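#!/bin/csh -f
# Copyright (c) 1995 CheckPoint Software Technologies.
# Company Confidential
# antispoof.csh Version 0.1
#
# Interactive setup of FireWall-1 anti-spoofing rules.
#
# For every filter-module gateway the operator names, the script asks for the
# gateway's external interfaces and the internal networks (number + netmask)
# behind it, builds one
#     inbound <if>@<gateway> drop <internal-net test>, LOG(alert,0);
# line per external interface, and appends the generated block -- bracketed by
# the "FW-1 ANTISPOOF START" / "FW-1 ANTISPOOF END" markers -- to
# $FWDIR/lib/fwui_head.def, first deleting any block left by a previous run.
#
# Environment: FWDIR - FireWall-1 install directory; /etc/fw if unset.
# Exit status: 0 when $DEFS was updated, 1 when the operator declined, the
#              script was interrupted, or it aborted before changing anything.

# /usr/ucb first so the BSD echo (which understands -n) serves the prompts.
set path = ( /usr/ucb $path )
#set echo verbose
alias ask 'echo -n \!* ": "'
alias label 'echo "**********************************************************"'
alias line  'echo "----------------------------------------------------------"'
echo "************ FireWall-1 Anti Spoofing Setup ******************"
echo "You will be asked to enter the names of all the FW-1 Gateways"
echo "that have external interfaces, "
echo " "
echo "For each and every one of these you must enter:"
echo "     1. The names of the external interfaces (e.g. le1, ie0 etc)"
echo "     2. All the internal Networks behind that gateway (IP Number + Netmask)"
echo " "
label

if ( `whoami` != root ) then
	echo "Not a super-user, Super user Permissions are essential for correct"
	echo "Operation of the Anti Spoofing setup script"
	echo "" ; echo -n "Continue Anyway (y/n) [n]?"
	set ans = $<
	# Compare with an "x" prefix: an empty answer (the default) would otherwise
	# leave "if ( != y )", which csh rejects as an expression syntax error.
	if ("x$ans" != xy) goto abort
endif

# The generated code is staged in a private temp file before $DEFS is touched.
# mktemp creates it with an unpredictable name and mode 0600; a fixed
# /tmp/fw1.spoof.$$ name could be pre-created (for instance as a symlink) by
# another user and would then be overwritten here with root privileges.
set tmpfn = `mktemp /tmp/fw1.spoof.XXXXXX`
if ("x$tmpfn" == x) then
	echo "Could not create a temporary file in /tmp"
	goto abort
endif
# Remove the temp file if the operator interrupts the script at a prompt.
onintr cleanup

echo "// FW-1 ANTISPOOF START" > $tmpfn

# gws accumulates every gateway configured in this run (for the final hint).
set gws = ()
moregws:
set h = `hostname`
echo -n "Enter FireWall-1 filter module machine name [Default: $h]: "
set gateway = $<
if ("x$gateway" == x) then
	set gateway = $h
endif

set gws = ( $gws $gateway )
getifs:
echo " "
echo "Enter ALL external interfaces for "$gateway", one at a time."
echo " "
set ifs = ()
moreifs:
ask "Enter name of the external interface (e.g. le1), [<RET> to end]"
set  newif = $<
if ( "x$newif" == "x" ) goto ifsdone
set  ifs = ( $ifs $newif )
goto moreifs

ifsdone:
if ($#ifs == 0) then
	echo "No interfaces entered.  You must have at least one external interface."
	goto getifs
endif
echo "The following interface entered as your external interfaces on $gateway"
echo $ifs
ask "Is this correct (y/n) [y]"
set ans = $<
if ("x$ans" != xy && "x$ans" != x) then
	# Start the interface list over as an empty word list.
	set ifs = ()
	goto moreifs
endif

line
echo "You will now be requested to supply the list of your internal networks"
echo "A network is specified by its network number (e.g. 192.9.200.0) and"
echo "its network mask (e.g. 255.255.255.0)"
echo "Please enter ALL your internal networks, one at a time."
# nets[i] and nms[i] are parallel lists: network number and its netmask.
set nets = ()
set nms = ()
morenets:
ask "Enter network number [<RET> to end]"
set newnet = $<
if ( "x$newnet" == "x" ) goto netsdone
ask "Enter netmask for network $newnet"
set newnm = $<
# An empty netmask is recorded as the word "default" and later emitted as a
# "netof ip_src" test instead of an explicit mask.
if ("x$newnm" == x) set newnm = default
ask "Network: $newnet  Netmask: $newnm  Is this correct (y/n) [y]"
set ok = $<
if ("x$ok" != "xy" && "x$ok" != x) then
	echo "Net $newnet not added"
	goto morenets
endif
echo " "
set nets = ( $nets $newnet )
set nms = ( $nms $newnm )
goto morenets

netsdone:
line
echo "The following information was entered: "
echo "Machine $gateway"
echo "External Interface(s): " $ifs
echo "Internal Networks: "
echo "Netnum			Netmask"
# Walk the two parallel lists together; nml is shifted as netl is iterated.
set netl = ( $nets )
set nml = ( $nms )
foreach i ( $netl )
	echo $i "		" $nml[1]
	shift nml
end
line
echo "Creating code for $gateway"
# Build the "or"-joined test that matches any internal network as source.
@ i=0
set ckcode
set op
foreach net ( $nets )
	@ i++
	set nm = $nms[$i]
	if ($nm == default) then
		set ckcode = "$ckcode $op netof ip_src = $net"
	else
		set ckcode = "$ckcode $op (ip_src & $nm) = $net"
	endif
	set op = or
end
# One drop rule per external interface: internal sources arriving inbound on an
# external interface are spoofed.
foreach i ( $ifs )
	set newcode = "inbound $i@$gateway drop $ckcode, LOG(alert,0);"
	echo "$newcode" >> $tmpfn
end
label
ask "Do you want to add another FireWall-1 gateway? (y/n)[n]"
set ans = $<
# "x" prefix again: the default empty answer must not be a syntax error.
if ("x$ans" == xy) goto moregws

gwdone:
echo "// FW-1 ANTISPOOF END" >> $tmpfn

if (! $?FWDIR) then
	echo Setting FWDIR = /etc/fw
	setenv FWDIR /etc/fw
endif
setenv DEFS $FWDIR/lib/fwui_head.def
label
echo "The following code will be entered into $DEFS :"
line
cat $tmpfn
line
ask "Are you sure you want to update $DEFS (y/n) [y]"
set ans = $<
if ("x$ans" != xy && "x$ans" != x) then
	echo "FireWall-1 configuration NOT updated, quitting"
	echo "Bye Bye."
	goto cleanup
endif

# Keep a timestamped backup of the current header; do not edit $DEFS if the
# backup could not be written.
cp $DEFS $DEFS.`date +%m%d%H%M%S`
if ($status != 0) then
	echo "Could not back up $DEFS, FireWall-1 configuration NOT updated"
	goto cleanup
endif
# -s: only the exit status is wanted, not the matching lines.
egrep -s 'FW-1 ANTISPOOF' $DEFS
if ($status == 0) then
	echo "Removing old Anti Spoofing code from $DEFS"
#	echo -n "Continue ? (y/n) [n] "
#	set ok = $<
#	if ("x$ok" != "y") exit 0
	# Delete the previous START..END block in place.  NOTE(review): if a
	# START marker exists without a matching END (an earlier run that died
	# before writing it), ex cannot resolve the range and the stale marker
	# is left in place -- check $DEFS by hand in that case.
	ex - $DEFS << EOEX
/FW-1 ANTISPOOF START/,/FW-1 ANTISPOOF END/d
w
q
EOEX
endif
cat $tmpfn >> $DEFS
line
echo "Code updated in $DEFS"
line
echo "To verify the operation of this script, you should look at"
echo "the definitions at the bottom of $DEFS"
line
echo "Please re-load your FireWall-1 filter configuration on $gws"
line

rm -f $tmpfn
exit 0

abort:
echo "Bye bye"
# Falls through into cleanup on purpose.
cleanup:
# Remove the staged code, if a temp file was ever created, and exit 1.
if ($?tmpfn) then
	if ("x$tmpfn" != x) rm -f $tmpfn
endif
exit 1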
