
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# This module supports the PPTP VPN, typically used by Microsoft and other
# tunneling software.
#
# To install, copy this file to /etc/firewall-modules/public/services/
# 030-pptp-clients. Since VPN bandwidth use may be very high, it's 
# preferable to keep this module near the top. Execute rc.firewall with
# the --update-config parameter. This will add the new options to the 
# configuration file.
#
# Make sure you add the following line to the ip-up script which is
# run after the pptp client connects, to ensure rcf gets the forwarding
# and input chains correct:
#	/sbin/route add -host $5 gw $4
#
# References:
# http://poptop.lineo.com/
# http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#n# pptp
#a# accept
#t# clients
#i# cluster
#m# 123
#
#   |--------------------------------------------------------------------|
#d# pptp (Port 1723 TCP, Protocol 47)
#d# Hostnames of PPTP clients you'll be communicating with via PPTP
#d# You must declare the PPTP interface as either PUBLIC or PRIVATE !
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Identity of this module, handed to the rc.firewall helpers used below.
module_name="pptp"       # module name used in options (passed to Option_Value)
module_type="clients"    # the module type (clients, servers, etc.)
service_name="PPTP"      # displayed on-screen
service_port="1723"      # TCP port number for this service

#-----------------------------------------------------------------------
# PoPToP VPN (TCP port 1723 for control, IP protocol 47 for the tunnel)
#-----------------------------------------------------------------------
#
# For each host returned by Option_Value, Hostports is asked to accept the
# TCP control connection, and two ipchains rules then accept IP protocol 47
# (GRE) between that host and $IPADDR, one rule per direction.
#
# NOTE(review): the protocol 47 rules carry no port or connection match, so
# the list of accepted hosts is the only restriction on that traffic. Keep
# that list as narrow as possible.

for host in $(Option_Value accept $INTOPT $module_name $module_type); do
	Hostports accept local tcp "$service_name" $host $service_port

	# When CLUSTER_NAME is set, the two chains trade places.
	if [ -n "$CLUSTER_NAME" ]; then
		inchain="$OUTCHAIN"
		outchain="$INCHAIN"
	else
		inchain="$INCHAIN"
		outchain="$OUTCHAIN"
	fi

	# $LOG stays unquoted; presumably it holds an optional logging flag
	# that must vanish from the command line when empty -- confirm
	# against rc.firewall.
	ipchains -A $inchain -j ACCEPT -p 47 -s $host -d $IPADDR $LOG
	ipchains -A $outchain -j ACCEPT -p 47 -s $IPADDR -d $host $LOG
done

# Remove every variable this module set, so none of them outlives it.
unset module_name module_type service_name service_port host inchain outchain

