xref: /freebsd/share/examples/ipfw/change_rules.sh (revision a03411e84728e9b267056fd31c7d1d9d1dc1b01e)
1#!/bin/sh
2#
3# SPDX-License-Identifier: BSD-2-Clause
4#
5# Copyright (c) 2000 Alexandre Peixoto
6# All rights reserved.
7#
8# Redistribution and use in source and binary forms, with or without
9# modification, are permitted provided that the following conditions
10# are met:
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13# 2. Redistributions in binary form must reproduce the above copyright
14#    notice, this list of conditions and the following disclaimer in the
15#    documentation and/or other materials provided with the distribution.
16#
17# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27# SUCH DAMAGE.
28#
29
30# Change ipfw(8) rules with safety guarantees for remote operation
31#
32# Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
33# or vi(1) if the environment variable is not set, for you to edit
34# ${firewall_script}, ask for confirmation, and then run
35# ${firewall_script}. You can then examine the output of ipfw list and
36# confirm whether you want the new version or not.
37#
38# If no answer is received in 30 seconds, the previous
39# ${firewall_script} is run, restoring the old rules (this assumes ipfw
40# flush is present in it).
41#
42# If the new rules are confirmed, they'll replace ${firewall_script} and
43# the previous ones will be copied to ${firewall_script}.{date}. Mail
44# will also be sent to root with a unified diff of the rule change.
45#
46# Unapproved rules are kept in ${firewall_script}.new, and you are
47# offered the option of changing them instead of the present rules when
48# you call this script.
49#
50# This script could be improved by using version control
51# software.
52
53if [ -r /etc/defaults/rc.conf ]; then
54	. /etc/defaults/rc.conf
55	source_rc_confs
56elif [ -r /etc/rc.conf ]; then
57	. /etc/rc.conf
58fi
59
60EDITOR=${EDITOR:-/usr/bin/vi}
61PAGER=${PAGER:-/usr/bin/more}
62
63tempfoo=`basename $0`
64TMPFILE=`mktemp -t ${tempfoo}` || exit 1
65
66get_yes_no() {
67	while true
68	do
69		echo -n "$1 (Y/N) ? "
70		read -t 30 a
71		if [ $? != 0 ]; then
72			a="No";
73		        return;
74		fi
75		case $a in
76			[Yy]) a="Yes";
77			      return;;
78			[Nn]) a="No";
79			      return;;
80			*);;
81		esac
82	done
83}
84
85restore_rules() {
86	nohup sh ${firewall_script} </dev/null >/dev/null 2>&1
87	rm ${TMPFILE}
88	exit 1
89}
90
91case "${firewall_type}" in
92[Cc][Ll][Ii][Ee][Nn][Tt]|\
93[Cc][Ll][Oo][Ss][Ee][Dd]|\
94[Oo][Pp][Ee][Nn]|\
95[Ss][Ii][Mm][Pp][Ll][Ee]|\
96[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
97	edit_file="${firewall_script}"
98	rules_edit=no
99	;;
100*)
101	if [ -r "${firewall_type}" ]; then
102		edit_file="${firewall_type}"
103		rules_edit=yes
104	fi
105	;;
106esac
107
108if [ -f ${edit_file}.new ]; then
109	get_yes_no "A new rules file already exists, do you want to use it"
110	[ $a = 'No' ] && cp ${edit_file} ${edit_file}.new
111else
112	cp ${edit_file} ${edit_file}.new
113fi
114
115trap restore_rules SIGHUP
116
117${EDITOR} ${edit_file}.new
118
119get_yes_no "Do you want to install the new rules"
120
121[ $a = 'No' ] && exit 1
122
123cat <<!
124The rules will be changed now. If the message 'Type y to keep the new
125rules' does not appear on the screen or the y key is not pressed in 30
126seconds, the original rules will be restored.
127The TCP/IP connections might be broken during the change. If so, restore
128the ssh/telnet connection being used.
129!
130
131if [ ${rules_edit} = yes ]; then
132	nohup sh ${firewall_script} ${firewall_type}.new \
133	    < /dev/null > ${TMPFILE} 2>&1
134else
135	nohup sh ${firewall_script}.new \
136	    < /dev/null > ${TMPFILE} 2>&1
137fi
138sleep 2;
139get_yes_no "Would you like to see the resulting new rules"
140[ $a = 'Yes' ] && ${PAGER} ${TMPFILE}
141get_yes_no "Type y to keep the new rules"
142[ $a != 'Yes' ] && restore_rules
143
144DATE=`date "+%Y%m%d%H%M"`
145cp ${edit_file} ${edit_file}.$DATE
146mv ${edit_file}.new ${edit_file}
147cat <<!
148The new rules are now installed. The previous rules have been preserved in
149the file ${edit_file}.$DATE
150!
151diff -u ${edit_file}.$DATE ${edit_file} \
152    | mail -s "`hostname` Firewall rule change" root
153rm ${TMPFILE}
154exit 0
155