#! /bin/csh -f

#
# Set the security servers options.
#
source scripts/aliases

#
#    To add a security service, add it to the 'new' array and to the
# numbered menu (the E "1) ...", E "2) ... lines) below. The menu must list
# first the old and then the new secured_services, in the same order as
# the arrays.
#
# Don't forget to add it to 'fwconf/fwauthd.conf'.
#

	set old = (ftp http telnet)
	set new = (rlogin smtp)
	set secured_services = ($old $new)

#
# 'old' holds the services whose security daemons already existed in version
# 2.1 (FTP, Telnet, HTTP -- see the backward compatibility text below); they
# are the only ones that may be commented out of inetd.conf. 'new' holds the
# services added since. Menu numbers 1..5 index secured_services in this order.
#
# Script flow (the labels below are csh 'goto' targets):
#   1. Prompt for the services to secure and validate the answer
#      (label 'authenticate').
#   2. Ask about client authentication and 2.1/3.0 backward compatibility.
#   3. Edit /etc/inetd.conf and $FWDIR/conf/fwauthd.conf in place with 'ex',
#      park/restore smtp.conf, record the flag with 'fw config', HUP inetd.
#
# 'E' (print a line) and 'get' (read a line into a variable) are presumably
# provided by scripts/aliases, sourced above; $hpux, $aix, $solaris2,
# $freebsd and $FWDIR are assumed to be set by the caller -- none of them is
# defined in this file.
#

	E ""
	E "Installing Secured Services option"
	E "-----------------------------------"
	E "You may make the services below secured. By doing that you will enable"
	E "the usage of strong authentication and/or content security for this"
	E "service (see the user guide for details)."

#
# Re-entry point for every invalid or unconfirmed answer (via 'goto').
# smtp_on is reset here so a re-entered answer cannot inherit a stale value.
#
authenticate:
	set smtp_on=0	
	E ""
	E "1) FTP"
	E "2) HTTP"
	E "3) TELNET"
	E "4) RLOGIN"
	E "5) SMTP"
	E ""
	E "Please enter the numbers of the services you want to make secured."
	E "For example, if you wish to make only ftp and rlogin secured,"
	E -n "enter '1 4' > "
	get dans
	E ""

#
# An empty answer means "no service". Otherwise the answer must consist of
# digits and spaces only, hold no more entries than there are services,
# contain no duplicates, and every entry must be in 1..$#secured_services.
# This is the only place user input is inspected: every name interpolated
# into an 'ex' pattern later on comes from the secured_services table (or
# the literal 'client'), never from $dans itself.
#
# NOTE(review): $dans is expanded unquoted in the echo, so csh glob
# metacharacters in the answer reach the shell before egrep does -- confirm
# that such input only leads to a re-prompt.
#
	if ("X$dans" == X) then
		set services = "no service"
		set list = " "
	else
		set auth = ($dans)
#
# egrep -q (HP-UX) / -s (others) only silence output; exit status 0 means a
# character other than digit/space was found, i.e. the answer is invalid.
#
		if ($hpux) then
			echo $dans | egrep -q '[^ 0-9]'
			set x = $status
		else
			echo $dans | egrep -s '[^ 0-9]'
			set x = $status
		endif
		if ($x == 0 || $#auth > $#secured_services) then
			E "Invalid respond. Please reenter."
			goto authenticate
		endif

#
# Reject duplicate numbers (e.g. '1 1'): compare each entry with all the
# entries before it.
#
		set i = 1
		while ( $i <= $#auth)
			set j = 1
			while ($j < $i)
				if ($auth[$i] == $auth[$j]) then
					E "Invalid respond. Please reenter."
					goto authenticate
				endif
				@ j = $j + 1
			end
			@ i = $i + 1
		end

#
# Map each number to its service name. Remember whether SMTP was chosen;
# that decides the smtp.conf rename further down.
#
		set list = ""
		foreach i ($auth)
			if (($i < 1) || ($i > $#secured_services)) then
				E "Invalid respond. Please reenter."
				goto authenticate
			endif
			if ($secured_services[$i] == "smtp") then
				set smtp_on=1
			endif
			set list = ($list $secured_services[$i])				
		end

#
# Build the human-readable summary: "a", "a and b", "a, b and c".
#
		set services = $list[1]
		set i = 2
		while ($i < $#list)
			set services = "$services, $list[$i]"
			@ i = $i + 1
		end
		if ($#list > 1) then
			set services = "$services and $list[$i]"
		endif
	endif

