#! /bin/csh -f
#
# Copyright (c) 1993-1996 CheckPoint Software Technologies Ltd.
# All Rights Reserved
#
# THIS IS AN UNPUBLISHED PROPRIETARY SOURCE CODE OF CHECKPOINT SOFTWARE
# TECHNOLOGIES LTD. The copyright notice above does not evidence any actual
# or intended publication of such source code.
#
# $Header: /fw/cvs/fw-1/fwutil/syndefconf.csh,v 1.1.2.1 1996/10/02 11:08:05 nir Exp $
#

####################################
# Some common aliases and settings #
####################################
# get NAME reads one line from standard input into the shell variable NAME.
# The alias argument selector \!^ is replaced by the first word after get.
# NOTE(review): callers should expand the stored answer inside double quotes;
# an unquoted csh variable result is still subject to command and filename
# substitution, and this script runs as root.
alias get 'set \!^ = $<'
# E is shorthand for echo.
alias E echo

# Display names for the stored settings. csh word lists are indexed from 1,
# while the stored method and warning values start at 0, so the code that
# reads them adds 1 before indexing and subtracts 1 before writing back.
set methods = ("None" "SYN Relay" "SYN Gateway" "SYN Gateway (Passive)" )
set warnings = ("No" "Yes")

###########################
# We must have FWDIR set. #
###########################
# FWDIR is used further down to build the path of the fwmod module file.
# Stop right away when the variable is absent.
if ( $?FWDIR == 0 ) then
	echo "The FWDIR enviroment variable is not set. Please set it and rerun"
	exit 1
endif

#####################
# Which O/S is it ? #
#####################
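# Identify the platform from the location of its kernel file and set, for
# each platform:
#   solaris2, hpux, sunos4 - platform flags (hpux holds 9 or 10 on HP-UX)
#   hpux700, hpux800       - HP-UX only: taken from the first character
#                            after the last slash in the uname -m output
#   module                 - file expected to hold the fwsynatk_* symbols
#   path                   - fixed list of system directories
#   sgrep                  - egrep with its quiet flag for this platform
#
# The command search path is assigned first in every branch, so that the
# external commands run by this script (uname and sed included) are looked
# up in system directories only and never through the search path inherited
# from the invoking environment. The script is meant to run as root.
if ( -f /kernel/genunix || -f /kernel/unix ) then
	set path = ( /usr/bin /usr/ucb /usr/sbin )
	set solaris2 = 1
	set hpux = 0
	set sunos4 = 0
	set module = $FWDIR/modules/fwmod.5.3.o
	alias sgrep egrep -s
else if (-f /hp-ux) then
	set path = (/bin /usr/bin /etc)
	set solaris2 = 0
	set hpux = 9
	# Keep only the first character of the model number, 7 meaning series 700.
	if (`uname -m | sed -e 's/^.*\///' -e 's/\(.\).*/\1/'` == 7) then
		set hpux700 = 1
		set hpux800 = 0
	else
		set hpux700 = 0
		set hpux800 = 1
	endif
	set sunos4 = 0
	set module = /hp-ux
	alias sgrep egrep -q
else if (-f /stand/vmunix) then
	set path = (/bin /usr/bin /usr/sbin /etc)
	set solaris2 = 0
	set hpux = 10
	# Keep only the first character of the model number, 7 meaning series 700.
	if (`uname -m | sed -e 's/^.*\///' -e 's/\(.\).*/\1/'` == 7) then
		set hpux700 = 1
		set hpux800 = 0
	else
		set hpux700 = 0
		set hpux800 = 1
	endif
	set sunos4 = 0
	set module = /stand/vmunix
	alias sgrep egrep -q
else if (-f /vmunix) then
	set path = ( /usr/bin /usr/ucb /bin /usr/etc )
	set solaris2 = 0
	set hpux = 0
	set sunos4 = 1
	set module = $FWDIR/modules/fwmod.4.1.3.o
	alias sgrep egrep -s
else
	E Cannot recognize your system.
	exit 1
endif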

###############################
# Are we running under root ? #
###############################
# Only root may go on: the later steps rewrite /etc/system or patch the
# module file in place. The X prefix keeps the comparison well formed when
# whoami prints nothing.
set invoker = `whoami`
if (X$invoker != Xroot) then
	echo "This program must run under super-user (root) permissions"
	exit 1
endif

##############################################
# Do we have the SYNDefender under $module ? #
##############################################
# Dump the printable strings of the module file and search them for the
# symbol name fwsynatk_method. The subshell always ends with exit 0, whatever
# strings itself returned, and the status tested below is the one left by
# the sgrep side of the pipe: non-zero means the name was not found.
# NOTE(review): module is expanded unquoted, which assumes FWDIR holds no
# white space or wildcard characters - confirm.
(strings - $module ; exit 0) | sgrep fwsynatk_method
if ($status) then
	E "It seems like you don't have SYNDefender installed under $module"
	exit 1
endif

######################
# Begin Installation #
######################

# Banner shown once before the settings are read.
echo "#################################################"
echo "S Y N D e f e n d e r   C o n f i g u r a t i o n"
echo "#################################################"

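# Read the current SYNDefender settings, hand control to the menu, and store
# the edited values when the menu jumps back to the label named in the label
# variable. Solaris keeps the values in /etc/system, the other platforms
# keep them inside the module file itself.
if ($solaris2) then

	############
	# System-V #
	############

	#
	# Settings are lines of the form: set fw:NAME = VALUE
	#   getvar NAME       - print the text after the equals sign of every
	#                       /etc/system line that mentions fw:NAME
	#   putvar NAME VALUE - append such a line to the work copy
	#                       /etc/system.fwnew, which sysv_done installs
	# NOTE(review): getvar also matches commented-out or repeated lines, and
	# more than one match makes the tests below fail with a syntax error.
	#
	alias getvar "egrep fw:\!:1 /etc/system | awk -F= '{print "'$2'"}'"
	alias putvar 'echo set fw:\!:1 = \!:2 >> /etc/system.fwnew'

	# Missing entries fall back to: method 0, timeout 10, max 5000, warning 1.
	# method and warning are shifted by one to index the display lists.
	set method = `getvar fwsynatk_method`
	if (X$method == X) set method = 0
	@ method = $method + 1

	set timeout = `getvar fwsynatk_timeout`
	if (X$timeout == X) set timeout = 10

	set max = `getvar fwsynatk_max`
	if (X$max == X) set max = 5000

	set warning = `getvar fwsynatk_warning`
	if (X$warning == X) set warning = 1
	@ warning = $warning + 1

	#
	# Return to this label after reading the new values.
	#
	set label = sysv_done

	goto menu

sysv_done:
	#
	# Rewrite /etc/system without ever leaving it missing or half written.
	# A backup copy is taken first, the new contents are built in a work
	# file that starts as a copy of the original (so it carries the same
	# mode and owner), and only a complete work file is renamed over
	# /etc/system. Any failure stops before the live file is touched.
	#
	cp -p /etc/system /etc/system.old
	if ($status) then
		E "Cannot back up /etc/system to /etc/system.old. /etc/system was not changed."
		exit 1
	endif

	cp -p /etc/system /etc/system.fwnew
	if ($status) then
		E "Cannot create /etc/system.fwnew. /etc/system was not changed."
		exit 1
	endif

	# egrep -v exits 1 when it selects no lines, which is not an error here.
	# A status above 1 means the filter itself failed.
	egrep -v fw:fwsynatk /etc/system.old > /etc/system.fwnew
	if ($status > 1) then
		rm -f /etc/system.fwnew
		E "Cannot filter /etc/system. /etc/system was not changed."
		exit 1
	endif

	# Undo the shift by one before storing method and warning.
	@ method = $method - 1
	putvar fwsynatk_method $method
	putvar fwsynatk_timeout $timeout
	putvar fwsynatk_max $max
	@ warning = $warning - 1
	putvar fwsynatk_warning $warning

	# Same directory, so this is a rename and the file is replaced in one step.
	mv -f /etc/system.fwnew /etc/system
	if ($status) then
		E "Cannot install the new /etc/system. The previous file is still in place."
		exit 1
	endif

	goto done

else

	#######
	# BSD #
	#######

	#
	# Settings are read from and written into the module file with adb.
	#   getvar NAME       - print the second field of the adb output for
	#                       NAME?D (decimal value stored at symbol NAME)
	#   putvar NAME VALUE - write VALUE, given in decimal, at symbol NAME
	# NOTE(review): putvar runs adb -w on the module file in place, sends all
	# adb output to /dev/null and its status is never tested, so a failed
	# write goes unnoticed and no backup of the file is kept. On HP-UX the
	# module file is the kernel image itself.
	#
	alias getvar "echo \!:1\?D | adb $module | awk '{print "'$2'"}'"
	alias putvar "echo \!:1\?W0t\!:2 | adb -w $module >& /dev/null"

	#
	# Read current settings.
	# method and warning are shifted by one to index the display lists.
	#
	set method  = `getvar fwsynatk_method`
	@ method = $method + 1
	set timeout = `getvar fwsynatk_timeout`
	set max     = `getvar fwsynatk_max`
	set warning = `getvar fwsynatk_warning`
	@ warning = $warning + 1

	#
	# Return to this label after reading the new values.
	#
	set label = bsd_done

	goto menu

bsd_done:
	#
	# Store settings back in the module.
	#
	@ method = $method - 1
	putvar fwsynatk_method $method
	putvar fwsynatk_timeout $timeout
	putvar fwsynatk_max $max
	@ warning = $warning - 1
	putvar fwsynatk_warning $warning

	goto done

endif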

#####################
# Installation Menu #
#####################
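# Interactive settings loop. Shows the four current values, asks which one
# to change, prints the matching help text, reads the new value and starts
# over. An empty answer at the first prompt leaves the loop by jumping to the
# label stored in the label variable (sysv_done or bsd_done).
#
# Every answer typed by the operator is expanded inside double quotes. The
# script runs as root, and an unquoted csh variable result is still subject
# to command and filename substitution and is split into words, which would
# also break the tests on an answer that contains a space.
#
# NOTE(review): the two list lookups below stop the script with a subscript
# error when the stored method or warning value lies outside the lists.
menu:
	E ""
	E "Current SYNDefender settings are:"
	E "1) Method           : $methods[$method]"
	E "2) Timeout          : $timeout Seconds"
	E "3) Max Sessions     : $max"
	E "4) Display Warnings : $warnings[$warning]"
	E ""
	E -n "Which of the above do you want to change [Enter=None]? "
	get ans
	E ""

	if ("X$ans" == X) goto $label

	if ("X$ans" == X1) then
		cat << EOF
SYNDefender Method
~~~~~~~~~~~~~~~~~~
   This variable selects the method to be used against the SYN Attack. Your
valid options for it are:

   1 - Do nothing against the SYN Attack.

   2 - Become a SYN Relay (i.e. perform the 3-way protocol with the source,
       then with the destination and translate the sequence and acknowledgment
       numbers).

   3 - Become an Active SYN Gateway (i.e. send an ACK for a SYN/ACK and an RST
       when the SYN/ACK is not ACK'ed by the source of the connection).

   4 - Become a Passive SYN Gateway (i.e. do not send ACK's for SYN/ACK's but
       send an RST when you don't see an ACK for a SYN/ACK).

EOF
		E -n "Which of the above methods do you want to use ? "
		get ans
		# Any other answer keeps the current method.
		if ("X$ans" == X1) set method = 1
		if ("X$ans" == X2) set method = 2
		if ("X$ans" == X3) set method = 3
		if ("X$ans" == X4) set method = 4

	else if ("X$ans" == X2) then
		cat << EOF
SYNDefender Timeout
~~~~~~~~~~~~~~~~~~~
   This variable sets the time, in seconds, during which the SYNDefender module
should expect a 3-way hand-shake to be finished. The module will send an RST
packet to terminate a 3-way hand-shake takes more than this time. Under the SYN
Relay mode, the time measurement is being reset every time the hand-shake moves
from one mode to another. In thr SYN Gateway mode, the time measurement
is never being reset and the 3-way hand-shake must finish during this fixed
time.

EOF
		E -n "Please select the new SYNDefender timeout (1 - 60): "
		get ans
		if ("X$ans" != X) then
			# Accept one or two digits with no leading zero. csh reads a
			# number with a leading zero as octal and stops the script on
			# 08 or 09, and an unbounded run of digits could overflow the
			# range test. Anything else keeps the current timeout.
			echo "$ans" | sgrep '^[1-9][0-9]?$' > /dev/null
			if ($status == 0) then
				if ($ans >= 1 && $ans <= 60) set timeout = $ans
			endif
		endif

	else if ("X$ans" == X3) then
		cat << EOF
SYNDefender Maximum Sessions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  This variable controls the number of sessions which the SYNDefender module
may handle simultaneously. When this limit is passed, new sessions will not be
handled and will be passed to their destination without being first verified.
Please note that when acting as a SYN Relay, a session is handled from the
minute it starts until it ends (since sequence and acknowledgment numbers have
to be translated) while when acting as SYN Gateway, sessions are kept only for
fwsynatk_timeout seconds.

  Increasing this variable might require more memory to be pre-allocated by
FireWall-1. To do this, modify the value of the fwhmem variable (contact your
reseller for more information) to 1,000,000 or even to more to 1,500,000 if
your are using Network Address Translation. Note that this might require your
FireWall-1 Module to be installed on a 64Mbytes machine.

EOF
		E -n "Please select the new SYNDefender sessions (100 - 10000): "
		get ans
		if ("X$ans" != X) then
			# Accept three to five digits with no leading zero, for the
			# same reasons as the timeout check, then apply the range.
			echo "$ans" | sgrep '^[1-9][0-9][0-9][0-9]?[0-9]?$' > /dev/null
			if ($status == 0) then
				if ($ans >= 100 && $ans <= 10000) set max = $ans
			endif
		endif

	else if ("X$ans" == X4) then
		cat << EOF
SYNDefender Warning Messages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   This variable controls whether the SYNDefender module should print a warning
message when it detects a SYN - SYN/ACK sequence that times out or which is
followed by an RST since these two imply that a SYN Attack is being attempted.
Since this messages may be printed upon valid timeouts, you might want to set
this variable off (i.e. no messages).

EOF
		E -n "Do you want the SYNDefender to print warning messages (y/n) ? "
		get ans
		# warning indexes the display list: 2 is Yes, 1 is No.
		if ("X$ans" == Xy) set warning = 2
		if ("X$ans" == Xn) set warning = 1

	endif

	goto menu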

########################
# Installation is done #
########################
# Final message: tell the operator how to make the stored settings take
# effect on this platform, then finish with a success status.
done:
	set hr = "---------------------------------------------------------------"
	echo "$hr"
	echo "SYNDefender is now configured. To activate your changes, please"
	if ($sunos4 != 0) then
		# Single quotes keep the text FWDIR literal in the printed hint.
		echo 'issue $FWDIR/bin/fwstop and then $FWDIR/bin/fwstart.'
	else if ($hpux != 0 || $solaris2 != 0) then
		echo "reboot your machine."
	endif
	echo "$hr"

	exit 0

