From eb51f872880078e26facd139d9bd16e8640ce4a9 Mon Sep 17 00:00:00 2001 From: Justin Wind Date: Tue, 24 Jan 2017 20:19:03 -0500 Subject: [PATCH] more better services --- firewall.sh | 20 +++++++++++--------- services | 6 ++++++ 2 files changed, 17 insertions(+), 9 deletions(-) create mode 100644 services diff --git a/firewall.sh b/firewall.sh index eab2cb3..dbc0c3f 100755 --- a/firewall.sh +++ b/firewall.sh @@ -74,15 +74,17 @@ done create_set allowed_udp bitmap:port range 0-65535 create_set allowed_tcp bitmap:port range 0-65535 -# common services -allow_services ssh smtp submission domain ntp - -# per-host services -srv_file="services.$(hostname -s)" -if [ -e "${srv_file}" ] -then - . "${srv_file}" -fi +for sfx in '' ".$(hostname -s)" +do + if [ -e "services${sfx}" ] + then + + for l in $(decommentcat "services${sfx}") + do + allow_services "${l}" + done + fi +done $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT diff --git a/services b/services new file mode 100644 index 0000000..9b2cb2a --- /dev/null +++ b/services @@ -0,0 +1,6 @@ +# These are either names as appearing in /etc/services or port/proto +ssh +smtp +submission +domain +ntp -- 2.43.2
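Review bot: `for l in $(decommentcat "services${sfx}")` applies pathname expansion as well as word-splitting to every entry of the services file, so a line containing `*` or `?` would be replaced by matching filenames from the current directory and each of those handed to allow_services; reading the file as data instead of sourcing it is the right direction, so finish the job by iterating lines, `while IFS= read -r l` … `done < <(decommentcat "services${sfx}")` if firewall.sh runs under bash, or wrap the loop in `set -f` / `set +f` for plain sh. The lookup `[ -e "services${sfx}" ]` is relative to the caller's working directory rather than the script's location, so running firewall.sh from elsewhere finds neither file and opens no ports at all — fail-closed, but it locks out ssh, so anchoring the path on `$(dirname "$0")` or an absolute directory would be safer and deserves a comment either way. The blank line after `then` looks accidental. decommentcat is not defined in this hunk; presumably it lives earlier in firewall.sh.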