change_rules.sh (978243bd80a17607addca02212af7e1aa7f4e8e0) change_rules.sh (7b4d3c72cc4ba8071f0fde23be4a06e3515c3ffc)
1#!/bin/sh
2#
3# Copyright (c) 2000 Alexandre Peixoto
4# All rights reserved.
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:

--- 14 unchanged lines hidden (view full) ---

23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26#
27# $FreeBSD$
28
29# Change ipfw(8) rules with safety guarantees for remote operation
30#
1#!/bin/sh
2#
3# Copyright (c) 2000 Alexandre Peixoto
4# All rights reserved.
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:

--- 14 unchanged lines hidden (view full) ---

23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26#
27# $FreeBSD$
28
29# Change ipfw(8) rules with safety guarantees for remote operation
30#
31# Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
32# or vi(1) if the environment variable is not set, for you to edit
33# ${firewall_script}, ask for confirmation, and then run
34# ${firewall_script}. You can then examine the output of ipfw list and
35# confirm whether you want the new version or not.
31# Invoke this script to edit rc.firewall. It will call ${EDITOR}, or
32# vi(1) if the environment variable is not set, for you to edit rc.firewall,
33# asks for confirmation and then run rc.firewall. You can then examine
34# the output of ipfw list and confirm whether you want the new version or
35# not.
36#
36#
37# If no answer is received in 30 seconds, the previous
38# ${firewall_script} is run, restoring the old rules (this assumes ipfw
39# flush is present in it).
37# If no answer is received in 30 seconds, the previous rc.firewall is
38# run, restoring the old rules (this assumes ipfw flush is present in
39# it).
40#
40#
41# If the new rules are confirmed, they'll replace ${firewall_script} and
42# the previous ones will be copied to ${firewall_script}.{date}. Mail
43# will also be sent to root with a unified diff of the rule change.
41# If the new rules are confirmed, they'll replace rc.firewall and the
42# previous ones will be copied to rc.firewall.{date}. A mail will also
43# be sent to root with the unified diffs of the rule change.
44#
44#
45# Unapproved rules are kept in ${firewall_script}.new, and you are
46# offered the option of changing them instead of the present rules when
47# you call this script.
45# Non-approved rules are kept in rc.firewall.new, and you are offered
46# the option of changing them instead of the present rules when you
47# call this script.
48#
48#
49# This script could be improved by using version control
49# It is suggested improving this script by using some version control
50# software.
51
50# software.
51
52if [ -r /etc/defaults/rc.conf ]; then
53 . /etc/defaults/rc.conf
54 source_rc_confs
55elif [ -r /etc/rc.conf ]; then
56 . /etc/rc.conf
57fi
58
59EDITOR=${EDITOR:-/usr/bin/vi}
60PAGER=${PAGER:-/usr/bin/more}
61
62tempfoo=`basename $0`
63TMPFILE=`mktemp -t ${tempfoo}` || exit 1
64
65get_yes_no() {
66 while true
67 do
68 echo -n "$1 (Y/N) ? "
69 read -t 30 a
70 if [ $? != 0 ]; then
71 a="No";
72 return;

--- 4 unchanged lines hidden (view full) ---

77 [Nn]) a="No";
78 return;;
79 *);;
80 esac
81 done
82}
83
84restore_rules() {
52get_yes_no() {
53 while true
54 do
55 echo -n "$1 (Y/N) ? "
56 read -t 30 a
57 if [ $? != 0 ]; then
58 a="No";
59 return;

--- 4 unchanged lines hidden (view full) ---

64 [Nn]) a="No";
65 return;;
66 *);;
67 esac
68 done
69}
70
71restore_rules() {
85 nohup sh ${firewall_script} </dev/null >/dev/null 2>&1
86 rm ${TMPFILE}
87 exit 1
72 nohup sh /etc/rc.firewall >/dev/null 2>&1
73 exit
88}
89
74}
75
90case "${firewall_type}" in
91[Cc][Ll][Ii][Ee][Nn][Tt]|\
92[Cc][Ll][Oo][Ss][Ee][Dd]|\
93[Oo][Pp][Ee][Nn]|\
94[Ss][Ii][Mm][Pp][Ll][Ee]|\
95[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
96 edit_file="${firewall_script}"
97 rules_edit=no
98 ;;
99*)
100 if [ -r "${firewall_type}" ]; then
101 edit_file="${firewall_type}"
102 rules_edit=yes
103 fi
104 ;;
105esac
106
107if [ -f ${edit_file}.new ]; then
76if [ -f /etc/rc.firewall.new ]; then
108 get_yes_no "A new rules file already exists, do you want to use it"
77 get_yes_no "A new rules file already exists, do you want to use it"
109 [ $a = 'No' ] && cp ${edit_file} ${edit_file}.new
78 [ $a = 'No' ] && cp /etc/rc.firewall /etc/rc.firewall.new
110else
79else
111 cp ${edit_file} ${edit_file}.new
80 cp /etc/rc.firewall /etc/rc.firewall.new
112fi
113
114trap restore_rules SIGHUP
115
81fi
82
83trap restore_rules SIGHUP
84
116${EDITOR} ${edit_file}.new
85vi /etc/rc.firewall.new
117
118get_yes_no "Do you want to install the new rules"
119
86
87get_yes_no "Do you want to install the new rules"
88
120[ $a = 'No' ] && exit 1
89[ $a = 'No' ] && exit
121
122cat <<!
90
91cat <<!
123The rules will be changed now. If the message 'Type y to keep the new
124rules' does not appear on the screen or the y key is not pressed in 30
125seconds, the original rules will be restored.
92The rules will be changed now. If the message 'Type y to keep the new rules'
93do not appear on the screen or the y key is not pressed in 30 seconds, the
94former rules will be restored.
126The TCP/IP connections might be broken during the change. If so, restore
127the ssh/telnet connection being used.
128!
129
95The TCP/IP connections might be broken during the change. If so, restore
96the ssh/telnet connection being used.
97!
98
130if [ ${rules_edit} = yes ]; then
131 nohup sh ${firewall_script} ${firewall_type}.new \
132 < /dev/null > ${TMPFILE} 2>&1
133else
134 nohup sh ${firewall_script}.new \
135 < /dev/null > ${TMPFILE} 2>&1
136fi
99nohup sh /etc/rc.firewall.new > /tmp/rc.firewall.out 2>&1;
137sleep 2;
138get_yes_no "Would you like to see the resulting new rules"
100sleep 2;
101get_yes_no "Would you like to see the resulting new rules"
139[ $a = 'Yes' ] && ${PAGER} ${TMPFILE}
102[ $a = 'Yes' ] && vi /tmp/rc.firewall.out
140get_yes_no "Type y to keep the new rules"
141[ $a != 'Yes' ] && restore_rules
142
143DATE=`date "+%Y%m%d%H%M"`
103get_yes_no "Type y to keep the new rules"
104[ $a != 'Yes' ] && restore_rules
105
106DATE=`date "+%Y%m%d%H%M"`
144cp ${edit_file} ${edit_file}.$DATE
145mv ${edit_file}.new ${edit_file}
107cp /etc/rc.firewall /etc/rc.firewall.$DATE
108mv /etc/rc.firewall.new /etc/rc.firewall
146cat <<!
109cat <<!
147The new rules are now installed. The previous rules have been preserved in
148the file ${edit_file}.$DATE
110The new rules are now default. The previous rules have been preserved
111in the file /etc/rc.firewall.$DATE
149!
112!
150diff -F "^# .*[A-Za-z]" -u ${edit_file}.$DATE ${edit_file} \
151 | mail -s "`hostname` Firewall rule change" root
152rm ${TMPFILE}
153exit 0
113diff -F "^# .*[A-Za-z]" -u /etc/rc.firewall.$DATE /etc/rc.firewall | mail -s "`hostname` Firewall rule change" root
114
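Review bot: The `*)` arm of `case "${firewall_type}"` (new side, gutter lines 99-104) sets edit_file and rules_edit only when firewall_type names a readable file, so any other value falls through with both unset and the script goes on to run `cp ${edit_file} ${edit_file}.new`, hand a bare `.new` to ${EDITOR}, and evaluate `[ ${rules_edit} = yes ]` with an empty left operand. Fail early there instead by adding `else` / `echo "firewall_type '${firewall_type}' is neither a known type nor a readable rules file" >&2; exit 1` before the `fi`. The same unset-variable hazard presumably applies to firewall_script when only the `elif [ -r /etc/rc.conf ]` branch runs, so a `: "${firewall_script:?firewall_script is not set}"` guard after the rc.conf block would make that failure explicit rather than letting `nohup sh .new` run. Separately, ${TMPFILE} (created with mktemp at gutter 63, which correctly replaces the predictable /tmp/rc.firewall.out of the old version) is not removed on the `exit 1` at gutter 120; a `trap 'rm -f "${TMPFILE}"' EXIT` right after the mktemp line would cover every exit path without changing restore_rules.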