
#-----------------------------------------------------------------------
# Copyright (C) 2000-2001, Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#-----------------------------------------------------------------------
# $Id: 610-afp-servers,v 1.1 2001/10/04 23:32:27 cjgraham Exp $
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# Allow a Macintosh to connect to an Apple File Server host.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 23
#a# accept ignore deny
#i# cluster
#n# afp
#t# servers
#
#   |--------------------------------------------------------------------|
#d# afp (Ports 548 TCP, 548 UDP)
#d# The following rules will allow an internal Macintosh to connect to
#d# an external Apple File Server host when strict or paranoid mode is on.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Identity of this module: both values are handed to Option_Value when the
# per-action host lists are looked up.
module_name="afp"
module_type="servers"

# Label printed in the on-screen rule summary and passed to Hostports.
service_name="AFP"

# AFP service port; the same number is matched for TCP and for UDP.
tcp_service_port="548"
udp_service_port="548"

#--------------------------------------------------------------------
# AFP (Port 548)
#--------------------------------------------------------------------

# Decide which chain plays the "in" role and which the "out" role.
# With CLUSTER_NAME empty or unset, INCHAIN/OUTCHAIN are used as given;
# with CLUSTER_NAME set, the two are swapped.
# NOTE(review): inchain is not referenced again in this module; presumably
# Hostports reads it as a global -- confirm against its definition.
if [ -z "$CLUSTER_NAME" ]; then
	inchain="$INCHAIN"
	outchain="$OUTCHAIN"
else
	inchain="$OUTCHAIN"
	outchain="$INCHAIN"
fi

# Walk the three option lists in the order ignore, deny, accept.
# The reject rules are therefore appended before any accept rule. ipchains
# evaluates a chain top to bottom, so a host listed under ignore/deny is
# rejected ahead of an accept rule appended later to the same chain.
# NOTE(review): where Hostports places its accept rules is not visible
# here -- confirm the ordering holds for the chains it writes to.
for action in ignore deny accept
do
	# "deny" always logs: it forces the ipchains -l flag and the "(logged)"
	# marker. "ignore" and "accept" take whatever LOG / LOG_MSG hold; both
	# are set outside this module.
	if [ "$action" = "deny" ]; then
		action_log_msg="(logged)"
		action_log="-l"
	else
		action_log_msg="$LOG_MSG"
		action_log="$LOG"
	fi

	# Option_Value prints the hosts configured for this action. The
	# substitution is left unquoted on purpose so it splits into one host
	# per word.
	for host in $(Option_Value $action $INTOPT $module_name $module_type)
	do
		if [ "$action" = "accept" ]; then
			# Accepted hosts are delegated to Hostports, once per protocol.
			# Only the TCP call carries the service label.
			Hostports accept remote tcp "$service_name" $host $tcp_service_port
			Hostports accept remote udp "" $host $udp_service_port
		else
			# ignore and deny both install REJECT rules on the out chain;
			# they differ only in the logging flag chosen above.
			echo "Reject $INTOPT $IPADDR -> $host $service_name $action_log_msg"
			# -y restricts the TCP rule to connection-opening (SYN) packets.
			# $action_log stays unquoted so an empty value adds no argument.
			ipchains -A $outchain -j REJECT -p tcp -y -s $IPADDR -d $host $tcp_service_port $action_log
			ipchains -A $outchain -j REJECT -p udp -s $IPADDR -d $host $udp_service_port $action_log
		fi
	done
done

# Clear every variable this module assigned so none of them lingers in the
# shell that ran it (presumably the module is sourced by the firewall
# script -- confirm).
unset module_name module_type service_name
unset tcp_service_port udp_service_port
unset action action_log action_log_msg
unset host inchain outchain

