Два скрипта, чтобы потом выложить куда надо и ничего самому не забыть.
#1 Слив конфигурации NanoBSD на флэшку:
#!/bin/sh
# Nanobsd configuration backup script
# DVS Thu Jul 22 15:36:47 UTC 2010
# Target: NanoBSD router based on 7.3-p1
# 1. Variables
# 1.1 Executable & script variables
# 1.1.1 Local backup storage
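# Local backup storage (flash partition listed in /etc/fstab)
cvolume='/cfg'
# 1.1.2 Filename of local backup /etc directory
bn_etc='etc.cpio.gz'
# 1.1.3 Filename of local backup /var/home directory
bn_var='var.cpio.gz'
# 1.1.4 SSH key-file location
# NOTE: this is the sshd *host* key; remote_backup reuses it as a client
# identity and prepare_backup publishes its .pub half on the backup host.
# A dedicated, restricted key for the backup job would limit the blast
# radius if the archive (which itself contains /etc/ssh) ever leaks.
ssh_lkey='/etc/ssh/ssh_host_dsa_key'
# 1.1.5 Remote backup storage
rbcks='192.168.22.47'
# 1.1.6 Remote backup user
ruser='nms'
# 1.1.7 Date stamp used in the remote archive name (DDMMYYYY)
date=$(/bin/date +%d%m%Y)
# 1.1.8 Router hostname (becomes a path component on the remote side)
hname=$(/usr/bin/uname -n)
# 1.2 Error codes
# 1.2.1 Error code (no fstab entry for /cfg)
E_NOFSTB=2
# 1.2.2 Error code (no command-line arguments)
E_NOARGS=3
# 1.2.3 Error code (unrecognized arguments)
E_NEXSTARG=4
# 1.2.4 Error code (no root privileges)
E_NOROOTPRIV=5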
# 3. Functions
# 3.1 Exit status analyze
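# Reports a step's result and aborts the script on failure.
# Arguments: $1 - exit code of the previous command
#            $2 - (optional) job name; when given, the failure is sent to syslog
# Globals:   USER (read) - logger tag
# Outputs:   "[DONE]" or "[FAILED]" on stdout
# Exits with $1 when it is non-zero.
exit_status() {
  local rc=$1
  if [ "${rc:-0}" -ne 0 ]; then
    echo "[FAILED]"
    # Only log when a job name was supplied (quoted so an empty $2 is handled)
    [ -n "$2" ] && logger -it "${USER}" "Execution error. $2 failed with code ${rc}"
    exit "${rc}"
  else
    echo "[DONE]"
  fi
}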
# 3.2 Backup to local storage
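# Archives /etc and /var/home onto the ${cvolume} flash partition.
# Globals: cvolume, bn_etc, bn_var, E_NOFSTB, USER (read)
# Exits through exit_status on any failed step, or with E_NOFSTB when
# ${cvolume} has no /etc/fstab entry.
local_backup() {
  local type='Local-backup'
  # Check if /cfg is in /etc/fstab: compare the mount-point field exactly,
  # skipping comment lines (a bare grep would also accept "/cfg2" or a
  # commented-out entry)
  if awk -v mp="${cvolume}" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' /etc/fstab 2>/dev/null
  then
    # Check if /cfg is mounted (field 3 of mount(8) output is the mount point)
    if mount | awk -v mp="${cvolume}" '$3 == mp { found = 1 } END { exit !found }'; then
      printf '%s' "[WRN]: Hmm ${cvolume} is already mounted. Trying to umount it... "
      umount "${cvolume}" > /dev/null 2>&1
      exit_status $? "${type}"
    fi
    # Mount /cfg
    printf '%s' "[MSG]: Mounting ${cvolume}... "
    mount "${cvolume}" > /dev/null 2>&1
    exit_status $? "${type}"
    # Create backup of directory /etc
    # NOTE: this archive carries private material (the ssh host keys under
    # /etc/ssh among others); ${cvolume} should stay readable by root only.
    printf '%s' "[MSG]: Saving configuration to ${cvolume}/${bn_etc}... "
    tar --format cpio -C / -czf "${cvolume}/${bn_etc}" etc
    exit_status $? "${type}"
    # Create backup of directory /var/home
    printf '%s' "[MSG]: Saving user data to ${cvolume}/${bn_var}... "
    tar --format cpio -C / -czf "${cvolume}/${bn_var}" var/home
    exit_status $? "${type}"
    # Umount /cfg directory
    printf '%s' "[MSG]: Umounting ${cvolume}... "
    umount "${cvolume}" > /dev/null 2>&1
    exit_status $? "${type}"
    logger -it "${USER}" "${type} completed successfully."
  else
    echo "[ERR]: There is no record in /etc/fstab for ${cvolume}."
    logger -it "${USER}" "Execution error. ${type} failed with code ${E_NOFSTB}"
    exit "$E_NOFSTB"
  fi
}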
# 3.3 Prepare system for use this script
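# One-time setup: appends the router's public key to ${ruser}'s
# authorized_keys on ${rbcks} (ssh prompts for the password itself).
# Globals: ruser, rbcks, ssh_lkey (read)
# Exits with ssh's status on failure (the original exited with the status
# of the preceding echo, i.e. always 0, so callers never saw the failure).
# NOTE: the remote .ssh directory is assumed to exist; ssh does not create it.
# NOTE: DSA keys are refused by default in current OpenSSH releases.
prepare_backup() {
  local rc
  # Copy SSH public key to remote storage
  echo "[MSG]: Enter ${ruser} password to copy ssh-key to ${rbcks}."
  ssh "${ruser}@${rbcks}" "cat - >> .ssh/authorized_keys" < "${ssh_lkey}.pub" > /dev/null 2>&1
  rc=$?
  if [ "${rc}" -ne 0 ]; then
    echo "[ERR]: Configuring ssh-keys... [FAILED]"
    exit "${rc}"
  else
    echo "[MSG]: Configuring ssh-keys... [DONE]"
  fi
}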
# 3.4 Copy configuration backup to remote storage
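# Streams an archive of /etc to ${rbcks} over ssh.
# Globals: hname, date, ssh_lkey, ruser, rbcks, USER (read)
# Exits through exit_status when the ssh side fails.
# NOTE: without pipefail the pipeline status is ssh's alone, so a tar
# failure (e.g. unreadable file) still reports [DONE]; the archive on the
# remote side would then be truncated.
remote_backup() {
  local type='Remote-backup'
  # Path to the remote backup file, relative to ${ruser}'s home directory.
  # ${hname} is interpolated into the remote command line; it comes from the
  # local uname -n, so it is under this host's control, not the peer's.
  local bname="freebsd/${hname}/conf-backup-${date}.cpio.gz"
  # Creating new backup file on remote storage
  printf '%s' "[MSG]: Saving configuration to ${rbcks}... "
  tar --format cpio -C / -czf - etc | ssh -i "${ssh_lkey}" "${ruser}@${rbcks}" "cat - > ${bname}" > /dev/null 2>&1
  exit_status $? "${type}"
  logger -it "${USER}" "${type} completed successfully."
}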
# 4. Main function (Reads command line options)
# 4.1 Variables
# 4.2 Main function
# 4.2.1 Checking user privileges
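# Prints the usage line to stdout.
usage() {
  echo "Usage: ${0##*/}: { -l | -r | -p }"
}
# 4.2.1 Checking user privileges. The uid is checked rather than $USER,
# which is environment-supplied and may be unset (cron) or wrong (su).
if [ "$(id -u)" -ne 0 ]; then
  echo "[ERR]: Sorry, only root can do so."
  logger -it "${USER:-unknown}" "Execution error. Insufficient privileges. "
  exit "$E_NOROOTPRIV"
fi
# 4.2.2 Check if script invoked with no command-line args.
if [ "$#" -eq 0 ]; then
  usage
  exit "$E_NOARGS"
fi
# 4.2.3 Reading command-line arguments
# Options:
# configuration-backup -l - backup to local storage;
# configuration-backup -r - backup to remote storage - using ssh;
# configuration-backup -p - prepare system to do backup jobs;
# (the former "-q" letter was accepted but had no handler; it now falls
# into the usage branch like any other unknown option)
while getopts lrp optname; do
  case "$optname" in
    l) local_backup ;;
    r) remote_backup ;;
    p) prepare_backup ;;
    *)
      usage
      exit "$E_NEXSTARG"
      ;;
  esac
done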
# 2. Firewall, NAT, Shaping:
# $FreeBSD: src/etc/rc.firewall,v 1.52.2.3.6.1 2010/02/10 00:26:20 kensmith Exp $
# DVS Thu Jul 26 12:38:41 UTC 2010
# NanoBSD Shaping router with NAT IPFW configuration file
# 1. General settings
# 1.1 Interfaces
# 1.1.1 External interface
# 1.1.1 External (uplink) interface and its public address
# ("xx.xx.xx.xx" is a placeholder in the published copy)
eif='em1'
eip='xx.xx.xx.xx'
# 1.1.2 Internal (abonent) interface; iip is not referenced by the ruleset
iif='em0'
iip='192.168.50.10'
# 1.1.3 Management interface; neither cif nor cip is referenced by the ruleset
cif='fxp0'
cip='192.168.23.10'
# 1.2 Access lists
# 1.2.1 Local access ACL: space-separated prefixes loaded into table 1
laccess='xx.xx.xx.xx/30 192.168.23.0/24 xx.xx.xx.xx'
# 1.2.2 NAT ACL: "net,nat-instance" pairs for tables 10 (out) and 11 (in)
nout_pools='192.168.50.0/24,10'
ninp_pools="${eip},10"
# 1.2.3 SHAPER ACL: "net,pipe" pairs for tables 25 (out) and 26 (in)
sout_pools='192.168.50.0/24,12'
sinp_pools='192.168.50.0/23,10'
# 1.3 System defined variables
# 1.3.1 Suck in the configuration variables.
# Load rc.conf variables unless rc.subr already did so for us
# (the guard variable is set by /etc/defaults/rc.conf on FreeBSD).
if [ -z "${source_rc_confs_defined}" ]; then
  if [ -r /etc/defaults/rc.conf ]; then
    . /etc/defaults/rc.conf
    source_rc_confs
  elif [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
  fi
fi
# 1.3.2 Quiet mode: ipfw_quiet=YES (any case) adds -q to every ipfw call.
# fwcmd is expanded unquoted on purpose so that "-q" becomes its own argument.
fwcmd='/sbin/ipfw'
case "${ipfw_quiet}" in
  [Yy][Ee][Ss]) fwcmd="${fwcmd} -q" ;;
esac
# 1.4 NAT Pools
# 1.4.1 Pool - 10
# NAT instance 10 on the external address. same_ports keeps source ports
# where possible; unreg_only translates only unregistered (private) source
# addresses; reset drops the translation table when the address changes.
# ${fwcmd} stays unquoted so an optional "-q" is passed as a separate word.
${fwcmd} nat 10 config ip ${eip} same_ports reset unreg_only
# 1.5 Pipe Templates
# Drop every existing dummynet pipe before re-creating the templates.
${fwcmd} -f pipe flush
# 1.5.1 Template :: Bandwidth 512Kbit/s
# 1.5.1.a Abonents Incoming Traffic :: Input Pipe
# mask dst-ip 0xfffffffc: one dynamic 512Kbit/s queue per destination /30
${fwcmd} pipe 10 config bw 512Kbit/s mask dst-ip 0xfffffffc queue 46Kbytes
# 1.5.1.b Abonents Outgoing Traffic :: Output Pipe
# mask src-ip 0xfffffffc: one dynamic 512Kbit/s queue per source /30
${fwcmd} pipe 12 config bw 512Kbit/s mask src-ip 0xfffffffc queue 46Kbytes
# 2. Functions & Tables
# 2.1 Setup loopback interface
# Allows everything on lo0 and blocks 127/8 from appearing on any other
# interface in either direction.
# Globals: fwcmd (read)
setup_loopback () {
  local rule
  for rule in \
    'pass all from any to any via lo0' \
    'deny all from any to 127.0.0.0/8' \
    'deny ip from 127.0.0.0/8 to any'
  do
    # ${rule} is expanded unquoted so its words become separate ipfw arguments
    ${fwcmd} add ${rule}
  done
}
# 2.2 Fill Pool Tables
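# Loads "net,value" pairs into an ipfw table; the value becomes the
# tablearg (nat instance or pipe number) for that prefix.
# Arguments: $1 - space-separated list of "net,value" pairs (pass it quoted)
#            $2 - table number
# Globals:   fwcmd (read)
# Entries without a comma are skipped with a warning on stderr instead of
# being added with an empty value.
fill_pool_tables () {
  local list=$1
  local table=$2
  local pair net plid
  for pair in ${list}
  do
    case ${pair} in
      *,*)
        # Parameter expansion replaces the two awk invocations per entry
        net=${pair%%,*}
        plid=${pair#*,}
        plid=${plid%%,*}
        ${fwcmd} table "${table}" add "${net}" "${plid}"
        ;;
      *)
        echo "[WRN]: ignoring malformed pool entry '${pair}' (expected net,value)" >&2
        ;;
    esac
  done
}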
# 3 Tables
# 3.1 Suck in local access rules (TABLE 1)
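# Table 1: sources allowed to reach the router itself (laccess is split on
# whitespace on purpose, one prefix per entry)
${fwcmd} table 1 flush > /dev/null 2>&1
for net in ${laccess}
do
  ${fwcmd} table 1 add "${net}"
done
# 3.2 Suck in NAT-OUT access rules (TABLE 10)
# The pool lists are passed quoted: unquoted, a list with more than one
# pair would be split into $1 and $2 and the table number would be lost.
${fwcmd} table 10 flush > /dev/null 2>&1
fill_pool_tables "${nout_pools}" 10
# 3.3 Suck in NAT-IN access rules (TABLE 11)
${fwcmd} table 11 flush > /dev/null 2>&1
fill_pool_tables "${ninp_pools}" 11
# 3.4 Suck in SHAPER-OUT access rules (TABLE 25)
${fwcmd} table 25 flush > /dev/null 2>&1
fill_pool_tables "${sout_pools}" 25
# 3.5 Suck in SHAPER-IN access rules (TABLE 26)
${fwcmd} table 26 flush > /dev/null 2>&1
fill_pool_tables "${sinp_pools}" 26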
# 4. Global Ruleset
# 4.1 Flush out the list before we begin.
# Flush the ruleset only; the nat instance, pipes and tables configured
# above are expected to survive this (verify on the target release).
# Between this flush and the first "add" the kernel default rule applies.
${fwcmd} -f flush
# 4.2 Local/Management access rules
setup_loopback
# Inbound traffic to the router from table(1) sources, on any interface
${fwcmd} add pass all from "table(1)" to me in
# Everything the router itself originates is allowed out
${fwcmd} add pass all from me to any out
# 4.3 Rules based on traffic destination
# Each interface/direction jumps to its own ruleset; anything that matches
# none of them (other interfaces, e.g. the management interface cif, which
# is defined above but never referenced here) reaches the default at 4.3.5.
# 4.3.1 External interface out :: abonents outgoing traffic
${fwcmd} add skipto 10000 all from any to any out xmit ${eif}
# 4.3.2 External interface in :: abonents incoming traffic
${fwcmd} add skipto 15000 all from any to any in recv ${eif}
# 4.3.3 Internal interface out :: abonents incoming traffic
${fwcmd} add skipto 20000 all from any to any out xmit ${iif}
# 4.3.4 Internal interface in :: abonents outgoing traffic
${fwcmd} add skipto 25000 all from any to any in recv ${iif}
# 4.3.5 Default rule
# NOTE(review): this is an allow-all, so inbound traffic to "me" on
# interfaces not handled by 4.3.1-4.3.4 is not restricted to table(1);
# confirm that is intended for the management interface.
${fwcmd} add allow ip from any to any
# 4.4 Local Rulesets
# 4.4.1 Ruleset 4.3.1: NAT sources in table(10) (tablearg = nat instance),
# everything else leaving via ${eif} is dropped. Whether a translated packet
# continues to 10100 or is accepted right after nat depends on the
# net.inet.ip.fw.one_pass sysctl - confirm on the target.
${fwcmd} add 10000 nat tablearg all from "table(10)" to any
${fwcmd} add 10100 deny ip from any to any
# 4.4.2 Ruleset 4.3.2: reverse NAT for destinations in table(11), then deny
${fwcmd} add 15000 nat tablearg all from any to "table(11)"
${fwcmd} add 15100 deny ip from any to any
# 4.4.3 Ruleset 4.3.3: shape traffic towards table(26) (tablearg = pipe), then allow
${fwcmd} add 20000 pipe tablearg all from any to "table(26)"
${fwcmd} add 20100 allow ip from any to any
# 4.4.4 Ruleset 4.3.4: shape traffic from table(25) (tablearg = pipe), then allow
${fwcmd} add 25000 pipe tablearg all from "table(25)" to any
${fwcmd} add 25100 allow ip from any to any
# 5. End of file
echo Firewall rules loaded.