/share/examples/ipfw/change_rules.sh

https://bitbucket.org/freebsd/freebsd-head/ · Shell · 153 lines · 89 code · 15 blank · 49 comment · 14 complexity · 7231a2c7f89e8587c4b1e140c6427a0b MD5 · raw file

  1. #!/bin/sh
  2. #
  3. # Copyright (c) 2000 Alexandre Peixoto
  4. # All rights reserved.
  5. #
  6. # Redistribution and use in source and binary forms, with or without
  7. # modification, are permitted provided that the following conditions
  8. # are met:
  9. # 1. Redistributions of source code must retain the above copyright
  10. # notice, this list of conditions and the following disclaimer.
  11. # 2. Redistributions in binary form must reproduce the above copyright
  12. # notice, this list of conditions and the following disclaimer in the
  13. # documentation and/or other materials provided with the distribution.
  14. #
  15. # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  16. # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  17. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  18. # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  19. # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  20. # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  21. # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  22. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  23. # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  24. # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  25. # SUCH DAMAGE.
  26. #
  27. # $FreeBSD$
  28. # Change ipfw(8) rules with safety guarantees for remote operation
  29. #
  30. # Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
  31. # or vi(1) if the environment variable is not set, for you to edit
  32. # ${firewall_script}, ask for confirmation, and then run
  33. # ${firewall_script}. You can then examine the output of ipfw list and
  34. # confirm whether you want the new version or not.
  35. #
  36. # If no answer is received in 30 seconds, the previous
  37. # ${firewall_script} is run, restoring the old rules (this assumes ipfw
  38. # flush is present in it).
  39. #
  40. # If the new rules are confirmed, they'll replace ${firewall_script} and
  41. # the previous ones will be copied to ${firewall_script}.{date}. Mail
  42. # will also be sent to root with a unified diff of the rule change.
  43. #
  44. # Unapproved rules are kept in ${firewall_script}.new, and you are
  45. # offered the option of changing them instead of the present rules when
  46. # you call this script.
  47. #
  48. # This script could be improved by using version control
  49. # software.
  50. if [ -r /etc/defaults/rc.conf ]; then
  51. . /etc/defaults/rc.conf
  52. source_rc_confs
  53. elif [ -r /etc/rc.conf ]; then
  54. . /etc/rc.conf
  55. fi
  56. EDITOR=${EDITOR:-/usr/bin/vi}
  57. PAGER=${PAGER:-/usr/bin/more}
  58. tempfoo=`basename $0`
  59. TMPFILE=`mktemp -t ${tempfoo}` || exit 1
  60. get_yes_no() {
  61. while true
  62. do
  63. echo -n "$1 (Y/N) ? "
  64. read -t 30 a
  65. if [ $? != 0 ]; then
  66. a="No";
  67. return;
  68. fi
  69. case $a in
  70. [Yy]) a="Yes";
  71. return;;
  72. [Nn]) a="No";
  73. return;;
  74. *);;
  75. esac
  76. done
  77. }
  78. restore_rules() {
  79. nohup sh ${firewall_script} </dev/null >/dev/null 2>&1
  80. rm ${TMPFILE}
  81. exit 1
  82. }
  83. case "${firewall_type}" in
  84. [Cc][Ll][Ii][Ee][Nn][Tt]|\
  85. [Cc][Ll][Oo][Ss][Ee][Dd]|\
  86. [Oo][Pp][Ee][Nn]|\
  87. [Ss][Ii][Mm][Pp][Ll][Ee]|\
  88. [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
  89. edit_file="${firewall_script}"
  90. rules_edit=no
  91. ;;
  92. *)
  93. if [ -r "${firewall_type}" ]; then
  94. edit_file="${firewall_type}"
  95. rules_edit=yes
  96. fi
  97. ;;
  98. esac
  99. if [ -f ${edit_file}.new ]; then
  100. get_yes_no "A new rules file already exists, do you want to use it"
  101. [ $a = 'No' ] && cp ${edit_file} ${edit_file}.new
  102. else
  103. cp ${edit_file} ${edit_file}.new
  104. fi
  105. trap restore_rules SIGHUP
  106. ${EDITOR} ${edit_file}.new
  107. get_yes_no "Do you want to install the new rules"
  108. [ $a = 'No' ] && exit 1
  109. cat <<!
  110. The rules will be changed now. If the message 'Type y to keep the new
  111. rules' does not appear on the screen or the y key is not pressed in 30
  112. seconds, the original rules will be restored.
  113. The TCP/IP connections might be broken during the change. If so, restore
  114. the ssh/telnet connection being used.
  115. !
  116. if [ ${rules_edit} = yes ]; then
  117. nohup sh ${firewall_script} ${firewall_type}.new \
  118. < /dev/null > ${TMPFILE} 2>&1
  119. else
  120. nohup sh ${firewall_script}.new \
  121. < /dev/null > ${TMPFILE} 2>&1
  122. fi
  123. sleep 2;
  124. get_yes_no "Would you like to see the resulting new rules"
  125. [ $a = 'Yes' ] && ${PAGER} ${TMPFILE}
  126. get_yes_no "Type y to keep the new rules"
  127. [ $a != 'Yes' ] && restore_rules
  128. DATE=`date "+%Y%m%d%H%M"`
  129. cp ${edit_file} ${edit_file}.$DATE
  130. mv ${edit_file}.new ${edit_file}
  131. cat <<!
  132. The new rules are now installed. The previous rules have been preserved in
  133. the file ${edit_file}.$DATE
  134. !
  135. diff -F "^# .*[A-Za-z]" -u ${edit_file}.$DATE ${edit_file} \
  136. | mail -s "`hostname` Firewall rule change" root
  137. rm ${TMPFILE}
  138. exit 0