diff options
author | Hakan Olsson <ho@cvs.openbsd.org> | 2002-06-12 21:32:44 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2002-06-12 21:32:44 +0000 |
commit | 1de867e488ca037bc40380f13103f1edb3b12385 (patch) | |
tree | 37c3ca4b022a2d78c47c06afaf6f30f9cb5b64a0 /sbin | |
parent | 418dc9720af622d409c33dd35608dc579441a06f (diff) |
Rewrite for pf, plus some other small stuff
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/samples/singlehost-setup.sh | 67 |
1 files changed, 48 insertions, 19 deletions
diff --git a/sbin/isakmpd/samples/singlehost-setup.sh b/sbin/isakmpd/samples/singlehost-setup.sh index 378f599902b..aaa57702edc 100644 --- a/sbin/isakmpd/samples/singlehost-setup.sh +++ b/sbin/isakmpd/samples/singlehost-setup.sh @@ -1,41 +1,70 @@ #!/bin/sh -# $OpenBSD: singlehost-setup.sh,v 1.2 2000/11/23 12:56:25 niklas Exp $ +# $OpenBSD: singlehost-setup.sh,v 1.3 2002/06/12 21:32:43 ho Exp $ # $EOM: singlehost-setup.sh,v 1.3 2000/11/23 12:24:43 niklas Exp $ # A script to test single-host VPNs +# For the 'pf' variable +. /etc/rc.conf + +# Default paths +PF_CONF=/etc/pf.conf +PFCTL=/sbin/pfctl +ISAKMPD=/sbin/isakmpd + +# Called on script exit cleanup () { - ipf -r -f - <<' EOF' - pass out quick on lo2 proto 50 all - pass out quick on lo2 from 192.168.11.0/24 to any - pass out quick on lo3 proto 50 all - pass out quick on lo3 from 192.168.12.0/24 to any - block out on lo2 - block out on lo3 - EOF + if [ "X${pf}" = "xYES" -a -f ${PF_CONF} ]; then + ${PFCTL} -R -f ${PF_CONF} + else + ${PFCTL} -qd + fi + + USER=`id -p | grep ^login | cut -f2` + chown $USER singlehost-east.conf singlehost-west.conf policy + chmod 644 singlehost-east.conf singlehost-west.conf policy + + [ -f east.pid ] && kill `cat east.pid` + [ -f west.pid ] && kill `cat west.pid` + rm -f east.pid west.pid east.fifo west.fifo } -ifconfig lo2 192.168.11.1 netmask 0xffffff00 -ifconfig lo3 192.168.12.1 netmask 0xffffff00 -ifconfig lo4 10.1.0.11 netmask 0xffff0000 -ifconfig lo5 10.1.0.12 netmask 0xffff0000 +# Start by initializing interfaces +/sbin/ifconfig lo2 192.168.11.1 netmask 0xffffff00 up +/sbin/ifconfig lo3 192.168.12.1 netmask 0xffffff00 up +/sbin/ifconfig lo4 10.1.0.11 netmask 0xffff0000 up +/sbin/ifconfig lo5 10.1.0.12 netmask 0xffff0000 up -ipf -E -f - <<EOF +# Add rules +( + cat <<EOF pass out quick on lo2 proto 50 all pass out quick on lo2 from 192.168.11.0/24 to any pass out quick on lo3 proto 50 all pass out quick on lo3 from 192.168.12.0/24 to any -block out on lo2 -block out on lo3 +block out on lo2 all +block out on lo3 all EOF + if [ "X${pf}" = "xYES" -a -f ${PF_CONF} ]; then + cat ${PF_CONF} | egrep -v '^(scrub|rdr|binat|nat)' + else + pfctl -qe >/dev/null + fi +) | tee /tmp/aa | pfctl -R -f - trap cleanup 1 2 3 15 -isakmpd -c singlehost-east.conf -f east.fifo "$@" -isakmpd -c singlehost-west.conf -f west.fifo "$@" +# The configuration files needs proper owners and modes +USER=`id -p | grep ^uid | cut -f2` +chown $USER singlehost-east.conf singlehost-west.conf policy +chmod 600 singlehost-east.conf singlehost-west.conf policy -# Give them some slack... +# Start the daemons +rm -f east.pid west.pid east.fifo west.fifo +${ISAKMPD} -c singlehost-east.conf -f east.fifo -i east.pid "$@" +${ISAKMPD} -c singlehost-west.conf -f west.fifo -i west.pid "$@" +# Give them some time to negotiate their stuff... sleep 10 ping -I 192.168.11.1 -c 30 192.168.12.1 |