#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani:  04-25-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999  Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted. 
# This software is provided as an example and basis for individual firewall
# development.  This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an 
# "as is" basis.  He makes no warranties of any kind, either expressed 
# or implied as to any matter including, but not limited to, warranty 
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
#              used to provide Firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
        exit 0
fi

if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0"              	# Internet connected interface
LOOPBACK_INTERFACE="lo"			# Your local naming convention
IPADDR="my.ip.address"			# Your IP address
ANYWHERE="any/0"			# Match any IP address
NAMESERVER_1="my.name.server.1"		# Everyone must have at least one
NAMESERVER_2="my.name.server.2"		# Your secondary name server
MY_ISP="my.isp.address.range/24"       	# ISP & NOC address range

SMTP_SERVER="my.smtp.server" 		# Your Mail Hub Server.
SYSLOG_SERVER="syslog.internal.server" 	# Your syslog internal server
SYSLOG_CLIENT="sys.int.client.range/24"	# Your syslog internal client range

LOOPBACK="127.0.0.0/8"			# Reserved loopback address range
CLASS_A="10.0.0.0/8"			# Class A private networks
CLASS_B="172.16.0.0/12"			# Class B private networks
CLASS_C="192.168.0.0/16"		# Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"		# Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"	# Class E reserved addresses
BROADCAST_SRC="0.0.0.0"			# Broadcast source address
BROADCAST_DEST="255.255.255.255"	# Broadcast destination address
PRIVPORTS="0:1023"			# Well known, privileged port range
UNPRIVPORTS="1024:65535"		# Unprivileged port range

# ----------------------------------------------------------------------------

# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1022:1023"                  	# range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Clearing all current rules and user defined chains
    ipchains -X

    # Set the default policy of the filter to deny.
    # Don't even bother sending an error message back.
    ipchains -P input  DENY
    ipchains -P output DENY
    ipchains -P forward DENY

# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.
    ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT 
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT 

# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks

    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.

    # Refuse any connection from problem sites
    #if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    #    . /etc/rc.d/rc.firewall.blocked
    #fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

    # Refuse spoofed packets pretending to be from the external address.
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

    # Refuse packets claiming to be to or from a Class A private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

    # Refuse packets claiming to be to or from a Class B private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

    # Refuse packets claiming to be to or from a Class C private network
#    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
#    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
#    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
#    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

    # Refuse packets claiming to be from the loopback interface
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

    # Refuse broadcast address SOURCE packets
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

    # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

    # Refuse Class E reserved IP  addresses
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

    # refuse addresses defined as reserved by the IANA
    # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
    # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
    # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

    #65: 01000001    - /3 includes 64 - need 65-79 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

    #80: 01010000   - /4 masks 80-95
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

    # 96: 01100000    - /4 makses 96-111
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

    #126: 01111110    - /3 includes 127 - need 112-126 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

    #217: 11011001    - /5 includes 216 - need 217-219 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

    #223: 11011111    - /6 masks 220-223
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------
# ICMP

    #    To prevent denial of service attacks based on ICMP bombs, filter
    #    incoming Redirect (5) and outgoing Destination Unreachable (3).
    #    Note, however, disabling Destination Unreachable (3) is not
    #    advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    # 
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    # 
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 0 -d $IPADDR -j ACCEPT 
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 3 -d $IPADDR -j ACCEPT 
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 4 -d $IPADDR -j ACCEPT 
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 11 -d $IPADDR -j ACCEPT 
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 12 -d $IPADDR -j ACCEPT 
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $MY_ISP 8 -d $IPADDR -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 0 -d $MY_ISP -j ACCEPT 
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 3 -d $MY_ISP -j ACCEPT 
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 4 -d $ANYWHERE -j ACCEPT 
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 8 -d $ANYWHERE -j ACCEPT 
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 12 -d $ANYWHERE -j ACCEPT 
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 11 -d $MY_ISP -j ACCEPT 

# ----------------------------------------------------------------------------
    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $MY_ISP $TRACEROUTE_SRC_PORTS \
             -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
             -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------
    # DNS forwarding, caching only nameserver (53)
    # --------------------------------------------

    # server to server query or response
    # Caching only name server only requires UDP, not TCP

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_1 53 \
             -d $IPADDR 53 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 53 \
             -d $NAMESERVER_1 53 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_2 53 \
             -d $IPADDR 53 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 53 \
             -d $NAMESERVER_2 53 -j ACCEPT 

    # DNS client (53)
    # ---------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

# TCP client to server requests are allowed by the protocol 
# if UDP requests fail. This is rarely seen. Usually, clients
# use TCP as a secondary nameserver for zone transfers from
# their primary nameservers, and as hackers.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT 

# ----------------------------------------------------------------------------
    # TCP accept only on selected ports
    # ---------------------------------
    # ------------------------------------------------------------------

    # SSH server (22)
    # ---------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 22 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $SSH_PORTS \
             -d $IPADDR 22 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $SSH_PORTS -j ACCEPT 


    # ------------------------------------------------------------------

    # HTTP server (80)
    # ----------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 80 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 80 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # HTTPS server (443)
    # ------------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 443 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 443 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # SYSLOG server (514)
    # -----------------

    # Provides full remote logging. Using  this feature you're able to
    # control all syslog messages on one host.

#    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
#             -s $SYSLOG_CLIENT \
#             -d $IPADDR 514 -j ACCEPT

    # SYSLOG client (514)
    # -----------------

#    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#             -s $IPADDR 514 \
#             -d $SYSLOG_SERVER 514 -j ACCEPT

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE \
             -d $IPADDR 113 -j REJECT 

    # ------------------------------------------------------------------

    # SMTP client (25)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $SMTP_SERVER 25 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $SMTP_SERVER 25 -j ACCEPT 

    # ------------------------------------------------------------------

    # FTP server (20, 21)
    # -------------------

    # incoming request

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 21 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 21 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    # PORT MODE data channel responses
    # 
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR 20 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
            -s $IPADDR 20 \
            -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    # PASSIVE MODE data channel responses

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------
    # OUTGOING TRACEROUTE
    # -------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $TRACEROUTE_SRC_PORTS \
             -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT 

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
	     -d $IPADDR -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
	     -d $IPADDR $PRIVPORTS -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
	     -d $IPADDR $UNPRIVPORTS -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 5 -d $IPADDR -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

# ----------------------------------------------------------------------------

        ;;
  stop)
        echo -n "Shutting Firewalling Services: "

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Delete all user-defined chain to this filter
    ipchains -X

    # Reset the default policy of the filter to accept.
    ipchains -P input  ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward ACCEPT

	;;
  status)
        status firewall
	;;
  restart|reload)
	$0 stop
	$0 start
	;;
  *)
	echo "Usage: firewall {start|stop|status|restart|reload}"
	exit 1
esac

exit 0
