184ee..356075c 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -2,9 +2,7 @@ set -e
-IPTABLES=$(which iptables)
-IP6TABLES=$(which ip6tables)
-IPSET=$(which ipset)
+. ./common.sh
 debug=0
@@ -54,7 +52,7 @@ $IPTABLES -A INPUT -p icmp -j ACCEPT
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 # drop source-route rh0 headery things
-$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -73,15 +71,19 @@ do
 $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
 done
-$IPSET -exist create allowed_udp bitmap:port range 0-65535
-$IPSET -exist create allowed_tcp bitmap:port range 0-65535
-for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
-do
-$IPSET -exist add allowed_tcp ${p}
-done
-for p in 53 123 1194 64738
+create_set allowed_udp bitmap:port range 0-65535
+create_set allowed_tcp bitmap:port range 0-65535
+
+for sfx in '' ".$(hostname -s)"
 do
-$IPSET -exist add allowed_udp ${p}
+ if [ -e "services${sfx}" ]
+ then
+
+ for l in $(decommentcat "services${sfx}")
+ do
+ allow_services "${l}"
+ done
+ fi
 done
 $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
@@ -89,6 +91,11 @@ $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j A
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+create_drop_chain xenophobe
+
+# insert asia blocker
+./sinokorea.sh
+
 # insert persistent-pest-blocker
 ./xenophobe.sh
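Review bot: `. ./common.sh` resolves against the caller's working directory, not the script's own location, so invoking the firewall from elsewhere either sources a missing file (fatal for a POSIX `.` under `set -e`) or whichever `common.sh` happens to sit in that directory; the same cwd dependency applies to `./sinokorea.sh` and `./xenophobe.sh` in the last hunk. Anchoring on the script's directory, `cd "$(dirname -- "$0")" || exit 1` ahead of the source line, or `. "$(dirname -- "$0")/common.sh"`, removes that ambiguity. The removed `$(which ...)` lookups presumably now live in common.sh, since untouched lines still reference `$IPTABLES` and `$IP6TABLES`; a comment on the source line naming what it is expected to provide (`# provides IPTABLES, IP6TABLES, create_set, ...`) would make that contract explicit.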
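Review bot: The added `|| echo ...` makes a missing `rt` match non-fatal, but nothing records that the RH0 DROP rule is then absent from the ruleset, and a one-line warning on stderr is easy to lose when the script runs at boot. If the intent is that the rule is belt-and-braces and the script should proceed without it, say so next to the line, e.g. `# rt match may be unavailable; non-fatal, later rules still apply`, so the next reader does not mistake the `||` for an oversight under `set -e`. Consider `printf '%s\n' 'MISSING RT MATCH' >&2` in place of `echo` for portability of the diagnostic.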
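Review bot: If neither `services` nor `services.$(hostname -s)` exists in the working directory, the new loop allows nothing, and the set-match ACCEPT rules that follow then admit no inbound ports at all, including SSH — a silent remote lockout when the script is run from the wrong directory or on a host whose services file was never deployed. Setting `found=1` inside the `if` and adding `[ -n "${found}" ] || { echo "no services file found" 1>&2; exit 1; }` after the loop makes that failure loud instead of silent. The unquoted `$(decommentcat ...)` also word-splits on all whitespace and glob-expands a `*`, so a line with more than one field becomes several `allow_services` calls; if lines are single tokens that is fine, otherwise `while IFS= read -r l` is the safer form. The inner `for l` body is not indented under its `then`, which hides the nesting.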
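Review bot: `create_drop_chain xenophobe` is called here but nothing in this hunk jumps to that chain, so its wiring into INPUT presumably happens inside `./sinokorea.sh` and `./xenophobe.sh`; a comment stating that contract, e.g. `# xenophobe chain is populated and hooked into INPUT by the two scripts below`, would keep a future reordering from breaking it. Under `set -e` a failing `./sinokorea.sh` also stops the script before the persistent-pest-blocker runs, leaving the drop chain created but only partly filled; check that this is the intended failure mode rather than continuing with a warning, as the rt-match hunk does.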