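#!/bin/sh
#
# firewall      This shell script takes care of starting and stopping
#               the firewall.
#
# chkconfig: 2345 11 90
# description: rcf (aka rc.firewall) is an ipchains-based firewall \
#              with support for over 50 network services (including \
#              vtun, dhcp, nfs, smb, napster, proxies, online games, etc.), \
#              masquerading, port forwarding, and ip accounting. \
#              All services are self-contained modules which can be \
#              prioritized easily in the ipchains stack. Protections \
#              include spoofing, stuffed routing/masqerading, DoS, \
#              smurf attacks, outgoing port scans, and many more. \
#              rcf also supports multiple public, private (masqu'ed), \
#              dmz, and mz (non-masq'ed) networks and interfaces. \
#              Access rules are defined per interface and dmz/mz server groups.
# config: /etc/firewall.conf

WITHOUT_RC_COMPAT=1

# Source function library (provides is_yes and SourceIfNotEmpty, used below).
. /etc/init.d/functions

# Source networking configuration (sets NETWORKING).
SourceIfNotEmpty /etc/sysconfig/network

LOCKFILE=/var/lock/subsys/firewall
LOGFILE=/var/log/firewall.log
RETVAL=0

#######################################
# Load the rule set via /sbin/rcf and mark the service as running.
# Globals:   NETWORKING (read), LOCKFILE (touched), RETVAL (written)
# Returns:   rcf's exit status; 0 (without loading anything) when the
#            config is missing/empty or networking is disabled.
#######################################
start() {
	# The two skip conditions keep returning 0 so chkconfig/condrestart
	# semantics are unchanged, but an unloaded firewall is worth a line on
	# stderr rather than a silent "success".
	if [ ! -s /etc/firewall.conf ]; then
		echo "firewall: /etc/firewall.conf missing or empty; rules not loaded" >&2
		return 0
	fi
	if ! is_yes "$NETWORKING"; then
		echo "firewall: NETWORKING is not enabled; rules not loaded" >&2
		return 0
	fi
	/sbin/rcf
	RETVAL=$?
	[ "$RETVAL" -eq 0 ] && touch "$LOCKFILE"
	return "$RETVAL"
}

#######################################
# Tear the rule set down via "rcf --accept-all" and clear the lock file.
# NOTE(review): by its name, --accept-all presumably leaves an accept
# policy in place, i.e. the host is unfiltered after a successful stop
# until the next start — confirm against rcf before relying on it.
# Globals:   LOCKFILE (removed), RETVAL (written)
# Returns:   rcf's exit status.
#######################################
stop() {
	/sbin/rcf --accept-all
	RETVAL=$?
	[ "$RETVAL" -eq 0 ] && rm -f "$LOCKFILE"
	return "$RETVAL"
}

#######################################
# Append the current chains with verbose, exact byte counters to the log,
# followed by a blank separator line so successive dumps are distinguishable.
# Errors are deliberately unchecked: stop/restart treat the dump as
# best-effort and must proceed regardless.
# Globals:   LOGFILE (appended to)
#######################################
dump() {
	ipchains -nvxL >>"$LOGFILE"
	echo >>"$LOGFILE"
}

#######################################
# Snapshot the counters, then re-run start. There is no intermediate stop,
# so the host is never put into the accept-all state during a restart
# (this relies on rcf replacing the existing rule set itself — not
# verifiable from this script).
#######################################
restart() {
	dump
	start
}

# See how we were called.
case "$1" in
	start)
		start
		;;
	restart|reload)
		restart
		;;
	stop)
		dump
		stop
		;;
	condstop)
		if [ -e "$LOCKFILE" ]; then
			stop
		fi
		;;
	condreload|condrestart)
		if [ -e "$LOCKFILE" ]; then
			restart
		fi
		;;
	dump)
		dump
		;;
	status)
		# Count rule lines: strip the "Chain ..." and "target ..." headers
		# ipchains prints per chain, then have sed report the last line
		# number. sed prints nothing on empty input, so default to 0 rather
		# than reporting a blank count.
		TOTAL_RULES=$(ipchains -nL | grep -v '^Chain *' | grep -v '^target *' | sed -n '$=')
		echo "${TOTAL_RULES:-0} IPchains Firewall Rules (includes IP Accounting)"
		unset TOTAL_RULES
		;;
	*)
		echo "Usage: ${0##*/} {start|stop|restart|condstop|condrestart|dump|status}"
		RETVAL=1
		;;
esac

exit "$RETVAL"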