#! /usr/X11R6/bin/wish8.0
#
# Please set these values as needed. Additional filter entries may be hard
#  coded into the scanner by adding them to the "Special" procedure. This
#  procedure can be found directly after the configuration variables. It may
#  be the easiest way if you uncomment the examples there.
#
#
# For prescan: If $trust_all is 0, only devices in $trusteddevices are trusted.
# Otherwise, all devices are trusted and may use services on the router, except
# for the world device. In the latter case, $trusteddevices is not used.
# $add_tcp_services and $add_udp_services contain a list of services that are
# reachable from the trusted devices, additionally to the services in
# /etc/inetd.conf.
# $allow_all_local_ipaddr allows the trusted nets to connect to any of the
# local interface addresses, not just to the address from the "host" command
# (i.e. the address the nameserver returned).
# The router sometimes has to use a name server. The firewall needs to open
# a channel for the name server's replies to the router. Please set the
# variable $nameserver_dev to the device, where the name server is to be found.

set trust_all				1
set trusteddevices			[list eth0]
set add_tcp_services		[list ssh 20]
set add_udp_services		{}
set allow_all_local_ipaddr	0
set nameserver_dev			{eth0}

# For prescan: Define these to specify the external service providers for
# news and mail. Use either:
#  1. The real FQDN
#  2. The IP addresses

set newsfeed	"news.hamburg.pop.de"
set mailrelay	"mail.hamburg.pop.de"

# This is the default range of masquerading ports used in linux 2.0.30.
# These numbers are from /usr/src/linux/include/net/ip_masq.h (where they can
# be changed!). As linux itself does not allocate ports above 32k, these
# ports can conveniently be used for masquerading.
# Here, these numbers are only used to open a channel for normal ftp data
# connections (via the port command) from servers in the world, port 20,
# to masqueraded clients in the internal net. (The ftp masquerading code
# (ip_masq_ftp) allocates a masquerading port for the data channel when it
# finds a "port" command on the control connection.)

set masq_begin	61000
set masq_end	[expr $masq_begin + 4096]

# Note: port 20 is used for the data channel in ftp on the server.

proc Special {} {
	# These vars are filled in by the scanner before calling "Special".
	global worlddev worldip hostaddress all_tcp_services all_udp_services
	global ifaddr localaddr
	AddFilt infilters "Priviledged service access to router" "" \
		[list 1 "Priviledged HTTP access to router on eth0" TCP "vader" ""\
		"$hostaddress" "http" "eth0" accept "" 0]
	AddFilt infilters "Priviledged service access to router" "" \
		[list 1 "Priviledged HTTP access to router on eth0" TCP "ferengi" ""\
		"$hostaddress" "http" "eth0" accept "" 0]
	AddFilt infilters "Priviledged service access to router" "" \
		[list 1 "Priviledged HTTP access to router on eth0" TCP "rack1" ""\
		"$hostaddress" "http" "eth0" accept "" 0]
}

# --------------------------------------------------------------------------
# - End of user definitions.
# --------------------------------------------------------------------------

# --------------------------------------------------------------------------
# Procedures
# --------------------------------------------------------------------------

# Stub that adds a filter

proc AddFilt { args } {
	upvar #0 [lindex $args 0] thisfilt
	incr thisfilt
	return [Call "AddFilt $args"]
}

# Stub that adds a category

proc AddCategory { args } {
	return [Call "AddCategory $args"]
}

# Stub that sends a command to stdout and reads a retrun value from stdin.

proc Call { command } {
	puts stdout $command
	flush stdout
	return [gets stdin]
}

# get a list of devices

proc GetDev {} {
	global devlist
	set devlist ""

	set f [open {|cat /proc/net/dev | grep ":" | awk -F ":" "{print $1}" | awk "{print $1}" | sort} r]

	while {[gets $f line] >= 0} {
		set devlist [concat $devlist $line]
	}
	close $f
	Call "set devlist \{$devlist\}"
}

# --------------------------------------------------------------------------
# Core Procedure
# --------------------------------------------------------------------------

# This proc scans the routes and interfaces for default rules

proc Scan {} {
	global infilters forwfilters outfilters devlist trust_all trusteddevices
	global incategories forwcategories outcategories
	global add_tcp_services add_udp_services allow_all_local_ipaddr
	global nameserver_dev
	global newsfeed mailrelay
	global masq_begin masq_end
	# These are global because we want to export them (to the "Special" proc).
	global worlddev worldip hostaddress all_tcp_services all_udp_services
	global ifaddr localaddr

