#!/bin/sh

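#
# scratch file used below to collect host lists (option 4/5)
#
# Written as root under /tmp, so it must not have a guessable name: an
# attacker who pre-creates a symlink at a predictable path would have it
# followed by the later "tee $TMP" / "cat > $TMP". Prefer mktemp and fall
# back to the old pid-based name only on systems without mktemp.
#
TMP=`mktemp /tmp/fwconfig.XXXXXX 2> /dev/null` || TMP=/tmp/fwconfig.$$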

#
# tailor no-CR echo
#
# Prompts below are printed as:  echo $DN "text $BC"
#   BSD-style echo understands -n      -> DN="-n", BC=""
#   SysV-style echo prints -n literally -> DN="",   BC="\c" (no-newline escape)
# The probe simply checks what "echo -n" prints.
#
case "`echo -n`" in
-n)
        # sysv echo
        DN=""
        BC="\c"
        ;;
*)
        # bsd echo
        DN="-n"
        BC=""
        ;;
esac
 
#
# product name, interpolated into every user-facing message below
#
PRODUCT="Solstice FireWall-1"
 
#
# OS release, 4 or 5
#
OSREL=`/usr/bin/uname -r | sed 's/\./\ /' | awk '{print $1}'`
 
#
# default installation directory
#
# Everything below is keyed off /etc/fw (or whatever it links to), so
# there is nothing useful to do without it.
#
test -d /etc/fw || {
	echo ""
	echo "*** /etc/fw does not exist - aborting."
	echo ""
	exit 1
}

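#
# find out where $FWDIR and $VARDIR really are (follow symlinks)
#
# The cd and pwd are chained with && on purpose: in the old form a failed
# cd (e.g. no search permission on /etc/fw) still ran /bin/pwd, so FWDIR
# silently became the caller's working directory and the recursive
# chmod/chgrp in option 1 would have been applied there. Now a failed cd
# leaves the variable empty and the script aborts instead.
#
FWDIR=`cd /etc/fw 2> /dev/null && /bin/pwd`
VARDIR=`cd /etc/fw/conf/.. 2> /dev/null && /bin/pwd`
if [ "$FWDIR" = "" -o "$VARDIR" = "" ]; then
	echo ""
	echo "*** cannot resolve /etc/fw and /etc/fw/conf - aborting."
	echo ""
	exit 1
fi

# Ctrl-C anywhere: drop the scratch file and leave with status 1
trap "rm -f $TMP; exit 1" 2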
 
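#
# read string from user w/o printing on screen, store in $pwd
#
# Globals:   DN, BC (echo tailoring, read); TMP (removed on Ctrl-C);
#            pwd (written), pwdlen (written)
# Reads one line from stdin with terminal echo turned off and re-prompts
# until it is 6 characters or more (wc -c counts the trailing newline,
# hence the limit of 7).
# End of input (Ctrl-D, or a non-interactive stdin) used to spin on the
# prompt forever, since read kept failing with an empty $pwd; it now
# restores echo, removes $TMP and aborts with status 1.
#
readpwd () {
        trap "stty echo; rm -f $TMP; exit 1" 2
        stty -echo
        pwdlen=0
        while [ $pwdlen -lt 7 ]; do
                pwd=""
                echo $DN "Enter password: $BC"
                # a final line without newline makes read fail but still
                # fills $pwd, so only "failed and got nothing" is EOF
                if read pwd || [ "$pwd" != "" ]; then
                        :
                else
                        stty echo
                        echo ""
                        echo "*** End of input while reading password - aborting."
                        rm -f $TMP
                        exit 1
                fi
                echo ""
                pwdlen=`echo "$pwd" | wc -c`
                if [ $pwdlen -lt 7 ]; then
                        echo "Too short, must be 6 characters or more."
                fi
        done
        stty echo
        # back to the script-wide Ctrl-C handler
        trap "rm -f $TMP; exit 1" 2
}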
 
#
# get a password, /bin/passwd style (sort of)
#
# Globals:   pwd (via readpwd; holds the accepted password on return),
#            spwd (written, first entry)
# Asks twice and keeps asking until both entries match; the matching
# value is left in $pwd.
#
readp2 () {
        while :; do
                readpwd
                spwd="$pwd"
                echo "Type password again for verification."
                readpwd
                if [ "$pwd" = "$spwd" ]; then
                        echo "Password accepted."
                        break
                fi
                echo "Passwords don't match - try again."
        done
}
 
#
# warn user about already running product, then wait for RETURN
# (Ctrl-C is caught by the trap set above and aborts the script)
#
cat << EOWARN

*******************************************************************************

WARNING: Before continuing, be sure $PRODUCT is NOT
         running (neither the kernel module nor the GUI).

         Attempting reconfiguration while $PRODUCT is running
         may have unexpected effects.

         Also, make sure you have appropriate access privileges
         to effect any desired changes.

         To abort reconfiguration at any time, press Ctrl-C.

*******************************************************************************

Press RETURN to continue, or Ctrl-C to exit.
EOWARN
read yn
 
#
# configuration options
#

#
# Main menu loop. Each pass prints the options, reads a selection, runs
# the matching case arm and then, if that arm changed /etc/inetd.conf,
# signals inetd. The loop is left only by option 9 (exit) or by Ctrl-C,
# which the trap set above turns into "rm -f $TMP; exit 1".
#
# Per-pass flags:
#   hupinetd      yes when an arm edited /etc/inetd.conf (options 2 and 3)
#   didsomething  cleared only by the fall-through arm; gates the "Done."
#
# Most arms run privileged, recursive operations (chmod/chgrp -R, ex on
# system files, add_drv). $FWDIR, $VARDIR and $TMP are interpolated
# unquoted throughout, so the arms rely on the checks at the top having
# left them set and free of blanks.
#
while : ; do
 echo ""
 echo "$PRODUCT post-install configuration options"
 echo "-------------------------------------------------------------------------------"
 echo "Choose one of the following options:"
 echo ""
 echo "(1) Change group access privileges"
 echo "(2) Enable user authentication option"
 echo "(3) Disable user authentication option"
 echo "(4) Set managed host(s) list and password (for Control Center)"
 echo "(5) Set managing host(s) list and password (for Filter Module)"
 echo "(6) Specify this host's external network interface name"
 echo "(7) Enable $PRODUCT startup at system boot time"
 echo "(8) Disable $PRODUCT startup at system boot time"
 echo "(9) Exit"
 echo ""

 # Re-prompt while the reply is a number outside 1-9. A non-numeric reply
 # makes the -lt/-gt test itself fail (status 2), which ends this loop and
 # lands in the *) arm of the case below.
 opt="0"
 while [ "$opt" -lt 1 -o "$opt" -gt 9 ]; do
        echo $DN "Enter your selection (1-9): $BC"
        read opt
        if [ "$opt" -lt 1 -o "$opt" -gt 9 ]; then
                echo "Please choose an option from the above menu."
                echo ""
        fi
 done

 echo ""
 hupinetd=no

 didsomething=yes
 case $opt in
	# set group access permissions
	1)
		echo ""
		echo ""
		echo "$PRODUCT access and execution permissions"
		echo "-------------------------------------------------------------------------------"
		echo "In addition to the superuser, one Unix group may be given permission for"
		echo "access and execution of $PRODUCT. You may name that group here,"
		echo "if desired."
		echo ""
		echo "Note: If the group name you wish to use does not yet exist, abort now"
		echo "      with Ctrl-C and create the group, then restart."
 
		# confirm loop: any reply other than "n" (including plain RETURN)
		# accepts the group name as typed; it is not validated here
		yn="n"
		while [ "$yn" = "n" ]; do
		 echo ""
		 echo $DN "Please enter the group name, or press RETURN for no group: $BC"
		 grp=""
		 read grp
		 echo ""
		 if [ "$grp" = "" ]; then
		        msg="No group permissions will be granted. Only the superuser \
		will be able to access $PRODUCT."
		 else
		        msg="Group $grp and the superuser will be able to access $PRODUCT."
		 fi
		 echo $msg
		 echo $DN "Is this ok (y/n) [y] ? $BC"
		 yn=""
		 read yn
		done

		echo ""
		echo "Setting group permissions..."

		# reset permissions to root-only
		# (recursive over the whole install tree; $VARDIR is only touched
		# separately when conf/ resolved to a different tree)
		chmod -R go-rwxs,u+rw,u-s $FWDIR
		if [ $FWDIR != $VARDIR ]; then
		 chmod -R go-rwxs,u+rw,u-s $VARDIR
		fi

		# set kernel module permissions for SunOS 4
		# ex edits fw.mkdev in place, clearing the group on the line tagged
		# "# FW-1-grp". Redirection order matters: 2>&1 before >/dev/null
		# keeps ex's errors on the screen and discards its normal output.
		if [ $OSREL -eq 4 ]; then
			ex - $FWDIR/modules/fw.mkdev << EOEX 2>&1 > /dev/null
1,\$s/^.*# FW-1-grp/set grp = # FW-1-grp/
w!
q
EOEX
		fi

		# reset group to bin
		chgrp -R bin $FWDIR 2> /dev/null
		if [ $FWDIR != $VARDIR ]; then
		 chgrp -R bin $VARDIR 2> /dev/null
		fi

		# check to see if group is set
		if [ "$grp" != "" ]; then
			# try changing group of $FWDIR
			# chgrp's exit status is the only check that the typed group
			# exists; $grp is passed unquoted, so a name with blanks or a
			# leading "-" would be mis-parsed rather than rejected
		        chgrp -R $grp $FWDIR
		        if [ $? -eq 0 ]; then
	 		 # if chgrp succeeded, group is ok - continue

			# set kernel module permissions for SunOS 4
			# (same ex edit as above, now recording $grp on the tagged line)
			if [ $OSREL -eq 4 ]; then
				ex - $FWDIR/modules/fw.mkdev << EOEX 2>&1 > /dev/null
1,\$s/^.*# FW-1-grp/set grp = $grp # FW-1-grp/
w!
q
EOEX
			fi

			 if [ $FWDIR != $VARDIR ]; then
		        	chgrp -R $grp $VARDIR
				chmod g+rwxs $VARDIR
			 fi
			 # SunOS 5: re-register the fw driver with its device nodes
			 # readable/writable by root and the chosen group (0660)
			 if [ $OSREL -eq 5 ]; then
			 	rem_drv fw 2> /dev/null
			 	add_drv -m "* 0660 root $grp" fw
			 fi

			 # dirs in $VARDIR, root rwx, group rwxs
		         find $VARDIR/conf $VARDIR/database $VARDIR/log $VARDIR/state $VARDIR/tmp -type d -exec chmod g+rwxs \{\} \;
			 # files in $VARDIR, root rwx, group rwx
			 # (-perm 700 / 600 match the exact modes left by the reset above)
		         find $VARDIR/conf $VARDIR/database $VARDIR/log $VARDIR/state $VARDIR/tmp -type f -perm 700 -exec chmod 770 \{\} \;
			 # files in $VARDIR, root fw, group rw
		         find $VARDIR/conf $VARDIR/database $VARDIR/log $VARDIR/state $VARDIR/tmp -type f -perm 600 -exec chmod 660 \{\} \;

			 # files in $FWDIR, root rwx, group rx
		         find $FWDIR -type f -perm 700 -exec chmod 750 \{\} \;
			 # dirs in $FWDIR, root rwx, group rx
		         find $FWDIR -type d -perm 700 -exec chmod 750 \{\} \;
			 # files in $FWDIR, root rw, group r
		         find $FWDIR -type f -perm 600 -exec chmod 640 \{\} \;

		        else
		         echo "*** Group $grp does not exist, retaining root-only permissions."
		        fi
		else
			# no group: SunOS 5 device nodes go back to root-only (0600)
			if [ $OSREL -eq 5 ]; then
			 rem_drv fw 2> /dev/null
			 add_drv -m "* 0600 root bin" fw
			fi
		fi
		;;

	# enable user auth
	2)
		echo "Enabling authentication option:"
		# fwauthd.conf is a symlink to the generated fwauthd.conf.gen;
		# "-f" is false for a dangling link, so any stale link is removed
		# before it is recreated
		if [ ! -f $FWDIR/conf/fwauthd.conf ]; then
			rm -f $FWDIR/conf/fwauthd.conf
			ln -s fwauthd.conf.gen $FWDIR/conf/fwauthd.conf
		fi
		# comment out the stock telnet and ftp services with a "#FW: "
		# prefix so option 3 can find and undo exactly these edits; the
		# bracket class in the pattern holds a literal tab
		ex - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^[	]*telnet/#FW: telnet/g
w!
q
EOEX
		ex - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^[	]*ftp/#FW: ftp/g
w!
q
EOEX
		hupinetd=yes
		;;

	# disable user auth
	3)
		echo "Restoring telnet and ftp in /etc/inetd.conf..."
		# strip the "#FW: " prefix added by option 2 and drop the auth
		# config link so fwauthd is no longer configured
		ex - /etc/inetd.conf << EOEX 2>&1 > /dev/null
1,\$s/^#FW: //
w!
q
EOEX
		rm -f $FWDIR/conf/fwauthd.conf
		hupinetd=yes
		;;

	# managed hosts/password
	4)
		echo "Managed hosts"
		echo "-------------------------------------------------------------------------------"
		echo "You may enter a list of hosts this Master module will manage."
		nrhosts=0
		while [ $nrhosts -eq 0 ]; do
			echo ""
			echo "Please enter the names of managed hosts, one per line."
			echo "When done, press Ctrl-D or your EOF character."
			echo ""
			# this host is always the first managed host; the user's
			# list is appended until EOF.
			# NOTE(review): $TMP is written as root under /tmp - its name
			# must be unpredictable (see TMP at the top) so an existing
			# symlink cannot redirect the write.
			uname -n | tee $TMP
			cat >> $TMP
			# rebuild the colon-joined list from scratch; the file is
			# word-split, so each whitespace-separated word is a host
			h=""
			for hst in `cat $TMP`; do
				h=$h:$hst
				nrhosts=`expr $nrhosts + 1`
			done
			echo ""
			if [ $nrhosts -eq 0 ]; then
				echo "You specified no managed hosts."
			else
				echo "The following hosts will be managed:"
				echo ""
				cat $TMP
				echo ""
				echo $DN "Is this ok (y/n) [y]? $BC"
				yn=""
				read yn
				if [ "$yn" = "y" -o "$yn" = "" ]; then
					:
				else
					nrhosts=0
				fi
			fi
		done

		# uname -n always contributes one entry, so > 1 means the user
		# named at least one other host
		if [ $nrhosts -gt 1 ]; then
			echo ""
			# readpwd enforces 6+ characters, so this normally runs once
			pwd=""
			while [ "$pwd" = "" ]; do
				echo "You may now enter an initial authentication password"
				echo "to be used with the managed hosts."
				echo ""
				readp2
			done
			# NOTE(review): the password is handed to fw putkey as a
			# command-line argument, so it is visible in process listings
			# for as long as putkey runs; check whether putkey can take it
			# from stdin instead. Hosts are the colon list split back on
			# blanks.
			$FWDIR/bin/fw putkey -p "$pwd" `echo $h | sed 's/:/\ /g'` 2> /dev/null

			echo ""
			echo "Note: You should create authentication keys for use on"
			echo "      all managed hosts."
			echo "      Use 'fw putkey <manager_host_name>' and supply the"
			echo "      same secret key you did above."
		fi
		;;

	# managing hosts/password
	5)
		echo "Master hosts"
		echo "-------------------------------------------------------------------------------"
		echo "You may now enter a list of trusted Master Hosts, i.e., hosts"
		echo "which are allowed to control the Packet Filter Module residing"
		echo "on this host."
		nrmast=0
		while [ $nrmast -eq 0 ]; do
			echo ""
			echo "Please enter the names of all master hosts, one per line."
			echo "When done, press Ctrl-D or your EOF character."
			echo ""
			# unlike option 4 the local host is not added automatically
			cat > $TMP
			# NOTE(review): $h is not cleared here (option 4 does h="").
			# Hosts from an earlier option 4 run in this session, or from a
			# list the user rejected on a previous pass of this loop, stay
			# in $h and are also passed to putkey below.
			for hst in `cat $TMP`; do
				h=$h:$hst
				nrmast=`expr $nrmast + 1`
			done
			echo ""
			if [ $nrmast -eq 0 ]; then
				echo "You specified no master hosts."
			else
				echo "The following hosts will be masters:"
				echo ""
				cat $TMP
				echo ""
				echo $DN "Is this ok (y/n) [y] ? $BC"
				yn=""
				read yn
				if [ "$yn" = "y" -o "$yn" = "" ]; then
					:
				else
					nrmast=0
				fi
			fi
		done

		# the confirmed list becomes the module's masters file
		rm -f $FWDIR/conf/masters
		cat $TMP > $FWDIR/conf/masters

		pwd=""
		while [ "$pwd" = "" ]; do
			echo ""
			echo "You may now enter an initial authentication password"
			echo "to be used with your master hosts."
			echo ""
			readp2
		done
		# same argv exposure of the password as in option 4
		$FWDIR/bin/fw putkey -p "$pwd" `echo $h | sed 's/:/\ /g'` 2> /dev/null
		echo ""
		echo "Note: you should create authentication keys for use on"
		echo "      all master hosts."
		echo "      Use 'fw putkey <master_hostname>' and supply the"
		echo "      same secret key as you did above."
		echo ""
		;;

	# configure external network interface
	6)
	        echo ""
	        echo ""
	        echo "Specification of external network interface"
	        echo "-------------------------------------------------------------------------------"
	        echo "In order for $PRODUCT to correctly detect the number of"
	        echo "hosts your internal network has, it is necessary for you to specify"
	        echo "the name of this host's external network interface."
	        echo ""
	        echo "(If this host has only one network interface, enter the name of"
	        echo "that interface)."
	        # confirm loop as in option 1; RETURN on the prompt means le0
	        yn="n"
	        while [ "$yn" = "n" ]; do
	                 echo ""
	                 echo $DN "Enter this host's external interface name [le0]: $BC"
	                 xint=""
	                 read xint
	                 if [ "$xint" = "" ]; then
	                        xint=le0
	                 fi
	                 echo ""
	                 echo "You specified $xint as the name of this host's external network interface."
	                 echo ""
	                 echo $DN "Is this ok (y/n) [y] ? $BC"
	                 yn=""
	                 read yn
                done
		# NOTE(review): the name is written as typed; it is not checked
		# against the interfaces actually configured on this host
		echo $xint > $FWDIR/conf/external.if
		;;	

	# enable boot startup
	7)
		if [ $OSREL -eq 5 ]; then
		 # remove any earlier rc2/rc3 links and init script first
		 # (2>&1 before >/dev/null: errors stay visible, output is dropped)
		 rm -f /etc/rc[23].d/S[0-9][0-9]firewall1 /etc/init.d/firewall1 2>&1 > /dev/null
		 echo "Installing auto-startup script in /etc/rc3.d..."
		 # unquoted here-doc: $FWDIR is expanded now, so the generated
		 # script hard-codes the path resolved at the top of this run
		 cat > /etc/init.d/firewall1 << EOCAT
#!/bin/sh
# FW-1 Start
if [ -f $FWDIR/bin/fwstart ]; then
        FWDIR=$FWDIR
        export FWDIR
        $FWDIR/bin/fwstart
fi
# FW-1 END
EOCAT
		 # hard link (not a symlink) into rc3.d, owned root:sys, mode 744
		 ln -f /etc/init.d/firewall1 /etc/rc3.d/S95firewall1
		 chown root /etc/rc3.d/S95firewall1
		 chgrp sys /etc/rc3.d/S95firewall1
		 chmod 744 /etc/rc3.d/S95firewall1
		else # OSREL = 4
		 echo "Deleting old startup script from /etc/rc.local, if present..."
		 # grep -s is silent; only its exit status is used. ex then deletes
		 # everything between the "# FW-1" and "# FW-1 END" markers.
		 grep -s FW-1 /etc/rc.local
		 if [ $? -eq 0 ]; then
			ex - /etc/rc.local << EOF
/^# FW-1/,/^# FW-1 END/d
w!
q
EOF
		 fi
		 echo "Installing auto-startup script in /etc/rc.local..."
		 # appended with the same markers so option 8 (and a re-run of
		 # option 7) can find and remove exactly this block
		 cat >> /etc/rc.local << EOF
# FW-1 Start
if [ -f $FWDIR/bin/fwstart ]; then
        FWDIR=$FWDIR
        export FWDIR
        $FWDIR/bin/fwstart
fi
# FW-1 END
EOF
		fi
		;;

	# disable boot startup
	8)
		if [ $OSREL -eq 5 ]; then
		 echo "Removing auto-startup script in /etc/rc3.d, if present..."
		 # same removal as at the start of option 7
		 rm -f /etc/rc[23].d/S[0-9][0-9]firewall1 /etc/init.d/firewall1 2>&1 > /dev/null
		else # OSREL = 4
		 echo "Deleting old startup script from /etc/rc.local, if present..."
		 # same marker-bounded delete as in option 7
		 grep -s FW-1 /etc/rc.local
		 if [ $? -eq 0 ]; then
			ex - /etc/rc.local << EOF
/^# FW-1/,/^# FW-1 END/d
w!
q
EOF
		 fi
		fi
		;;

	# exit
	9)
		echo ""
		# normal exit path: drop the scratch file; the bare exit returns
		# the status of that rm
		rm -f $TMP
		exit
		;;

	# default
	# reached only via a non-numeric selection (see the prompt loop above);
	# numeric replies are already confined to 1-9 there
	*)
		echo ""
		echo "Unrecognized choice, try again."
		echo ""
		didsomething=no
		;;
 esac

 #
 # kick inetd if required (change to /etc/inetd.conf by enable or disable
 # of user authentication)
 #
 # NOTE(review): the pid is taken from "ps | fgrep inetd", so any process
 # whose ps line contains "inetd" is matched; if several match, every one
 # of them receives the HUP.
 #
 if [ $hupinetd = yes ]; then
	if [ $OSREL -eq 5 ]; then
	 inetdpid=`/usr/bin/ps -e | fgrep -v fgrep | fgrep inetd | awk '{print $1}'`
	else
	 inetdpid=`/usr/bin/ps -gx | fgrep -v fgrep | fgrep inetd | awk '{print $1}'`
	fi
	if [ "$inetdpid" != "" ]; then
		echo "	Sending HUP signal to inetd for restart..."
		kill -HUP $inetdpid

	else
		echo "	Note: you will need to restart inetd for"
		echo "	      authenticated ftp and telnet servers"
		echo "	      to become active."
	fi
 fi

 if [ $didsomething = yes ]; then
	 echo "Done."
 fi
 echo ""
done
