#!/bin/sh
# change ex references to ed 6/25/96 KMF

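#
# tailor no-CR echo
# (System V echo prints "-n" literally and needs "\c"; BSD echo takes -n)
#
if [ "`echo -n`" = "-n" ]; then
        # sysv echo
        DN=""
        BC="\c"
else
        # bsd echo
        DN="-n"
        BC=""
fi
 
PRODUCT='Solstice FireWall-1'
 
#
# OS release, 4 or 5
# (major number of uname -r: "4.x" -> 4, "5.x" -> 5)
#
OSREL=`/usr/bin/uname -r | sed 's/\./\ /' | awk '{print $1}'`
 
#
# default installation directory
#
if [ ! -d /etc/fw ]; then
	echo ""
	echo "*** /etc/fw does not exist - aborting."
	echo ""
	exit 1
fi

#
# find out where $FWDIR and $VARDIR really are (follow symlinks)
#
FWDIR=`cd /etc/fw; /bin/pwd` 2> /dev/null
VARDIR=`cd /etc/fw/conf/..; /bin/pwd` 2> /dev/null

#
# scratch file for the host lists typed in by the user.
# Prefer mktemp (unpredictable name, created 0600) and fall back to the
# PID-based name only where mktemp is not available: a predictable name
# in /tmp can be pre-created or symlinked by another local user before
# this script writes to it.  Created after the /etc/fw check so an early
# abort leaves nothing behind.
#
TMP=`mktemp /tmp/fwconfig.XXXXXX 2> /dev/null` || TMP=/tmp/fwconfig.$$

# remove the scratch file on hangup, interrupt or terminate
trap "rm -f $TMP; exit 1" 1 2 15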
 
#
# read string from user w/o printing on screen, store in $pwd
#
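#
# read string from user w/o printing on screen, store in $pwd
#
# Globals:   pwd (written: the accepted string), pwdlen (written),
#            TMP, DN, BC (read)
# Outputs:   prompts and diagnostics on stdout
# Returns:   0 once a string of at least 6 characters has been read;
#            exits 1 (terminal echo restored, $TMP removed) on Ctrl-C or
#            on end of input
#
readpwd () {
        # while echo is off, Ctrl-C must turn it back on before leaving
        trap "stty echo; rm -f $TMP; exit 1" 2
        stty -echo
        pwdlen=0
        while [ $pwdlen -lt 7 ]; do
                pwd=""
                echo $DN "Enter password: $BC"
                # plain read (no -r) interprets backslashes; -r is not
                # assumed to exist on the old Bourne sh this targets.
                # EOF with nothing read used to leave pwd empty and loop
                # forever on "Too short"; treat it as an abort instead.
                # A final line without a trailing newline is still accepted.
                if read pwd || [ "$pwd" != "" ]; then
                        :
                else
                        echo ""
                        echo "*** End of input - aborting."
                        stty echo
                        rm -f $TMP
                        exit 1
                fi
                echo ""
                # wc -c counts the newline echo appends, so 7 means 6 bytes;
                # left unquoted below because some wc print leading blanks
                pwdlen=`echo "$pwd" | wc -c`
                if [ $pwdlen -lt 7 ]; then
                        echo "Too short, must be 6 characters or more."
                fi
        done
        stty echo
        trap "rm -f $TMP; exit 1" 2
}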
 
#
# get a password, /bin/passwd style (sort of)
#
#
# get a password, /bin/passwd style (sort of)
#
# Asks for the string twice via readpwd and keeps asking until the two
# entries agree.
# Globals:   pwd (written: the verified string), spwd (written: first entry)
# Outputs:   prompts and status messages on stdout
# Returns:   0 once both entries match
#
readp2 () {
        while : ; do
                readpwd
                spwd="$pwd"
                echo "Type password again for verification."
                readpwd
                if [ "$pwd" = "$spwd" ]; then
                        echo "Password accepted."
                        break
                fi
                echo "Passwords don't match - try again."
        done
}
 
#
# warn user about already running product
#
#
# warn user about already running product
# (one here-document instead of a run of echo lines; $PRODUCT is expanded)
#
cat << EOBANNER

*******************************************************************************

WARNING: Before continuing, be sure $PRODUCT is NOT running.

         Attempting reconfiguration while $PRODUCT is running
         may have unexpected effects.

         Also, make sure you have appropriate access privileges
         to effect any desired changes.

         To abort reconfiguration at any time, press Ctrl-C.

*******************************************************************************

Press RETURN to continue, or Ctrl-C to exit.
EOBANNER
# the value read is not used; this only waits for RETURN (Ctrl-C is handled
# by the trap set earlier)
read yn
 
#
# configuration options
#
#
# main menu loop: redraws the menu after every option and is left only
# through option 13 (exit) or the Ctrl-C trap set earlier
#
while : ; do
 echo ""
 echo "$PRODUCT post-install configuration options"
 echo "-------------------------------------------------------------------------------"
 echo "Choose one of the following options:"
 echo ""
 echo "(1) Change group access privileges"
 echo "(2) Configure user and/or client authentication"
 echo "(3) Set Inspection Module hosts list and key (for Control Center host)"
 echo "(4) Set Control Station hosts list and key (for Inspection Module host)"
 echo "(5) Specify this host's external network interface name"
 echo "(6) Enable $PRODUCT startup at system boot"
 echo "(7) Disable $PRODUCT startup at system boot"
 echo "(8) Configure Remote Managers "
 echo "(9) Add Remote Manager Usernames"
 echo "(10) Remove Remote Manager Usernames"
 echo "(11) Merge Rulebases for Remote Management"
 echo "(12) Control IP forwarding at boot time"
 echo "(13) Exit"
 echo ""

 opt="0"
 
 # loop until a number in 1..13 is read.  Non-numeric or empty input
 # (e.g. EOF on stdin) makes [ fail with a usage error, which ends this
 # loop and drops into the *) arm of the case below, so the menu is
 # simply redrawn.
 while [ "$opt" -lt 1 -o "$opt" -gt 13 ]; do
        echo $DN "Enter your selection (1-13): $BC"
        read opt
        if [ "$opt" -lt 1 -o "$opt" -gt 13 ]; then
                echo "Please choose an option from the above menu."
                echo ""
        fi
 done

 echo ""

 # hupinetd:     set by option 2 after /etc/inetd.conf has been edited
 # didsomething: cleared by arms that changed nothing; suppresses "Done."
 hupinetd=no
 didsomething=yes
 case $opt in
	# set group access permissions
	1)
		echo ""
		echo ""
		echo "$PRODUCT access and execution permissions"
		echo "-------------------------------------------------------------------------------"
		echo "In addition to the superuser, one Unix group may be given permission for"
		echo "access and execution of $PRODUCT. You may name that group here,"
		echo "if desired."
		echo ""
		echo "NOTE: If the group you wish to use does not yet exist, abort now"
		echo "      with Ctrl-C and create the group, then restart."
 
		yn="n"
		while [ "$yn" = "n" ]; do
		 echo ""
		 echo $DN "Please enter the group name, or press RETURN for no group: $BC"
		 grp=""
		 read grp
		 echo ""
		 if [ "$grp" = "" ]; then
		        msg="No group permissions will be granted. Only the superuser \
		will be able to access $PRODUCT."
		 else
		        msg="Group $grp and the superuser will be able to access $PRODUCT."
		 fi
		 echo $msg
		 echo $DN "Is this ok (y/n) [y] ? $BC"
		 yn=""
		 read yn
		done

		echo ""
		echo "Setting group permissions..."

		# reset permissions to root-only
		# (strips setuid/setgid and every group/other bit first, so a
		# previously configured group loses access before anything is
		# re-granted below)
		chmod -R go-rwxs,u+rw,u-s $FWDIR
		if [ $FWDIR != $VARDIR ]; then
		 chmod -R go-rwxs,u+rw,u-s $VARDIR
		fi

		# set kernel module permissions for SunOS 4
		# (rewrites the "# FW-1-grp" line of fw.mkdev in place; ed's
		# output is discarded, so a failed edit is not reported)
		if [ $OSREL -eq 4 ]; then
			ed - $FWDIR/modules/fw.mkdev << EOEX 2>&1 > /dev/null
1,\$s/^.*# FW-1-grp/set grp = # FW-1-grp/
w
q
EOEX
		fi

		# reset group to bin
		chgrp -R bin $FWDIR 2> /dev/null
		if [ $FWDIR != $VARDIR ]; then
		 chgrp -R bin $VARDIR 2> /dev/null
		fi

		# check to see if group is set
		if [ "$grp" != "" ]; then
			# try changing group of $FWDIR
			# (a non-zero chgrp status is taken to mean the group does
			# not exist; any other chgrp failure is reported the same way)
		        chgrp -R $grp $FWDIR
		        if [ $? -eq 0 ]; then
	 		 # if chgrp succeeded, group is ok - continue

			# set kernel module permissions for SunOS 4
			if [ $OSREL -eq 4 ]; then
				ed - $FWDIR/modules/fw.mkdev << EOEX 2>&1 > /dev/null
1,\$s/^.*# FW-1-grp/set grp = $grp # FW-1-grp/
w
q
EOEX
			fi

			 if [ $FWDIR != $VARDIR ]; then
		        	chgrp -R $grp $VARDIR
				chmod g+rwxs $VARDIR
			 fi
			 # Solaris 2: re-register the fw driver with an add_drv -m
			 # permission spec of 0660 root:$grp, i.e. members of $grp
			 # can open the kernel module's device nodes
			 if [ $OSREL -eq 5 ]; then
			 	rem_drv fw 2> /dev/null
			 	add_drv -m "* 0660 root $grp" fw
			 fi

			 # dirs in $VARDIR, root rwx, group rwxs
		         find $VARDIR/conf $VARDIR/database $VARDIR/log $VARDIR/state $VARDIR/tmp -type d -exec chmod g+rwxs \{\} \;
			 # files in $VARDIR, root rwx, group rwx
		         find $VARDIR/conf $VARDIR/database $VARDIR/log $VARDIR/state $VARDIR/tmp -type f -perm 700 -exec chmod 770 \{\} \;
			 # files in $VARDIR, root rw, group rw
			 # (the fwmod.* glob is expanded by the shell; if nothing
			 # matches, the literal pattern reaches find, which reports it)
		         find $VARDIR/conf $VARDIR/database $VARDIR/log $VARDIR/state $VARDIR/tmp $FWDIR/modules/fwmod.* -type f -perm 600 -exec chmod 660 \{\} \;

			 # files in $FWDIR, root rwx, group rx
		         find $FWDIR -type f -perm 700 -exec chmod 750 \{\} \;
			 # dirs in $FWDIR, root rwx, group rx
		         find $FWDIR -type d -perm 700 -exec chmod 750 \{\} \;
			 # files in $FWDIR, root rw, group r
		         find $FWDIR -type f -perm 600 -exec chmod 640 \{\} \;

		        else
		         echo "*** Group $grp does not exist, retaining root-only permissions."
		        fi
		else
			# no group named: device nodes stay root-only (0600 root:bin)
			if [ $OSREL -eq 5 ]; then
			 rem_drv fw 2> /dev/null
			 add_drv -m "* 0600 root bin" fw
			fi
		fi
		;;

	# enable user auth
	# Edits /etc/inetd.conf in place with ed: stock telnet/ftp/http
	# entries are commented out with a "#FW: " prefix, and that same
	# prefix is what the "s/^#FW: //" scripts strip to re-enable them.
	# Only $conffile is backed up (.bak); no copy of inetd.conf is kept.
	2)
		conffile=$FWDIR/conf/fwauthd.conf
		echo ""
		echo ""
		echo "User and Client Authentication"
		echo "-------------------------------------------------------------------------------"
		echo "You may enable the $PRODUCT User and/or Client Authentication"
		echo "capabilities at this time. If enabled, User Authentication proxies"
		echo "will replace existing services on the firewall. If enabled, the Client"
		echo "Authentication daemon binds to TCP port 259 on the firewall."
		echo ""
		echo "Available services for User Authentication are telnet, ftp and http."
		echo ""
		echo "NOTE: Use of $PRODUCT's Authentication functions requires"
		echo "additional configuration. Please consult your Administrator's"
		echo "Guide for more information."
		echo ""
		echo $DN "Do you wish to enable one or more authentication types (y/n) [n] ? $BC"
		yn=""
		read yn
		echo ""
		# anything other than exactly "y" means disable
		if [ "$yn" = "" -o "$yn" != "y" ]; then
			echo "All authentication options will be disabled."
			echo ""
			echo $DN "Is this ok? (y/n) [n] ? $BC"
			yn=""
			read yn
			echo ""
			if [ "$yn" != "y" ]; then
				echo "Current authentication configuration is retained."
				echo ""
				didsomething=no
			else
				# re-enable any stock services disabled on an earlier run
				ed - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^#FW: //
w
q
EOEX
				rm -f $conffile.bak
				if [ -f $conffile ]; then
					cp -p $conffile $conffile.bak
				fi
				# empty proxy table: no FW-1 authentication servers
				cp /dev/null $conffile
			fi
		else
			yn=n
			while [ "$yn" = "n" ]; do
			 echo ""
			 echo $DN "Enable User Authentication TELNET proxy (y/n) [n] ? $BC"
			 read ans
			 if [ "$ans" = "y" ]; then
				atelnet=y
			 else
				atelnet=n
			 fi
			 echo $DN "Enable User Authentication FTP proxy (y/n) [n] ? $BC"
			 read ans
			 if [ "$ans" = "y" ]; then
				aftp=y
			 else
				aftp=n
			 fi
			 echo $DN "Enable User Authentication HTTP proxy (y/n) [n] ? $BC"
			 read ans
			 if [ "$ans" = "y" ]; then
				ahttp=y
			 else
				ahttp=n
			 fi
			 echo $DN "Enable Client Authentication daemon (y/n) [n] ? $BC"
			 read ans
			 if [ "$ans" = "y" ]; then
				aclient=y
			 else
				aclient=n
			 fi
			 echo ""
			 echo $DN "Are these choices ok (y/n) [y] ? $BC"
			 yn=""
			 read yn
			 if [ "$yn" = "" -o "$yn" = "y" ]; then
				yn=y
			 else
				yn=n
			 fi
			done
			echo ""
			# authentication option
			# temporarily disable all FW-1 servers in inetd.conf, if they exist
			# (i.e. put the stock services back first, then comment out
			# only the ones whose proxy was selected below)
			ed - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^#FW: //
w
q
EOEX
			rm -f $conffile.bak
			if [ -f $conffile ]; then
				cp -p $conffile $conffile.bak
			fi
			# start a fresh proxy table; one "port<TAB>daemon<TAB>mode" line
			# is appended per enabled service below
			cp /dev/null $conffile

			if [ "$atelnet" = "y" ]; then
				echo "Enabling TELNET..."
				# comment out the stock telnet entry; the proxy takes port 23
				ed - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^[	]*telnet/#FW: telnet/g
w
q
EOEX
				echo "23	bin/in.atelnetd	nowait" >> $conffile
			fi

			if [ "$aftp" = "y" ]; then
				echo "Enabling FTP..."
				# comment out the stock ftp entry; the proxy takes port 21
				ed - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^[	]*ftp/#FW: ftp/g
w
q
EOEX
				echo "21	bin/in.aftpd	nowait" >> $conffile
			fi

			if [ "$ahttp" = "y" ]; then
				echo "Enabling HTTP..."
				# comment out any stock http entry; the proxy takes port 80
				ed - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^[	]*http/#FW: http/g
w
q
EOEX
				echo "80	bin/in.ahttpd	wait" >> $conffile
			fi

			if [ "$aclient" = "y" ]; then
				echo "Enabling Client Authentication..."
				# no inetd.conf edit: port 259 is not a stock service
				echo "259	bin/in.aclientd	nowait" >> $conffile
			fi
		fi
		# set outside the branches above, so inetd is also sent HUP in
		# the "configuration retained" case where nothing was changed
		hupinetd=yes
		;;

	# managed hosts/password
	3)
		echo "Inspection Module hosts"
		echo "-------------------------------------------------------------------------------"
		echo "You may now enter a list of Inspection Module hosts this Control"
		echo "Station will manage."
		echo ""
		echo "Note: The local host is automatically included in this list."
		nrhosts=0
		while [ $nrhosts -eq 0 ]; do
			echo ""
			echo "Enter the names of the Inspection Module hosts, one per line."
			echo "Be sure to enter the name of *every interface* for a multi-homed host."
			echo "When done, press Ctrl-D or your EOF character."
			echo ""
			# local host name first (shown and written), then everything
			# typed up to EOF is appended to the scratch file
			uname -n | tee $TMP
			cat >> $TMP
			h=""
			# unquoted expansion: one word per host name; h becomes a
			# colon-joined list that is split back into arguments below
			for hst in `cat $TMP`; do
				h=$h:$hst
				nrhosts=`expr $nrhosts + 1`
			done
			echo ""
			if [ $nrhosts -eq 0 ]; then
				echo "You specified no Inspection Module hosts."
			else
				echo "The following hosts will be managed:"
				echo ""
				cat $TMP
				echo ""
				echo $DN "Is this ok (y/n) [y]? $BC"
				yn=""
				read yn
				if [ "$yn" = "y" -o "$yn" = "" ]; then
					:
				else
					nrhosts=0
				fi
			fi
		done

		# a key is only needed when at least one remote host was added
		# to the local one
		if [ $nrhosts -gt 1 ]; then
			echo ""
			pwd=""
			while [ "$pwd" = "" ]; do
				echo "You may now enter an authentication key"
				echo "to be used with the Inspection Module hosts."
				echo ""
				readp2
			done
			# the key is handed to fw putkey on its command line, so it
			# is part of that process's argument list while it runs;
			# putkey's stderr is discarded and its status is not checked,
			# so a failed key exchange is not reported here
			$FWDIR/bin/fw putkey -p "$pwd" `echo $h | sed 's/:/\ /g'` 2> /dev/null

			echo ""
			echo "NOTE: You must create matching authentication keys"
			echo "      for use on all Inspection Module hosts."
			echo ""
			echo "      You may do this when installing $PRODUCT on"
			echo "      the Inspection Module hosts, or after installation by"
			echo "      using the fwconfig command."
			echo ""
		fi
		;;

	# managing hosts/password
	4)
		echo "Control Station hosts"
		echo "-------------------------------------------------------------------------------"
		echo "You may now enter a list of trusted Control Station Hosts, which"
		echo "which are allowed to manage this Inspection Module." 
		nrmast=0
		while [ $nrmast -eq 0 ]; do
			echo ""
			echo "Enter the names of the Control Station hosts, one per line."
			echo "Be sure to enter the name of *every interface* for a multi-homed host."
			echo "When done, press Ctrl-D or your EOF character."
			echo ""
			# everything typed up to EOF replaces the scratch file
			cat > $TMP
			# NOTE(review): unlike option 3, h is not reset here, so hosts
			# from an earlier option 3 run, or from a rejected pass of this
			# loop, are carried over into the putkey call below
			for hst in `cat $TMP`; do
				h=$h:$hst
				nrmast=`expr $nrmast + 1`
			done
			echo ""
			if [ $nrmast -eq 0 ]; then
				echo "You specified no Control Station hosts."
			else
				echo "The following hosts will be listed as Control Stations"
				echo "for this Inspection Module:"
				echo ""
				cat $TMP
				echo ""
				echo $DN "Is this ok (y/n) [y] ? $BC"
				yn=""
				read yn
				if [ "$yn" = "y" -o "$yn" = "" ]; then
					:
				else
					nrmast=0
				fi
			fi
		done

		# the masters file is the list of hosts allowed to manage this
		# module; it is replaced, not merged
		rm -f $FWDIR/conf/masters
		cat $TMP > $FWDIR/conf/masters

		pwd=""
		while [ "$pwd" = "" ]; do
			echo ""
			echo "You may now enter an authentication key"
			echo "to be used with the Control Station hosts."
			echo ""
			readp2
		done
		# same as option 3: key on putkey's command line, errors discarded,
		# exit status not checked
		$FWDIR/bin/fw putkey -p "$pwd" `echo $h | sed 's/:/\ /g'` 2> /dev/null
		echo ""
		echo "NOTE: You must create matching authentication keys"
		echo "      for use on all Control Station hosts."
		echo ""
		echo "      You may do this when installing $PRODUCT on"
		echo "      the Control Station hosts, or after installation by"
		echo "      using the fwconfig command."
		echo ""
		;;

	# configure external network interface
	5)
	        echo ""
	        echo ""
	        echo "Specification of external network interface"
	        echo "-------------------------------------------------------------------------------"
	        echo "In order for $PRODUCT to correctly detect the number of"
	        echo "hosts your internal network has, it is necessary for you to specify"
	        echo "the name of this host's external network interface."
	        echo ""
	        echo "(If this host has only one network interface, enter the name of"
	        echo "that interface)."
	        yn="n"
	        while [ "$yn" = "n" ]; do
	                 echo ""
	                 echo $DN "Enter this host's external interface name [le0]: $BC"
	                 xint=""
	                 read xint
	                 # default to le0 (SunOS Lance ethernet) on empty input
	                 if [ "$xint" = "" ]; then
	                        xint=le0
	                 fi
	                 echo ""
	                 echo "You specified $xint as the name of this host's external network interface."
	                 echo ""
	                 echo $DN "Is this ok (y/n) [y] ? $BC"
	                 yn=""
	                 read yn
                done
		# written as typed; there is no check that the interface exists
		echo $xint > $FWDIR/conf/external.if
		;;	

	# enable boot startup
	6)
		if [ $OSREL -eq 5 ]; then
		 rm -f /etc/rc[23].d/S[0-9][0-9]firewall1 /etc/init.d/firewall1 2>&1 > /dev/null
		 echo "Installing auto-startup script in /etc/rc3.d..."
		 # generated rc script; $FWDIR is expanded now, so the resolved
		 # path is baked in.  The two leading blank lines are part of
		 # the here-document, so "#!/bin/sh" is not on line 1 of the
		 # file; rc scripts are normally run via sh, so this is
		 # presumably harmless - verify on the target release.
		 cat > /etc/init.d/firewall1 << EOCAT

	
#!/bin/sh
# FW-1 Start
if [ -f $FWDIR/bin/fwstart ]; then
        FWDIR=$FWDIR
        export FWDIR
        $FWDIR/bin/fwstart
fi
# FW-1 END
EOCAT
		 # hard link (not symlink) into rc3.d, root:sys, 0744
		 ln -f /etc/init.d/firewall1 /etc/rc3.d/S95firewall1
		 chown root /etc/rc3.d/S95firewall1
		 chgrp sys /etc/rc3.d/S95firewall1
		 chmod 744 /etc/rc3.d/S95firewall1
		else # OSREL = 4
		 echo "Deleting old startup script from /etc/rc.local, if present..."
		 # grep -s: no output, no error messages; status 0 = marker found
		 grep -s FW-1 /etc/rc.local
		 if [ $? -eq 0 ]; then
			# delete the previous "# FW-1" .. "# FW-1 END" block
			ed - /etc/rc.local << EOF
/^# FW-1/,/^# FW-1 END/d
w
q
EOF
		 fi
		 echo "Installing auto-startup script in /etc/rc.local..."
		 cat >> /etc/rc.local << EOF
# FW-1 Start
if [ -f $FWDIR/bin/fwstart ]; then
        FWDIR=$FWDIR
        export FWDIR
        $FWDIR/bin/fwstart
fi
# FW-1 END
EOF
		fi
		;;

	# disable boot startup
	7)
		if [ $OSREL -eq 5 ]; then
		 echo "Removing auto-startup script in /etc/rc3.d, if present..."
		 rm -f /etc/rc[23].d/S[0-9][0-9]firewall1 /etc/init.d/firewall1 2>&1 > /dev/null
		else # OSREL = 4
		 echo "Deleting old startup script from /etc/rc.local, if present..."
		 grep -s FW-1 /etc/rc.local
		 if [ $? -eq 0 ]; then
			ed - /etc/rc.local << EOF
/^# FW-1/,/^# FW-1 END/d
w
q
EOF
		 fi
		fi
		;;

	# exit

# 2.1 Addition
	# GUI client host list: the hosts allowed to connect to the
	# management server with the Windows GUI
   8)
	echo ""
	echo ""
	echo "FireWall-1 management server configuration "
	echo " "
	echo "You should now enter a list of trusted hosts that may be used "
	echo "as GUI clients (i.e., on which you may run the Windows GUI). "

	if [ -f $FWDIR/conf/gui-clients ]; then
		ngui_clients=`cat $FWDIR/conf/gui-clients | wc -w`
		if [ $ngui_clients -ne 0 ]; then
			echo "Following is your current GUI clients list:"
			echo ""
			cat $FWDIR/conf/gui-clients
		fi
	fi
	echo ""
	echo $DN "Do you want to configure GUI clients? (y/n) [y] ? $BC"
	yn=""
	read yn
	if [ "$yn" = "y" -o "$yn" = "" ]; then
	echo ""
	echo "Please enter the list of GUI Clients, one host at a line."	
	echo "Terminate with CTRL-D or your EOF character"

	# the list is written straight into the config file, not via $TMP,
	# so the old list is gone as soon as cat starts
	cat > $FWDIR/conf/gui-clients
	if [ $? -eq 0 ]; then
	  echo ""
	  ngui_clients=`cat $FWDIR/conf/gui-clients | wc -w`
	  if [ $ngui_clients -ne 0 ]; then
	    echo "You have selected the following GUI clients:"
	    echo ""
	    cat $FWDIR/conf/gui-clients
	  else
	    echo "You have selected no GUI client"
	  fi
	  echo ""
	  $FWDIR/bin/fw rand 2> /dev/null
	else
		# NOTE(review): this removes "guiclients", but the file written
		# above is "gui-clients"; the partial list is therefore left in
		# place when entry is aborted
		rm -f $FWDIR/conf/guiclients
		echo "GUI client list entry aborted, try again"

        fi
     fi
		;;

	# add a GUI administrator via fwm (interactive)
	9)
	echo " "
	echo "You may now define administrators that are allowed to use the GUI clients "
	echo "(i.e., the Windows GUI)."
	echo "You must define at least one administrator in order to use the GUI clients"

	echo ""
	echo $DN "Do you want to add an administrator for the GUI clients? (y/n) [y] ? $BC"
	yn=""
	read yn
	if [ "$yn" = "y" -o "$yn" = "" ]; then
	 echo ""
	 # fwm -p presumably prints the current administrators; its
	 # options are not shown in this file
	 $FWDIR/bin/fwm -p
         echo "Adding a username..."
	 $FWDIR/bin/fwm -a
	else
	  echo "No changes made."
	fi
		;;
	# remove a GUI administrator via fwm (interactive)
	10)

	echo " "
	echo "You may now remove usernames that are allowed to use the GUI clients "
	echo "(i.e., the Windows GUI)."
	echo "At any time you can remove users by running fwm -r"

	echo ""
	echo $DN "Do you want to remove a username for the GUI clients? (y/n) [y] ? $BC"
	yn=""
	read yn
	if [ "$yn" = "y" -o "$yn" = "" ]; then
	 echo ""
	 $FWDIR/bin/fwm -p
         echo "Remove a username..."
	 $FWDIR/bin/fwm -r
	else
	  echo "No changes made."
	fi
	;;
   # merge *.W rule base files into rulebases.fws
   11)
   echo " "
   echo "The rule bases of Firewall-1 management server are located"
   echo "in a single file called rulebases.fws. You may now merge"
   echo "your existing rule bases into this file."
   echo "At any later time you may do this by running fwm -g file.W."
   echo " "
	   echo $DN "Do you want to convert your rule bases (y/n) [y] ? $BC"
	   yn=""
	   read yn
	   echo ""
	   if [ "$yn" = "y" -o "$yn" = "" ]; then
	     # errors go to the log file only; the exit status is not checked
	     $FWDIR/bin/fwm -g $FWDIR/conf/*.W 2> $FWDIR/log/fwmconvert_log
           else
	     echo "No changes made."
	   fi
	 ;;
   
# control IP forwarding at boot time
# (still driven by ex(1) rather than ed, unlike the rest of the script;
# see the ex-to-ed note at the top of the file)
	12)
		echo ""
		echo "Do you wish to disable IP-Forwarding on boot time (y/n) [y] ? "
		read ipfans

		if [ "X$ipfans" = X -o "X$ipfans" = Xy ]; then

			if [ $OSREL -eq 5 ]; then
				# the helper is copied into /sbin so it is on the root
				# file system when S30rootusr.sh runs early in boot
				/bin/cp $FWDIR/bin/ipforwarding_off /sbin
				# egrep -s: status 1 = not present, 2 = file unreadable
				# or missing; only status 1 inserts the call, so a
				# missing S30rootusr.sh is skipped silently
				egrep -s "ipforwarding_off" /etc/rcS.d/S30rootusr.sh
				if [ $? -eq 1 ]; then
					ex - /etc/rcS.d/S30rootusr.sh << EOEX_RU
/ifconfig.*lo0
a
/sbin/ipforwarding_off
.
w!
q
EOEX_RU
				fi

				egrep -s "ndd -set /dev/ip ip_forwarding" /etc/rc2.d/S69inet
				if [ $? -ne 0 ]; then
					echo ""
					echo "Failed disabling IP forwarding.  Consult manual."
					echo "";
				else
					egrep -s "ndd -set /dev/ip ip_forwarding 1" /etc/rc2.d/S69inet
					if [ $? -eq 0 ]; then
						# turn "ip_forwarding 1" into 0 and add an
						# ip_forward_src_routed 0 line after it; w! forces
						# the write
						ex - /etc/rc2.d/S69inet << EOEX >/dev/null
/ndd
a
ndd -set /dev/ip ip_forwarding 0
.
/ndd -set \/dev\/ip ip_forwarding 1
s/ndd -set \/dev\/ip ip_forwarding 1/ndd -set \/dev\/ip ip_forwarding 0/g 
a
		ndd -set /dev/ip ip_forward_src_routed 0
.
w!
q
EOEX
					else
						echo ""
						echo "IP forwarding was already disabled in /etc/rc2.d/S69inet"
						echo "";
					fi
				fi
		fi
	fi
	;;
		

# End of 2.1 Addition   
	13)
		echo ""
		rm -f $TMP
		exit
		;;

	# default
	# (also reached when the selection loop above ended on bad input)
	*)
		echo ""
		echo "Unrecognized choice, try again."
		echo ""
		didsomething=no
		;;
 esac

 # 
 # kick inetd if required (change to /etc/inetd.conf by enable or disable
 # of user authentication)
 #
 if [ $hupinetd = yes ]; then
	# "fgrep inetd" matches every ps line containing that string, so
	# inetdpid may hold more than one PID; the unquoted expansion below
	# then sends HUP to all of them
	if [ $OSREL -eq 5 ]; then
	 inetdpid=`/usr/bin/ps -e | fgrep -v fgrep | fgrep inetd | awk '{print $1}'`
	else
	 inetdpid=`/usr/bin/ps -gx | fgrep -v fgrep | fgrep inetd | awk '{print $1}'`
	fi
	if [ "$inetdpid" != "" ]; then
		kill -HUP $inetdpid
	fi
 fi

 if [ $didsomething = yes ]; then
	 echo "Done."
 fi
 echo ""
done
