#!/bin/sh
# $Id: postinst 31 2012-11-01 10:32:31Z henkjan $

# Register the init script in the default runlevels with start/stop sequence
# number 36. All output is discarded and a non-zero exit is not acted on, so a
# failure here is silent (the script runs without set -e).
update-rc.d bit-firewall defaults 36 >/dev/null 2>&1

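# Seed a default IPv4 rules file on first install only; an existing file is
# treated as the administrator's configuration and left untouched.
# The "\$" escapes keep the $IPTABLES references literal in the written file,
# so they are expanded later by whatever consumes it -- presumably
# /etc/init.d/bit-firewall runs this file as shell (the fail2ban line below is
# a shell command list); confirm there. Because its contents are executed as
# root, the file must stay root-owned and not writable by other users; it is
# created with the current umask.
# Fixes vs. the previous default text: the settings file lives in
# /etc/default/ (not /etc/defaults/ -- that is the path this script itself
# reads further down), and "loggin" -> "logging".
if [ ! -r /etc/bit-firewall/rules ]; then
  echo "Generating default /etc/bit-firewall/rules"
  cat << EOF > /etc/bit-firewall/rules
#####
# Refer to /etc/default/bit-firewall for additional settings
# Refer to /etc/init.d/bit-firewall for default policies
#

# Add custom rules here
#\$IPTABLES -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

# Uncomment the next line to enable logging of dropped packets
#\$IPTABLES -A INPUT -m limit --limit 40/second --limit-burst 10 -j LOG --log-prefix "BITFirewall: "

# No other incoming tcp-connections (send RST):
\$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
\$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# Default policy (all that does not match a rule)
\$IPTABLES -P INPUT DROP

# Check for Fail2Ban, it needs to be restarted after flushing rules
[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban restart
EOF
fi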

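# Seed a default IPv6 rules file on first install only; an existing file is
# treated as the administrator's configuration and left untouched.
# The "\$" escapes keep the $IP6TABLES references literal in the written file,
# so they are expanded later by whatever consumes it -- presumably
# /etc/init.d/bit-firewall runs this file as shell; confirm there. As with the
# IPv4 file, it is created with the current umask and must remain root-owned
# and not writable by other users, since its contents run as root.
# Fixes vs. the previous default text: the settings file lives in
# /etc/default/ (not /etc/defaults/ -- that is the path this script itself
# reads further down), and "loggin" -> "logging".
if [ ! -r /etc/bit-firewall/rules6 ]; then
  echo "Generating default /etc/bit-firewall/rules6"
  cat << EOF > /etc/bit-firewall/rules6
#####
# Refer to /etc/default/bit-firewall for additional settings
# Refer to /etc/init.d/bit-firewall for default policies
# 

# Add custom rules here
#\$IP6TABLES -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

# Uncomment the next line to enable logging of dropped packets
#\$IP6TABLES -A INPUT -m limit --limit 40/second --limit-burst 10 -j LOG --log-prefix "BITFirewall: "

# No other incoming tcp-connections (send RST):
\$IP6TABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
\$IP6TABLES -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable

# Default policy (all that does not match a rule)
\$IP6TABLES -P INPUT DROP
EOF
fi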

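# One-off migration: an earlier defaults file spelled the key "v6TRUSTED";
# rename it to V6TRUSTED and reload the firewall so the corrected value is
# picked up (that the init script reads V6TRUSTED is inferred from the rename;
# confirm in /etc/init.d/bit-firewall).
# Changes vs. the previous version: the file is checked for existence before
# grep runs (no spurious error on a fresh install), mktemp failure is no longer
# masked (previously an empty TMP made the redirect fail and the mv clobber the
# defaults file), all expansions are quoted, and the rewritten content is
# copied back into the original file instead of mv'ing the temp file over it --
# mktemp creates its file 0600, so the mv silently changed the mode and
# ownership of /etc/default/bit-firewall.
DEFAULTS=/etc/default/bit-firewall
if [ -r "$DEFAULTS" ] && grep -q "^v6TRUSTED=" "$DEFAULTS"; then
	echo "Fixing typo in defaults file."
	# Assignment kept separate from the check so mktemp's exit status is seen.
	TMP=$(mktemp) || { echo "mktemp failed; leaving $DEFAULTS unchanged" >&2; exit 1; }
	if sed -e 's/^v6TRUSTED/V6TRUSTED/' "$DEFAULTS" > "$TMP" \
	   && cat "$TMP" > "$DEFAULTS"; then
		rm -f "$TMP"
		echo "Reloading firewall."
		invoke-rc.d bit-firewall restart
	else
		rm -f "$TMP"
		echo "Failed to rewrite $DEFAULTS" >&2
		exit 1
	fi
fi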
