
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# Private network addresses need to be blocked AFTER DHCP clients and
# BEFORE any services use the "any/0" wildcard.
#
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-03-23  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Removed forced logging from prii/prio chain jumps.
# 2001-03-22  Vladimir Smelhaus <smelhaus@bpt.cz>
#             Changed for use with new user pri[i|o] chains
#             that are defined in private_networks_chains.sh
# 2000-11-23  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.1.
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Do NOT filter out private IPs on DMZ *interfaces*. This would stop
# LAN traffic from reaching DMZ servers. Virtual interfaces are also
# excluded since they are not routed in the first place. :-)
#
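#######################################
# Test whether a word appears in a list of words.
# Arguments: $1 - word to look for; $2.. - the list, one word per argument
# Returns:   0 if $1 equals one of the remaining arguments, 1 otherwise
#######################################
pn_in_word_list() {
	pn_needle=$1
	shift
	for pn_word in "$@"; do
		[ "$pn_word" = "$pn_needle" ] && return 0
	done
	return 1
}

# Whole-word membership test, replacing the former
# `grep "\(^| \)$INTERFACE\( |\$\)"`: in a basic regular expression a bare
# `|` is a literal character, not an alternation, so that pattern could only
# match a list beginning with "| " and the DMZ exclusion below silently
# never applied (private-network filtering was attached to DMZ interfaces
# as well). $DMZ_INTERFACES is deliberately left unquoted so the shell
# splits it into one word per interface name.
# shellcheck disable=SC2086
if [ "$VIRTUAL" = "no" ] && ! pn_in_word_list "$INTERFACE" $DMZ_INTERFACES
then
	echo "Deny/Reject $INTOPT <-> Private Networks (logged)"

	# $LOG is left unquoted on purpose: presumably it is either empty or an
	# ipchains logging option, and quoting an empty value would pass a
	# spurious "" argument — TODO confirm against the module that sets it.
	ipchains -A "$INCHAIN"  -j prii $LOG
	ipchains -A "$OUTCHAIN" -j prio $LOG
fi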

