1) Fix change_rules.sh for the case where firewall_type provides the

name of a file containing ipfw rules.

2) Replace the use of a predictable temporary filename with one
   generated by mktemp(1).

3) Only exit with a zero exit status if the rules were updated.

4) Use a pager to view the new rules, not an editor.

I was told by dcs that this script's original author is no longer
interested in FreeBSD and would not wish to review this patch.
This commit is contained in:
Sheldon Hearn 2001-09-30 14:30:55 +00:00
parent 4674ae32e5
commit 256ab0ef06

View File

@ -57,6 +57,10 @@ elif [ -r /etc/rc.conf ]; then
fi
EDITOR=${EDITOR:-/usr/bin/vi}
PAGER=${PAGER:-/usr/bin/more}
tempfoo=`basename $0`
TMPFILE=`mktemp -t ${tempfoo}` || exit 1
get_yes_no() {
while true
@ -78,24 +82,42 @@ get_yes_no() {
}
restore_rules() {
nohup sh ${firewall_script} >/dev/null 2>&1
exit
nohup sh ${firewall_script} >/dev/null 2>&1
rm ${TMPFILE}
exit 1
}
if [ -f ${firewall_script}.new ]; then
case "${firewall_type}" in
[Cc][Ll][Ii][Ee][Nn][Tt]|\
[Cc][Ll][Oo][Ss][Ee][Dd]|\
[Oo][Pp][Ee][Nn]|\
[Ss][Ii][Mm][Pp][Ll][Ee]|\
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
edit_file="${firewall_script}"
rules_edit=no
;;
*)
if [ -r "${firewall_type}" ]; then
edit_file="${firewall_type}"
rules_edit=yes
fi
;;
esac
if [ -f ${edit_file}.new ]; then
get_yes_no "A new rules file already exists, do you want to use it"
[ $a = 'No' ] && cp ${firewall_script} ${firewall_script}.new
[ $a = 'No' ] && cp ${edit_file} ${edit_file}.new
else
cp ${firewall_script} ${firewall_script}.new
cp ${edit_file} ${edit_file}.new
fi
trap restore_rules SIGHUP
${EDITOR} ${firewall_script}.new
${EDITOR} ${edit_file}.new
get_yes_no "Do you want to install the new rules"
[ $a = 'No' ] && exit
[ $a = 'No' ] && exit 1
cat <<!
The rules will be changed now. If the message 'Type y to keep the new
@ -105,19 +127,27 @@ The TCP/IP connections might be broken during the change. If so, restore
the ssh/telnet connection being used.
!
nohup sh ${firewall_script}.new > /tmp/`basename ${firewall_script}`.out 2>&1;
if [ ${rules_edit} = yes ]; then
nohup sh ${firewall_script} ${firewall_type}.new \
> ${TMPFILE} 2>&1
else
nohup sh ${firewall_script}.new \
> ${TMPFILE} 2>&1
fi
sleep 2;
get_yes_no "Would you like to see the resulting new rules"
[ $a = 'Yes' ] && ${EDITOR} /tmp/`basename ${firewall_script}`.out
[ $a = 'Yes' ] && ${PAGER} ${TMPFILE}
get_yes_no "Type y to keep the new rules"
[ $a != 'Yes' ] && restore_rules
DATE=`date "+%Y%m%d%H%M"`
cp ${firewall_script} ${firewall_script}.$DATE
mv ${firewall_script}.new ${firewall_script}
cp ${edit_file} ${edit_file}.$DATE
mv ${edit_file}.new ${edit_file}
cat <<!
The new rules are now default. The previous rules have been preserved in
the file ${firewall_script}.$DATE
the file ${edit_file}.$DATE
!
diff -F "^# .*[A-Za-z]" -u ${firewall_script}.$DATE ${firewall_script} | mail -s "`hostname` Firewall rule change" root
diff -F "^# .*[A-Za-z]" -u ${edit_file}.$DATE ${edit_file} \
| mail -s "`hostname` Firewall rule change" root
rm ${TMPFILE}
exit 0