-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Port tests and scripts from luigirizzo/dummynet@8e87ee720b
- Loading branch information
Showing
19 changed files
with
2,263 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
This directorty contains some ipfw configurations and a scripts | ||
to safely change the firewall rules. | ||
|
||
The firewall configuration comes from the FreeBSD initial script. | ||
The change_rules_linux.sh allows to change the ipfw rules and | ||
in case os a misconfiguration which prevents to reach the remote | ||
host, to restore the old ruleset. | ||
|
||
To configure the firewall behavior, edit the ipfw.conf file and | ||
execute the ./change_rules_linux.sh script. | ||
|
||
The ipfw program executable should be located in /sbin (XXX) | ||
|
||
XXX seems we use something which is not compatible with dash |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,159 @@ | ||
#!/bin/sh | ||
# | ||
# Copyright (c) 2000 Alexandre Peixoto | ||
# All rights reserved. | ||
# | ||
# Redistribution and use in source and binary forms, with or without | ||
# modification, are permitted provided that the following conditions | ||
# are met: | ||
# 1. Redistributions of source code must retain the above copyright | ||
# notice, this list of conditions and the following disclaimer. | ||
# 2. Redistributions in binary form must reproduce the above copyright | ||
# notice, this list of conditions and the following disclaimer in the | ||
# documentation and/or other materials provided with the distribution. | ||
# | ||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
# SUCH DAMAGE. | ||
# | ||
# $FreeBSD: src/share/examples/ipfw/change_rules.sh,v 1.6 2003/09/07 07:52:56 jmg Exp $ | ||
|
||
# Change ipfw(8) rules with safety guarantees for remote operation | ||
# | ||
# Invoke this script to edit ${firewall_script}. It will call ${EDITOR}, | ||
# or vi(1) if the environment variable is not set, for you to edit | ||
# ${firewall_script}, ask for confirmation, and then run | ||
# ${firewall_script}. You can then examine the output of ipfw list and | ||
# confirm whether you want the new version or not. | ||
# | ||
# If no answer is received in 30 seconds, the previous | ||
# ${firewall_script} is run, restoring the old rules (this assumes ipfw | ||
# flush is present in it). | ||
# | ||
# If the new rules are confirmed, they'll replace ${firewall_script} and | ||
# the previous ones will be copied to ${firewall_script}.{date}. Mail | ||
# will also be sent to root with a unified diff of the rule change. | ||
# | ||
# Unapproved rules are kept in ${firewall_script}.new, and you are | ||
# offered the option of changing them instead of the present rules when | ||
# you call this script. | ||
# | ||
# This script could be improved by using version control | ||
# software. | ||
|
||
# XXX on linux /etc/rc.conf defines: | ||
# firewall_type and firewall_script | ||
|
||
if [ -r /etc/defaults/rc.conf ]; then | ||
. /etc/defaults/rc.conf | ||
source_rc_confs | ||
elif [ -r /etc/rc.conf ]; then | ||
. /etc/rc.conf | ||
fi | ||
|
||
EDITOR=${EDITOR:-/usr/bin/vi} | ||
PAGER=${PAGER:-/usr/bin/more} | ||
|
||
# on linux the default mktemp invocation behavior | ||
# is different, we should change the temporary file creation | ||
tempfoo=`basename $0` | ||
#TMPFILE=`mktemp -t ${tempfoo}` || exit 1 | ||
TMPFILE=`mktemp -t ${tempfoo}.XXXXX` || exit 1 | ||
|
||
get_yes_no() { | ||
while true | ||
do | ||
echo -n "$1 (Y/N) ? " | ||
read -t 30 a | ||
if [ $? != 0 ]; then | ||
a="No"; | ||
return; | ||
fi | ||
case $a in | ||
[Yy]) a="Yes"; | ||
return;; | ||
[Nn]) a="No"; | ||
return;; | ||
*);; | ||
esac | ||
done | ||
} | ||
|
||
restore_rules() { | ||
nohup sh ${firewall_script} </dev/null >/dev/null 2>&1 | ||
rm ${TMPFILE} | ||
exit 1 | ||
} | ||
|
||
case "${firewall_type}" in | ||
[Cc][Ll][Ii][Ee][Nn][Tt]|\ | ||
[Cc][Ll][Oo][Ss][Ee][Dd]|\ | ||
[Oo][Pp][Ee][Nn]|\ | ||
[Ss][Ii][Mm][Pp][Ll][Ee]|\ | ||
