#!/bin/sh


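# Older versions shipped the defaults file with the key misspelt as
# "v6TRUSTED". The package uses the uppercase "V6TRUSTED" elsewhere
# (presumably the name the init script reads -- it is not visible here), so a
# lowercase key is an inert setting. Rewrite the key, then reload so the
# corrected value takes effect. The grep guard makes this a no-op on every
# later run, so the block is safe to repeat on upgrade.
if grep -q "^v6TRUSTED=" /etc/default/bit-firewall; then
	echo "Fixing typo in defaults file."
	# mktemp gives a private (0600) scratch file. Its contents are copied back
	# over the existing config with cat so the config keeps its own owner and
	# mode, instead of inheriting the temp file's 0600 as an mv would do.
	TMP=$(mktemp) || TMP=
	if [ -n "$TMP" ] \
		&& sed -e 's/^v6TRUSTED/V6TRUSTED/' /etc/default/bit-firewall > "$TMP" \
		&& cat "$TMP" > /etc/default/bit-firewall; then
		rm -f -- "$TMP"
		echo "Reloading firewall."
		# Without set -e a failed reload is otherwise silent; say so loudly,
		# the host may be running with the old rule set.
		/usr/sbin/bit-firewall restart \
			|| echo "Warning: firewall restart failed; check /etc/default/bit-firewall." >&2
	else
		# Keep the temp copy so an administrator can recover the edited
		# content by hand if the overwrite stopped part way.
		echo "Warning: could not rewrite /etc/default/bit-firewall${TMP:+ (edited copy left in $TMP)}." >&2
	fi
fi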


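# Create the configuration directory and, on first install, seed an example
# IPv4 rules file. An existing rules file is never overwritten: it is the
# administrator's local policy, and clobbering it on upgrade would silently
# reopen or close ports.
mkdir -p /etc/bit-firewall \
    || echo "Warning: could not create /etc/bit-firewall." >&2

if [ ! -f /etc/bit-firewall/rules ]; then
    echo "No /etc/bit-firewall/rules found, placing default example."
    # The $IPTABLES references and the fail2ban line suggest the init script
    # sources this file as shell run by root (init script not visible here),
    # so it must stay root-owned and not group/world-writable.
    # Quoted delimiter: nothing in the heredoc is expanded, so the $IPTABLES
    # text lands in the file verbatim without backslash escapes.
    # The "Refer to" path is /etc/default (the file grep'd above), not
    # /etc/defaults.
    cat >/etc/bit-firewall/rules <<'EOT' || echo "Warning: could not write /etc/bit-firewall/rules." >&2
# Refer to /etc/default/bit-firewall for additional settings
# Refer to /etc/init.d/bit-firewall for default policies
#


# Add custom rules here, example:
#$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT


# Uncomment the next line to enable loggin of dropped packets
#$IPTABLES -A INPUT -m limit --limit 40/second --limit-burst 10 -j LOG --log-prefix "BITFirewall: "
# No other incoming tcp-connections (send RST):
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# Default policy (all that does not match a rule)
$IPTABLES -P INPUT DROP
# Check for Fail2Ban, it needs to be restarted after flushing rules
[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban restart
EOT
else
    echo "Not touching existing /etc/bit-firewall/rules file!"
fi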


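# Seed an example IPv6 rules file on first install only; an existing file is
# the administrator's policy and is left alone. The example ends in a blanket
# REJECT for tcp/udp plus "-P INPUT DROP", so ICMPv6 (neighbour discovery,
# path MTU) must be permitted by rules loaded before this file -- presumably
# /etc/init.d/bit-firewall, which is not visible here; otherwise the host
# loses IPv6 connectivity.
if [ ! -f /etc/bit-firewall/rules6 ]; then
    echo "No /etc/bit-firewall/rules6 found, placing default example."
    # The $IP6TABLES references suggest the init script sources this file as
    # shell run by root, so it must stay root-owned and not
    # group/world-writable. Quoted delimiter: the heredoc is written verbatim,
    # no backslash escapes needed. The "Refer to" path is /etc/default (the
    # file the typo fix above edits), not /etc/defaults.
    cat >/etc/bit-firewall/rules6 <<'EOT' || echo "Warning: could not write /etc/bit-firewall/rules6." >&2
# Refer to /etc/default/bit-firewall for additional settings
# Refer to /etc/init.d/bit-firewall for default policies
#


# Add custom rules here, example:
#$IP6TABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT


# Uncomment the next line to enable loggin of dropped packets
#$IP6TABLES -A INPUT -m limit --limit 40/second --limit-burst 10 -j LOG --log-prefix "BITFirewall: "
# No other incoming tcp-connections (send RST):
$IP6TABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IP6TABLES -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
# Default policy (all that does not match a rule)
$IP6TABLES -P INPUT DROP
EOT
else
    echo "Not touching existing /etc/bit-firewall/rules6 file!"
fi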

#DEBHELPER#