	# sanity checks
	if { [lsearch -exact $devlist $nameserver_dev] < 0 } {
		puts stderr "scan error: nameserver device \"$nameserver_dev\" does not"
		puts stderr "exist on this machine"
		exit 1
	}

	# This is the only variable that is needed by both the scanner and the
	#  GUI.
	Call "set nameserver_dev $nameserver_dev"

	# supply the defaults for any filter that will not be defined below
	Call "set infilters(policy)    accept"
	Call "set forwfilters(policy)  accept"
	Call "set outfilters(policy)   accept"

	# First, try to get the device with the default route (the worlddev)
    set f [open {|/sbin/route -n | grep "^0.0.0.0" | awk "{print $8}" } r]
    gets $f worlddev
	close $f

	# get the interface address of the worlddev
	set f [open [list |/sbin/ifconfig $worlddev | grep {inet addr} | sed {s/.*inet addr:\([^ ]*\).*/\1/} ] r]
	gets $f worldip
	close $f

	# we need to know this host's official IP address
	set fi [open [list |host [exec hostname] | grep address | awk {{print $4}}] ]
	gets $fi hostaddress
	close $fi
#puts "hostaddress is $hostaddress"

	# Here the categories are defined with their respective priorities.

	set AC		AddCategory

	set cnam	incategories
	set in_anti1	[$AC $cnam "Anti-spoofing I on world device"]
	set in_masqback	[$AC $cnam "Backchannels (ext->in) for masqueraded traffic"]
	set in_loopback	[$AC $cnam "Loopback -> router"]
	set in_denyloop	[$AC $cnam "Deny -> 127.0.0.0"]
	set in_dnsback	[$AC $cnam "Backchannels (DNS->router) for router queries"]
	set in_trustacc	[$AC $cnam "Service access from trusted networks to router"]
	set in_privacc	[$AC $cnam "Priviledged service access to router"]
	set in_denyacc	[$AC $cnam "Denial of other access to router"]
	set in_anti2	[$AC $cnam "Anti-spoofing II on internal nets"]
	set in_tcpback	[$AC $cnam "TCP Backchannel (ext->in) for intern. requests"]
	set in_openweb	[$AC $cnam "Access to internal webserver (ext->in)"]
	set in_deliverin [$AC $cnam "Delivery services (ext->in)"]
	set in_dnsreply	[$AC $cnam "Nameserver and ICMP replies from the world (ext->in)"]
	set in_pingwebserv [$AC $cnam "ICMP requests to webserver (ext->in)"]
	set in_lastdeny	[$AC $cnam "Last deny"]

	set cnam	forwcategories
	set forw_masq	[$AC $cnam "Masquerading to the world"]

	set cnam	outcategories
	set out_tcpback	[$AC $cnam "TCP Backchannel (in->ext) for delivery/web"]
	set out_ftpback	[$AC $cnam "FTP Backchannel (in->ext) for masq. FTP DATA!"]
	set out_icmp	[$AC $cnam "ICMP (in->ext) (+webserv ping repl.) to the world"]
	set out_webacc	[$AC $cnam "World web server access (in->ext)"]
	set out_deliverout	[$AC $cnam "Outbound delivery services (in->ext)"]
	set out_servout	[$AC $cnam "User services in the world (in->ext)"]
	set out_dnsreq	[$AC $cnam "Nameserver requests to the world (in->ext)"]
	set out_lastdeny [$AC $cnam "Deny all other traffic to the world (in->ext)"]

	# For masqueraded traffic, we need to open back routes from the router's
	# world interface, with destination ports set to the masquerading ports.
	# This should pose no additional security risk, since the router itself
	# only uses ports 0:32k, and the masqueraded connections are
	#            1. restricted to TCP answers only (Acks)
	#  otherwise 2. FTP server opens data connections, which needs to
	#                find a port in "listen" state -- this may be used
	#                to spoof ftp data, but this risk would be there even
	#                on passive connections (where the 'acked' packets
	#                from the server might be exchanged)
	#  otherwise 3. UDP traffic may come in, but since there are usually
	#                no UDP listeners (except for the internal name server
	#                sometimes, which should better use its own IP address
	#                and not do masquerading anyway), this traffic will
	#                not make it trough. Name server requests may be spoofed
	#                even without this, so no additional insecurity.
	#  otherwise 4. ICMP traffic may come through, with only the types
	#                generally allowed from the world to the internal net.

