#!/bin/bash

# create default rules

# Directory holding the shipped rule scripts. It is deliberately relative:
# addrule stores it verbatim as the symlink target, and a relative link
# target is resolved against the link's own directory, not this script's cwd.
RAD='../../rules.avail'

# Directory of active rules; addrule populates it with symlinks into RAD.
RDD='/etc/firewall/rules.d'

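#######################################
# Link one rule script from the available-rules tree into the active rules
# directory, unless something already occupies that name.
# Globals:   RAD (read) - directory holding the available rule scripts
#            RDD (read) - directory of active rules
# Arguments: $1 - rule path relative to both directories, e.g. 01-custom/x.sh
# Outputs:   nothing on stdout; ln diagnostics go to stderr
# Returns:   0 when the entry already exists or was skipped, else ln's status
#######################################
addrule() {
	local rf=$1
	local dst="$RDD/$rf"

	# Leave any existing entry alone. -e is false for a dangling symlink,
	# so -L is checked as well; otherwise ln would fail on the stale link.
	if [ -e "$dst" ] || [ -L "$dst" ]; then
		return 0
	fi

	# RAD is relative and stored verbatim in the link; it is resolved
	# against the link's directory at access time (see RAD's definition).
	ln -s -- "$RAD/$rf" "$dst"
}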

# Global rules that every host must carry; linked unconditionally, before
# the first-install check below.
addrule "01-custom/admin_ips.sh"
addrule "01-custom/whitelist_ips.sh"


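# Count the regular files already present in the active rules directory.
# ${RDD:?} aborts if RDD is unset or empty instead of silently turning this
# into a `find /` walk of the whole filesystem.
# NOTE(review): the symlinks addrule creates are -type l, not -type f, so on
# a symlink-only install this stays 0 and the default set below is re-linked
# on every run (harmless, since addrule is idempotent) — confirm intended.
OLDRULENO=$(find "${RDD:?}/" -type f | wc -l)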

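# Populate the default rule set only when the rules directory holds no
# regular file yet (OLDRULENO is computed above). Each addrule call is
# idempotent, so entries that already exist are left untouched.
# The numeric prefixes presumably fix the load order (11-drop-* before
# 21-accept-*); verify against the rule loader.
if [[ "$OLDRULENO" -lt 1 ]]; then

	# DEFAULT RULES

	addrule 01-custom/loop-notrack.sh
	addrule 01-custom/munin.sh

	addrule 11-drop-in-fw/infw_all_tcp_attacks.sh
	addrule 11-drop-in-fw/infw_all_fake_loopback.sh
	addrule 11-drop-in-fw/in_inet_fail2ban.sh
	addrule 11-drop-in-fw/infw_inet_droplist.sh
	addrule 11-drop-in-fw/infw_inet_fake_lan.sh
	addrule 11-drop-in-fw/infw_inet_scandetect.sh

	addrule 12-drop-out/out_all_smtp_wwwdata.sh
	addrule 12-drop-out/out_loop_smtp_wwwdata.sh
	addrule 12-drop-out/out_hvlan_all_wwwdata.sh

	addrule 21-accept-in/in_all_icmp.sh
	addrule 21-accept-in/in_all_established.sh
	addrule 21-accept-in/in_inet_mail.sh
	addrule 21-accept-in/in_inet_ssh_admin.sh
	addrule 21-accept-in/in_inet_ssh_knock.sh
	addrule 21-accept-in/in_inet_ftp.sh
	addrule 21-accept-in/in_inet_sftp.sh
	addrule 21-accept-in/in_inet_web.sh
	addrule 21-accept-in/in_inet_dns.sh
	# PHP test vhosts are not part of the default set; enable per host if needed.
	#addrule 21-accept-in/in_inet_web_test_php73.sh
	#addrule 21-accept-in/in_inet_web_test_php72.sh
	#addrule 21-accept-in/in_inet_web_test_php71.sh
	#addrule 21-accept-in/in_inet_web_test_php70.sh
	#addrule 21-accept-in/in_inet_web_test_php56.sh
	#addrule 21-accept-in/in_inet_web_test_php54.sh
	addrule 21-accept-in/in_inet_statusd.sh
	addrule 21-accept-in/in_hvlan_ssh.sh
	addrule 21-accept-in/in_inet_zzz_scandetect.sh

	# out_hvlan_dns.sh is linked exactly once here (it used to appear twice).
	addrule 22-accept-out/out_all_established.sh
	addrule 22-accept-out/out_hvlan_dns.sh
	addrule 22-accept-out/out_all_icmp.sh
	addrule 22-accept-out/out_inet_all.sh
	addrule 22-accept-out/out_hvlan_nfs.sh
	addrule 22-accept-out/out_hvlan_all_rootuser.sh

fi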

# "$2" is empty on a first install and non-empty on an upgrade (presumably
# the previously configured version, as dpkg passes to postinst — verify).
case "$2" in
	"")
		# First install: enable the unit.
		deb-systemd-helper enable "firewall.service" >/dev/null || true
		;;
	*)
		# Upgrade: re-enable only if it was enabled before, otherwise just
		# refresh the recorded state so the admin's choice is preserved.
		if deb-systemd-helper --quiet was-enabled "firewall.service"; then
			deb-systemd-helper enable "firewall.service" >/dev/null || true
		else
			deb-systemd-helper update-state "firewall.service" >/dev/null || true
		fi
		;;
esac

# The service is intentionally not (re)started here; tell the operator so.
printf '%s\n' \
	"3G Firewall installed/updated but not started or restarted." \
	"Please start/restart/reload manually."