	E "You have selected $services to be secured."
	E -n 'Is this correct (y/n) [n]: '
	get yn
	if ("X$yn" != "Xy") goto authenticate

	E ""
	E -n "Do you wish to enable the client authentication feature (y/n) [y] ? "
	get yn
	E ""

#
# Default (empty answer) is 'y': append the 'client' pseudo-service to the list.
#
	if ("X$yn" == "X" || "X$yn" == "Xy") then
		set list = ($list client)
	endif

#
# authdef is the space-separated list of chosen names, or 'none' when nothing
# was chosen (list is " " in that case, hence the second comparison).
#
	if (("X$list" == "X") || ("X$list" == "X ")) then
		set authdef = none
	else
		set authdef = "$list"
	endif
#
# NOTE(review): setauth is given the list here but is reset to the empty
# string by a bare 'set setauth' near the end of this script; whether a
# sourcing script reads it through $?setauth or through its value is not
# visible from this file.
#
	set setauth = "$authdef"

#
# If no secured services were asked for, we do not ask if the user
# wants backward compatibility or not. AIX skips the question as well
# and always gets "false".
#

	if ("X$services" == "Xno service" || $aix) then
		set back_comp = "false"
		goto backward_comp_end
	endif

	E ""
	E "In version 2.1, the FTP, Telnet and HTTP security daemons were"
	E "listening on their original TCP ports (i.e. 21, 23 and 80 respectively)."
	E "Beginning at version 3.0, these daemons may be installed on"
	E "randomly selected high ports instead. The FireWall gateway will"
	E "redirect connections coming to the original ports to these high ports."
	E ""
	E "Answering 'yes' to the following question will keep the FTP, Telnet"
	E "and HTTP security daemons on their original TCP ports. This will"
	E "allow security policies to be loaded from version 2.1 control module"
	E "on a version 3.0 gateway module."
	E ""
	E "Do you wish to enable backward compatibility, i.e. let 2.1 control"
	E -n "stations control 3.0 inspection modules (y/n) [n] ? "
	get yn
	E ""
	
#
# Only an explicit 'y' enables it; anything else (including empty) is "false".
#
	if ("X$yn" == "Xy") then
		set back_comp = "true"
	else 
		set back_comp = "false"
	endif

backward_comp_end:

#
# Get the list of security servers + client authentication.
#
# NOTE(review): "X$?authdef" expands the *existence test* $?authdef (0 or 1),
# so it can never equal "Xnone" and the inner 'then' branch is dead; when
# nothing was chosen, list ends up as "none" instead of " ". Presumably
# "X$authdef" was intended. The loops below only compare list entries with
# service names, so the visible effect is the same either way.
#
	if (! $?authdef) then
		set list = " "
	else
		if ("X$?authdef" == Xnone) then
			set list = " "
		else
			set list = "$authdef"
		endif
	endif

# ------------------------ Configure inetd.conf ------------------------ #

#
# Delete the old comments from inetd.conf (see below): strip the '#FW: '
# prefix this script added on a previous run, so every entry starts enabled.
# The file is rewritten in place ('w!') with no backup, and ex's output and
# errors go to /dev/null, so a failure here is silent.
#
	ex - /etc/inetd.conf << EOEX >& /dev/null
1,\$s/^#FW: //g
w!
q
EOEX

#
# Make sure inetd will be rerun after this.
# (killinetd is a flag tested with $?killinetd at the end of the script.)
#
	set killinetd

#
# If control backward compatibility was asked, comment out the old security 
# servers in inetd.conf so they don't clash with the security servers.
# Note that only OLD services may be commented out.
#
# $i comes from $list (names from secured_services, or 'client') and $j from
# the fixed 'old' table, so the text interpolated into the ex pattern is a
# known service name, never raw user input.
#
	if ($back_comp == "true") then
		foreach i ($list)
			foreach j ($old)
				if ($i == $j) then
					ex - /etc/inetd.conf << EOEX >& /dev/null
1,\$s/^[ 	]*$i/#FW: $i/g
w!
q
EOEX
				endif
			end
		end
	endif

# ------------------------ Configure fwauthd.conf ------------------------ #

#
# Delete the old comments from fwauthd.conf (same '#FW: ' prefix, same
# in-place edit with errors discarded as for inetd.conf above).
#
	ex - $FWDIR/conf/fwauthd.conf << EOEX >& /dev/null
1,\$s/^#FW: //g
w!
q
EOEX