	AddFilt infilters "" $in_masqback [list 1 "Back route for masqueraded TCP traffic" TCP "0/0" "" "$worldip" "$masq_begin:$masq_end" $worlddev accept Ack 0]
	AddFilt infilters "" $in_masqback [list 1 "Let FTP data connections reach masq. ports" TCP "0/0" "20" "$worldip" "$masq_begin:$masq_end" $worlddev accept "" 0]
	AddFilt infilters "" $in_masqback [list 1 "'Back' route for masqueraded UDP traffic" UDP "0/0" "" "$worldip" "$masq_begin:$masq_end" $worlddev accept "" 0]
	AddFilt infilters "" $in_masqback [list 1 "'Back' route for masqueraded ICMP traffic" ICMP "0/0" "0 3 4 11 12 14" "$worldip" "" $worlddev accept "" 0]


	# First loop through all devices (except loopback, defined by 127.*)
	# If one of these devices is a trusted device (as defined in the
	# preamble), this inserts rules that allow traffic coming from it (with
	# non-spoofed source addresses) to connect to the router itself (to the
	# address returned by "host `hostname`").  For all other devices, we insert
	# rules that deny all traffic to each interface address on the router.
	# NOTE: depending on the value of $allow_all_local_ipaddr, we allow the
	# trusted nets to either connect to the $hostaddress only (which is
	# returned by resolving the routers hostname), or we allow the trusted nets
	# to connect to all of the router's interface addresses.

	# before entering the loop, we need to know what services this router
	# offers: scanning through /etc/inetd.conf and adding the services defined
	# in $add_tcp_services for TCP and $add_udp_services for UDP.
	set fi [open [list |grep /etc/inetd.conf -ie {^[^#]} | grep -i {^[^ 	]*[ 	]*[^ 	]*[ 	]*tcp} | awk {{printf "%s ",$1 }}] ]
	gets $fi inetd_tcp_services
	close $fi
	set fi [open [list |grep /etc/inetd.conf -ie {^[^#]} | grep -i {^[^ 	]*[ 	]*[^ 	]*[ 	]*udp} | awk {{printf "%s ",$1 }}] ]
	gets $fi inetd_udp_services
	close $fi

	set all_tcp_services_ [concat $inetd_tcp_services $add_tcp_services]
	set all_udp_services_ [concat $inetd_udp_services $add_udp_services]

	# Now make sublists of 10 services for TCP
	set len  [llength $all_tcp_services_]
	set num  [expr $len / 10]
	set rest [expr $len - ( $num * 10 )]
	set all_tcp_services ""
	for { set i 0 } { $i < $num } { incr i } {
		lappend all_tcp_services [lrange $all_tcp_services_ [expr $i * 10] [expr ( $i + 1 ) * 10 - 1]]
	}
	lappend all_tcp_services [lrange $all_tcp_services_ [expr $i * 10] [expr $i * 10 + $rest - 1]]

	# Now make sublists of 10 services for UDP
	set len  [llength $all_udp_services_]
	set num  [expr $len / 10]
	set rest [expr $len - ( $num * 10 )]
	set all_udp_services ""
	for { set i 0 } { $i < $num } { incr i } {
		lappend all_udp_services [lrange $all_udp_services_ [expr $i * 10] [expr ( $i + 1 ) * 10 - 1]]
	}
	lappend all_udp_services [lrange $all_udp_services_ [expr $i * 10] [expr $i * 10 + $rest - 1]]

	# get the interface addresses of all devices
	set fi [open [list |/sbin/ifconfig | grep {inet addr} | grep -v {127\..*} | sed {s/.*inet addr:\([^ ]*\).*/\1/} | sort | uniq | awk {{printf "%s ",$1}} ] r]
	gets $fi ifaddr
	close $fi

	# What do we accept as our local address? All interface addresses or
	# just the address returned by the "host" command? See preamble...
	if { $allow_all_local_ipaddr } {
		set localaddr $ifaddr
	} else {
		set localaddr $hostaddress
	}

	# This accepts traffic coming from the loopback interface that is bound to
	# any of the router's addresses (127.*.*.*, $ipaddr).
	# The last rule denies all other accesses to 127.*.*.*
	AddFilt infilters "" $in_loopback [list 1 "Traffic from loopback to net 127.0.0.0" all "0/0" "" "127.0.0.0/8" "" lo accept "" 0]
	set num_of_local [expr [llength $ifaddr]]
	set l 1
	foreach addr $ifaddr {
		AddFilt infilters "" $in_loopback [list 1 "Traffic from loopback to router $l/$num_of_local" all "0/0" "" "$addr" "" lo accept "" 0]
		incr l
	}
	AddFilt infilters "" $in_denyloop [list 1 "Deny traffic to net 127.0.0.0 from elsewhere" all "0/0" "" "127.0.0.0/8" "" "" deny "" 1]

