#!/bin/sh
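# Outgoing (-O) chain for ipfwadm-style filtering.
#
# Reads from the environment: FW (the firewall command), IP_ETH0, IP_PPP0,
# ANY_NET, ANY_MASK, LOC_NET, NETC_MASK, NETB_MASK, DIALUP_NET, HOST_MASK,
# and optionally VERBOSE (non-empty prints the address variables in use).
#
# Flush the chain and set a default policy of deny. The policy is mostly
# irrelevant because the final rule below is a catch-all deny that also
# logs (-o); the policy itself cannot log.
#
# $FW is left unquoted on purpose so it may hold the command plus fixed
# options; every address argument below is quoted so an empty variable
# produces a visible ipfwadm error instead of silently shifting the
# remaining arguments into the wrong options.
# shellcheck disable=SC2086
$FW -O -f
$FW -O -p deny

#######################################
# Report an address/mask variable the rules depend on.
# Arguments: $1 - variable name (used in the messages)
#            $2 - its value
# Globals:   VERBOSE (read) - when non-empty, print NAME=value to stdout
# Outputs:   a warning on stderr when the value is empty; the original
#            check compared words of an unquoted list, so an empty
#            variable simply vanished and the warning could never fire.
# Returns:   0 if the value is set, 1 if it is empty
#######################################
check_var() {
  if [ -z "$2" ]; then
    printf 'WARNING: %s is unset or empty; rules using it will be wrong\n' "$1" >&2
    return 1
  fi
  if [ "${VERBOSE:-}" != "" ]; then
    printf '%s=%s\n' "$1" "$2"
  fi
  return 0
}

check_var IP_ETH0 "$IP_ETH0"
check_var ANY_NET "$ANY_NET"
check_var ANY_MASK "$ANY_MASK"
check_var LOC_NET "$LOC_NET"
check_var NETC_MASK "$NETC_MASK"
check_var NETB_MASK "$NETB_MASK"
check_var IP_PPP0 "$IP_PPP0"
check_var DIALUP_NET "$DIALUP_NET"
check_var HOST_MASK "$HOST_MASK"

# Address/mask pairs used repeatedly below. Note the local net is matched
# with the class C mask as a source and the class B mask as a destination,
# as in the original rule set.
ANY="$ANY_NET/$ANY_MASK"
LOC_C="$LOC_NET/$NETC_MASK"
LOC_B="$LOC_NET/$NETB_MASK"
SLIP_HOST=192.168.4.120

# local interface: any source going to the local net is valid
$FW -O -a accept -V "$IP_ETH0" -S "$ANY" -D "$LOC_C"

# outgoing to the local net on the remote interface: broken routing, deny and log
$FW -O -a deny -V "$IP_PPP0" -S "$ANY" -D "$LOC_B" -o

# outgoing from the local net on the remote interface: broken masquerading,
# deny and log
$FW -O -a deny -V "$IP_PPP0" -S "$LOC_C" -D "$ANY" -o

# anything else outgoing on the remote interface, sourced from its own
# address, is valid
$FW -O -a accept -V "$IP_PPP0" -S "$IP_PPP0/$HOST_MASK" -D "$ANY"

# the slip/ppp peer host is reachable from the local interface
$FW -O -a accept -V "$IP_ETH0" -S "$ANY" -D "$SLIP_HOST/$HOST_MASK"

# loopback interface is valid
$FW -O -a accept -V 127.0.0.1 -S "$ANY" -D "$ANY"

# outgoing from the dialup net on the remote interface: broken masquerading,
# deny and log
$FW -O -a deny -V "$IP_PPP0" -S "$DIALUP_NET/$NETC_MASK" -D "$ANY" -o

# catch-all: everything else outgoing is denied and logged, which stands in
# for the missing log option on the policy.
$FW -O -a deny -S "$ANY" -D "$ANY" -o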

