{
		# deny/log fragment to match ipsets maintained by emerging-threats:
		#  https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
		#
		# create ipsets
		# add ULOG and DROP entries
		#
		}
		
		# create et-* lists (-! suppressing errors)
		/usr/sbin/ipset -! create et-blacklist iphash --hashsize 26244
		/usr/sbin/ipset -! create et-blacklistnet nethash --hashsize 3456
		/usr/sbin/ipset -! create et-whitelist hash:net -exist
		
		# populate et-whitelist
		# this should use db variables and localnets...
		/usr/sbin/ipset add et-whitelist 192.168.200.0/24 -exist
		/usr/sbin/ipset add et-whitelist 0.0.0.0 -exist
		/usr/sbin/ipset add et-whitelist 127.0.0.1 -exist
		/usr/sbin/ipset add et-whitelist 127.0.0.2 -exist
		/usr/sbin/ipset add et-whitelist 69.46.36.28 -exist
		/usr/sbin/ipset add et-whitelist 204.178.115.101 -exist
		
		# delete all existing rules relating to et-blacklist and et-whitelist entries
		for r in $(iptables --line-numbers --list INPUT |grep "match-set.*et-"  |cut -d\  -f1 |sort -r)
		do 
			iptables -D INPUT $r
		done
		
		# create new chain
		/sbin/iptables --new-chain emerging-threats-blocklist
		
		# create new rules
		# et-whitelist
		/sbin/iptables --append emerging-threats-blocklist -m set --set et-whitelist src --jump RETURN
		
		# et-blacklists
		/sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklistnet src,dst -j ULOG --ulog-nlgroup 1 --ulog-prefix "et-blacklistnet: "
		/sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklistnet src,dst -j DROP
		/sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklist src,dst -j ULOG --ulog-nlgroup 1 --ulog-prefix "et-blacklist: "
		/sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklist src,dst -j DROP
		/sbin/iptables --append emerging-threats-blocklist -j RETURN

		# activate new rules
		/sbin/iptables --insert INPUT 1 -j emerging-threats-blocklist