+# Drop syslog from anywhere but localhost
+# sysklogd cannot bind to specific interface and therefore we need to
+# block access by adding firewall rules
+case "${FWPOLICY}" in
+ REJECT)
+ iptables -A POLICYIN -p udp --dport 514 -j REJECT --reject-with icmp-host-unreachable
+ ;;
+ *)
+ iptables -A POLICYIN -p udp --dport 514 -j DROP
+ ;;
+esac
+
+# Allow access from GREEN
+if [ -n "${GREEN_DEV}" ]; then
+ iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+fi
+
+# Allow access from BLUE
+if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+ iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
+fi
+
+# IPsec INPUT
+case "${HAVE_IPSEC},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
+ ;;
+esac
+