#
# ferm config file
#
# created to mimic monmotha's iptables firewall script
#

# Global ferm options for this ruleset.
# NOTE(review): "option" lines are a feature of older ferm releases; confirm
# the installed ferm still accepts them. The meanings below are inferred from
# the option names only:
#   iptables     - presumably selects the iptables backend
#   clearall     - presumably flushes the existing ruleset before loading
#   createchains - presumably creates the user-defined chains referenced below
#                  (INETIN, INETOUT, LDROP, LREJECT, TCPACCEPT, UDPACCEPT)
option iptables
option clearall
option createchains

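table filter {
    # Locally delivered traffic: only packets arriving on the Internet-facing
    # interface are inspected (INETIN); everything else is accepted by policy.
    chain INPUT policy ACCEPT {
        interface ppp0 goto INETIN;
    }

    # Locally originated traffic leaving on ppp0 goes through INETOUT, which
    # accepts everything.
    chain OUTPUT policy ACCEPT {
        outerface ppp0 goto INETOUT;
    }

    # Routed traffic. Anything from or to either LAN subnet is forwarded;
    # the DROP policy catches the rest.
    # NOTE(review): the daddr rule accepts a forwarded packet addressed to a
    # LAN subnet regardless of its ingress interface or conntrack state. If
    # only replies to LAN-originated connections are meant to come back in
    # over ppp0, confirm and narrow that rule to
    # `interface ppp0 mod state state (ESTABLISHED RELATED)`.
    chain FORWARD policy DROP {
        saddr (
            192.168.0.0/24
            192.168.1.0/24
        ) ACCEPT;
        daddr (
            192.168.0.0/24
            192.168.1.0/24
        ) ACCEPT;
    }

    # Inbound traffic on ppp0. Rules are evaluated top to bottom; whatever
    # reaches the end of the chain is logged and rejected via LREJECT.
    chain INETIN {
        # Hosts that are rejected outright.
        # NOTE(review): these are hostnames, so they are presumably resolved
        # when the ruleset is loaded; a DNS failure at load time would then
        # affect the whole ruleset — confirm this is acceptable.
        saddr (
            bad.guy1.com
            bad.hacker.org
        ) REJECT;

        # Packets conntrack cannot associate with any connection. Previously a
        # silent REJECT; LREJECT logs first and ends with the same verdict.
        mod state state INVALID goto LREJECT;

        proto icmp {
            # Echo requests are rate-limited; every other ICMP type is accepted.
            icmp-type echo-request mod limit limit 1/s ACCEPT;
            icmptype ! echo-request ACCEPT;
        }

        proto tcp {
            # Publicly reachable TCP service ports.
            dport (
                22 25 80 110 443 3333 6667
            ) goto TCPACCEPT;
            # Non-SYN segments from source port 22 to ports 513 and above.
            # NOTE(review): this stateless rule predates the ESTABLISHED/RELATED
            # rule further down, which already admits genuine replies; it also
            # admits unsolicited non-SYN segments that merely carry source port
            # 22. Confirm it is still needed before keeping it.
            sport 22 dport (
                513:1023 1024:
            ) ! syn goto TCPACCEPT;
            # Port 113 only from the listed hosts.
            saddr (
                1.2.3.4 1.2.3.5 1.2.3.6
            ) dport 113 goto TCPACCEPT;
        }

        proto udp {
            # Publicly reachable UDP service ports.
            dport (
                6112 6119 4000
            ) goto UDPACCEPT;
            # Source port 53 only from the two listed name servers.
            sport 53 saddr (
                ns1.domain.com ns2.domain.com
            ) goto UDPACCEPT;
        }

        # Replies and related traffic for connections this host initiated.
        mod state state (
            ESTABLISHED RELATED
        ) ACCEPT;

        # Catch-all. Previously a silent REJECT; LREJECT logs, then rejects.
        goto LREJECT;
    }

    chain INETOUT {
        ACCEPT;
    }

    # Logging wrappers around DROP and REJECT. The LOG is rate-limited so a
    # burst of unwanted packets cannot flood syslog (5/s is a constructed
    # value; tune to taste). The nested blocks give each protocol its own
    # log prefix; fragments are logged at a higher level.
    chain LDROP {
        mod limit limit 5/s LOG {
            log-level info {
                proto tcp logprefix "TCP Dropped";
                proto udp logprefix "UDP Dropped";
                proto icmp logprefix "ICMP Dropped";
            }
            log-level warn fragment log-prefix "FRAGMENT Dropped";
        }
        DROP;
    }

    chain LREJECT {
        mod limit limit 5/s LOG {
            log-level info {
                proto tcp logprefix "TCP Rejected";
                proto udp logprefix "UDP Rejected";
                proto icmp logprefix "ICMP Rejected";
            }
            log-level warn fragment log-prefix "FRAGMENT Rejected";
        }
        REJECT;
    }

    # Accept TCP handed over from INETIN: new connections (SYN) are
    # rate-limited, everything else is accepted as-is. The trailing LOG/REJECT
    # is a sanity check for non-TCP packets; every goto TCPACCEPT in this file
    # sits inside a `proto tcp` block, so it is not expected to fire.
    chain TCPACCEPT {
        proto tcp {
            syn mod limit limit 2/s ACCEPT;
            ! syn ACCEPT;
        }
        logprefix "Mismatch in TCPACCEPT" LOG;
        REJECT;
    }

    # Accept UDP handed over from INETIN; same sanity check as TCPACCEPT
    # (every goto UDPACCEPT in this file sits inside a `proto udp` block).
    chain UDPACCEPT {
        proto udp ACCEPT;
        logprefix "Mismatch in UDPACCEPT" LOG;
        REJECT;
    }
}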

# Masquerade traffic from either LAN subnet as it leaves on the dial-up
# interface, so the LAN hosts share this machine's ppp0 address.
# NOTE(review): MASQ is the target spelling used here; newer ferm documentation
# lists the target as MASQUERADE — confirm against the ferm version in use.
table nat {
    chain POSTROUTING {
        outerface ppp0 saddr (
            192.168.0.0/24
            192.168.1.0/24
        ) MASQ;
    }
}
