#!/bin/sh
#
# Firestarter 0.8.x 'Post-Install' script
# ---
# This file moves the Firestarter application into LFS compliant directories
# as well as creating the files to allow a standard user (who is not root) to
# be able to manipulate the application themselves.
#
# Changelog:
#
# 1.4  - Added fix for not installing GNOME related components if 
#	 gnome-core was not installed.
# 1.3  - Added logic to do some decent Kernel revision detection 
#      (so we remove the correct file when putting the rc.script in.)
# 1.2  - Added generation of a compliant rc.script to start firestarter 
#      on demand
# 1.1x - Added trap for Control-C, 
#        Fixed the symbolic link to console_helper,
#        Added root verification, (the old postinstall script died 
#        on RH / SuSE boxes when run by a non-root user)
#        Don't create new directories for {pam.d / console.apps} if they 
#        already exist
# 1.1  - Added shebang so distributions with weird locations to 'sh' can cope
# 1.0x - Added variables for required system binaries
# 1.0  - Initial Release

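# Must be root to execute this script.
# The effective UID is read with `id -u` because $UID is a bash extension:
# under a POSIX sh where it is unset the old numeric test errored out, the
# `if` was treated as false, and the installer carried on as a non-root user.
# $ECHO was never defined, so the message is printed with printf, on stderr.
if [ "$(id -u)" -ne 0 ]; then
    printf '%s\n' "$0: Sorry, you must be root to run this script" >&2
    exit 1
fi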

# Ignore Control-C (SIGINT) while system files are being rewritten, so an
# interrupt cannot leave the installation half done.
trap '' INT

# Absolute paths of the system binaries used below (possibly RH specific)
CHKCONFIG=/sbin/chkconfig
CONSOLEHELP=/usr/sbin/consolehelper
FIRESTARTER=/usr/bin/firestarter

# Kernel revision: the first three characters of `uname -r` (e.g. "2.4")
KV=$(uname -r | cut -c 1-3)

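# Move the real firestarter binary into /usr/sbin and leave a consolehelper
# symlink at /usr/bin/firestarter, so that unprivileged users are sent through
# the PAM policy written below instead of executing the binary directly.
#
# Each candidate location is moved from where it was actually found; the old
# code tested three paths but always moved $FIRESTARTER. Symlinks are skipped
# because on a second run /usr/bin/firestarter is already the consolehelper
# link, and moving it would overwrite the real binary in /usr/sbin.
for candidate in "$FIRESTARTER" /usr/local/bin/firestarter /opt/bin/firestarter; do
    if [ -f "$candidate" ] && [ ! -L "$candidate" ]; then
        mv -- "$candidate" /usr/sbin/firestarter
        break
    fi
done

if [ -x /usr/sbin/firestarter ]; then
    if [ -x "$CONSOLEHELP" ]; then
        # -f replaces a link left by an earlier run instead of failing
        ln -sf "$CONSOLEHELP" /usr/bin/firestarter
    else
        printf '%s\n' "$0: $CONSOLEHELP not found; /usr/bin/firestarter link not created" >&2
    fi
fi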

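# PAM service definition for "firestarter".
#
# The file is created under a fixed umask and then forced to 0644, so a
# permissive umask in the invoking shell cannot leave authentication policy
# group- or world-writable. mkdir -p is a no-op when the directory exists.
old_umask=$(umask)
umask 022
mkdir -p /etc/pam.d

# Stack written below:
#   auth    sufficient pam_rootok - a caller who is already root is not prompted
#   auth    required   pam_pwdb   - everyone else must pass a password check
#   session optional   pam_xauth  - hands the X authority cookie to the session
#   account required   pam_permit - no account restrictions are applied
# NOTE(review): module paths are hard-coded to /lib/security; confirm they
# exist on the target distribution, since a missing module changes how the
# stack evaluates.
cat > /etc/pam.d/firestarter <<'EOF'
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so
account    required     /lib/security/pam_permit.so
EOF

umask "$old_umask"
# Also corrects the mode of a file left over from an earlier install
chmod 0644 /etc/pam.d/firestarter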

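# consolehelper application definition for "firestarter".
#
# As with the PAM file, the umask is pinned and the mode forced to 0644 so
# that this privilege-granting configuration is writable by root only,
# whatever umask the installer was started with.
old_umask=$(umask)
umask 022
mkdir -p /etc/security/console.apps

# PROGRAM is the relocated binary that is run once authentication succeeds.
# NOTE(review): USER=root presumably makes the helper authenticate as root,
# and FALLBACK=true presumably lets the program start unprivileged when that
# authentication fails - confirm against the installed usermode documentation.
cat > /etc/security/console.apps/firestarter <<'EOF'
USER=root
FALLBACK=true
PROGRAM=/usr/sbin/firestarter
SESSION=true
EOF

umask "$old_umask"
# Also corrects the mode of a file left over from an earlier install
chmod 0644 /etc/security/console.apps/firestarter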



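# Kernel 2.2 with the distribution's ipchains service installed: retire that
# service and install a Firestarter rc script that drives ipchains instead.
if [ "$KV" = "2.2" ] && [ -e /etc/rc.d/init.d/ipchains ]; then

    "$CHKCONFIG" --del ipchains

    # The here-document delimiter is quoted so that nothing in the rc script is
    # expanded at install time. With the unquoted delimiter the two unescaped
    # "RETVAL=$?" lines were replaced by this installer's own exit status, so
    # the generated stop and panic handlers always returned a constant.
    #
    # The generated script also differs from the old one in that it reports
    # the real result of loading the ruleset and of each policy change, and
    # panic no longer flushes the rules when the DENY policy could not be set.
    #
    # umask 077 makes the file owner-only from the moment it is created.
    old_umask=$(umask)
    umask 077
    cat > /etc/rc.d/init.d/firestarter <<'EOF'
#!/bin/sh
#
# Startup script for the Firestarter Application Suite
#
# chkconfig: 2345 08 92
#
# description: Automates the startup of Firestarter's generated ruleset
#
# Script Author:	Paul Drain <pd@cipherfunk.org>
#   -- a hack taken from the default RH ipchains startup script
#
# config: /etc/firestarter/firewall.sh
#

# Source function library.
. /etc/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
	exit 0
fi

[ -x /usr/sbin/firestarter ] || exit 0

# Executed as root by start(); keep it root-owned and not writable by others.
FS_CONFIG="/etc/firestarter/firewall.sh"
RETVAL=0

start() {
	if [ -f "$FS_CONFIG" ]; then
	# Clear the existing rulesets out, so we don't run into any duplicates
	action "Flushing all current rules and user defined chains:" ipchains -F
	action "Clearing all current rules and user defined chains:" ipchains -X
	action "Zeroing all current rules:" ipchains -Z
	echo -n "Applying Firestarter configuration: "
	# Report the ruleset's own exit status rather than an unconditional OK
	if "$FS_CONFIG"; then
		success "Applying Firestarter configuration"
	else
		RETVAL=$?
		failure "Applying Firestarter configuration"
	fi
	echo
	touch /var/lock/subsys/firestarter
	fi
}

# Note: stop leaves the host unfiltered (no rules, ACCEPT policy everywhere).
stop() {
	action "Flushing all current rules and user defined chains:" ipchains -F
	action "Clearing all current rules and user defined chains:" ipchains -X
	action "Zeroing all current rules:" ipchains -Z
	echo -n "Resetting built-in chains to the default ACCEPT policy:"
	RETVAL=0
	ipchains -P input ACCEPT || RETVAL=1
	ipchains -P forward ACCEPT || RETVAL=1
	ipchains -P output ACCEPT || RETVAL=1
	if [ "$RETVAL" -eq 0 ]; then
		success "Resetting built-in chains to the default ACCEPT policy"
	else
		failure "Resetting built-in chains to the default ACCEPT policy"
	fi
	echo
	[ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/firestarter
	return $RETVAL
}

panic() {
	echo -n "Changing target policies to DENY: "
	RETVAL=0
	ipchains -P input DENY || RETVAL=1
	ipchains -P forward DENY || RETVAL=1
	ipchains -P output DENY || RETVAL=1
	if [ "$RETVAL" -ne 0 ]; then
		failure "Changing target policies to DENY"
		echo
		# Keep the existing rules: flushing them while a chain policy is
		# not DENY would leave the host without any filtering.
		return $RETVAL
	fi
	success "Changing target policies to DENY"
	echo
	action "Flushing all current rules and user defined chains:" ipchains -F
	action "Clearing all current rules and user defined chains:" ipchains -X
	action "Zeroing all current rules:" ipchains -Z
	RETVAL=$?
	echo
	[ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/firestarter
	return $RETVAL
}

# See how we were called.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  status)
	ipchains -nvL
	;;
  restart)
	if [ -f /var/lock/subsys/firestarter ]; then
            stop
            start
        fi
	;;
  panic)
	panic
	;;
  *)
	echo "Usage: firestarter {start|stop|status|restart|panic}"
	exit 1
esac
exit $RETVAL


EOF
    umask "$old_umask"

    # Also corrects the mode of a script left over from an earlier install
    chmod 0700 /etc/rc.d/init.d/firestarter
    "$CHKCONFIG" --add firestarter
    "$CHKCONFIG" --level 35 firestarter on

fi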

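# Kernel 2.4 with the distribution's iptables service installed: retire that
# service and install a Firestarter rc script that drives iptables instead.
if [ "$KV" = "2.4" ] && [ -e /etc/rc.d/init.d/iptables ]; then

    "$CHKCONFIG" --del iptables

    # The here-document delimiter is quoted so that nothing in the rc script is
    # expanded at install time. With the unquoted delimiter the two unescaped
    # "RETVAL=$?" lines were replaced by this installer's own exit status, so
    # the generated stop and panic handlers always returned a constant.
    #
    # The generated script also differs from the old one in three ways:
    #   - panic sets the chain policies to DROP. DENY is an ipchains target
    #     that iptables rejects, so the old panic left the policies unchanged
    #     and then flushed every rule, opening the host instead of closing it.
    #   - panic does not flush the rules when the DROP policy could not be set.
    #   - start and stop report the real result of their commands.
    #
    # umask 077 makes the file owner-only from the moment it is created.
    old_umask=$(umask)
    umask 077
    cat > /etc/rc.d/init.d/firestarter <<'EOF'
#!/bin/sh
#
# Startup script for the Firestarter Application Suite
#
# chkconfig: 2345 08 92
#
# description: Automates the startup of Firestarter's generated ruleset
#
# Script Author:	Paul Drain <pd@cipherfunk.org>
#   -- a hack taken from the default RH ipchains startup script
#
# config: /etc/firestarter/firewall.sh
#

# Source function library.
. /etc/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
	exit 0
fi

[ -x /usr/sbin/firestarter ] || exit 0

# Executed as root by start(); keep it root-owned and not writable by others.
FS_CONFIG="/etc/firestarter/firewall.sh"
RETVAL=0

start() {
	if [ -f "$FS_CONFIG" ]; then
	# Clear the existing rulesets out, so we don't run into any duplicates
	action "Flushing all current rules and user defined chains:" iptables -F
	action "Clearing all current rules and user defined chains:" iptables -X
	action "Zeroing all current rules:" iptables -Z
	echo -n "Applying Firestarter configuration: "
	# Report the ruleset's own exit status rather than an unconditional OK
	if "$FS_CONFIG"; then
		success "Applying Firestarter configuration"
	else
		RETVAL=$?
		failure "Applying Firestarter configuration"
	fi
	echo
	touch /var/lock/subsys/firestarter
	fi
}

# Note: stop leaves the host unfiltered (no rules, ACCEPT policy everywhere).
stop() {
	action "Flushing all current rules and user defined chains:" iptables -F
	action "Clearing all current rules and user defined chains:" iptables -X
	action "Zeroing all current rules:" iptables -Z
	echo -n "Resetting built-in chains to the default ACCEPT policy:"
	RETVAL=0
	iptables -P INPUT ACCEPT || RETVAL=1
	iptables -P FORWARD ACCEPT || RETVAL=1
	iptables -P OUTPUT ACCEPT || RETVAL=1
	if [ "$RETVAL" -eq 0 ]; then
		success "Resetting built-in chains to the default ACCEPT policy"
	else
		failure "Resetting built-in chains to the default ACCEPT policy"
	fi
	echo
	[ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/firestarter
	return $RETVAL
}

panic() {
	echo -n "Changing target policies to DROP: "
	RETVAL=0
	iptables -P INPUT DROP || RETVAL=1
	iptables -P FORWARD DROP || RETVAL=1
	iptables -P OUTPUT DROP || RETVAL=1
	if [ "$RETVAL" -ne 0 ]; then
		failure "Changing target policies to DROP"
		echo
		# Keep the existing rules: flushing them while a chain policy is
		# not DROP would leave the host without any filtering.
		return $RETVAL
	fi
	success "Changing target policies to DROP"
	echo
	action "Flushing all current rules and user defined chains:" iptables -F
	action "Clearing all current rules and user defined chains:" iptables -X
	action "Zeroing all current rules:" iptables -Z
	RETVAL=$?
	echo
	[ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/firestarter
	return $RETVAL
}

# See how we were called.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  status)
	iptables -nL
	;;
  restart)
	if [ -f /var/lock/subsys/firestarter ]; then
            stop
            start
        fi
	;;
  panic)
	panic
	;;
  *)
	echo "Usage: firestarter {start|stop|status|restart|panic}"
	exit 1
esac
exit $RETVAL


EOF
    umask "$old_umask"

    # Also corrects the mode of a script left over from an earlier install
    chmod 0700 /etc/rc.d/init.d/firestarter
    "$CHKCONFIG" --add firestarter
    "$CHKCONFIG" --level 35 firestarter on

fi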

# GNOME integration: only when /usr/share/gnome exists, move the icon and the
# menu entry out of /usr/local/share into the /usr/share tree. Each file is
# moved only if it is present at its /usr/local location.
if [ -d /usr/share/gnome ]; then
    pixmap_src=/usr/local/share/pixmaps/firestarter.png
    desktop_src=/usr/local/share/gnome/apps/Internet/firestarter.desktop

    if [ -e "$pixmap_src" ]; then
        mv "$pixmap_src" /usr/share/pixmaps/firestarter.png
    fi

    if [ -e "$desktop_src" ]; then
        mv "$desktop_src" /usr/share/gnome/apps/Internet/firestarter.desktop
    fi
fi

# Put Control-C (SIGINT) back to its default handling, then report success.
trap - INT

exit 0