	# The only service that the router itself usually uses - the domain name
	# service - needs to have a back route open (on the device where the
	# internal name server is attached). (Must get through, so have one entry
	# for each interface address.)
	set l 1
	foreach addr $ifaddr {
		AddFilt infilters "" $in_dnsback [list 1 "'Back' route for name server queries $l/[expr 2 * $num_of_local]" UDP "nameserver" "domain" "$addr" "1024:65535" $nameserver_dev accept "" 0]
		incr l
		AddFilt infilters "" $in_dnsback [list 1 "'Back' route for name server queries $l/[expr 2 * $num_of_local]" TCP "nameserver" "domain" "$addr" "1024:65535" $nameserver_dev accept Ack 0]
		incr l
	}

	# These variables are used to set counters on the filters like 1/2 ...
	set num_of_tcp  [expr [llength $localaddr] * [llength $all_tcp_services]]
	set num_of_udp  [expr [llength $localaddr] * [llength $all_udp_services]]
	set num_of_icmp [expr [llength $localaddr]]
	set num_of_deny [expr [llength $ifaddr]]

	# Now look at the devices.
	set f [open {|/sbin/route -n | grep "[0-9]" | awk "{print $8,$1,$3}" | sort
| grep -v " 127\." } r]

    while {[gets $f line] >= 0} {
		set dev        "[lindex $line 0]"
		set sourceip   "[lindex $line 1]"
		set sourcemask "[lindex $line 2]"

		# Here we convert the mask into its number of one bits
		set ff [open "|echo $sourcemask | convmask"  r]
		gets $ff smbits
		close $ff

		set source     $sourceip/$smbits

		if { [lsearch -exact $trusteddevices $dev] != -1 ||
			 $trust_all == 1 && [string compare $dev $worlddev] != 0 } {
			# We trust this device:
			# insert accept filters for this device
			set t 1 ; set u 1 ; set i 1
			foreach addr $localaddr {
				foreach serv $all_tcp_services {
					AddFilt infilters "" $in_trustacc [list 1 "TCP to router from $source on $dev $t/$num_of_tcp" TCP "$source" "" "$addr" "$serv" $dev accept "" 0]
				incr t
				}
			}
			foreach addr $localaddr {
				foreach serv $all_udp_services {
					AddFilt infilters "" $in_trustacc [list 1 "UDP to router from $source on $dev $u/$num_of_udp" UDP "$source" "" "$addr" "$serv" $dev accept "" 0]
				incr u
				}
			}
			foreach addr $localaddr {
				AddFilt infilters "" $in_trustacc [list 1 "ICMP to router from $source on $dev $i/$num_of_icmp" ICMP "$source" "0 3 4 8 11 12 13 14" "$addr" "" $dev accept "" 0]
				incr i
			}
		}
	}
	close $f

	# This rule denies all traffic to the router that "falls through" the above
	#  rules
	set d 1
	foreach addr $ifaddr {
		AddFilt infilters "" $in_denyacc [list 1 "Deny traffic to router from elsewhere (and log) $d/$num_of_deny" all "0/0" "" "$addr" "" "" deny "" 1]
		incr d
	}

	# Now, the second loop through all devices (except for loopback)

	set f [open {|/sbin/route -n | grep "[0-9]" | awk "{print $8,$1,$3}" | sort | grep -v " 127\." } r]

    while {[gets $f line] >= 0} {
		set dev        "[lindex $line 0]"
		set sourceip   "[lindex $line 1]"
		set sourcemask "[lindex $line 2]"

		# Here we convert the mask into its number of one bits
		set ff [open "|echo $sourcemask | convmask"  r]
		gets $ff smbits
		close $ff

		set source     $sourceip/$smbits

		# We need to protect the internal nets from spoofing from the external
		#  net. Thus we deny packets with *internal* source addresses that come
		#  from the worlddev (worlddev source addresses are explicitly excluded
		#  here).
		if { [string compare $worlddev ""] != 0 && [string compare $worlddev $dev] != 0 } {
			AddFilt infilters "" $in_anti1 [list 1 "Anti-spoofing on $worlddev" all "$source" "" "0/0" "" $worlddev deny "" 0]
		}

