share/examples/ipfw/change_rules.sh

   1 #!/bin/sh
   2 #
   3 # Copyright (c) 2000 Alexandre Peixoto
   4 # All rights reserved.
   5 #
   6 # Redistribution and use in source and binary forms, with or without
   7 # modification, are permitted provided that the following conditions
   8 # are met:
   9 # 1. Redistributions of source code must retain the above copyright
  10 #    notice, this list of conditions and the following disclaimer.
  11 # 2. Redistributions in binary form must reproduce the above copyright
  12 #    notice, this list of conditions and the following disclaimer in the
  13 #    documentation and/or other materials provided with the distribution.
  14 #
  15 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  16 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  17 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  18 # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  19 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  20 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  21 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  22 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  23 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  24 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  25 # SUCH DAMAGE.
  26 #
  27 # $FreeBSD$
  28
  29 # Change ipfw(8) rules with safety guarantees for remote operation
  30 #
  31 # Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
  32 # or vi(1) if the environment variable is not set, for you to edit
  33 # ${firewall_script}, ask for confirmation, and then run
  34 # ${firewall_script}. You can then examine the output of ipfw list and
  35 # confirm whether you want the new version or not.
  36 #
  37 # If no answer is received in 30 seconds, the previous
  38 # ${firewall_script} is run, restoring the old rules (this assumes ipfw
  39 # flush is present in it).
  40 #
  41 # If the new rules are confirmed, they'll replace ${firewall_script} and
  42 # the previous ones will be copied to ${firewall_script}.{date}. Mail
  43 # will also be sent to root with a unified diff of the rule change.
  44 #
  45 # Unapproved rules are kept in ${firewall_script}.new, and you are
  46 # offered the option of changing them instead of the present rules when
  47 # you call this script.
  48 #
  49 # This script could be improved by using version control
  50 # software.
  51
  52 if [ -r /etc/defaults/rc.conf ]; then
  53         . /etc/defaults/rc.conf
  54         source_rc_confs
  55 elif [ -r /etc/rc.conf ]; then
  56         . /etc/rc.conf
  57 fi
  58
  59 EDITOR=${EDITOR:-/usr/bin/vi}
  60 PAGER=${PAGER:-/usr/bin/more}
  61
  62 tempfoo=`basename $0`
  63 TMPFILE=`mktemp -t ${tempfoo}` || exit 1
  64
  65 get_yes_no() {
  66         while true
  67         do
  68                 echo -n "$1 (Y/N) ? "
  69                 read -t 30 a
  70                 if [ $? != 0 ]; then
  71                         a="No";
  72                         return;
  73                 fi
  74                 case $a in
  75                         [Yy]) a="Yes";
  76                               return;;
  77                         [Nn]) a="No";
  78                               return;;
  79                         *);;
  80                 esac
  81         done
  82 }
  83
  84 restore_rules() {
  85         nohup sh ${firewall_script} </dev/null >/dev/null 2>&1
  86         rm ${TMPFILE}
  87         exit 1
  88 }
  89
  90 case "${firewall_type}" in
  91 [Cc][Ll][Ii][Ee][Nn][Tt]|\
  92 [Cc][Ll][Oo][Ss][Ee][Dd]|\
  93 [Oo][Pp][Ee][Nn]|\
  94 [Ss][Ii][Mm][Pp][Ll][Ee]|\
  95 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
  96         edit_file="${firewall_script}"
  97         rules_edit=no
  98         ;;
  99 *)
 100         if [ -r "${firewall_type}" ]; then
 101                 edit_file="${firewall_type}"
 102                 rules_edit=yes
 103         fi
 104         ;;
 105 esac
 106
 107 if [ -f ${edit_file}.new ]; then
 108         get_yes_no "A new rules file already exists, do you want to use it"
 109         [ $a = 'No' ] && cp ${edit_file} ${edit_file}.new
 110 else
 111         cp ${edit_file} ${edit_file}.new
 112 fi
 113
 114 trap restore_rules SIGHUP
 115
 116 ${EDITOR} ${edit_file}.new
 117
 118 get_yes_no "Do you want to install the new rules"
 119
 120 [ $a = 'No' ] && exit 1
 121
 122 cat <<!
 123 The rules will be changed now. If the message 'Type y to keep the new
 124 rules' does not appear on the screen or the y key is not pressed in 30
 125 seconds, the original rules will be restored.
 126 The TCP/IP connections might be broken during the change. If so, restore
 127 the ssh/telnet connection being used.
 128 !
 129
 130 if [ ${rules_edit} = yes ]; then
 131         nohup sh ${firewall_script} ${firewall_type}.new \
 132             < /dev/null > ${TMPFILE} 2>&1
 133 else
 134         nohup sh ${firewall_script}.new \
 135             < /dev/null > ${TMPFILE} 2>&1
 136 fi
 137 sleep 2;
 138 get_yes_no "Would you like to see the resulting new rules"
 139 [ $a = 'Yes' ] && ${PAGER} ${TMPFILE}
 140 get_yes_no "Type y to keep the new rules"
 141 [ $a != 'Yes' ] && restore_rules
 142
 143 DATE=`date "+%Y%m%d%H%M"`
 144 cp ${edit_file} ${edit_file}.$DATE
 145 mv ${edit_file}.new ${edit_file}
 146 cat <<!
 147 The new rules are now installed. The previous rules have been preserved in
 148 the file ${edit_file}.$DATE
 149 !
 150 diff -F "^# .*[A-Za-z]" -u ${edit_file}.$DATE ${edit_file} \
 151     | mail -s "`hostname` Firewall rule change" root
 152 rm ${TMPFILE}
 153 exit 0