#!/usr/bin/sh

## setup gw0
if [ `dladm show-vnic | grep gw0 | wc -l` -ne 1 ]; then
  /usr/sbin/dladm create-vnic -m 2:8:20:bc:d5:5f -l switch0 gw0
  /usr/sbin/ipadm create-addr -T static -a 172.16.0.1/24 gw0/v4
fi

## setup ip forwarding
/usr/sbin/routeadm -u -e ipv4-forwarding
/usr/sbin/routeadm -u -e ipv6-forwarding

## clear nat and firewall rules
[ -e /etc/ipf/ipnat.conf ] && rm /etc/ipf/ipnat.conf
[ -e /etc/ipf/ipf.conf ] && rm /etc/ipf/ipf.conf

## setup firewall
echo "# Default policies" >> /etc/ipf/ipf.conf
echo "pass out all keep state" >> /etc/ipf/ipf.conf
echo "block in all" >> /etc/ipf/ipf.conf
echo "block return-rst in log first proto tcp all" >> /etc/ipf/ipf.conf
echo "block return-icmp(host-unr) in log proto udp all" >> /etc/ipf/ipf.conf
echo "pass out quick proto udp from any to any port = 53" >> /etc/ipf/ipf.conf
echo "# Allow Loopback" >> /etc/ipf/ipf.conf
echo "pass in quick on lo0 all" >> /etc/ipf/ipf.conf
echo "pass out quick on lo0 all" >> /etc/ipf/ipf.conf
echo "# Allow ICMP" >> /etc/ipf/ipf.conf
echo "pass out quick proto icmp all keep state" >> /etc/ipf/ipf.conf
echo "pass in quick proto icmp all keep state" >> /etc/ipf/ipf.conf
echo "# Allow SSH" >> /etc/ipf/ipf.conf
echo "pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags" >> /etc/ipf/ipf.conf

## setup portforwarding
echo "rdr e1000g0 from any to any port = 2201 -> 172.16.0.2 port 22 tcp" >> /etc/ipf/ipnat.conf
echo "pass in quick proto tcp from any to any port = 2201 flags S/FSRPAU keep state keep frags" >> /etc/ipf/ipf.conf
echo "rdr e1000g0 from any to any port = 2202 -> 172.16.0.3 port 22 tcp" >> /etc/ipf/ipnat.conf
echo "pass in quick proto tcp from any to any port = 2202 flags S/FSRPAU keep state keep frags" >> /etc/ipf/ipf.conf

## setup outbound nat
echo "map e1000g0 from 172.16.0.0/24 to any -> 0/32 proxy port ftp ftp/tcp" >> /etc/ipf/ipnat.conf
echo "map e1000g0 from 172.16.0.0/24 to any -> 0/32 portmap tcp/udp auto" >> /etc/ipf/ipnat.conf
echo "map e1000g0 from 172.16.0.0/24 to any -> 0/32" >> /etc/ipf/ipnat.conf

## enable firewall / NET
/usr/sbin/ipf -E -Fa -v -f /etc/ipf/ipf.conf
/usr/sbin/ipnat -C -v -f /etc/ipf/ipnat.conf

## OVH/Kimsufi NTP fix
#/usr/sbin/svcadm disable ntp
#/usr/bin/grep -v server /etc/inet/ntp.conf > /tmp/ntp.conf
#echo "server europe.pool.ntp.org" >> /tmp/ntp.conf
#/usr/bin/mv /tmp/ntp.conf /etc/inet/ntp.conf
#/usr/sbin/svcadm enable ntp