		# This adds rules to the infilters that open them for regular traffic.
		# The spoofing rules above are inserted at the beginning of the list,
		# so that they are found first...
		# The traffic from worlddev is filtered in four categories, TCP, UDP,
		# ICMP and TCP backchannel, where each category may have several
		# service filters.
		if { [string compare $worlddev ""] != 0 && [string compare $worlddev $dev] == 0 && [string compare $sourceip "0.0.0.0"] == 0} {
			AddFilt infilters "" $in_tcpback [list 1 "TCP backchannel from the world" TCP "$source" "" "0/0" "" $dev accept Ack 0]
			AddFilt infilters "" $in_openweb [list 1 "Access to our web server from the world" TCP "$source" "" "webserver" "http" $dev accept "" 0]
			AddFilt infilters "" $in_deliverin [list 1 "Mail delivery from external mail relay (SMTP)" TCP "$mailrelay" "1024:65535" "mailserver" "smtp" $dev accept "" 0]
			AddFilt infilters "" $in_deliverin [list 1 "Mail delivery from external mail relay (UUCP)" TCP "$mailrelay" "1024:65535" "mailserver" "uucp" $dev accept "" 0]
			AddFilt infilters "" $in_deliverin [list 1 "News from external news feed over NNTP" TCP "$newsfeed" "1024:65535" "newsserver" "nntp" $dev accept "" 0]
			AddFilt infilters "" $in_deliverin [list 1 "News from external news feed over UUCP" TCP "$newsfeed" "1024:65535" "newsserver" "uucp" $dev accept "" 0]
			AddFilt infilters "" $in_dnsreply [list 1 "Nameserver replies from the internet" UDP "$source" "domain" "nameserver" "domain" $dev accept "" 0]
			# allow echo reply, destination unreach., source quench,
			# time exceeded, parameter problem, timestamp reply
			AddFilt infilters "" $in_dnsreply [list 1 "ICMP messages from the internet" ICMP "$source" "0 3 4 11 12 14" "0/0" "" $dev accept "" 0]
			AddFilt infilters "" $in_pingwebserv [list 1 "ICMP pings from the internet to the webserver" ICMP "$source" "8" "webserver" "" $dev accept "" 0]
		} else {
			# if this is a point-to-point route, say so in the comment...
			if { $smbits != 32 } {
				AddFilt infilters "" $in_anti2 [list 1 "Regular source from $dev" all "$source" "" "0/0" "" $dev accept "" 0]
			} else {
				AddFilt infilters "" $in_anti2 [list 1 "Regular source from 'HostIp' on $dev" all "$source" "" "0/0" "" $dev accept "" 0]
			}
		}

		# Is this a private network ? Then masquerade... (nets *and* host
		# routes -- some connections need only one IP address, so they only
		# have a host route...)
		if { ( [string match "192.168.*" $sourceip] == 1 \
			|| [string match "172.16.*"  $sourceip] == 1 \
			|| [string match "10.*"      $sourceip] == 1 ) } {

			AddFilt forwfilters "" $forw_masq [list 1 "Masquerading source from $dev" all "$source" "" "0/0" "" $worlddev masq "" 0]
		}

		# No specific output filtering based on a route...
##		AddFilt outfilters "" $out_regout [list 1 "Regular source from $dev" all "$source" "" "0/0" "" $worlddev accept "" 0]
    }
    close $f

	# For logging, all routes not matching the installed input filters
	# are matched with a final deny rule which has logging on.
	AddFilt infilters "" $in_lastdeny [list 1 "Deny and log everything else" all "0/0" "" "0/0" "" "" deny "" 1]

