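#!/bin/sh
#
# United firewall configuration
#
# Builds this router's ipfw ruleset: a fixed set of "main" rules plus a
# per-host rule file that is downloaded and then sourced as shell code.
#
# Required environment:
#   CONF  directory holding one rule file per router, named after
#         `hostname -s`
#   URL   base URL; ${URL}/<hostname> is fetched into $CONF before the
#         rule file $CONF/<hostname> is sourced
#
# Usage: firewall [echo]
#   With the single argument "echo" nothing is installed; every ipfw
#   command is printed instead (debug mode).
#
# NOTE(review): the rule file is fetched over the network and executed
# as shell code with no signature or checksum check.  Unless $URL is
# served over an authenticated channel (e.g. HTTPS with a verified
# certificate), anyone who can answer for that URL can rewrite this
# router's firewall and run arbitrary commands as the invoking user.

# VTC control network
# NOTE(review): these values look like redacted placeholders rather than
# real addresses in this copy -- verify before deploying.
vtc="ip ........... ...."
mail_relay="ip ......... ......."
# TCP ports a mail workstation may reach on the relay.  23 (telnet) and
# 540 (uucp) are cleartext protocols; confirm they are still needed.
mail_ports="23,25,110,540"

# Both variables are mandatory.  Without this guard an unset CONF makes
# the `cd` below land in $HOME and the rule file path become /<hostname>.
: "${CONF:?CONF (rule directory) must be set}"
: "${URL:?URL (rule download base) must be set}"

# debug mode: print the ipfw commands instead of executing them
if [ "${1}" = "echo" ]; then
  ipfw="/bin/echo"
else
  ipfw="/sbin/ipfw"
fi

# router name; both the rule file and its download URL are named after it
host=$(/bin/hostname -s)
if [ -z "$host" ]; then
  echo "firewall: cannot determine short hostname" >&2
  exit 1
fi
rules="${CONF}/${host}"

# Fetch the current rule file for this router into $CONF.  A failed
# download is reported but is not fatal: the previously fetched copy (if
# any) is used so a transient network problem does not leave the router
# without its rules.  The fetch only runs once the cd succeeded, so the
# file can never be written into an unrelated working directory.
if ! ( cd "$CONF" && /usr/bin/fetch "${URL}/${host}" ); then
  echo "firewall: fetch of ${URL}/${host} failed, using existing ${rules}" >&2
fi

# interface ip number by name: the IPv4 address(es) of interface $1, one
# per line.  Only "inet" lines are matched -- a bare `grep inet` also
# matched "inet6" lines and returned IPv6 addresses on dual-stack hosts.
ip () {
  ifconfig "$1" | awk '$1 == "inet" { print $2 }'
}

# start list number; pass/deny allocate rule numbers 1010, 1020, ...
rule_num=1000

# pass and deny rules.  The rule text is deliberately left unquoted
# ($*): ipfw rules are token lists and callers -- including the sourced
# rule file -- may hand them over as a single string that must be re-split.
# shellcheck disable=SC2048,SC2086
pass () {
  rule_num=$((rule_num+10))
  $ipfw add $rule_num pass $*
}
# shellcheck disable=SC2048,SC2086
deny () {
  rule_num=$((rule_num+10))
  $ipfw add $rule_num deny $*
}

# backbone segment: everything may cross interface $1
backbone () {
  pass all from any to any via $1
}

# any access: unrestricted traffic to and from address $1
any () {
  pass all from $1 to any
  pass all from any to $1
}

# free access between every pair of interfaces in the list: traffic
# received on one listed interface may be sent out on any other listed one
lan () {
  local in_if out_if
  for in_if in $*; do
    for out_if in $*; do
      if [ "$in_if" != "$out_if" ]; then
        pass all from any to any out recv $in_if xmit $out_if
      fi
    done
  done
}

# client workstation: only outgoing tcp; replies are accepted solely for
# already-established connections (ipfw "established" = ACK or RST set)
client () {
  pass tcp from $1 to any
  pass tcp from any to $1 established
}

# only mail workstation: tcp to/from the relay on $mail_ports
mailws () {
  pass tcp from $1 to $mail_relay $mail_ports
  pass tcp from $mail_relay $mail_ports to $1
}

# server: only incoming tcp on the listed ports ($2 ...) of address $1,
# plus the established-connection replies from those ports
server () {
  local addr port
  addr=$1
  shift
  for port in $*; do
    pass tcp from any to $addr $port
    pass tcp from $addr $port to any established
  done
}

$ipfw -f flush

# Catch-all deny.  Installed immediately after the flush, before the
# remote rule file is sourced, so the ruleset stays closed even if this
# script aborts half way.  ipfw orders rules by number, not by the order
# they were added, so the resulting ruleset is the same as adding it last
# (only the echo output in debug mode changes order).
$ipfw add 65000 deny all from any to any

# Main rules
pass all from any to any via lo0
# loopback addresses are only valid on lo0; drop them anywhere else
deny all from any to 127.0.0.0/8
# high UDP port range, presumably for traceroute probes -- confirm
pass udp from any to any 33434-33523
#pass all from $vtc to any
#pass all from any to $vtc
#pass tcp from any to any established
# named
pass udp from any to $vtc 53
pass udp from $vtc 53 to any
pass udp from $vtc to any 53
pass udp from any 53 to $vtc
# snmp
pass udp from any 161 to $vtc
pass udp from $vtc to any 161
# icmp: drop fragmented ICMP, allow the rest
deny icmp from any to any frag
pass icmp from any to any

# Router rules: the per-host rule file, sourced as shell code (see the
# note at the top).  Checked explicitly so a missing file gives a clear
# message instead of the shell's own abort on `.`.
if [ ! -r "$rules" ]; then
  echo "firewall: rule file ${rules} missing or unreadable" >&2
  exit 1
fi
. "$rules"

exit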