#!/bin/sh

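# Refuse to run as root: everything is staged under ./cfg and copied into
# place by hand later, so the setup itself needs no privileges.
if [ "$(id -u)" = "0" ]; then
   echo 'Please run this script as a normal user.'
   echo 'If you have not created a normal user, please run "adduser"'
   exit 2
fi
# Login name of the invoking user; it becomes the target of the
# root/manager/dumper mail aliases written below.
USER=$(id -urn)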



#			 Prompt user for inputs



# Introduction.  The text contains no expansions, so the delimiter is quoted
# to make that explicit.
cat <<'EOT'
We will set up the firewall, NAT, DNS, sendmail, DHCP, NTP, and Apache.
Don't worry, the firewall will be setup conservatively and I will ask
you about the things that the outside world will be able to see.

Network interface selection
EOT

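# Offer every interface for which dmesg reported a MAC address and let the
# user tag it as the inside or the outside interface.  awk emits one
# "iface-mac" token per line; the word-splitting on $(...) is intended.
# The pair is split with parameter expansion rather than via /tmp/cfgfw$$:
# a predictable name in /tmp can be pre-created (or symlinked) by another
# local user, so no temp file is used at all.
INSIDE=
OUTSIDE=
for line in $(dmesg | awk '/address ..:..:..:..:..:../{print $1 "-" $NF}'); do
    iface=${line%%-*}
    mac=${line#*-}
    printf '%s' "Use $iface (MAC $mac) for the inside or outside interface? [io] "
    read -r ans
    case $ans in
    i)
        if [ -n "$INSIDE" ]; then
            # Report the interface already taken, not the one just offered
            # (the outside branch below already did this correctly).
            echo "Sorry, you have already selected $INSIDE for the inside"
        else
            INSIDE=$iface
        fi ;;
    o)
        if [ -n "$OUTSIDE" ]; then
            echo "Sorry, you have already selected $OUTSIDE for the outside"
        else
            OUTSIDE=$iface
        fi ;;
    *)
        echo "Skipping $iface"
        ;;
    esac
done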

# Both roles must be filled before anything is generated.
[ -n "$OUTSIDE" ] || {
    echo "You have not selected an interface for the outside."
    exit 1
}

[ -n "$INSIDE" ] || {
    echo "You have not selected an interface for the inside."
    exit 1
}

echo "Using $INSIDE for the inside interface and $OUTSIDE for the outside."

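# First inet address on the outside interface.  'exit' after the first
# match so an interface carrying several addresses does not turn IPNUM
# into a multi-line value (it is pasted into zone files below).
IPNUM=$(/sbin/ifconfig "$OUTSIDE" | awk '/inet /{print $2; exit}')
if [ -z "$IPNUM" ]; then
    echo "No inet address was found on $OUTSIDE - if that interface is"
else
    echo "Your outside IP number appears to be $IPNUM - if this is not correct,"
fi
echo "you didn't tell me the inside and outside interfaces correctly, Please"
echo "press Ctrl-C and re-run this script."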

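echo
# 'read var?prompt' is a ksh extension; printf + read -r works under any sh.
printf '%s' "What is your domain name? "
read -r DOMAIN
# DOMAIN is interpolated into sed scripts, zone files and file names below,
# so insist on plain hostname characters (letters, digits, '-' and '.').
case $DOMAIN in
    ''|*[!A-Za-z0-9.-]*)
        echo "'$DOMAIN' is not a usable domain name; use only letters, digits, '-' and '.'."
        exit 1 ;;
esac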

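# xdm: only offered when an X server is installed.  RCF_XDM ends up as
# xdm_flags in rc.conf; SYSCTL_X11 is appended to the sysctl.conf edit
# and is explicitly empty when there is no X, so that edit stays well-formed.
RCF_XDM=NO
SYSCTL_X11=
if [ -e /usr/X11R6/bin/X ]; then
    SYSCTL_X11='s/^#machdep.allowaperture=/machdep.allowaperture=1/;'
    printf '%s' "Do you want xdm (X Windows login) to be started at boot time? [yn] "
    read -r XDM_YES
    case $XDM_YES in
        y|Y) RCF_XDM="" ;;
    esac
fi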

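# Web server.  IPF_HTTPD / IPF_SSL are either "" (rule active) or "#"
# (rule commented out) and are prefixed to the matching lines in
# ipf.rules; RCF_HTTPD becomes httpd_flags in rc.conf.
printf '%s' "Will you be running a web server visible to the world? [yn] "
read -r HTTP_YES
case $HTTP_YES in
    y|Y)
        IPF_HTTPD=""
        RCF_HTTPD=""
        printf '%s' "Will it also run SSL? [yn] "
        read -r SSL_YES
        case $SSL_YES in
            y|Y)
                IPF_SSL=""
                RCF_HTTPD="-DSSL"
                echo "Be sure to read the manpage for SSL and create your keys."
                ;;
            *)
                IPF_SSL="#"
                ;;
        esac
        ;;
    *)
        IPF_HTTPD="#"
        RCF_HTTPD="NO"
        IPF_SSL="#"
        ;;
esac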

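# Mail server.  IPF_SENDMAIL gates the smtp rule in ipf.rules; RCF_SENDMAIL
# becomes sendmail_flags (daemon mode only when the port is opened).
printf '%s' "Will you be running an email server visible to the world? [yn] "
read -r SMTP_YES
case $SMTP_YES in
    y|Y)
        IPF_SENDMAIL=""
        RCF_SENDMAIL="-bd -q30m"
        ;;
    *)
        IPF_SENDMAIL="#"
        RCF_SENDMAIL="-q30m"
        ;;
esac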



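echo
# Country (and US state) select the rows shown from the time-server table.
printf '%s' "Which country are you in? [two-letter ISO code] "
read -r COUNTRY
case $COUNTRY in
    us|US)
        printf '%s' "Which state are you in? [two-letter postal code] "
        read -r STATE
        COUNTRY="$COUNTRY-$STATE"
        ;;
esac
# Upper-case to match the table; done in a command substitution instead of
# bouncing through a predictable /tmp/cfgfw$$ file.
COUNTRY=$(printf '%s\n' "$COUNTRY" | tr a-z A-Z)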




#			    NAT and ipfilter



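# Everything is staged under ./cfg and copied into place by the user later.
mkdir -p cfg/etc

# Packet filter rules.  $INSIDE/$OUTSIDE and the IPF_* "#"-or-empty prefixes
# are expanded now.  A final "block in ... all" on the outside interface is
# included: ipf's default when no rule matches is normally to pass, so
# without it every port not listed (and all UDP, which the comment below
# says is rejected) would have been reachable from the outside.
cat >cfg/etc/ipf.rules <<EOT
#####################################################################
#
# IP packet filtering rules (firewall)
# Shamim Mohamed 3/2001
 
# If you change this file, run
#    ipf -Fa -f /etc/ipf.rules
# to update kernel tables
 
# All rules are "quick" so go strictly top to bottom
 
#  Don't bug loopback
#
pass out quick on lo0
pass in quick on lo0
 
#  Don't bother the inside interface either
#
pass out quick on $INSIDE
pass in quick on $INSIDE
 
#####################################################################
#
#  First, we deal with bogus packets.
#
 
#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets and IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on $OUTSIDE proto icmp from any to any icmp-type redir
block in log quick on $OUTSIDE proto tcp/udp all with short
 
#  Block any IP spoofing atempts.  (Packets "from" non-routable
#  addresses shouldn't be coming in from the outside).
#
block in quick on $OUTSIDE from 192.168.0.0/16 to any
block in quick on $OUTSIDE from 127.0.0.0/8    to any
block in quick on $OUTSIDE from 172.16.0.0/12  to any
block in quick on $OUTSIDE from 10.0.0.0/8     to any
block in quick on $OUTSIDE from 0.0.0.0/8      to any
block in quick on $OUTSIDE from 169.254.0.0/16 to any
block in quick on $OUTSIDE from 192.0.2.0/24   to any
block in quick on $OUTSIDE from 204.152.64.0/23 to any
block in quick on $OUTSIDE from 224.0.0.0/3    to any
block in quick on $OUTSIDE from 255.255.255.255/32 to any
 
#  Kill all source-routed packets
#
block in quick on $OUTSIDE all with opt lsrr
block in quick on $OUTSIDE all with opt ssrr
 
#  Don't allow non-routable packets to leave our network
#
block out quick on $OUTSIDE from any to 192.168.0.0/16
block out quick on $OUTSIDE from any to 127.0.0.0/8
block out quick on $OUTSIDE from any to 172.16.0.0/12
block out quick on $OUTSIDE from any to 10.0.0.0/8
block out quick on $OUTSIDE from any to 0.0.0.0/8
block out quick on $OUTSIDE from any to 169.254.0.0/16
block out quick on $OUTSIDE from any to 192.0.2.0/24
block out quick on $OUTSIDE from any to 204.152.64.0/23
block out quick on $OUTSIDE from any to 224.0.0.0/3
block out quick on $OUTSIDE from any to 255.255.255.255/32
 
#
#####################################################################
 
 
#####################################################################
#
#  Now the normal filtering rules
#
 
#  ICMP: allow incoming ping and traceroute only
#
pass in quick on $OUTSIDE proto icmp from any to any icmp-type echorep
pass in quick on $OUTSIDE proto icmp from any to any icmp-type echo
pass in quick on $OUTSIDE proto icmp from any to any icmp-type timex
pass in quick on $OUTSIDE proto icmp from any to any icmp-type unreach
block in log quick on $OUTSIDE proto icmp from any to any
 
#  TCP: Allow ssh, smtp, http and https incoming. Only match
#  SYN packets, and allow the state table to handle the rest of the
#  connection.
#
pass in quick on $OUTSIDE proto tcp from any to any port = ssh   flags S keep frags keep state
# If you're not running sendmail, comment this out
$IPF_SENDMAIL pass in quick on $OUTSIDE proto tcp from any to any port = smtp  flags S keep frags keep state
# If you're not running Apache, comment the next two rules out
$IPF_HTTPD pass in quick on $OUTSIDE proto tcp from any to any port = http  flags S keep frags keep state
# If you're not using SSL with Apache (for https), comment this out
$IPF_SSL pass in quick on $OUTSIDE proto tcp from any to any port = https flags S keep frags keep state
 
#  UDP: reject all UDP from the outside. The raudio proxy will
#  insert temporary entries into the table when it sees PNA
#  connections.
 
#  Anything else arriving on the outside interface is dropped and logged.
#  Without this rule ipf falls through to its default (normally pass), so
#  every port not opened above, and all UDP, would be reachable.  Replies
#  to our own connections are handled by the state table, not by this rule.
#
block in log quick on $OUTSIDE all
 
#  Of course we need to allow packets coming in as replies to our
#  connections so we keep state. Strictly speaking, with packets
#  coming from our network we don't have to only match SYN,
#  and it's rather unlikely that there will be any fragments. But
#  what the hell.
#
pass out quick on $OUTSIDE proto tcp  from any to any flags S keep frags keep state
pass out quick on $OUTSIDE proto udp  from any to any keep state 
pass out quick
EOT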

# NAT rules.  The inside network is hard-wired to 192.168.1.0/24 here and in
# the DHCP, DNS and Samba files below; $OUTSIDE is expanded into the file.
cat <<END_IPNAT >cfg/etc/ipnat.rules
#####################################################################
#
# NAT rules, along with application proxies (ftp, real audio)
# Shamim Mohamed 3/2001
 
# If you edit this file, run
#    ipnat -CF -f /etc/ipnat.rules
# to update kernel tables
 
# If the address of the outbound interface might change (DHCP lease
# expiry, ppp re-connect) run ipf -y to update the address of $OUTSIDE on
# all rules!

#####################################################################
 
# Application level proxies (must be done before rewriting source
# addresses, since ipnat is first-match)
 
# ftp - for active connections
map $OUTSIDE 192.168.1.0/24 -> $OUTSIDE/32 proxy port ftp ftp/tcp
 
# RealAudio
# commented out because I don't quite have it working yet
#map $OUTSIDE 192.168.1.0/24 -> $OUTSIDE/32 proxy port 7070 raudio/tcp
#map $OUTSIDE 192.168.1.0/24 -> $OUTSIDE/32 proxy port  554 raudio/tcp

#####################################################################
# 
# Okay! Now we're ready to do the core of the packet rewriting.
# Rewrite dest and source; allocate a new src port between 10000 and 20000
#
map $OUTSIDE 192.168.1.0/24 -> $OUTSIDE/32 portmap tcp/udp 10000:20000
 
# Allow anything else (ICMP and others) to go through
#
map $OUTSIDE 192.168.1.0/24 -> $OUTSIDE/32

#
# End of file
#
#####################################################################
END_IPNAT



#			    The DHCP server



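# dhcpd.conf for the inside network.  The RCS keyword on the first line is
# escaped: inside an unquoted here-document "$OpenBSD" was expanded (to
# nothing), leaving a mangled header.
cat >cfg/etc/dhcpd.conf <<EOT
#       \$OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
 
# Network:              192.168.1.0/255.255.255.0
# Domain name:          my.domain
# Name servers:         192.168.1.3 and 192.168.1.5
# Default router:       192.168.1.1
# Addresses:            192.168.1.32 - 192.168.1.127
#
shared-network LOCAL-NET {
        option  domain-name "$DOMAIN";
        option  domain-name-servers 192.168.1.1;
 
        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;
 
                range 192.168.1.32 192.168.1.127;
        }
}
EOT

# dhcpd serves only the inside interface.
cat >cfg/etc/dhcpd.interfaces <<EOT
#       \$OpenBSD: dhcpd.interfaces,v 1.1 1998/08/19 04:25:45 form Exp $
#
# List of network interfaces served by dhcpd(8).
#
# ep0
# ed0 le0
# de1
$INSIDE
EOT

# dhcpd refuses to start without an (initially empty) lease database.
mkdir -p cfg/var/db
touch cfg/var/db/dhcpd.leases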



#				sendmail



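# sendmail: set the local domain and route system mail to the user.
# cfg/etc/mail was never created, so every write below used to fail.
mkdir -p cfg/etc/mail
# Uncomment the Dj line and fill in our domain ($DOMAIN is restricted to
# hostname characters above, so it is safe inside the sed replacement).
sed 's/^#Dj$w.Foo.COM/Dj'"$DOMAIN/" </etc/mail/sendmail.cf >cfg/etc/mail/sendmail.cf
cp /etc/mail/aliases cfg/etc/mail/aliases
# Administrative and security mail goes to the invoking user, not root.
cat >>cfg/etc/mail/aliases <<EOT
root: $USER
manager: $USER
dumper: $USER
EOT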



#				  NTP



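echo
echo "Here is a list of nearby time servers:"
# Select rows by exact match on the country column.  The code is passed
# with -v rather than spliced into the awk program, so no character in
# the user's answer can alter the pattern.  An empty answer lists
# everything, as the old "//" regex did.
awk -v cc="$COUNTRY" 'cc == "" || $1 == cc {print $2}' <<'EOT'
AR tick.nap.com.ar
AR time.sinectis.com.ar
AR tock.nap.com.ar
AU augean.eleceng.adelaide.edu.au
AU ntp.adelaide.edu.au
AU ntp.saard.net
AU time.deakin.edu.au
AU time.esec.com.au
BR ntp.cais.rnp.br
BR ntp.pop-df.rnp.br
BR ntp.pop-pr.rnp.br
BR ntp.ufes.br
BR ntp1.pucpr.br
CA ntp.cpsc.ucalgary.ca
CA ntp1.cmc.ec.gc.ca
CA ntp2.cmc.ec.gc.ca
CA tick.utoronto.ca
CA time.chu.nrc.ca
CA time.nrc.ca
CA timelord.uregina.ca
CA tock.utoronto.ca
CZ ntp.cesnet.cz
DK clock.netcetera.dk
DK clock2.netcetera.dk
ES slug.ctv.es
FI tick.keso.fi
FI tock.keso.fi
FR ntp.obspm.fr
FR ntp.univ-lyon1.fr
FR ntp.via.ecp.fr
HR zg1.ntp.carnet.hr
HR zg2.ntp.carnet.hr
HR st.ntp.carnet.hr
HR ri.ntp.carnet.hr
HR os.ntp.carnet.hr
HU time.kfki.hu
ID ntp.incaf.net
IE ntp.maths.tcd.ie
IT ntps.net4u.it
JP ntp.cyber-fleet.net
KR time.nuri.net
MX ntp2a.audiotel.com.mx
MX ntp2b.audiotel.com.mx
MX ntp2c.audiotel.com.mx
NG ntp.supernet300.com
NO fartein.ifi.uio.no
NO time.alcanet.no
NZ ntp.massey.ac.nz
NZ ntp.public.otago.ac.nz
NZ tk1.ihug.co.nz
NZ tk2.ihug.co.nz
NZ tk3.ihug.co.nz
NZ ntp.waikato.ac.nz
PL info.cyf-kr.edu.pl
PT bug.fe.up.pt
RO ntp.ip.ro
RU ntp.landau.ac.ru
RU ntp.psn.ru
RU sign.chg.ru
SE ntp.lth.se
SG ntp.shim.org
SI calvus.rzs-hm.si
SI sizif.mf.uni-lj.si
SI ntp1.arnes.si
SI ntp2.arnes.si
SI time.ijs.si
SI time.ijs.si
UK ntp.cs.strath.ac.uk
UK ntp.exnet.com
UK ntp0.uk.uu.net
UK ntp1.uk.uu.net
UK ntp2.uk.uu.net
UK ntp2a.mcc.ac.uk
UK ntp2b.mcc.ac.uk
UK ntp2c.mcc.ac.uk
UK ntp2d.mcc.ac.uk
UK tick.tanac.net
US-AR sushi.compsci.lyon.edu
US-CA ns.scruz.net
US-CA ntp.ucsd.edu
US-CA ntp.to.themasses.org
US-CA ntp1.mainecoon.com
US-CA ntp2.mainecoon.com
US-CA time.five-ten-sg.com
US-DE louie.udel.edu
US-GA ntp.shorty.com
US-GA rolex.peachnet.edu
US-GA timex.peachnet.edu
US-IL ntp-0.cso.uiuc.edu
US-IL ntp-1.cso.uiuc.edu
US-IL ntp-1.mcs.anl.gov
US-IL ntp-2.cso.uiuc.edu
US-IL ntp-2.mcs.anl.gov
US-IN gilbreth.ecn.purdue.edu
US-IN harbor.ecn.purdue.edu
US-IN molecule.ecn.purdue.edu
US-KS ntp1.kansas.net
US-KS ntp2.kansas.net
US-MA timeserver.cs.umb.edu
US-MN ns.nts.umn.edu
US-MN nss.nts.umn.edu
US-MO everest.cclabs.missouri.edu
US-MT chronos1.umt.edu
US-MT chronos2.umt.edu
US-MT chronos3.umt.edu
US-NC clock1.unc.edu
US-NE allison.radiks.net
US-NV cuckoo.nevada.edu
US-NV tick.cs.unlv.edu
US-NV tock.cs.unlv.edu
US-NY ntp.ctr.columbia.edu
US-NY ntp0.cornell.edu
US-NY ntp1.mpis.net
US-NY ntp2.mpis.net
US-NY sundial.columbia.edu
US-NY timex.cs.columbia.edu
US-OK constellation.ecn.uoknor.edu
US-OR tick.koalas.com
US-PA ntp.botbay.net
US-PA clock-1.cs.cmu.edu
US-PA clock-2.cs.cmu.edu
US-PA clock.psu.edu
US-PA fuzz.psc.edu
US-PA ntp-1.ece.cmu.edu
US-PA ntp-2.ece.cmu.edu
US-TX ntp.cox.smu.edu
US-TX ntp.fnbhs.com
US-TX ntp.tmc.edu
US-TX ntp5.tamu.edu
US-TX tick.greyware.com
US-TX tock.greyware.com
US-VA ntp-1.vt.edu
US-VA ntp-2.vt.edu
US-VA ntp.cmr.gov
US-WA clock.tricity.wsu.edu
US-WA ntp.tcp-udp.net
US-WI ntp1.cs.wisc.edu
US-WI ntp3.cs.wisc.edu
VE ntp.linux.org.ve
ZA ntp.cs.unp.ac.za
ZA ntp.cs.unp.ac.za
EOT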

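# Two time servers.  NTP1 is also pasted into a sed replacement for
# rc.conf below, so both answers are limited to hostname characters.
printf '%s' "Please pick one server from the list: "
read -r NTP1
printf '%s' "Please pick another server from the list: "
read -r NTP2
for srv in "$NTP1" "$NTP2"; do
    case $srv in
        ''|*[!A-Za-z0-9.-]*)
            echo "'$srv' is not a usable host name; use only letters, digits, '-' and '.'."
            exit 1 ;;
    esac
done
cat >cfg/etc/ntp.conf <<EOT
server $NTP1
server $NTP2
EOT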

# xntpd comes from a package; if it is missing, tell the user how to add it
# from another VT and wait for them to come back.
if [ ! -x /usr/local/sbin/xntpd ]; then
    ARCH=$(uname -m)
    echo "NTP is not installed on your system."
    echo "Please switch to another VT (Ctrl-Alt-F2) and, as root, run this:"
    echo "    pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/2.8/packages/$ARCH/xntp3-5.93e.tgz"
    echo "Then come back here (Ctrl-Alt-F1) and hit return."
    read junk
fi

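# Same check for Samba.  The pkg_add line was missing its closing quote,
# which made the shell swallow the rest of the script into that string.
if [ ! -x /usr/local/sbin/smbd ]; then
    ARCH=$(uname -m)
    echo "Samba (for MS-Windows file sharing) is not installed on your system."
    echo "Please switch to another VT (Ctrl-Alt-F2) and, as root, run this:"
    echo "    pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/2.9/packages/$ARCH/samba-2.0.10.tgz"
    echo "Then come back here (Ctrl-Alt-F1) and hit return. "
    read -r junk
fi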



#				  DNS



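mkdir -p cfg/var/named/namedb

# Octets of the outside address in reverse order, for the in-addr.arpa
# entry in named.boot.  Computed in a command substitution rather than via
# the predictable /tmp/cfgfw$$ file the old code bounced through.
IPNUM_REV=$(printf '%s\n' "$IPNUM" | awk -F. '{printf("%s.%s.%s.%s\n", $4, $3, $2, $1)}')

# Space-separated list of the nameservers currently in /etc/resolv.conf;
# they become the forwarders in named.boot.
NAMESERVERS=$(awk '/nameserver/{NS = (NS == "" ? $2 : NS " " $2)}END{print NS}' </etc/resolv.conf)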

# named.boot.  NOTE(review): "$DOMAIN.rev" is named here but no file of that
# name is generated below, and the zone files are written into namedb/
# while this file has no "directory" line -- confirm the paths named will
# actually resolve under "named -t /var/named".
cat <<END_BOOT >cfg/var/named/named.boot
primary $DOMAIN                     $DOMAIN.db
primary 1.168.192.in-addr.arpa      $DOMAIN.rev
  
; your static IP number, reversed
primary $IPNUM_REV.in-addr.arpa     dsl.rev

 ; remember to add your nameservers here!
 forwarders                      $NAMESERVERS
END_BOOT

# Forward zone for $DOMAIN.  NOTE(review): the last record makes "gateway"
# a CNAME of itself while an A record for the same name exists above; a
# CNAME cannot coexist with other data at the same owner, so this line is
# probably meant to alias a different name -- confirm and fix in the output.
# The SOA is also split across a line break before the opening parenthesis;
# check that the generated file loads.
cat <<END_DB >"cfg/var/named/namedb/$DOMAIN.db"
@       IN      SOA     gateway.$DOMAIN.
root.fake-domain.org.
(
                                 14      ; Serial
                                 10800   ; Refresh
                                 3600    ; Retry
                                 604800  ; Expire
                                 86400 ) ; Minimum
  
         IN      NS      gateway.$DOMAIN.
  
  
gateway IN      A       192.168.1.1
; add other machines here
; mypc  IN      A       192.168.1.2

; your static IP number
dsl     IN      A       $IPNUM
  
www     IN      CNAME   dsl
mail    IN      CNAME   gateway
gateway IN      CNAME   gateway
END_DB

# Reverse zone written as dsl.rev.  NOTE(review): its PTR records (1 ->
# gateway, 2 -> mypc) describe 192.168.1.0/24, i.e. the zone that
# named.boot calls "$DOMAIN.rev", not the static outside address that
# named.boot attaches to dsl.rev -- the two file names look swapped; confirm.
# The SOA primary here still says fake-domain.org.
cat <<END_REV >cfg/var/named/namedb/dsl.rev
@       IN      SOA     gateway.fake-domain.org.
root.$DOMAIN.
(
                                 14      ; Serial
                                 10800   ; Refresh
                                 3600    ; Retry
                                 604800  ; Expire
                                 86400 ) ; Minimum
  
        IN      NS      gateway.$DOMAIN.
  
  
1       IN      PTR     gateway.$DOMAIN.

; add other machines here...
; 2     IN      PTR     mypc.$DOMAIN.

END_REV

# The gateway resolves through its own named on the inside address.
cat <<END_RESOLV >cfg/etc/resolv.conf
search $DOMAIN
nameserver 192.168.1.1
lookup file bind
END_RESOLV





#			       smb.conf



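# /etc/samba missing means the package is not installed.  The smbd check
# above already told the user how to add it, so just warn here (the old
# body tried to execute "samba-2.0.10.tgz" as a command).
if [ ! -d /etc/samba ]; then
    echo "Warning: /etc/samba does not exist - Samba does not appear to be installed." >&2
fi
# Nothing created cfg/etc/samba before, so the write below used to fail.
mkdir -p cfg/etc/samba
# Workgroup: the domain with its last label removed.
WG=${DOMAIN%.*}
# Share-level security with a guest-readable share on /var/www/htdocs.
# Access is limited to 192.168.1.x by "hosts allow" and, on the outside
# interface, by the ipf rules; "interfaces" alone does not stop smbd from
# listening on other addresses, so keep those two in place.
cat >cfg/etc/samba/smb.conf <<EOT
# Global parameters
[global]
        workgroup = $WG
        netbios name = gateway
        server string = bastion host (OpenBSD 2.9)
        interfaces = 192.168.1.1/24
        security = SHARE
        log file = /var/log/smbd.%m
        max log size = 50
        os level = 0
        local master = No
        dns proxy = No
        hosts allow = 192.168.1.
 
[homes]
        comment = Home Directories
        writeable = Yes
        browseable = No
 
[printers]
        comment = All Printers
        path = /usr/spool/samba
        printable = Yes
        browseable = No
 
[web files]
        comment = Web files exported to the world
        path = /var/www/htdocs
        guest ok = Yes
EOT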



#				rc.conf


# rc.conf: enable the daemons set up above and install their flags.  One
# -e per edit instead of a single ';'-joined script.  The values spliced in
# (RCF_*, NTP1) were chosen or validated earlier in this script.
sed \
  -e "s/^sendmail_flags=.*/sendmail_flags=\"$RCF_SENDMAIL\"/" \
  -e "s/^named_flags=.*/named_flags=\"\"/" \
  -e "s/^ntpdate_flags=.*/ntpdate_flags=\"$NTP1\"/" \
  -e "s/^httpd_flags=.*/httpd_flags=\"$RCF_HTTPD\"/" \
  -e "s/^xdm_flags=.*/xdm_flags=\"$RCF_XDM\"/" \
  -e "s/^dhcpd_flags=.*/dhcpd_flags=\"-q\"/" \
  -e "s/^ipfilter=.*/ipfilter=YES/" \
  -e "s/^ipnat=.*/ipnat=YES/" \
  -e "s/^ntpd=.*/ntpd=YES/" \
  -e "s/^smbd=.*/smbd=YES/" \
  -e "s/^nmbd=.*/nmbd=YES/" \
  </etc/rc.conf >cfg/etc/rc.conf




#			      sysctl.conf


# sysctl.conf: turn on IP forwarding (needed for NAT) and, when X is
# present, append the aperture edit held in SYSCTL_X11 (empty otherwise).
sed "s/^#net.inet.ip.forwarding=/net.inet.ip.forwarding=1/;$SYSCTL_X11" \
  </etc/sysctl.conf >cfg/etc/sysctl.conf


#				All Done

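# Closing instructions.  The tar pipeline now names "." -- "tar cf -" with
# no file operand archives nothing, so the copy step as written did nothing.
cat <<EOT

I have written a bunch of files for you in ./cfg - Please look over
everything and if you're happy, copy them to the real locations. You can
do that with this command (as root):
    cd cfg; tar cf - . | (cd /; tar xf -)

Please run "newaliases" as root; this will make sure that you get
administrative and security notices from the system.

Then you can start the gateway going by running these commands (as root):
    ipf -Fa -f /etc/ipf.rules
    ipnat -CF -f /etc/ipnat.rules
    ntpdate -b $NTP1
    named -t /var/named -u named
    dhcpd -q $INSIDE
    smbd -D
    nmbd -D
(or you could reboot the machine, but you don't have to.)

Also, run "man afterboot" and look over everything it tells you about.

Good luck!

EOT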

