#!/bin/csh -f

# Installing/uninstalling default filter on boot
#	
# Be very careful when changing this script.
#
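	# Load the shared installer definitions. This script uses several names
	# it never defines itself (the exists and E commands, and the FWDIR,
	# bootsec, solaris2, sunos4 and hpux variables); presumably they come
	# from this file or from the caller -- confirm.
	# NOTE(review): the path is relative, so whatever scripts/aliases is
	# found under the current directory gets executed with the privileges
	# of the caller. Run this only from the trusted installation directory.
	source scripts/aliases

	# The sh keywords if and else are kept in variables so that the
	# here-documents nested inside csh if-blocks can emit them without a
	# line of this file starting with the bare keyword -- presumably because
	# csh scans the raw text of a skipped branch for if/else/endif and would
	# miscount on here-document lines. Confirm before simplifying.
	set shell_if = "if"
	set shell_else = "else"

	# Directory that receives the boot-time loader (fwdefault), the compiled
	# filter (default.bin) and the saved copies of the system boot files
	# this script edits.
	set FW_BOOT_DIR = "/etc/fw.boot"
	exists $FW_BOOT_DIR
	if ($status != 0) then
		# Everything below writes into this directory; stop here rather than
		# edit system boot files with nowhere to keep their backups.
		# NOTE(review): the directory is created with the umask of the caller.
		# Its contents are run during system boot, so it should be owned by
		# root and not writable by group or others -- verify after install.
		mkdir $FW_BOOT_DIR
		if ($status != 0) then
			echo "Cannot create $FW_BOOT_DIR"
			goto abort
		endif
	endif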

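	# Build the boot-time default filter, unless bootsec is unset or 0.
	#   bootsec == 1     -> lib/defaultfilter.boot becomes conf/defaultfilter.pf
	#   any other value  -> lib/defaultfilter.drop becomes conf/defaultfilter.pf
	if ($?bootsec) then
		if ($bootsec == 0) goto next_action
		if ("X$bootsec" == "X1") then
			# A failed copy would leave the previous defaultfilter.pf in place
			# for the generation step, so it is checked explicitly.
			\cp $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf
			if ($status != 0) then
				echo "Cannot copy default filter source to $FWDIR/conf"
				goto abort
			endif
		else
			\cp $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf
			if ($status != 0) then
				echo "Cannot copy default filter source to $FWDIR/conf"
				goto abort
			endif
		endif

		E "Generating default filter"
		# NOTE(review): the outcome of fw defaultgen is neither shown nor
		# checked. If it fails, files left behind by an earlier run would be
		# copied below without any warning, and the filter loaded at boot
		# might not be the one just selected. Confirm that fw defaultgen
		# reports failure through its exit status, then gate on it here.
		$FWDIR/bin/fw defaultgen >& /dev/null

		# Install the loader and the compiled filter where the boot scripts
		# expect them.
		\cp $FWDIR/bin/fwdefault $FW_BOOT_DIR
		if ($status != 0) then
			echo "Cannot copy default filter to $FW_BOOT_DIR"
			goto abort
		endif
		\cp $FWDIR/state/default.bin $FW_BOOT_DIR
		if ($status != 0) then
			echo "Cannot copy default filter to $FW_BOOT_DIR"
			goto abort
		endif
	endif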

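next_action:
	# The generation step above tolerates an unset bootsec, but everything
	# from here on reads it. Stop with a clear message instead of letting
	# csh die on an undefined variable part-way through the run.
	if (! $?bootsec) then
		echo "bootsec is not set"
		goto abort
	endif

	# BOOTSEC_ON is the value to write into the FW1_BOOTSEC marker of the
	# boot files; BOOTSEC_OFF is the opposite value, i.e. the one that has
	# to be replaced if it is currently there.
	if ($bootsec != 0) then
		set BOOTSEC_ON = 1
		set BOOTSEC_OFF = 0
	else
		set BOOTSEC_ON = 0
		set BOOTSEC_OFF = 1
	endif

	# Per-platform boot directory. Neither bootdir nor plural is read again
	# in this script; they are kept in case a caller or sourced file uses
	# them -- TODO confirm.
	set plural=""
	if ($solaris2) then
		set bootdir = /etc/rcS.d
		set plural = s
	endif
	if ($sunos4) set bootdir=/etc/rc.boot
	if ($hpux == 10) then
		set bootdir = /sbin/rc2.d
		set plural = s
	endif
	if ($hpux == 9) set bootdir=/etc/brc

	# Dispatch to the platform-specific section.
	# NOTE(review): when none of the tests match, control falls through into
	# the Solaris section that follows and the script can still end with
	# status 0 although no boot-time filter was set up. Confirm whether an
	# unsupported platform should be reported as a failure instead.
	if ($solaris2) goto solaris2label
	if ($sunos4) goto sunos4label
	if ($hpux == 10) goto hpux10label
	if ($hpux == 9) goto hpux9label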

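solaris2label:		

	# Pin ex to /usr/ucb/ex for the in-place edits below.
	alias ex /usr/ucb/ex

	# A boot file that already carries the FW-1 addition marker is left
	# untouched and the operator is told to restore the original.
	# NOTE(review): this path exits with status 0 although nothing was
	# configured; a caller that only looks at the exit status will not
	# notice that the boot-time filter is missing.
	grep "FW-1 addition" /etc/rcS.d/S30rootusr.sh >& /dev/null
	if ($status == 0) then
		echo "You possess a beta version of FW-1 3.0"
		echo "Due to internal problem of that version, Default filter"
		echo "cannot be configured without a damage to system files."
		echo "In order to solve the problem please restore the original"
		echo "/etc/rcS.d/S30rootusr.sh system file."
		echo "If you have problems, please contact your reseller"
		exit 0
	endif
# Modify S30rootusr.sh so that interfaces are down.
	
	grep "FW1_BOOTSEC" /etc/rcS.d/S30rootusr.sh >& /dev/null
	if ($status != 0) then
		# Keep the first pristine copy of the boot file. The edit below is
		# not attempted when that copy cannot be made, so the system file is
		# never changed without a way back.
		if (! (-e $FW_BOOT_DIR/S30rootusr.sh)) then
			\cp /etc/rcS.d/S30rootusr.sh $FW_BOOT_DIR
			if ($status != 0) then
				echo "Cannot save /etc/rcS.d/S30rootusr.sh in $FW_BOOT_DIR"
				goto abort
			endif
		endif

		# The ex script below makes three edits to S30rootusr.sh:
		#  1. after the #ident line, add FW1_BOOTSEC=1 and a test that sets
		#     IF_STATE to down when FW1_BOOTSEC is 1 and to up otherwise;
		#  2. replace the line matching broadcast + -trailers up with one
		#     that uses IF_STATE (defaulting to up) in place of the fixed up;
		#  3. wrap the lines from the next /sbin/ifconfig match through the
		#     next line matching 1 >/dev/null in a test, so they run only
		#     when FW1_BOOTSEC is 0.
		# NOTE(review): the output of ex is discarded and its status is not
		# checked. If one of the search patterns is absent from this release
		# of S30rootusr.sh the result cannot be told from here -- inspect the
		# file after installation.
		ex - /etc/rcS.d/S30rootusr.sh << EOEX >& /dev/null
/#ident
a
FW1_BOOTSEC=1

$shell_if [ \${FW1_BOOTSEC:-0} -eq 1 ]; then
	IF_STATE="down"
$shell_else
	IF_STATE="up"
fi
.

/broadcast + -trailers up
d
i
					 -trailers \${IF_STATE:-up} \
.
/\/sbin\/ifconfig
i
$shell_if [ \${FW1_BOOTSEC:-0} -eq 0 ]; then
.
/1 >\/dev\/null
a
fi
.
w!
q
EOEX
	endif

	# Flip the marker only when the file currently holds the opposite value.
	# The confirmation message is printed only in that case, so a fresh
	# install that already ends up with the requested value prints nothing.
	grep "FW1_BOOTSEC=$BOOTSEC_OFF" /etc/rcS.d/S30rootusr.sh >& /dev/null
	if ($status == 0) then
		ex - /etc/rcS.d/S30rootusr.sh >& /dev/null << EOEX
/FW1_BOOTSEC=$BOOTSEC_OFF
d
i
FW1_BOOTSEC=$BOOTSEC_ON
.
w!
q
EOEX
		if ($BOOTSEC_ON) then
			E "Default Filter installed"
		else
			E "Default Filter disabled"
		endif
	endif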

createS31FW1:

# Create /etc/rcS.d/S31firewall1 when boot security is on, remove it when
# it is off.
#
# The generated sh script sets IFS to space and dot, so each name matched by
# the /etc/hostname glob splits into two words. The loop drops the
# /etc/hostname word, brings the interface named by the next word up unless
# it is xx0, and moves on to the next pair. After the loop it restores IFS
# and runs FW_BOOT_DIR/fwdefault.
# NOTE(review): the interfaces are brought up before fwdefault runs, so
# traffic may reach the host before the filter is loaded. Confirm that this
# order is required by the loader.

	if ($BOOTSEC_ON) then

		cat > /etc/rcS.d/S31firewall1 << EOF
#!/bin/sh
IFS=" ."
set \`echo /etc/hostname\.*[0-9]\`
while test \$# -ge 2
do
	shift
	$shell_if [ "\$1" != "xx0" ]; then
		/sbin/ifconfig \$1 up
	fi
	shift
done
IFS=" "
$FW_BOOT_DIR/fwdefault

EOF

		# Owner may read, write and execute; group and others may only read.
		# NOTE(review): the status of the cat above is not checked, so a
		# failed or partial write is not reported.
		/usr/bin/chmod 744 /etc/rcS.d/S31firewall1
	else
		/bin/rm -f /etc/rcS.d/S31firewall1
	endif
	goto ok

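sunos4label:

# Patch /etc/rc.boot: add the FW-1 lines when they are missing, then make the
# FW1_BOOTSEC marker match the requested state.

	set bootfile = /etc/rc.boot
	grep 'FW1_BOOTSEC' < $bootfile >& /dev/null
	if ($status != 0) then
		# Keep the first pristine copy of the boot file. The edit below is
		# not attempted when that copy cannot be made, so the system file is
		# never changed without a way back.
		if (!(-e $FW_BOOT_DIR/rc.boot)) then
			/bin/cp $bootfile $FW_BOOT_DIR
			if ($status != 0) then
				echo "Cannot save $bootfile in $FW_BOOT_DIR"
				goto abort
			endif
		endif

		# The ex script searches forward for the exit on error line, then
		# backward for the fsck comment, and inserts the FW-1 lines before
		# it: the marker, and a guarded block that loads the kernel module
		# and runs the boot-time loader.
		# The guard compares FW1_BOOTSEC with 1. A bare [ value ] test is
		# true for any non-empty string, 0 included, so it would keep
		# loading the filter after the marker had been switched to 0.
		# Boot files patched by an earlier run keep the test they already
		# have; check them by hand.
		# NOTE(review): the output of ex is discarded and its status is not
		# checked -- inspect the boot file after installation.
		ex - $bootfile << SEOEX >& /dev/null
/exit \$error
?exit with error status from fsck
i
FW1_BOOTSEC=1
$shell_if [ \${FW1_BOOTSEC:-0} -eq 1 ]; then
	/usr/etc/modload $FWDIR/modules/fwmod.4.1.x.o -exec $FWDIR/modules/fw.mkdev
	echo "FW-1: loading default filter..."
	$FW_BOOT_DIR/fwdefault
fi
.
w!
q
SEOEX
	endif

	# Flip the marker only when the file currently holds the opposite value.
	# NOTE(review): the messages below talk about IP forwarding, while the
	# step itself only switches the boot filter marker; the Solaris section
	# reports Default Filter installed or disabled at the same point.
	# Confirm the intended wording.
	grep "FW1_BOOTSEC=$BOOTSEC_OFF" $bootfile >& /dev/null
	if ($status == 0) then
		ex - $bootfile >& /dev/null << EOF1
/FW1_BOOTSEC=$BOOTSEC_OFF
d
i
FW1_BOOTSEC=$BOOTSEC_ON
.
w!
q
EOF1
		if ($BOOTSEC_ON) then
			E "IP forwarding disabled"
		else
			E "IP forwarding enabled"
		endif
	endif

	goto ok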


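hpux10label:
# The rc script /sbin/init.d/fw1bootsec is always removed and, when boot
# security is on, written again from scratch so that it carries the current
# FWDIR and FW_BOOT_DIR. /sbin/rc2.d/S002fw1bootsec is a symbolic link to it.
# When boot security is off both the script and the link are removed.

	set rcfile = /sbin/init.d/fw1bootsec
	if (-f $rcfile) /bin/rm -f $rcfile
	set ln_rcfile = /sbin/rc2.d/S002fw1bootsec
	if ($bootsec == 0) then
		/bin/rm -f $ln_rcfile
		goto ok
	endif

	# FWDIR and FW_BOOT_DIR are expanded now, by csh, so the generated file
	# holds fixed paths; the escaped dollar signs are left for sh to expand
	# at boot. The start arm runs only when FWDIR/bin/fwstart exists and
	# exits with the status of fwdefault; the status of fw ctl install is
	# not looked at.
	# The usage line prints the script name through dollar-zero; it used to
	# reference a variable named with the capital letter O, which is never
	# set, so the name was missing from the message.
	# NOTE(review): the generated script assigns FWDIR without exporting it.
	# If fw needs FWDIR in its environment, confirm it gets it another way.
	cat > $rcfile << EOCAT
#!/sbin/sh
case \$1 in
	start_msg)
		print "Start FireWall-1 Boot-time Security Filter"
		exit 0
		;;

	stop_msg)
		print "Stop FireWall-1 Boot-time Security Filter"
		exit 0
		;;

	start)
		if [ -f $FWDIR/bin/fwstart ]; then
			FWDIR=$FWDIR
			\$FWDIR/bin/fw ctl install
			$FW_BOOT_DIR/fwdefault
			exit \$?
		fi
		exit 1
		;;

	*)
		print "USAGE: \$0 {start_msg | stop_msg | start }" >&2
		exit 1

esac
EOCAT
	# Recreate the link, then make both names root-owned, group sys and
	# read/execute only, so the script that runs at boot cannot be edited
	# in place by anyone without first changing its mode.
	\rm -f $ln_rcfile
	ln -s $rcfile $ln_rcfile
	chown root $rcfile $ln_rcfile
	chgrp sys $rcfile $ln_rcfile
	chmod 555 $rcfile $ln_rcfile
	E ""
	E "Default filter code installed in /sbin/rc2.d"
	goto ok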

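hpux9label: 
# If the FW1 lines already exist in /etc/brc only the FW1_BOOTSEC marker is
# updated; otherwise the lines are inserted into the file first.

	# Keep the first pristine copy of the boot file. Nothing below is
	# attempted when that copy cannot be made, so the system file is never
	# changed without a way back.
	if (!(-e $FW_BOOT_DIR/brc)) then
		/bin/cp /etc/brc $FW_BOOT_DIR
		if ($status != 0) then
			echo "Cannot save /etc/brc in $FW_BOOT_DIR"
			goto abort
		endif
	endif
	grep -q "FW1_BOOTSEC" /etc/brc
	if ($status != 0) then
		# The ex script appends, after the line before the last one, the
		# marker and a guarded block that runs fw ctl install and the
		# boot-time loader.
		# The guard compares FW1_BOOTSEC with 1. A bare [ value ] test is
		# true for any non-empty string, 0 included, so it would keep
		# loading the filter after the marker had been switched to 0.
		# Boot files patched by an earlier run keep the test they already
		# have; check them by hand.
		# NOTE(review): the output of ex is discarded and its status is not
		# checked -- inspect /etc/brc after installation.
		ex - /etc/brc << EOEX >& /dev/null
\$-1
a

FW1_BOOTSEC=1
$shell_if [ \${FW1_BOOTSEC:-0} -eq 1 ]; then
	$FWDIR/bin/fw ctl install
	$FW_BOOT_DIR/fwdefault
fi
.
w!
q
EOEX
	endif

	# Flip the marker only when the file currently holds the opposite value.
	# NOTE(review): the messages below talk about IP forwarding, while the
	# step itself only switches the boot filter marker. Confirm the intended
	# wording.
	grep -q "FW1_BOOTSEC=$BOOTSEC_OFF" /etc/brc
	if ($status == 0) then
		ex - /etc/brc >& /dev/null << EOF1
/FW1_BOOTSEC=$BOOTSEC_OFF
d
i
FW1_BOOTSEC=$BOOTSEC_ON
.
w!
q
EOF1
		if ($BOOTSEC_ON) then
			E "IP forwarding disabled"
		else
			E "IP forwarding enabled"
		endif
	endif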

# Shared exit points: ok reports success (status 0), abort reports failure
# (status 1). The hpux9 section reaches ok by falling through; the other
# sections jump here with goto.
ok:
	exit 0

abort:
	exit 1