	# Return routes for internal servers / mail delivery
	AddFilt outfilters "" $out_tcpback [list 1 "TCP backchannel from the webserver" TCP "webserver" "http" "0/0" "" $worlddev accept Ack 0]
	AddFilt outfilters "" $out_tcpback [list 1 "Return route for mail delivery to internal server (SMTP)" TCP "mailserver" "smtp" "$mailrelay" "1024:65535" $worlddev accept Ack 0]
	AddFilt outfilters "" $out_tcpback [list 1 "Return route for mail delivery to internal server (UUCP)" TCP "mailserver" "uucp" "$mailrelay" "1024:65535" $worlddev accept Ack 0]
	AddFilt outfilters "" $out_tcpback [list 1 "Return route for news delivery to us (NNTP)" TCP "newsserver" "nntp" "$newsfeed" "1024:65535" $worlddev accept Ack 0]
	AddFilt outfilters "" $out_tcpback [list 1 "Return route for news delivery to us (UUCP)" TCP "newsserver" "uucp" "$newsfeed" "1024:65535" $worlddev accept Ack 0]
	AddFilt outfilters "" $out_ftpback [list 1 "Return route for FTP data connections using masq." TCP "$worldip" "$masq_begin:$masq_end" "0/0" "20" $worlddev accept Ack 0]
	# allow source quench, echo request, parameter problem, timestamp
	# request
	AddFilt outfilters "" $out_icmp [list 1 "ICMP messages to the internet" ICMP "0/0" "4 8 12 13" "0/0" "" $worlddev accept "" 0]
	AddFilt outfilters "" $out_icmp [list 1 "ICMP pings (replies) from webserver to the internet" ICMP "webserver" "0" "0/0" "" $worlddev accept "" 0]

	# The output filters are used to specifically restrict access to services
	# and destinations. This adds some rules to the output filters to restrict
	# access to Internet services. They should probably be edited. Other rules
	# need to be inserted by hand.
	AddFilt outfilters "" $out_webacc [list 1 "Access to the world's web servers" TCP "0/0" "" "0/0" "http" $worlddev accept "" 0]
	AddFilt outfilters "" $out_webacc [list 1 "Access to the world's secure HTTP web servers" TCP "0/0" "" "0/0" "443" $worlddev accept "" 0]
	AddFilt outfilters "" $out_deliverout [list 1 "Sending mail from the mail server to the world (SMTP)" TCP "mailserver" "" "0/0" "smtp" $worlddev accept "" 0]
	AddFilt outfilters "" $out_deliverout [list 1 "Sending mail from the mail server to mail relay (UUCP)" TCP "mailserver" "" "$mailrelay" "uucp" $worlddev accept "" 0]
	AddFilt outfilters "" $out_deliverout [list 1 "Posting news to the newsfeed (NNTP)" TCP "newsserver" "1024:65535" "$newsfeed" "nntp" $worlddev accept "" 0]
	AddFilt outfilters "" $out_deliverout [list 1 "Posting news to the newsfeed (UUCP)" TCP "newsserver" "1024:65535" "$newsfeed" "uucp" $worlddev accept "" 0]
	AddFilt outfilters "" $out_servout [list 1 "Using FTP to the outside" TCP "0/0" "1024:65535" "0/0" "ftp" $worlddev accept "" 0]
	AddFilt outfilters "" $out_servout [list 1 "Using Telnet to the outside" TCP "0/0" "1024:65535" "0/0" "telnet" $worlddev accept "" 0]
	AddFilt outfilters "" $out_servout [list 1 "Using slogin/ssh to the outside" TCP "0/0" "1024:65535" "0/0" "22" $worlddev accept "" 0]
	AddFilt outfilters "" $out_dnsreq [list 1 "The name server may ask anybody for names using UDP" UDP "nameserver" "domain" "0/0" "domain" $worlddev accept "" 0]
	AddFilt outfilters "" $out_dnsreq [list 1 "The name server may ask anybody for names using TCP" TCP "nameserver" "domain" "0/0" "domain" $worlddev accept "" 0]

	# To the internet, we do not allow other services to be accepted. Since
	# the default policy for output is most practically still "accept" (for
	# the internal nets to communicate freely), this last rule denies all
	# other services to the web (and logs them).
	AddFilt outfilters "" $out_lastdeny [list 1 "Deny all other connections to the Internet" all "0/0" "" "0/0" "" $worlddev deny "" 1]

	# This sets up user defined filters.
	Special

	# Any filterlist that received an entry will now have the default policy
	#  of "deny", though not for the forward and output filters...
	if { $infilters != 0 } {
		 Call "set infilters(policy) deny" }
#	if { $forwcategories != 0 } {
#		 Call "set forwfilters(policy) deny" }
#	if { $outcategories != 0 } {
#		 Call "set outfilters(policy) deny" }
}

set infilters	0
set forwfilters	0
set outfilters	0

if {$argc > 0} {
    switch -exact -- [lindex $argv 0] {
		--getdev	-
		-getdev		{
					GetDev
					exit
		}
	}
} else {
	GetDev
	Scan
#puts stderr "infilters: $infilters"
#puts stderr "forwfilters: $forwfilters"
#puts stderr "outfilters: $outfilters"
	exit
}
