
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# This module supports the IPSec VPN, typically used by S/WAN and other
# tunneling software.
#
# To install, copy this file to /etc/firewall/modules/public/services/
# 050-ipsecvpn-hosts. Since VPN bandwidth use may be very high, it's 
# preferable to keep this module near the top. Execute rc.firewall with
# the --update-config parameter. This will add the new options to the 
# configuration file.
#
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-04-30  Dougal Holmes <dholmes@bigpond.net.au>
#             Fixed up cluster operation
# 2001-02-15  Edwin ten Brink <edwin@privateer.student.utwente.nl>
#             Updated documentation
# 2000-10-14  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept
#i# cluster
#n# ipsecvpn
#t# hosts
#
#   |--------------------------------------------------------------------|
#d# ipsecvpn (Port 500 UDP)
#d# Hostnames of other servers you'll be communicating with via an IPSec
#d# VPN, typically used by S/WAN and other tunneling software. Entering a
#d# value here will also turn off route filtering (used to prevent IP 
#d# spoofing) on your ipsec public interface(s). Note: This module assumes
#d# you use ESP encryption and/or authentication (the typical case). For
#d# servers which use AH packet-level authentication use the (contrib)
#d# module ipsecvpnah. Other VPN protocols may be found in the contrib 
#d# directory. Your ipsec interface should be declared PUBLIC!
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

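module_name="ipsecvpn"         # module name used in options
module_type="hosts"            # the module type (clients, servers, etc.)
service_name="IPSec VPN (ESP)" # displayed on-screen
service_port="500"             # port number for this service (IKE over UDP)

# In a cluster the chain roles are swapped: what this module treats as
# "inbound" goes on OUTCHAIN and vice versa.
if [ -n "$CLUSTER_NAME" ]; then
	inchain="$OUTCHAIN"; outchain="$INCHAIN"
else
	inchain="$INCHAIN"; outchain="$OUTCHAIN"
fi

# Option_Value prints the configured host list as whitespace-separated
# words; the unquoted command substitution is deliberate, it is what splits
# that list into one $host per iteration.  Every single-valued expansion is
# quoted so a value is always passed as exactly one argument.
# $INTOPT is left unquoted as in the original: its shape (possibly empty,
# possibly more than one word) is not visible from this module -- verify
# against rc.firewall before quoting it.
# $LOG is intentionally unquoted: it is either empty (logging off) or an
# ipchains flag, and an empty quoted argument would most likely be rejected.
# NOTE(review): the module description says that configuring hosts here
# also disables route filtering on the ipsec interface; nothing in this
# module does that, so presumably rc.firewall handles it -- confirm.
for host in $(Option_Value accept $INTOPT "$module_name" "$module_type"); do
	printf '%s\n' "Accept $INTOPT $IPADDR $service_name <-> $host $LOG_MSG"
	# IKE: UDP 500 in both directions, source and destination port 500.
	ipchains -A "$inchain"  -j ACCEPT -p udp -s "$host"   "$service_port" -d "$IPADDR" "$service_port" $LOG
	ipchains -A "$outchain" -j ACCEPT -p udp -s "$IPADDR" "$service_port" -d "$host"   "$service_port" $LOG

	# ESP (IP protocol 50) between the two peers, both directions.
	ipchains -A "$inchain"  -j ACCEPT -p 50 -s "$host"   -d "$IPADDR" $LOG
	ipchains -A "$outchain" -j ACCEPT -p 50 -s "$IPADDR" -d "$host"   $LOG
done
# Do not leak loop/chain variables into the next module sourced by rc.firewall.
unset host inchain outchain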