[Uu][Nn][Kk][Nn][Oo][Ww][Nn]) | ||
edit_file="${firewall_script}" | ||
rules_edit=no | ||
;; | ||
*) | ||
if [ -r "${firewall_type}" ]; then | ||
edit_file="${firewall_type}" | ||
rules_edit=yes | ||
fi | ||
;; | ||
esac | ||
|
||
if [ -f ${edit_file}.new ]; then | ||
get_yes_no "A new rules file already exists, do you want to use it" | ||
[ $a = 'No' ] && cp ${edit_file} ${edit_file}.new | ||
else | ||
cp ${edit_file} ${edit_file}.new | ||
fi | ||
|
||
trap restore_rules SIGHUP | ||
|
||
${EDITOR} ${edit_file}.new | ||
|
||
get_yes_no "Do you want to install the new rules" | ||
|
||
[ $a = 'No' ] && exit 1 | ||
|
||
cat <<! | ||
The rules will be changed now. If the message 'Type y to keep the new | ||
rules' does not appear on the screen or the y key is not pressed in 30 | ||
seconds, the original rules will be restored. | ||
The TCP/IP connections might be broken during the change. If so, restore | ||
the ssh/telnet connection being used. | ||
! | ||
|
||
if [ ${rules_edit} = yes ]; then | ||
nohup sh ${firewall_script} ${firewall_type}.new \ | ||
< /dev/null > ${TMPFILE} 2>&1 | ||
else | ||
nohup sh ${firewall_script}.new \ | ||
< /dev/null > ${TMPFILE} 2>&1 | ||
fi | ||
sleep 2; | ||
get_yes_no "Would you like to see the resulting new rules" | ||
[ $a = 'Yes' ] && ${PAGER} ${TMPFILE} | ||
get_yes_no "Type y to keep the new rules" | ||
[ $a != 'Yes' ] && restore_rules | ||
|
||
DATE=`date "+%Y%m%d%H%M"` | ||
cp ${edit_file} ${edit_file}.$DATE | ||
mv ${edit_file}.new ${edit_file} | ||
cat <<! | ||
The new rules are now installed. The previous rules have been preserved in | ||
the file ${edit_file}.$DATE | ||
! | ||
diff -F "^# .*[A-Za-z]" -u ${edit_file}.$DATE ${edit_file} \ | ||
| mail -s "`hostname` Firewall rule change" root | ||
rm ${TMPFILE} | ||
exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
#!/bin/sh | ||
# | ||
# marta | ||
# linux wrapper for the FreeBSD change rules program | ||
# This file load the linux configuration and calls the | ||
# original change rules program | ||
|
||
if [ -r ./ipfw.conf ]; then | ||
. ./ipfw.conf | ||
fi | ||
|
||
. ./change_rules.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# ipfw and dummynet configuration file for linux | ||
# XXX TO BE TESTED ON LINUX | ||
|
||
# The firewall_type variable is used to configure the firewall behavior. | ||
# A detailed description on how a following type works is in rc.firewall | ||
# | ||
# open - will allow anyone in | ||
# client - will try to protect just this machine | ||
# simple - will try to protect a whole network | ||
# closed - totally disables IP services except via lo0 interface | ||
# workstation - will try to protect just this machine using statefull | ||
# firewalling. See below for rc.conf variables used | ||
# UNKNOWN - disables the loading of firewall rules. | ||
# filename - will load the rules in the given filename (full path required) | ||
|
||
# firewall_type=open | ||
|
||
# The following file is an example on how to use a filename to define a firewall | ||
# and how to configure a simple dummynet pipe to ... XXX shape traffic... etc... | ||
firewall_type=/home/marta/SVN/ports-luigi/dummynet-branches/ipfw3/configuration/ipfw.rules | ||
|
||
# Environment variables expected by the change rules script | ||
EDITOR=/usr/bin/vi | ||
PAGER=/bin/more | ||
|
||
# The following variable should point to the rc.firewall script | ||
# XXX TEST | ||
#firewall_script=`echo "please edit the firewall_script variable in ipfw.conf"`; | ||
firewall_script="/home/marta/SVN/ports-luigi/dummynet-branches/ipfw3/configuration/rc.firewall" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# This is a simple configuration file | ||
# add dummynet pipes and a firewall section | ||
|
||
# flush all rules ... | ||
# flush | ||
|
||
# dummynet configuration | ||
|
||
# firewall configuration | ||
add 1 allow all from any to any | ||
# ... | ||
add 65000 deny all from any to any |
Oops, something went wrong.