
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2000-10-14  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept ignore deny
#i# cluster
#n# http
#t# clients
#
#   |--------------------------------------------------------------------|
#d# The accept option opens access to your port 80 for these hosts and/or
#d# networks. If you have a web server on your firewall, you'll probably 
#d# want to use "any/0".
#d#
#d# You might want anyone to connect to your web server, but you'd like to
#d# exclude a few hosts/networks. They could have tried to attack this 
#d# service, should not know about it, etc. Use the ignore and/or deny 
#d# options. The deny option logs every dropped packet, whereas the 
#d# ignore option drops silently and logs nothing.
#d#
#d# Example:
#d#   accept-eth1-http-clients = any/0
#d#     deny-eth1-http-clients = 207.253.78.0/24
#d#
#d# This will let anyone connect to your web server, except hosts in the 
#d# 207.253.78.* network.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

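# Install the HTTP (port 80, service name "www") client rules for the
# interface in $INTOPT.  The actions are processed in the order
# ignore, deny, accept so that the exclusion rules are appended to
# $INCHAIN ahead of the accept rules and are matched first.
#
# Reads:  LOG, LOG_MSG, INTOPT, IPADDR, INCHAIN (set by the caller)
# Calls:  Option_Value, Accept_Hostports (defined elsewhere), ipchains
# Writes: nothing is left behind; the loop variables are unset at the end
for action in ignore deny accept
do
	case $action in
		accept|ignore)
			# Follow the global logging setting for these rules.
			action_log_msg="$LOG_MSG"; action_log="$LOG";;
		deny)
			# Denied packets are always logged (-l).
			action_log_msg="(logged)"; action_log="-l";;
	esac
	# Option_Value prints the configured hosts/networks for this action
	# (presumably the "<action>-<interface>-http-clients" option shown in
	# the header).  The substitution is intentionally unquoted so that
	# each whitespace-separated entry becomes one $host.
	for host in $(Option_Value "$action" "$INTOPT" http clients)
	do
		case $action in
			ignore|deny)
				echo "Deny $INTOPT $IPADDR HTTP <- $host $action_log_msg"
				# $action_log is deliberately unquoted: it holds the
				# "-l" flag or (presumably) nothing, and an empty value
				# must not be passed to ipchains as an empty argument.
				ipchains -A "$INCHAIN" -j DENY -p tcp -s "$host" -d "$IPADDR" www $action_log
				;;
			accept)
				Accept_Hostports local tcp "HTTP" "$host" www
				;;
		esac
	done
done
unset action action_log_msg action_log host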

