#!/bin/sh

### BEGIN INIT INFO
# Provides:          pre-init-firewall
# Required-Start:    $syslog $network
# Required-Stop:     $syslog
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: NuFace firewall pre-init script
# Description:       Temporary initialization script for the firewall,
#                    ensuring the host is not vulnerable while the
#                    firewall rules are being applied.
#                    All incoming connections are dropped.
### END INIT INFO


# These temporary firewall rules block all INPUT and FORWARD; they are
# meant to be applied before the actual firewall rules configured with
# NuFace.  They allow OUTPUT traffic.

# These rules should be "overwritten" by the rules applied by the
# init-firewall script.

# Absolute path to the iptables binary; kept fixed rather than resolved
# via PATH because this runs as root from init.
IPTABLES=/sbin/iptables
readonly IPTABLES

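#######################################
# Install the temporary "closed" rule set: INPUT and FORWARD policy DROP,
# OUTPUT policy ACCEPT, loopback and reply traffic allowed on INPUT.
# Globals:   IPTABLES (read) - path to the iptables binary
# Arguments: none
# Outputs:   error message on stderr when iptables is unusable
# Returns:   0 on success, non-zero if iptables is missing or any call fails
#######################################
set_default_rules()
{
  # Refuse to continue if the binary is missing or not runnable.  Silently
  # skipping would leave the host with whatever rules (or none) it already
  # has, which is the opposite of what this script exists for.
  if [ ! -x "$IPTABLES" ]; then
    echo "pre-init-firewall: $IPTABLES not found or not executable" >&2
    return 1
  fi

  # Set the restrictive policies BEFORE flushing.  Flushing first would
  # briefly leave the chains empty while the previous (possibly ACCEPT)
  # policies are still in effect; with DROP already in place, the flush
  # cannot open a window.  Policies survive -F, so the end state is the same.
  "$IPTABLES" -P INPUT DROP &&
  "$IPTABLES" -P FORWARD DROP &&
  "$IPTABLES" -P OUTPUT ACCEPT || return 1

  # Drop any rules left over from a previous run (filter, nat, mangle).
  "$IPTABLES" -F &&
  "$IPTABLES" -t nat -F &&
  "$IPTABLES" -t mangle -F || return 1

  # Explicit rules duplicating the policies, so the intent stays visible
  # (and effective) even if a later script changes the chain policies.
  # Loopback and replies to outbound traffic are the only INPUT allowed.
  # NOTE(review): only IPv4 is covered here; ip6tables is not touched, so
  # IPv6 input keeps whatever state it already has - confirm whether the
  # NuFace rules handle IPv6.
  "$IPTABLES" -A FORWARD -j DROP &&
  "$IPTABLES" -A INPUT -i lo -j ACCEPT &&
  "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &&
  "$IPTABLES" -A INPUT -j DROP
}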

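# Action dispatch.  Every "apply" action does the same thing: there is no
# state to reload, the temporary rule set is simply re-applied.
case "$1" in
  start | restart | reload | force-reload)
    echo "Loading temporary firewall configuration"
    # Propagate a failure so the caller sees it instead of assuming the
    # host is now locked down.
    set_default_rules || exit 1
    ;;
  stop)
    # Deliberately a no-op: the temporary rules stay in place until the
    # real firewall script replaces them.  Removing them here would open
    # the host, which "stop" must never do for this script.
    ;;
  *)
    # Unknown or missing action: report usage and fail, rather than
    # silently doing nothing.
    printf 'Usage: %s {start|stop|restart|reload|force-reload}\n' "$0" >&2
    exit 2
    ;;
esac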

