
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2000-10-14  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept ignore deny
#i# cluster
#n# https
#t# clients
#
#   |--------------------------------------------------------------------|
#d# The accept option opens access to your port 443 (secure HTTP) for 
#d# these hosts/networks. If you have a secure (SSL) web server on your
#d# firewall, you'll probably want to use "any/0".
#d#
#d# You might want anyone to connect to your secure web server, but you'd
#d# like to exclude a few hosts and/or networks. They could have tried to
#d# attack this service, shouldn't know about it, etc. Use the ignore 
#d# and/or deny options. The deny option will log every failed packet, 
#d# where-as the ignore option will not log anything.
#d#
#d# Example:
#d#   accept-eth1-https-clients = any/0
#d#     deny-eth1-https-clients = 207.253.78.0/24
#d#
#d# This will let anyone connect to your HTTPS server, except hosts in the 
#d# 207.253.78.* network.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

for action in ignore deny accept
do
	case $action in
		accept|ignore)
				action_log_msg="$LOG_MSG"; action_log="$LOG";;
		deny)	action_log_msg="(logged)"; action_log="-l"  ;;
	esac
	for host in `Option_Value $action $INTOPT https clients`
	do
		case $action in
			ignore|deny)
				echo "Deny $INTOPT $IPADDR HTTPS <- $host $action_log_msg"
				ipchains -A $INCHAIN -j DENY -p tcp -s $host -d $IPADDR https $action_log
				;;
			accept)
				Accept_Hostports local tcp "HTTPS" $host https
				;;
		esac
	done
done
unset action action_log_msg action_log host

