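#! /bin/bash
# postinst script for arno-iptables-firewall
#
# Run by dpkg as root. It does three things:
#   1. moves configuration files left by versions prior to 1.8.8 into
#      /etc/arno-iptables-firewall/;
#   2. on "configure", if debconf management was requested, writes the
#      debconf answers into conf.d/00debconf.conf (creating the file if it
#      is missing) and optionally restarts the firewall;
#   3. registers the init script with update-rc.d.
#
# Arguments: $1 - maintainer script action (configure, abort-upgrade, ...)

set -e

. /usr/share/debconf/confmodule
db_version 2.0

# Escape a string so that it can be used verbatim as the replacement text of
# a sed "s/regex/replacement/" command that uses "/" as its delimiter.
# Backslash must be handled first so the escapes added afterwards are not
# doubled.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
sed_escape_replacement() {
    local value=$1
    value=${value//\\/\\\\}
    value=${value//\//\\/}
    value=${value//&/\\&}
    printf '%s' "$value"
}

# move config files from versions prior to 1.8.8
if [ -f /etc/arno-iptables-firewall.debconf ]; then
    echo "Moving debconf settings to /etc/arno-iptables-firewall/debconf.cfg."
    mv /etc/arno-iptables-firewall.debconf /etc/arno-iptables-firewall/debconf.cfg
fi
if [ -f /etc/arno-firewall-blocked-hosts ]; then
    echo "Moving host blacklist to /etc/arno-iptables-firewall/blocked-hosts."
    mv /etc/arno-firewall-blocked-hosts /etc/arno-iptables-firewall/blocked-hosts
fi
if [ -f /etc/arno-firewall-mac-addresses ]; then
    echo "Moving MAC address filter list to /etc/arno-iptables-firewall/mac-addresses."
    mv /etc/arno-firewall-mac-addresses /etc/arno-iptables-firewall/mac-addresses
fi
if [ -f /etc/arno-firewall-custom-rules ]; then
    echo "Merging custom iptables rules into /etc/arno-iptables-firewall/custom-rules."
    cat /etc/arno-firewall-custom-rules >> /etc/arno-iptables-firewall/custom-rules
    rm -f /etc/arno-firewall-custom-rules
fi

CFG=/etc/arno-iptables-firewall/conf.d/00debconf.conf

case "$1" in
    configure)
        # query all vars from debconf

        # most important: is debconf management requested
        db_get arno-iptables-firewall/debconf-wanted
        if [ "$RET" = "true" ]; then
            # debconf is welcome: look whether there is a config file and
            # recreate the config file if missing
            if [ ! -e "$CFG" ]; then
                cat << EOT > "$CFG"
#######################################################################
# Feel free to edit this file. However, be aware that debconf writes  #
# to (and reads from) this file too. In case of doubt, only use       #
# 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file.  #
# If you really don't want to use debconf, or if you have specific    #
# needs, you're likely better off using placing an additional         #
# configuration snippet into/etc/arno-iptables-firewall/conf.d/.      #
# Also see README.Debian.                                             #
#######################################################################
EXT_IF=""
EXT_IF_DHCP_IP=0
OPEN_TCP=""
OPEN_UDP=""
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0
EOT
            fi

            # query the names of the external interfaces from debconf
            db_get arno-iptables-firewall/config-ext-if ; DC_EXT_IF="$RET"

            # query the DHCP status from debconf
            db_get arno-iptables-firewall/dynamic-ip
            if [ "$RET" = "true" ]; then
                DC_EXT_IF_DHCP_IP=1
            else
                DC_EXT_IF_DHCP_IP=0
            fi

            # query the external services from debconf
            db_get arno-iptables-firewall/services-tcp ; DC_OPEN_TCP="$RET"
            db_get arno-iptables-firewall/services-udp ; DC_OPEN_UDP="$RET"

            # query the NAT status from debconf
            db_get arno-iptables-firewall/nat
            if [ "$RET" = "true" ]; then
                DC_NAT=1
            else
                DC_NAT=0
            fi

            # query the internal network interfaces from debconf
            db_get arno-iptables-firewall/config-int-if ; DC_INT_IF="$RET"

            # query the internal networks from debconf
            db_get arno-iptables-firewall/config-int-net ; DC_INTERNAL_NET="$RET"

            # query the internal networks with access to the external world
            # from debconf
            db_get arno-iptables-firewall/config-int-nat-net ; DC_NAT_INTERNAL_NET="$RET"

            # allow the whole internal net for NAT if this was left empty
            if [[ -z $DC_NAT_INTERNAL_NET && "$DC_NAT" == "1" ]]; then
                DC_NAT_INTERNAL_NET="$DC_INTERNAL_NET"
            fi

            # query the 'pingable' status from debconf
            db_get arno-iptables-firewall/icmp-echo
            if [ "$RET" = "true" ]; then
                DC_OPEN_ICMP=1
            else
                DC_OPEN_ICMP=0
            fi

            # Every free-text answer is escaped for sed, not only the two
            # network lists: a "/", "&" or "\" in any of them would otherwise
            # change or break the substitution below.
            # NOTE(review): the values end up between double quotes in
            # $CFG, which is presumably sourced as shell by the firewall
            # script (confirm). If so, a '"', '$' or backquote in a debconf
            # answer would be interpreted when the firewall starts; answers
            # should be validated where they are collected (not visible here).
            S_EXT_IF=$(sed_escape_replacement "$DC_EXT_IF")
            S_OPEN_TCP=$(sed_escape_replacement "$DC_OPEN_TCP")
            S_OPEN_UDP=$(sed_escape_replacement "$DC_OPEN_UDP")
            S_INT_IF=$(sed_escape_replacement "$DC_INT_IF")
            S_INTERNAL_NET=$(sed_escape_replacement "$DC_INTERNAL_NET")
            S_NAT_INTERNAL_NET=$(sed_escape_replacement "$DC_NAT_INTERNAL_NET")

            # make a backup conf file
            cp -dpf "$CFG" "$CFG.tmp"

            # check that all vars are in the debconf file
            # If the admin deleted or commented some variables but then set
            # them via debconf, (re-)add them to the conffile.
            test -z "$DC_EXT_IF" || grep -Eq '^ *EXT_IF=' "$CFG.tmp" || echo "EXT_IF=" >> "$CFG.tmp"
            test -z "$DC_EXT_IF_DHCP_IP" || grep -Eq '^ *EXT_IF_DHCP_IP=' "$CFG.tmp" || echo "EXT_IF_DHCP_IP=" >> "$CFG.tmp"
            test -z "$DC_OPEN_TCP" || grep -Eq '^ *OPEN_TCP=' "$CFG.tmp" || echo "OPEN_TCP=" >> "$CFG.tmp"
            test -z "$DC_OPEN_UDP" || grep -Eq '^ *OPEN_UDP=' "$CFG.tmp" || echo "OPEN_UDP=" >> "$CFG.tmp"
            test -z "$DC_NAT" || grep -Eq '^ *NAT=' "$CFG.tmp" || echo "NAT=" >> "$CFG.tmp"
            test -z "$DC_INT_IF" || grep -Eq '^ *INT_IF=' "$CFG.tmp" || echo "INT_IF=" >> "$CFG.tmp"
            test -z "$DC_INTERNAL_NET" || grep -Eq '^ *INTERNAL_NET=' "$CFG.tmp" || echo "INTERNAL_NET=" >> "$CFG.tmp"
            test -z "$DC_NAT_INTERNAL_NET" || grep -Eq '^ *NAT_INTERNAL_NET=' "$CFG.tmp" || echo "NAT_INTERNAL_NET=" >> "$CFG.tmp"
            test -z "$DC_OPEN_ICMP" || grep -Eq '^ *OPEN_ICMP=' "$CFG.tmp" || echo "OPEN_ICMP=" >> "$CFG.tmp"

            # now set the value from the debconf database
            # The result goes to a second scratch file first: redirecting sed
            # straight into $CFG would truncate the live firewall
            # configuration before sed has run, and a sed failure under
            # "set -e" would then leave it empty.
            if ! sed -e "s/^ *EXT_IF=.*/EXT_IF=\"$S_EXT_IF\"/" \
                     -e "s/^ *EXT_IF_DHCP_IP=.*/EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP/" \
                     -e "s/^ *OPEN_TCP=.*/OPEN_TCP=\"$S_OPEN_TCP\"/" \
                     -e "s/^ *OPEN_UDP=.*/OPEN_UDP=\"$S_OPEN_UDP\"/" \
                     -e "s/^ *NAT=.*/NAT=$DC_NAT/" \
                     -e "s/^ *INT_IF=.*/INT_IF=\"$S_INT_IF\"/" \
                     -e "s/^ *INTERNAL_NET=.*/INTERNAL_NET=\"$S_INTERNAL_NET\"/" \
                     -e "s/^ *NAT_INTERNAL_NET=.*/NAT_INTERNAL_NET=\"$S_NAT_INTERNAL_NET\"/" \
                     -e "s/^ *OPEN_ICMP=.*/OPEN_ICMP=$DC_OPEN_ICMP/" \
                     < "$CFG.tmp" > "$CFG.new"; then
                rm -f -- "$CFG.tmp" "$CFG.new"
                echo "postinst: could not update $CFG, leaving it unchanged" >&2
                exit 1
            fi

            # replace the old conffile by the working copy; writing through
            # the existing file keeps its owner and mode
            cat "$CFG.new" > "$CFG"
            rm -f -- "$CFG.tmp" "$CFG.new"

            db_get arno-iptables-firewall/restart
            if [ "$RET" = "true" ]; then
                invoke-rc.d arno-iptables-firewall restart
            fi
        fi # debconf wanted

        # reload rsyslog if available
        if [ -x /etc/init.d/rsyslog ]; then
            invoke-rc.d rsyslog restart
        fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        # nothing to do
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

if [ -x "/etc/init.d/arno-iptables-firewall" ]; then
    update-rc.d arno-iptables-firewall defaults >/dev/null || exit 0
fi

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

exit 0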