PageRenderTime 38ms CodeModel.GetById 11ms app.highlight 21ms RepoModel.GetById 1ms app.codeStats 1ms

/share/examples/ipfw/change_rules.sh

https://bitbucket.org/freebsd/freebsd-head/
Shell | 153 lines | 89 code | 15 blank | 49 comment | 14 complexity | 7231a2c7f89e8587c4b1e140c6427a0b MD5 | raw file
  1#!/bin/sh
  2#
  3# Copyright (c) 2000 Alexandre Peixoto
  4# All rights reserved.
  5#
  6# Redistribution and use in source and binary forms, with or without
  7# modification, are permitted provided that the following conditions
  8# are met:
  9# 1. Redistributions of source code must retain the above copyright
 10#    notice, this list of conditions and the following disclaimer.
 11# 2. Redistributions in binary form must reproduce the above copyright
 12#    notice, this list of conditions and the following disclaimer in the
 13#    documentation and/or other materials provided with the distribution.
 14#
 15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 25# SUCH DAMAGE.
 26#
 27# $FreeBSD$
 28
 29# Change ipfw(8) rules with safety guarantees for remote operation
 30#
 31# Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
 32# or vi(1) if the environment variable is not set, for you to edit
 33# ${firewall_script}, ask for confirmation, and then run
 34# ${firewall_script}. You can then examine the output of ipfw list and
 35# confirm whether you want the new version or not.
 36#
 37# If no answer is received in 30 seconds, the previous
 38# ${firewall_script} is run, restoring the old rules (this assumes ipfw
 39# flush is present in it).
 40#
 41# If the new rules are confirmed, they'll replace ${firewall_script} and
 42# the previous ones will be copied to ${firewall_script}.{date}. Mail
 43# will also be sent to root with a unified diff of the rule change.
 44#
 45# Unapproved rules are kept in ${firewall_script}.new, and you are
 46# offered the option of changing them instead of the present rules when
 47# you call this script.
 48#
 49# This script could be improved by using version control
 50# software.
 51
 52if [ -r /etc/defaults/rc.conf ]; then
 53	. /etc/defaults/rc.conf
 54	source_rc_confs
 55elif [ -r /etc/rc.conf ]; then
 56	. /etc/rc.conf
 57fi
 58
 59EDITOR=${EDITOR:-/usr/bin/vi}
 60PAGER=${PAGER:-/usr/bin/more}
 61
 62tempfoo=`basename $0`
 63TMPFILE=`mktemp -t ${tempfoo}` || exit 1
 64
 65get_yes_no() {
 66	while true
 67	do
 68		echo -n "$1 (Y/N) ? " 
 69		read -t 30 a
 70		if [ $? != 0 ]; then
 71			a="No";
 72		        return;
 73		fi
 74		case $a in
 75			[Yy]) a="Yes";
 76			      return;;
 77			[Nn]) a="No";
 78			      return;;
 79			*);;
 80		esac
 81	done
 82}
 83
 84restore_rules() {
 85	nohup sh ${firewall_script} </dev/null >/dev/null 2>&1
 86	rm ${TMPFILE}
 87	exit 1
 88}
 89
 90case "${firewall_type}" in
 91[Cc][Ll][Ii][Ee][Nn][Tt]|\
 92[Cc][Ll][Oo][Ss][Ee][Dd]|\
 93[Oo][Pp][Ee][Nn]|\
 94[Ss][Ii][Mm][Pp][Ll][Ee]|\
 95[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 96	edit_file="${firewall_script}"
 97	rules_edit=no
 98	;;
 99*)
100	if [ -r "${firewall_type}" ]; then
101		edit_file="${firewall_type}"
102		rules_edit=yes
103	fi
104	;;
105esac
106
107if [ -f ${edit_file}.new ]; then
108	get_yes_no "A new rules file already exists, do you want to use it"
109	[ $a = 'No' ] && cp ${edit_file} ${edit_file}.new
110else 
111	cp ${edit_file} ${edit_file}.new
112fi
113
114trap restore_rules SIGHUP
115
116${EDITOR} ${edit_file}.new
117
118get_yes_no "Do you want to install the new rules"
119
120[ $a = 'No' ] && exit 1
121
122cat <<!
123The rules will be changed now. If the message 'Type y to keep the new
124rules' does not appear on the screen or the y key is not pressed in 30
125seconds, the original rules will be restored.
126The TCP/IP connections might be broken during the change. If so, restore
127the ssh/telnet connection being used.
128!
129
130if [ ${rules_edit} = yes ]; then
131	nohup sh ${firewall_script} ${firewall_type}.new \
132	    < /dev/null > ${TMPFILE} 2>&1
133else
134	nohup sh ${firewall_script}.new \
135	    < /dev/null > ${TMPFILE} 2>&1
136fi
137sleep 2;
138get_yes_no "Would you like to see the resulting new rules"
139[ $a = 'Yes' ] && ${PAGER} ${TMPFILE}
140get_yes_no "Type y to keep the new rules"
141[ $a != 'Yes' ] && restore_rules
142
143DATE=`date "+%Y%m%d%H%M"`
144cp ${edit_file} ${edit_file}.$DATE
145mv ${edit_file}.new ${edit_file} 
146cat <<!
147The new rules are now installed. The previous rules have been preserved in
148the file ${edit_file}.$DATE
149!
150diff -F "^# .*[A-Za-z]" -u ${edit_file}.$DATE ${edit_file} \
151    | mail -s "`hostname` Firewall rule change" root
152rm ${TMPFILE}
153exit 0