#
# smtp.conf is parked as smtp.conf.org while SMTP is not secured and moved
# back when it is; if neither file exists nothing happens.
#
	if ($smtp_on == 0) then
		if (-f $FWDIR/conf/smtp.conf) then
			mv $FWDIR/conf/smtp.conf $FWDIR/conf/smtp.conf.org
		endif	
	endif
	if ($smtp_on == 1) then
		if (-f $FWDIR/conf/smtp.conf.org) then
			mv $FWDIR/conf/smtp.conf.org $FWDIR/conf/smtp.conf
		endif	
	endif

#
# If backward compatibility was asked, make sure all real ports in fwauthd.conf
# are set to their respective logical ports. 
#
# Note that client authentication (port 259) is always backward compatible,
# while smtp (25), rlogin (513), and lhttp (10081) are never backward 
# compatible.
#
# Column 1 is the logical port and column 4 the real port. Backward
# compatibility copies column 1 into column 4 except for 25/513/10081, which
# get 0; otherwise only 259 keeps its port and everything else gets 0.
# The result is written to a temp file next to the config and moved over it.
#
	set fwauthd_conf = $FWDIR/conf/fwauthd.conf
	set tmp_conf = $FWDIR/conf/fwauthd.conf.tmp

	if (-f $fwauthd_conf) then
		if ($back_comp == "true") then
			awk 'BEGIN { OFS = "\t" } \
				$1 == "25" || $1 == "513" || $1 == 10081 { $4 = "0"; print; next} \
				{ $4 = $1; print }' $fwauthd_conf > $tmp_conf
		else
			awk 'BEGIN { OFS = "\t" } \
				$1 == "259" { $4 = $1; print ; next } \
				{ $4 = "0" ; print }' $fwauthd_conf > $tmp_conf
		endif

		mv $tmp_conf $fwauthd_conf
	endif

#
# In any case, update the 'control_back_compatibility' flag in objects.C
# to the value chosen by the user.
# (The exit status of 'fw config' is not checked.)
#
	$FWDIR/bin/fw config control_back_compatibility put $back_comp
	
#
# Finally,  Comment out in fwauthd.conf the FW-1 security servers that were 
# not chosen by the user. (This does not touch lines in fwauthd.conf which 
# do not belong to security servers, like the lhttpd line).
#
# The ex pattern anchors on "in.a<service>d" (e.g. in.aftpd, in.aclientd);
# matching lines get the '#FW: ' prefix that the substitution above removes
# on the next run. $i is always a name from secured_services or 'client'.
#
	set services = ($secured_services client)
	foreach i ($services)
		set not_in_list = 1
		foreach j ($list)
			if ($i == $j) then
				set not_in_list = 0
				break
			endif
		end
		if ($not_in_list) then
			ex - $FWDIR/conf/fwauthd.conf << EOEX >& /dev/null
1,\$s/^.*in\.a$i\d/#FW: &/g
w!
q
EOEX
		endif
	end


#
# NOTE(review): this resets setauth (assigned "$authdef" above) to the empty
# string; see the note there.
#
	set setauth


#
# Find inetd's PID by parsing ps. Where ps prints full command lines
# (the 'ax' variants) the grep process itself could match, which is why the
# last branch adds 'grep -v grep'. If more than one PID matches, every one
# of them is signalled below.
#
	if ($solaris2) then
		set inetdpid = `/usr/bin/ps -e | grep 'inetd$' | awk '{print $1}'`
	else if ($hpux) then
		set inetdpid = `/bin/ps -e | grep 'inetd$' | awk '{print $1}'`
	else if ($freebsd) then
		set inetdpid = `/bin/ps ax | grep 'inetd$' | awk '{print $1}'`
	else
		set inetdpid = `/usr/bin/ps ax | grep 'inetd$' | grep -v grep | awk '{print $1}'`
	endif

#
# killinetd is set unconditionally above, so inetd is HUPped whenever a PID
# was found; the sleep gives it time to re-read inetd.conf before the
# caller continues.
#
	if ($?killinetd) then
		if ("X$inetdpid" != X) then
			E ""
			E "Restarting the inet daemon (process $inetdpid)"
			kill -HUP $inetdpid
			sleep 4
		endif
	endif

#	E ""
#	E "If you are/were using backward compatibility mode,"
#	E "remember to restart the inet daemon process (before starting"
#	E "FireWall-1, so the authentication option will work as specified."
#	E "You might wish to use the command 'kill -1 $inetdpid'"
#	E "as super-user."
#	E ""

	exit 0
