firewall.sh revision 7c478bd95313f5f23a4c958a745db2134aa03244
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 1990, 1991 Sun Microsystems, Inc. All Rights Reserved.
#
#
#ident "%Z%%M% %I% %E% SMI"
#
# Makes the local machine a firewall
#
# Assumption: this is run at the high level of security. Other
# ASET tasks are making sure that there is no + in /etc/hosts.equiv
# and no /.rhosts files.
#
# This script does 2 things:
#
# 1) Turn the kernel variable 'ip_forwarding' off, thereby ensuring
# that the firewall will not pass on IP packets.
#
# 2) Ensure in.routed is started with -q flag. This prevents routing info
# But it could be error-prone. What we will do is:
#
# and calls /usr/etc/in.routed.asetoriginal with -q flag.
# NOTE(review): this listing is incomplete. Several command lines that the
# visible 'then'/'fi' pairs, the 'case' arms and the '$?' checks depend on
# are absent; the comments below describe only what is visible and flag
# each gap rather than guessing at the missing command.
echo
echo "*** Begin Firewall Task ***"
# NOTE(review): the 'if' this 'then' belongs to is not in the listing; its
# body exits with the status left by that missing test.
then
exit $?
fi
# Only run at ASET security level "high" (see the header comment above);
# any other level is a clean no-op.
if [ "$ASETSECLEVEL" != "high" ]
then
echo
echo "Task skipped for security levels other than high."
exit 0
fi
# NOTE(review): the authorization test this 'then' belongs to is not in the
# listing; only its failure branch (message + exit 1) is visible.
then
echo
echo "You are not authorized to convert the machine to be a firewall."
exit 1
fi
# old value of ip_forwarding
# NOTE(review): the 'case' line and the assignment that fills $oldvalue are
# not in the listing. Only 0, 1 and 2 are accepted as a current kernel
# setting; anything else aborts the task, so an unexpected or garbled
# reading is never acted on.
0 | 1 | 2 )
# valid value
;;
*)
echo
echo "Invalid old ip_forwarding value $oldvalue! Task skipped!"
exit 1
;;
esac
# Records whether forwarding was already off before this run. In the visible
# lines it is assigned but never read.
done_already=false
if [ "$oldvalue" = "0" ]
then
echo
echo "IP forwarding already disabled."
done_already=true
else
# NOTE(review): the command that turns ip_forwarding off is not in the
# listing; the commented-out status check below referred to it. With that
# check disabled (see the ndd bug note), a failure of the missing command is
# still reported as "Disabled IP forwarding." — worth confirming by reading
# the value back.
# ndd bug# 1185290 - ndd always indicates failure when setting a network entry
# if [ $? -ne 0 ]
# then
# echo
# echo "Could not change IP forwarding"
# exit 1
# fi
echo
echo "Disabled IP forwarding."
fi
# The existence of the .asetoriginal backup is the marker that the rc file
# has already been edited; the edit is skipped when it is present.
# Style: ${RC2INET} is expanded unquoted inside [ ] here and below.
if [ -f ${RC2INET}.asetoriginal ]
then
echo
echo "IP forwarding already disabled in rc files."
else
# NOTE(review): 'w', 'q' and '!' look like the tail of an editor
# here-document (write, quit, terminator); the command that opens it and the
# edit it applies are not in the listing — confirm against the full file.
w
q
!
echo
# NOTE: the message spells the backup ".asetorignal" while the file tested
# above is ".asetoriginal"; message text only, the existence check is
# unaffected.
echo "Saved ${RC2INET} to ${RC2INET}.asetorignal;"
echo "Turned off IP forwarding in ${RC2INET} ."
fi
# Same backup-as-marker scheme for the routing daemon: ${ROUTED}.asetoriginal
# present means the wrapper has already been installed.
if [ -f ${ROUTED}.asetoriginal ]
then
echo
echo "ROUTED daemon already configured to be opaque."
else
# NOTE(review): each '$?' test in this branch checks the status of a command
# that is not in the listing; the messages name them (rename, create, chmod).
if [ $? -ne 0 ]
then
echo
echo "Could not rename ${ROUTED}."
exit 1
fi
# echo
if [ $? -ne 0 ]
then
echo
echo "Could not create new ${ROUTED} script."
exit 1
fi
# Appends the wrapper's only command: run the preserved daemon with -q and
# pass the wrapper's arguments through. NOTE(review): the generated line uses
# unquoted $*, so any argument containing whitespace is re-split when the
# wrapper runs; "$@" would preserve argument boundaries. Because this is '>>',
# the .asetoriginal test above is what keeps a re-run from appending a second
# line.
echo "${ROUTED}.asetoriginal -q \$*" >> ${ROUTED}
if [ $? -ne 0 ]
then
echo
echo "Could not chmod new ${ROUTED} script."
exit 1
fi
echo
# NOTE: ".asetorignal" typo in message text, as above.
echo "Renamed ${ROUTED} to ${ROUTED}.asetorignal;"
echo "Installed new ${ROUTED} script."
fi
echo
echo "*** End Firewall Task ***"