1#!/bin/sh 2# 3# Copyright (c) 2000 Alexandre Peixoto 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25# SUCH DAMAGE. 26# 27# $FreeBSD$ 28 29# Change ipfw(8) rules with safety guarantees for remote operation 30# 31# Invoke this script to edit ${firewall_script}. It will call ${EDITOR}, 32# or vi(1) if the environment variable is not set, for you to edit 33# ${firewall_script}, ask for confirmation, and then run 34# ${firewall_script}. You can then examine the output of ipfw list and 35# confirm whether you want the new version or not. 36# 37# If no answer is received in 30 seconds, the previous 38# ${firewall_script} is run, restoring the old rules (this assumes ipfw 39# flush is present in it). 40# 41# If the new rules are confirmed, they'll replace ${firewall_script} and 42# the previous ones will be copied to ${firewall_script}.{date}. Mail 43# will also be sent to root with a unified diff of the rule change. 44# 45# Unapproved rules are kept in ${firewall_script}.new, and you are 46# offered the option of changing them instead of the present rules when 47# you call this script. 48# 49# This script could be improved by using version control 50# software. 51 52if [ -r /etc/defaults/rc.conf ]; then 53 . /etc/defaults/rc.conf 54 source_rc_confs 55elif [ -r /etc/rc.conf ]; then 56 . /etc/rc.conf 57fi 58 59EDITOR=${EDITOR:-/usr/bin/vi} 60PAGER=${PAGER:-/usr/bin/more} 61 62tempfoo=`basename $0` 63TMPFILE=`mktemp -t ${tempfoo}` || exit 1 64 65get_yes_no() { 66 while true 67 do 68 echo -n "$1 (Y/N) ? " 69 read -t 30 a 70 if [ $? != 0 ]; then 71 a="No"; 72 return; 73 fi 74 case $a in 75 [Yy]) a="Yes"; 76 return;; 77 [Nn]) a="No"; 78 return;; 79 *);; 80 esac 81 done 82} 83 84restore_rules() { 85 nohup sh ${firewall_script} </dev/null >/dev/null 2>&1 86 rm ${TMPFILE} 87 exit 1 88} 89 90case "${firewall_type}" in 91[Cc][Ll][Ii][Ee][Nn][Tt]|\ 92[Cc][Ll][Oo][Ss][Ee][Dd]|\ 93[Oo][Pp][Ee][Nn]|\ 94[Ss][Ii][Mm][Pp][Ll][Ee]|\ 95[Uu][Nn][Kk][Nn][Oo][Ww][Nn]) 96 edit_file="${firewall_script}" 97 rules_edit=no 98 ;; 99*) 100 if [ -r "${firewall_type}" ]; then 101 edit_file="${firewall_type}" 102 rules_edit=yes 103 fi 104 ;; 105esac 106 107if [ -f ${edit_file}.new ]; then 108 get_yes_no "A new rules file already exists, do you want to use it" 109 [ $a = 'No' ] && cp ${edit_file} ${edit_file}.new 110else 111 cp ${edit_file} ${edit_file}.new 112fi 113 114trap restore_rules SIGHUP 115 116${EDITOR} ${edit_file}.new 117 118get_yes_no "Do you want to install the new rules" 119 120[ $a = 'No' ] && exit 1 121 122cat <<! 123The rules will be changed now. If the message 'Type y to keep the new 124rules' does not appear on the screen or the y key is not pressed in 30 125seconds, the original rules will be restored. 126The TCP/IP connections might be broken during the change. If so, restore 127the ssh/telnet connection being used. 128! 129 130if [ ${rules_edit} = yes ]; then 131 nohup sh ${firewall_script} ${firewall_type}.new \ 132 < /dev/null > ${TMPFILE} 2>&1 133else 134 nohup sh ${firewall_script}.new \ 135 < /dev/null > ${TMPFILE} 2>&1 136fi 137sleep 2; 138get_yes_no "Would you like to see the resulting new rules" 139[ $a = 'Yes' ] && ${PAGER} ${TMPFILE} 140get_yes_no "Type y to keep the new rules" 141[ $a != 'Yes' ] && restore_rules 142 143DATE=`date "+%Y%m%d%H%M"` 144cp ${edit_file} ${edit_file}.$DATE 145mv ${edit_file}.new ${edit_file} 146cat <<! 147The new rules are now installed. The previous rules have been preserved in 148the file ${edit_file}.$DATE 149! 150diff -F "^# .*[A-Za-z]" -u ${edit_file}.$DATE ${edit_file} \ 151 | mail -s "`hostname` Firewall rule change" root 152rm ${TMPFILE} 153exit 0 154