Old 2006-10-18
vlions vlions is offline
Default Re: Installation NGX V61 on Sun Solaris 10

#!/sbin/sh

# $RCSfile: S25fw1boot.sh,v $ $Revision: 1.14.4.3.8.1 $ $Date: 2003/11/05 12:57:31 $


# Announce this stage on the boot console.
echo "FireWall-1 boot security configuration:"

# Directory defaults: a non-empty value inherited from the environment is
# kept, otherwise the stock location is used.
# NOTE(review): neither path is validated, and programs found under both
# are executed by this script, so the script is only as trustworthy as
# the environment it is started from.
: "${FW_BOOT_DIR:=/etc/fw.boot}"
: "${PPK_BOOT_DIR:=/etc/ppk.boot}"

# When the securexl0 character device is present, run `sim installin` and
# record "securexl" so it can be handed to push_fw_over_interface later;
# otherwise the value stays empty.
sim_ap=""
if [ -c /dev/securexl0 ]; then
  $PPK_BOOT_DIR/bin/sim installin
  sim_ap="securexl"
fi

# Both directories are needed by bootconf, so they go into the environment.
export FW_BOOT_DIR PPK_BOOT_DIR

# File holding the interface device list.
ifdevlist=$FW_BOOT_DIR/ifdev

# Debug switch read by dbg(): 1 enables it, anything else disables it.
dbg_on=0

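# dbg CMD [ARG...]
# Debug helper: when dbg_on is 1, run CMD with the given arguments
# (callers in this file pass "echo ..." to trace the command they are
# about to issue); otherwise do nothing and return 0.
#
# The arguments are executed as-is with "$@" instead of `eval $*`. By the
# time dbg is called the caller has already expanded its variables and
# command substitutions, so eval parsed that data a second time as shell
# source: a ';', backquote or '$(' coming from the interface list file or
# from command output would have been executed by this boot script.
# With "$@" such characters are only ever printed.
dbg() {
  # An unset dbg_on counts as "off" instead of making the test error out.
  if [ "${dbg_on:-0}" -eq 1 ] ; then
    "$@"
  fi
}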

# Shell-function stand-in for the `true` command: ignores its arguments
# and always returns 0. push_fw_over_interface uses it as its no-op
# branch for skipped lines.
# NOTE(review): presumably defined as a function so the no-op does not
# depend on an external binary at this point in boot - confirm.
true() { return 0; }

# apverify NAME CONFIG...
# Sanity check on an existing autopush configuration before this script
# replaces it. $1 is the name the configuration belongs to and $2 is the
# first word of that configuration (callers pass the saved configuration
# unquoted, so it arrives split into words). Any $2 other than -1 is
# reported as "not ALL", all arguments are printed, and the shell exits.
#
# NOTE(review): $2 is expanded unquoted. If it is empty or not a number
# the test itself fails, the condition counts as false, and the check is
# skipped instead of aborting.
# NOTE(review): the bare `exit` reuses the status of the preceding echo,
# so the abort is reported as success to whatever started the script.
apverify() {
  [ $2 -ne -1 ] || return 0

  echo "FW-1: WARNNING $1 has autopush configuration which is not ALL:"
  echo $*
  echo "FW-1: Aborting $0 ..."
  exit
}

# Command prefixes for the fwboot helper. Each one is a plain string that
# is expanded unquoted where it is used, so the shell splits it into the
# program path and its subcommand. This only works while FW_BOOT_DIR
# contains no whitespace or glob characters.
bootconf="$FW_BOOT_DIR/fwboot bootconf"
ap_cmd="$FW_BOOT_DIR/fwboot ap"
fwdevname="$FW_BOOT_DIR/fwboot fwdevname"
fwifdev="$FW_BOOT_DIR/fwboot ifdev $ifdevlist"
fwbootd="$FW_BOOT_DIR/fwboot bootd"
fwipfwdoff="$FW_BOOT_DIR/fwboot ipforwarding_off"

# Hard-coded to 1 in this version of the script.
os_inet6_installed=1

# Boot-time settings as reported by `fwboot bootconf`.
FW1_BOOTSEC=`$bootconf get_def`
FW1_DOIPFWD=`$bootconf get_ipf`

# IPv6 steps run only when bootconf answers 1 and the flag above is 1.
# If get_ipv6 prints nothing the test errors out and the value stays 0.
IPV6_INSTALLED=0
if [ `$bootconf get_ipv6` -eq 1 -a ${os_inet6_installed} -eq 1 ]; then
  IPV6_INSTALLED=1
fi

# The default-filter command carries the get_def answer as its argument.
fwdefault="$FW_BOOT_DIR/fwboot default $FW1_BOOTSEC"

# Step 1: turn IP forwarding off. An empty get_ipf answer counts as 1, so
# forwarding is disabled unless bootconf explicitly answers 0.
if [ ${FW1_DOIPFWD:-1} -ne 0 ]; then
  echo "FW-1: Disabling IP forwarding"
  $fwipfwdoff
fi

# Step 2: load the default filter, in a subshell with FWDIR removed so
# the unset does not affect the rest of the script.
# NOTE(review): an empty get_def answer counts as 0 here, which skips the
# default filter - the opposite default from step 1. If bootconf fails
# silently the host continues to boot without the filter. The exit
# status of the load is not checked either.
if [ ${FW1_BOOTSEC:-0} != "0" ]; then
  echo "FW-1: Loading default filter"
  ( unset FWDIR ; $fwdefault )
fi

# Steps 3 and 4: interface device list, then bootd. The trailing \c is
# the System V echo escape for "no newline".
echo "FW-1: Loading I/F device list: \c"
$fwifdev
echo "FW-1: Starting bootd: \c"
$fwbootd

# push_fwip_module NAME MODULE
# Replace the autopush configuration of NAME ($1; "udp" or "udp6" in this
# file) with one that includes MODULE ($2; "fwip" or "fwip6").
#
# Globals: ap_cmd (read); ap_udp_save and ap_udp_fw (written - this shell
#          has no local variables).
# Exits the script, via a bare `exit`, when the new configuration cannot
# be applied; the previous one is re-applied first.
#
# NOTE(review): the meaning of the `fwboot ap` options is not visible in
# this file. From the messages, -g looks like "get", -r like "remove" and
# -a like "apply" - confirm against the fwboot documentation.
# NOTE(review): the bare `exit` reuses the status of the last dbg call,
# so a failed autopush normally ends the script with status 0.
push_fwip_module() {
  # Configuration currently in place, kept for rollback.
  ap_udp_save=`$ap_cmd -g $1 0`

  # Second query, with "1 MODULE" appended: its output becomes the new
  # configuration and its status tells whether anything was configured.
  if ap_udp_fw=`$ap_cmd -g $1 0 1 $2` ; then
    apverify $1 $ap_udp_save
    dbg echo $ap_cmd -r $1 0
    $ap_cmd -r $1 0
  else
    echo "FW-1: Nothing is pushed on $1"
  fi

  dbg echo $ap_cmd -a $1 $ap_udp_fw
  if $ap_cmd -a $1 $ap_udp_fw ; then
    dbg echo $1 `$ap_cmd -g $1 0`
  else
    echo "FW-1:" $1 "autopush failed: resetting ..."

    # Drop whatever is configured now, if anything.
    if $ap_cmd -g $1 0 >/dev/null 2>&1 ; then
      dbg echo $ap_cmd -r $1 0
      $ap_cmd -r $1 0
    fi

    # Re-apply the saved configuration. Unlike push_fw_over_interface,
    # this runs even when nothing was saved.
    dbg echo $ap_cmd -a $1 $ap_udp_save
    $ap_cmd -a $1 $ap_udp_save

    dbg echo $1 `$ap_cmd -g $1 0`

    exit
  fi
}

# push_fw_over_interface MODULE [EXTRA]
# For every device named in the $ifdevlist file, replace its autopush
# configuration with one that includes EXTRA ($2, may be empty) and
# MODULE ($1; "fw" or "fw6" in this file).
#
# Globals: ap_cmd, fwdevname, ifdevlist (read); ifdev, ifoptions,
#          real_dev, ap_if_save, ap_if_fw (written).
# Input:   one device per line; the first word is the device, the rest
#          lands in ifoptions and is not used. Lines whose first word is
#          exactly "#" and empty lines are skipped.
#
# NOTE(review): only a stand-alone "#" marks a comment. A line such as
# "#eth0" is passed to `fwboot fwdevname` like any device name.
# NOTE(review): device names come from the file and are expanded
# unquoted, and `read` is used without -r, so the file content has to be
# trusted.
# NOTE(review): 17 and 19 equal the Solaris errno values EEXIST and
# ENODEV; presumably `fwboot ap` returns an errno - confirm.
# NOTE(review): the legacy Bourne shell commonly runs a loop with
# redirected input in a child shell. If that applies to /sbin/sh here,
# the `exit` inside apverify ends only this loop, not the boot script -
# confirm on the target system.
push_fw_over_interface() {
  while read ifdev ifoptions ; do
    # Comment marker or blank line: nothing to do.
    case "$ifdev" in
      "#" | "") continue ;;
    esac

    # Translate the listed name; skip the line if that fails.
    real_dev=`$fwdevname $ifdev` || continue

    # Status 17 from the -e query means this device is left alone.
    $ap_cmd -e $real_dev $1 >/dev/null 2>&1
    case $? in
      17) continue ;;
    esac

    if $ap_cmd -g $real_dev 0 >/dev/null 2>&1 ; then
      # Something is configured: save it, build the new configuration
      # from it, verify the old one, then remove it.
      ap_if_save=`$ap_cmd -g $real_dev 0`
      ap_if_fw=`$ap_cmd -g $real_dev 0 0 $2 $1`
      apverify $real_dev $ap_if_save
      dbg echo $ap_cmd -r $real_dev 0
      $ap_cmd -r $real_dev 0
    else
      # $? is still the status of the failed -g query. Only 19 means
      # "start from an empty configuration"; anything else skips the
      # device.
      [ $? -eq 19 ] || continue
      ap_if_save=""
      ap_if_fw="-1 0 $2 $1"
    fi

    echo "FW-1: Autopushing over" $real_dev
    dbg echo $ap_cmd -a $real_dev $ap_if_fw
    if $ap_cmd -a $real_dev $ap_if_fw ; then
      dbg echo $real_dev `$ap_cmd -g $real_dev 0`
    else
      echo "FW-1:" $real_dev "autopush failed: resetting ..."

      # Drop whatever is configured now, if anything.
      if $ap_cmd -g $real_dev 0 >/dev/null 2>&1 ; then
        dbg echo $ap_cmd -r $real_dev 0
        $ap_cmd -r $real_dev 0
      fi

      # Re-apply the saved configuration, if there was one. The loop
      # then moves on to the next device; the script is not aborted.
      case "$ap_if_save" in
        "") ;;
        *)
          dbg echo $ap_cmd -a $real_dev $ap_if_save
          $ap_cmd -a $real_dev $ap_if_save
          ;;
      esac

      dbg echo $real_dev `$ap_cmd -g $real_dev 0`
    fi
  done < $ifdevlist
}

# Main sequence: the UDP device(s) first, then the interface drivers,
# each followed by its IPv6 counterpart when IPv6 handling is enabled.
echo "FW-1: Autopushing under UDP"
push_fwip_module udp fwip

if [ ${IPV6_INSTALLED:-0} -ne 0 ]; then
  echo "FW-1: Autopushing under UDP6"
  push_fwip_module udp6 fwip6
fi

echo "FW-1: Autopushing over network interface drivers"
# $sim_ap is left unquoted on purpose: when it is empty the function is
# called with a single argument.
push_fw_over_interface fw $sim_ap

if [ ${IPV6_INSTALLED:-0} -ne 0 ]; then
  push_fw_over_interface fw6
fi

# On Solaris 10 (uname -r prints 5.10) this script must itself call the
# other startup script that was found in /etc/rcS.d: S29cphaboot is
# moved into FW_BOOT_DIR on first sight and run from there on every boot.
# NOTE(review): the file is executed without any ownership or permission
# check, so this relies on /etc/rcS.d and FW_BOOT_DIR being writable by
# root only.
case `uname -r` in
  5.10)
    [ -f /etc/rcS.d/S29cphaboot ] &&
      mv -f /etc/rcS.d/S29cphaboot $FW_BOOT_DIR/cphaboot
    if [ -f $FW_BOOT_DIR/cphaboot ]; then
      $FW_BOOT_DIR/cphaboot
    fi
    ;;
esac